Search Engine Redirect



#1 tonto58

Posted 03 February 2012 - 07:11 PM

Hi All,

I've been having problems for the last 2-3 weeks with my Google/Yahoo searches. Every time I select one of the search items I get redirected either to abnow.com or mediashifting.com. Actually, at the moment when I open Firefox, it goes directly to mediashifting.com even though I have set my homepage to google.com.

I have an older PC which has really not given me too many problems, as I usually am pretty careful when I surf. The operating system is Windows XP with SP3, and it is an AMD Athlon XP 1800+ 1.5 GHz with 1.5 GB of RAM.

Steps to Date:

(i) I have completely backed up my drive to an external using DriveImage XML.

(ii) Updated & Scanned S&D - Nothing Found

My apologies if I have missed posting any helpful information.

#2 narenxp

Posted 03 February 2012 - 07:31 PM

Download TDSSKiller.

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (Do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

#3 tonto58

Posted 04 February 2012 - 08:01 PM

Here is the TDSS Report:


20:07:41.0605 3440 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
20:07:42.0027 3440 ============================================================
20:07:42.0027 3440 Current date / time: 2012/02/03 20:07:42.0027
20:07:42.0027 3440 SystemInfo:
20:07:42.0027 3440
20:07:42.0027 3440 OS Version: 5.1.2600 ServicePack: 3.0
20:07:42.0027 3440 Product type: Workstation
20:07:42.0027 3440 ComputerName: DESIGN
20:07:42.0027 3440 UserName: Litho Art
20:07:42.0027 3440 Windows directory: C:\WINDOWS
20:07:42.0027 3440 System windows directory: C:\WINDOWS
20:07:42.0027 3440 Processor architecture: Intel x86
20:07:42.0027 3440 Number of processors: 1
20:07:42.0027 3440 Page size: 0x1000
20:07:42.0027 3440 Boot type: Normal boot
20:07:42.0027 3440 ============================================================
20:07:46.0293 3440 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:07:46.0293 3440 \Device\Harddisk0\DR0:
20:07:46.0293 3440 MBR used
20:07:46.0293 3440 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1F411B9
20:07:46.0308 3440 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1F41237, BlocksNum 0x2CEF8F6
20:07:46.0324 3440 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x4C30B6C, BlocksNum 0x9362C55
20:07:46.0496 3440 Initialize success
20:07:46.0496 3440 ============================================================
20:08:25.0137 0280 ============================================================
20:08:25.0137 0280 Scan started
20:08:25.0137 0280 Mode: Manual; TDLFS;
20:08:25.0137 0280 ============================================================
20:08:26.0027 0280 Abiosdsk - ok
20:08:26.0355 0280 abp480n5 - ok
20:08:26.0808 0280 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:08:26.0871 0280 ACPI - ok
20:08:27.0308 0280 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:08:27.0324 0280 ACPIEC - ok
20:08:27.0699 0280 adpu160m - ok
20:08:28.0105 0280 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:08:28.0152 0280 aec - ok
20:08:28.0558 0280 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:08:28.0637 0280 AFD - ok
20:08:28.0996 0280 Aha154x - ok
20:08:29.0324 0280 aic78u2 - ok
20:08:29.0699 0280 aic78xx - ok
20:08:30.0230 0280 aksfridge (a6003e95e9561147cee4d3170a01b8cf) C:\WINDOWS\system32\drivers\aksfridge.sys
20:08:30.0355 0280 aksfridge - ok
20:08:30.0715 0280 AliIde - ok
20:08:31.0137 0280 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
20:08:31.0137 0280 AmdK7 - ok
20:08:31.0480 0280 amsint - ok
20:08:31.0824 0280 asc - ok
20:08:32.0183 0280 asc3350p - ok
20:08:32.0496 0280 asc3550 - ok
20:08:32.0887 0280 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:08:32.0902 0280 AsyncMac - ok
20:08:33.0324 0280 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:08:33.0324 0280 atapi - ok
20:08:33.0668 0280 Atdisk - ok
20:08:34.0043 0280 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:08:34.0074 0280 Atmarpc - ok
20:08:34.0465 0280 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:08:34.0465 0280 audstub - ok
20:08:34.0887 0280 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:08:34.0902 0280 Beep - ok
20:08:35.0324 0280 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:08:35.0340 0280 cbidf2k - ok
20:08:35.0683 0280 cd20xrnt - ok
20:08:36.0012 0280 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:08:36.0027 0280 Cdaudio - ok
20:08:36.0418 0280 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:08:36.0449 0280 Cdfs - ok
20:08:36.0840 0280 Cdr4_xp (c3e76b0c05ebf7261abfb08d9e75822e) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
20:08:36.0840 0280 Cdr4_xp - ok
20:08:37.0215 0280 Cdralw2k (17590dfe29e02842a6e3a463e443d1b9) C:\WINDOWS\system32\drivers\Cdralw2k.sys
20:08:37.0230 0280 Cdralw2k - ok
20:08:37.0605 0280 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:08:37.0621 0280 Cdrom - ok
20:08:38.0090 0280 cdudf_xp (a19f8c660426e02aa99af1ed3d0dcb1c) C:\WINDOWS\system32\drivers\cdudf_xp.sys
20:08:38.0183 0280 cdudf_xp - ok
20:08:38.0496 0280 Changer - ok
20:08:38.0887 0280 CmdIde - ok
20:08:39.0293 0280 Cpqarray - ok
20:08:39.0683 0280 CtUsbMs (72968d25a66abde629c1ad7287112b7f) C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys
20:08:39.0683 0280 CtUsbMs - ok
20:08:40.0043 0280 dac2w2k - ok
20:08:40.0418 0280 dac960nt - ok
20:08:40.0824 0280 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:08:40.0840 0280 Disk - ok
20:08:41.0558 0280 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:08:41.0871 0280 dmboot - ok
20:08:42.0308 0280 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:08:42.0355 0280 dmio - ok
20:08:42.0746 0280 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:08:42.0762 0280 dmload - ok
20:08:43.0183 0280 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:08:43.0199 0280 DMusic - ok
20:08:43.0668 0280 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
20:08:43.0746 0280 dot4 - ok
20:08:44.0090 0280 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
20:08:44.0105 0280 Dot4Print - ok
20:08:44.0496 0280 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
20:08:44.0496 0280 dot4usb - ok
20:08:44.0840 0280 dpti2o - ok
20:08:45.0215 0280 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:08:45.0215 0280 drmkaud - ok
20:08:45.0621 0280 dvd_2K (943873bf94e372b78ab0b0631069ac2b) C:\WINDOWS\system32\drivers\dvd_2K.sys
20:08:45.0621 0280 dvd_2K - ok
20:08:46.0168 0280 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:08:46.0215 0280 Fastfat - ok
20:08:46.0637 0280 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:08:46.0637 0280 Fdc - ok
20:08:47.0074 0280 FETNDIS (abc77d30511723e5f58575881136d728) C:\WINDOWS\system32\DRIVERS\fetnd5a.sys
20:08:47.0090 0280 FETNDIS - ok
20:08:47.0199 0280 FILEMON - ok
20:08:47.0621 0280 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:08:47.0637 0280 Fips - ok
20:08:48.0058 0280 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:08:48.0058 0280 Flpydisk - ok
20:08:48.0433 0280 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:08:48.0496 0280 FltMgr - ok
20:08:48.0887 0280 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:08:48.0887 0280 Fs_Rec - ok
20:08:49.0355 0280 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:08:49.0402 0280 Ftdisk - ok
20:08:49.0808 0280 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
20:08:49.0824 0280 gameenum - ok
20:08:50.0152 0280 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
20:08:50.0168 0280 giveio - ok
20:08:50.0605 0280 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:08:50.0621 0280 Gpc - ok
20:08:51.0262 0280 Hardlock (63777f012fc92853ed1138bb7154dbbb) C:\WINDOWS\system32\drivers\hardlock.sys
20:08:51.0480 0280 Hardlock - ok
20:08:51.0918 0280 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:08:51.0918 0280 HidUsb - ok
20:08:52.0293 0280 hpn - ok
20:08:52.0637 0280 hpt3xx - ok
20:08:53.0105 0280 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:08:53.0199 0280 HTTP - ok
20:08:53.0558 0280 i2omgmt - ok
20:08:53.0902 0280 i2omp - ok
20:08:54.0246 0280 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:08:54.0277 0280 i8042prt - ok
20:08:54.0699 0280 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:08:54.0715 0280 Imapi - ok
20:08:55.0105 0280 ini910u - ok
20:08:55.0465 0280 IntelIde - ok
20:08:55.0871 0280 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:08:55.0887 0280 ip6fw - ok
20:08:56.0277 0280 IPFilter (9ea02e03ed52d25551a6e46cf3b94b01) C:\WINDOWS\system32\DRIVERS\IPFilter.sys
20:08:56.0277 0280 IPFilter - ok
20:08:56.0699 0280 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:08:56.0715 0280 IpFilterDriver - ok
20:08:57.0105 0280 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:08:57.0121 0280 IpInIp - ok
20:08:57.0527 0280 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:08:57.0590 0280 IpNat - ok
20:08:57.0980 0280 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:08:58.0027 0280 IPSec - ok
20:08:58.0387 0280 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:08:58.0387 0280 IRENUM - ok
20:08:58.0808 0280 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:08:58.0824 0280 isapnp - ok
20:08:58.0949 0280 ISWKL (eb8594268cf50baaecbe82d70c833533) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
20:08:58.0965 0280 ISWKL - ok
20:08:59.0371 0280 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:08:59.0387 0280 Kbdclass - ok
20:08:59.0746 0280 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:08:59.0746 0280 kbdhid - ok
20:09:00.0137 0280 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:09:00.0215 0280 kmixer - ok
20:09:00.0621 0280 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:09:00.0652 0280 KSecDD - ok
20:09:01.0105 0280 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys
20:09:01.0105 0280 LBeepKE - ok
20:09:01.0512 0280 lbrtfdc - ok
20:09:01.0902 0280 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
20:09:01.0918 0280 LHidFilt - ok
20:09:02.0387 0280 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
20:09:02.0402 0280 LMouFilt - ok
20:09:02.0746 0280 LMouKE - ok
20:09:03.0121 0280 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
20:09:03.0137 0280 LUsbFilt - ok
20:09:03.0512 0280 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
20:09:03.0512 0280 MDC8021X - ok
20:09:04.0105 0280 mmc_2K (18032034b88c7f9e9068df91ab3ae968) C:\WINDOWS\system32\drivers\mmc_2K.sys
20:09:04.0121 0280 mmc_2K - ok
20:09:04.0512 0280 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:09:04.0512 0280 mnmdd - ok
20:09:04.0933 0280 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:09:04.0949 0280 Modem - ok
20:09:05.0324 0280 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:09:05.0340 0280 Mouclass - ok
20:09:05.0699 0280 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:09:05.0715 0280 mouhid - ok
20:09:06.0105 0280 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:09:06.0121 0280 MountMgr - ok
20:09:06.0465 0280 mraid35x - ok
20:09:06.0855 0280 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:09:06.0918 0280 MRxDAV - ok
20:09:07.0480 0280 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:09:07.0652 0280 MRxSmb - ok
20:09:08.0105 0280 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:09:08.0121 0280 Msfs - ok
20:09:08.0527 0280 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:09:08.0527 0280 MSKSSRV - ok
20:09:08.0902 0280 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:09:08.0902 0280 MSPCLOCK - ok
20:09:09.0293 0280 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:09:09.0293 0280 MSPQM - ok
20:09:09.0668 0280 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:09:09.0668 0280 mssmbios - ok
20:09:10.0027 0280 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
20:09:10.0027 0280 ms_mpu401 - ok
20:09:10.0480 0280 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:09:10.0543 0280 Mup - ok
20:09:10.0621 0280 NAVAP - ok
20:09:10.0668 0280 NAVAPEL - ok
20:09:11.0137 0280 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:09:11.0215 0280 NDIS - ok
20:09:11.0652 0280 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:09:11.0652 0280 NdisTapi - ok
20:09:12.0058 0280 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:09:12.0074 0280 Ndisuio - ok
20:09:12.0496 0280 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:09:12.0527 0280 NdisWan - ok
20:09:12.0902 0280 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:09:12.0918 0280 NDProxy - ok
20:09:13.0308 0280 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:09:13.0324 0280 NetBIOS - ok
20:09:13.0746 0280 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:09:13.0808 0280 NetBT - ok
20:09:14.0308 0280 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:09:14.0324 0280 Npfs - ok
20:09:14.0949 0280 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:09:15.0168 0280 Ntfs - ok
20:09:15.0605 0280 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:09:15.0605 0280 Null - ok
20:09:20.0715 0280 nv (6733e80a193fc36f41c24142b0c45c0e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:09:25.0402 0280 nv - ok
20:09:25.0855 0280 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:09:25.0855 0280 NwlnkFlt - ok
20:09:26.0262 0280 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:09:26.0277 0280 NwlnkFwd - ok
20:09:26.0793 0280 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:09:26.0808 0280 Parport - ok
20:09:27.0183 0280 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:09:27.0199 0280 PartMgr - ok
20:09:27.0605 0280 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:09:27.0605 0280 ParVdm - ok
20:09:27.0918 0280 PCAMPR5 - ok
20:09:28.0246 0280 PCANDIS5 (2f9806b52cb3748b1e49222744b28e3c) C:\WINDOWS\system32\PCANDIS5.SYS
20:09:28.0246 0280 PCANDIS5 - ok
20:09:28.0683 0280 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:09:28.0715 0280 PCI - ok
20:09:29.0058 0280 PCIDump - ok
20:09:29.0418 0280 PCIIde - ok
20:09:29.0855 0280 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:09:29.0902 0280 Pcmcia - ok
20:09:30.0246 0280 PDCOMP - ok
20:09:30.0574 0280 PDFRAME - ok
20:09:30.0949 0280 PDRELI - ok
20:09:31.0277 0280 PDRFRAME - ok
20:09:31.0637 0280 perc2 - ok
20:09:31.0965 0280 perc2hib - ok
20:09:32.0449 0280 pfc (e5ac9f8c128b597dd7919af96b84172e) C:\WINDOWS\System32\drivers\pfc.sys
20:09:32.0449 0280 pfc - ok
20:09:32.0902 0280 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:09:32.0933 0280 PptpMiniport - ok
20:09:33.0308 0280 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
20:09:33.0308 0280 PQNTDrv - ok
20:09:33.0777 0280 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:09:33.0793 0280 Processor - ok
20:09:34.0246 0280 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:09:34.0277 0280 PSched - ok
20:09:34.0668 0280 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:09:34.0683 0280 Ptilink - ok
20:09:35.0121 0280 pwd_2k (4f1948a73db89ee4b34feeedd6745ee1) C:\WINDOWS\system32\drivers\pwd_2k.sys
20:09:35.0168 0280 pwd_2k - ok
20:09:35.0605 0280 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
20:09:35.0621 0280 PxHelp20 - ok
20:09:35.0996 0280 ql1080 - ok
20:09:36.0340 0280 Ql10wnt - ok
20:09:36.0699 0280 ql12160 - ok
20:09:37.0012 0280 ql1240 - ok
20:09:37.0371 0280 ql1280 - ok
20:09:37.0746 0280 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:09:37.0762 0280 RasAcd - ok
20:09:38.0168 0280 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:09:38.0183 0280 Rasl2tp - ok
20:09:38.0652 0280 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:09:38.0668 0280 RasPppoe - ok
20:09:39.0043 0280 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:09:39.0058 0280 Raspti - ok
20:09:39.0512 0280 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:09:39.0590 0280 Rdbss - ok
20:09:39.0965 0280 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:09:39.0965 0280 RDPCDD - ok
20:09:40.0449 0280 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:09:40.0558 0280 rdpdr - ok
20:09:41.0043 0280 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:09:41.0090 0280 RDPWD - ok
20:09:41.0590 0280 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:09:41.0605 0280 redbook - ok
20:09:41.0996 0280 RimUsb - ok
20:09:42.0355 0280 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
20:09:42.0371 0280 RimVSerPort - ok
20:09:42.0793 0280 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
20:09:42.0793 0280 ROOTMODEM - ok
20:09:42.0980 0280 SASDIFSV (39763504067962108505bff25f024345) E:\Program Files\SASDIFSV.SYS
20:09:42.0996 0280 SASDIFSV - ok
20:09:43.0090 0280 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) E:\Program Files\SASKUTIL.SYS
20:09:43.0121 0280 SASKUTIL - ok
20:09:43.0590 0280 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:09:43.0605 0280 Secdrv - ok
20:09:44.0043 0280 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:09:44.0043 0280 serenum - ok
20:09:44.0465 0280 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:09:44.0480 0280 Serial - ok
20:09:44.0887 0280 SetupNT (549ea830a5d9edd9cd14311126c2849b) C:\WINDOWS\system32\SetupNT.sys
20:09:44.0902 0280 SetupNT - ok
20:09:45.0215 0280 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:09:45.0230 0280 Sfloppy - ok
20:09:45.0605 0280 Simbad - ok
20:09:45.0902 0280 Sparrow - ok
20:09:46.0183 0280 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
20:09:46.0183 0280 speedfan - ok
20:09:46.0621 0280 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:09:46.0637 0280 splitter - ok
20:09:47.0012 0280 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:09:47.0058 0280 sr - ok
20:09:47.0574 0280 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:09:47.0715 0280 Srv - ok
20:09:48.0152 0280 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:09:48.0152 0280 swenum - ok
20:09:48.0543 0280 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:09:48.0574 0280 swmidi - ok
20:09:48.0996 0280 symc810 - ok
20:09:49.0324 0280 symc8xx - ok
20:09:49.0683 0280 sym_hi - ok
20:09:50.0043 0280 sym_u3 - ok
20:09:50.0433 0280 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:09:50.0465 0280 sysaudio - ok
20:09:51.0043 0280 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:09:51.0168 0280 Tcpip - ok
20:09:51.0590 0280 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:09:51.0590 0280 TDPIPE - ok
20:09:52.0012 0280 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:09:52.0012 0280 TDTCP - ok
20:09:52.0402 0280 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:09:52.0418 0280 TermDD - ok
20:09:52.0840 0280 TosIde - ok
20:09:53.0277 0280 UdfReadr_xp (d4777fcb3ad6d140ed3e520b7bcf9041) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
20:09:53.0355 0280 UdfReadr_xp ( Virus.Win32.ZAccess.g ) - infected
20:09:53.0355 0280 UdfReadr_xp - detected Virus.Win32.ZAccess.g (0)
20:09:53.0746 0280 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:09:53.0777 0280 Udfs - ok
20:09:54.0137 0280 ultra - ok
20:09:54.0246 0280 UnlockerDriver5 (4847639d852763ee39415c929470f672) E:\Program Files\Unlocker\UnlockerDriver5.sys
20:09:54.0262 0280 UnlockerDriver5 - ok
20:09:54.0777 0280 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:09:54.0949 0280 Update - ok
20:09:55.0387 0280 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
20:09:55.0418 0280 usbaudio - ok
20:09:55.0824 0280 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:09:55.0840 0280 usbccgp - ok
20:09:56.0215 0280 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:09:56.0230 0280 usbehci - ok
20:09:56.0621 0280 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:09:56.0668 0280 usbhub - ok
20:09:57.0058 0280 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:09:57.0074 0280 usbprint - ok
20:09:57.0480 0280 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:09:57.0480 0280 USBSTOR - ok
20:09:57.0887 0280 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:09:57.0887 0280 usbuhci - ok
20:09:58.0277 0280 vdiskbus (6706ead63acd955fc1e3117f5c16d007) C:\WINDOWS\system32\DRIVERS\vdiskbus.sys
20:09:58.0293 0280 vdiskbus - ok
20:09:58.0699 0280 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:09:58.0730 0280 VgaSave - ok
20:09:59.0105 0280 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:09:59.0121 0280 viaagp - ok
20:09:59.0527 0280 viaagp1 (501ba806d8a9a289c17a1af2ae45317d) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
20:09:59.0543 0280 viaagp1 - ok
20:09:59.0933 0280 ViaIde (a5d8b6c8d43786d4215c1df6fab0aae0) C:\WINDOWS\system32\DRIVERS\viaidexp.sys
20:09:59.0949 0280 ViaIde - ok
20:10:00.0340 0280 VIAudio (7c6dd89e2b5e78a8247e327c2b301db1) C:\WINDOWS\system32\drivers\viaudio.sys
20:10:00.0355 0280 VIAudio - ok
20:10:00.0808 0280 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:10:00.0824 0280 VolSnap - ok
20:10:01.0355 0280 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
20:10:01.0574 0280 vsdatant - ok
20:10:02.0058 0280 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:10:02.0074 0280 Wanarp - ok
20:10:02.0465 0280 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
20:10:02.0465 0280 WDC_SAM - ok
20:10:03.0043 0280 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:10:03.0230 0280 Wdf01000 - ok
20:10:03.0543 0280 WDICA - ok
20:10:03.0965 0280 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:10:03.0996 0280 wdmaud - ok
20:10:04.0637 0280 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:10:04.0668 0280 WudfPf - ok
20:10:04.0824 0280 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:10:05.0324 0280 \Device\Harddisk0\DR0 - ok
20:10:05.0387 0280 Boot (0x1200) (765f6fd956dcf9e37fc0970fed7a3a4d) \Device\Harddisk0\DR0\Partition0
20:10:05.0387 0280 \Device\Harddisk0\DR0\Partition0 - ok
20:10:05.0402 0280 Boot (0x1200) (225d76c3db1b4ebe0811caf97546b169) \Device\Harddisk0\DR0\Partition1
20:10:05.0418 0280 \Device\Harddisk0\DR0\Partition1 - ok
20:10:05.0465 0280 Boot (0x1200) (d36c6eac7fda8e51bdda93378d9898b2) \Device\Harddisk0\DR0\Partition2
20:10:05.0465 0280 \Device\Harddisk0\DR0\Partition2 - ok
20:10:05.0465 0280 ============================================================
20:10:05.0465 0280 Scan finished
20:10:05.0465 0280 ============================================================
20:10:05.0543 3148 Detected object count: 1
20:10:05.0543 3148 Actual detected object count: 1
19:51:21.0012 3148 C:\WINDOWS\system32\drivers\UdfReadr_xp.sys - copied to quarantine
19:51:21.0199 3148 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\UdfReadr_xp.sys) error 1813
19:51:22.0730 3148 Backup copy not found, trying to cure infected file..
19:51:22.0949 3148 Cure success, using it..
19:51:23.0043 3148 C:\WINDOWS\system32\drivers\UdfReadr_xp.sys - will be cured on reboot
19:51:46.0137 3148 UdfReadr_xp ( Virus.Win32.ZAccess.g ) - User select action: Cure
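
As an added example that is not part of this thread or of Kaspersky's tool, here is a small Python triage script for a TDSSKiller log in the format posted above. It extracts each driver's hash, path and verdict, lists the infected/detected entries, and separately lists drivers loaded from outside the Windows directory for manual review; the excerpt it runs on is copied from the log above, and the C:\WINDOWS system-root prefix is an assumption for this host.

```python
"""Triage a TDSSKiller scan log: detections plus drivers outside %SystemRoot%.

Added example, not Kaspersky's code. Per-driver lines come as
"<time> <tid> <name> (<md5>) <path>" followed by "<name> - ok|infected|detected ...".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d{4})\s+(?P<body>.*)$")
# "<name> (<md5>) <path>": the scanned image behind a service/driver entry.
FILE_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<name> [( <threat> )] - <status> [detail]": the verdict for that entry.
VERDICT_RE = re.compile(
    r"^(?P<name>\S+)(?: \( (?P<threat>[^)]+) \))? - (?P<status>\S+)(?: (?P<detail>.*))?$"
)

# Excerpt copied from the TDSSKiller log posted above (constructed sample input).
SAMPLE_LOG = r"""
20:08:28.0105 0280 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:08:28.0152 0280 aec - ok
20:08:28.0996 0280 Aha154x - ok
20:08:58.0949 0280 ISWKL (eb8594268cf50baaecbe82d70c833533) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
20:08:58.0965 0280 ISWKL - ok
20:09:42.0980 0280 SASDIFSV (39763504067962108505bff25f024345) E:\Program Files\SASDIFSV.SYS
20:09:42.0996 0280 SASDIFSV - ok
20:09:53.0277 0280 UdfReadr_xp (d4777fcb3ad6d140ed3e520b7bcf9041) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
20:09:53.0355 0280 UdfReadr_xp ( Virus.Win32.ZAccess.g ) - infected
20:09:53.0355 0280 UdfReadr_xp - detected Virus.Win32.ZAccess.g (0)
20:09:53.0746 0280 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:09:53.0777 0280 Udfs - ok
20:10:05.0465 0280 Scan finished
"""


@dataclass
class Driver:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None   # "ok", "infected", "detected", ...
    threat: Optional[str] = None   # e.g. "Virus.Win32.ZAccess.g"


def parse_tdsskiller(log: str) -> Dict[str, Driver]:
    """Return one Driver per named entry; header/footer lines are skipped."""
    drivers: Dict[str, Driver] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        f = FILE_RE.match(body)
        if f:
            d = drivers.setdefault(f.group("name"), Driver(f.group("name")))
            d.md5, d.path = f.group("md5"), f.group("path")
            continue
        v = VERDICT_RE.match(body)
        if not v:
            continue
        d = drivers.setdefault(v.group("name"), Driver(v.group("name")))
        status = v.group("status")
        # Never let a later "ok" hide an earlier infected/detected verdict.
        if status == "ok":
            d.status = d.status or "ok"
            continue
        d.status = status
        threat = v.group("threat")
        if threat is None and v.group("detail"):
            threat = v.group("detail").split(" (")[0]   # strip trailing "(0)"
        d.threat = threat or d.threat
    return drivers


def detections(drivers: Dict[str, Driver]) -> List[Driver]:
    """Entries the scanner flagged as infected or detected."""
    return [d for d in drivers.values() if d.status in ("infected", "detected")]


def drivers_outside_windows(drivers: Dict[str, Driver],
                            system_root: str = r"C:\WINDOWS") -> List[Driver]:
    """Drivers whose image is not under the Windows directory (assumed root).
    Not proof of anything (here they are security/utility tools), just review candidates."""
    prefix = system_root.lower().rstrip("\\") + "\\"
    return [d for d in drivers.values()
            if d.path and not d.path.lower().startswith(prefix)]


if __name__ == "__main__":
    found = parse_tdsskiller(SAMPLE_LOG)
    for d in detections(found):
        print(f"DETECTION {d.name}: {d.threat} at {d.path}")
    for d in drivers_outside_windows(found):
        print(f"REVIEW    {d.name}: {d.path}")
```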

#4 tonto58

Posted 05 February 2012 - 02:52 PM

After the TDSS scan, I was instructed by TDSS to reboot, which I did. It took a very long time for the computer to shut down. When it did reboot, the system did a chkdsk as apparently there were serious errors. That has never happened before. I have attempted to do a GMER scan but it was taking a long time...but it was scanning. At one point I noticed the scan found a hidden "no name" module. It was highlighted in red. However, the scan never completed as the computer just rebooted itself, and when I came back there was a dialogue box that said "System recovered from a serious error". I was trying to relaunch GMER again but I am unable to shut down ZoneAlarm first, which is sitting in the system tray. It won't let me pick it to shut it down. Any suggestions?


Update: Uninstalled Zone Alarm and am running gmer in safemode now.

Edited by tonto58, 05 February 2012 - 04:52 PM.


#5 narenxp

Posted 05 February 2012 - 06:52 PM

If you receive a bluescreen in safe mode, then ignore GMER and run aswMBR.

#6 tonto58

Posted 05 February 2012 - 10:31 PM

GMER log - running asw now.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-05 22:07:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120022A rev.3.06
Running: 0e0q7tn9.exe; Driver: C:\DOCUME~1\LITHOA~1\LOCALS~1\Temp\kgtdapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vdiskbus.sys (Virtual Disk Bus Enumerator/Winternals) ZwCreateSymbolicLinkObject [0xF77300DC]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 11C 804E2788 1 Byte [DC]
.text cdrom.sys F76F8000 84 Bytes [43, 02, C7, 43, 0C, 00, 00, ...]
.text cdrom.sys F76F8055 93 Bytes [85, C0, 74, 26, 56, FF, 15, ...]
.text cdrom.sys F76F80B3 13 Bytes [89, 45, FC, 89, 7D, 0C, 74, ...]
.text cdrom.sys F76F80C1 13 Bytes [74, 49, 81, FF, 04, 40, 07, ...]
.text cdrom.sys F76F80CF 138 Bytes [07, 00, 74, 39, F6, 05, 14, ...]
.text ...
? C:\WINDOWS\System32\DRIVERS\cdrom.sys suspicious PE modification

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExFreePoolWithTag] 8B184D8B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwClose] D1AC0FD6
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoQueryFileInformation] C1C68B08
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExInitializeResourceLite] 453210E8
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExDeleteResourceLite] 08EAC1FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeEvent] 4588FF85
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeEnterCriticalRegion] 0F4D88FB
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAcquireFastMutexUnsafe] B60F2D79
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExReleaseFastMutexUnsafe] B60F52D3
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeLeaveCriticalRegion] B60F50C0
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlInsertElementGenericTableAvl] 986850C1
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlDeleteElementGenericTableAvl] 6AF7702E
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlInitializeGenericTableAvl] 0C35FF21
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtOpenFile] FFF7702F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtQueryVolumeInformationFile] 702F0835
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtClose] 6614E8F7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!swprintf] 3D8BFFFF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlInitUnicodeString] [F7702F14] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 8AFB458A
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoGetRelatedDeviceObject] 4D320F4D
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAcquireResourceExclusiveLite] C1D68BFF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExReleaseResourceLite] D13A18EA
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAcquireResourceSharedLite] C7F71874
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwCreateFile] 40000000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoGetStackLimits] 00CB840F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmFlushImageSection] 98680000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcInitializeCacheMap] 6AF7702E
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcPurgeCacheSection] 00AEE922
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcSetFileSizes] CE8B0000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 3208E9C1
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeSetEvent] D38A0F4D
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcFlushCache] CA3AD032
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcUninitializeCacheMap] C7F71874
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IofCallDriver] 40000000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IofCompleteRequest] 00A3840F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoSetInformation] 98680000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!CcCopyWrite] 6AF7702E
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!FsRtlCopyRead] 0086E923
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoCreateDevice] 4D8B0000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwAllocateVirtualMemory] 14558B10
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtQuerySystemInformation] 0DD1AC0F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!_stricmp] 8B0DEAC1
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtOpenThread] AC0F1855
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtQueryInformationThread] CA3210F2
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlEqualUnicodeString] 3A10EEC1
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!PsLookupProcessThreadByCid] F71174CB
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeApc] 000000C7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObfReferenceObject] 68727440
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInsertQueueApc] [F7702E98] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeDelayExecutionThread] 58EB246A
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtConnectPort] 8B14758B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!PsCreateSystemThread] AC0F104D
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!LpcRequestPort] 4D3217F1
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!LpcRequestWaitReplyPort] 17EEC118
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeQuerySystemTime] 1174C83A
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlTimeToSecondsSince1980] 0000C7F7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!qsort] 4D744000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtCreateSection] 702E9868
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAllocatePoolWithTag] EB256AF7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwUnmapViewOfSection] FB75FF33
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwFlushVirtualMemory] FFF871E8
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtDeviceIoControlFile] 74C084FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwCreateSymbolicLinkObject] 1705F612
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoFreeWorkItem] 40F7702F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExUuidCreate] 98682F74
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtCreateFile] 6AF7702E
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtSetInformationFile] 8015EB26
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtQueryDirectoryFile] 347202FB
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlTimeToTimeFields] 2F1705F6
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlUnicodeStringToInteger] 7440F770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlTimeToSecondsSince1970] 2E986818
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtWriteFile] 276AF770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlSecondsSince1970ToTime] 2F0C35FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryInformationFile] 35FFF770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwReadFile] [F7702F08] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlIpv4AddressToStringA] FF62E7E8
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlRandomEx] 20458BFF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeQueryInterruptTime] 8B0000C6
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInsertQueue] 00C62445
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeRemoveQueue] 026AB800
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeRundownQueue] 30EBC000
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoFreeIrp] 2F1705F6
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeQueue] 7480F770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2E986818
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeTimer] 286AF770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeDpc] 2F0C35FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExQueueWorkItem] 35FFF770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAllocateWorkItem] [F7702F08] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoQueueWorkItem] FF62B3E8
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeSetTimerEx] 20458BFF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenSection] 88FB4D8A
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwMapViewOfSection] 24458B08
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmAllocatePagesForMdl] C0331888
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmUnmapLockedPages] C95B5E5F
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmFreePagesFromMdl] CC0020C2
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenFile] CCCCCCCC
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlHashUnicodeString] 8B55FF8B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlPrefixUnicodeString] 0C7D83EC
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAllocateIrp] 758B560B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeWaitForSingleObject] F616741C
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenKey] 702F1705
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwEnumerateKey] 840F40F7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwDeleteKey] 00000097
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!PoStartNextPowerIrp] 702E9868
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!PoCallDriver] EB296AF7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryKey] 147D837D
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwSetSystemInformation] F6267408
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoCreateDriver] 702F1705
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObMakeTemporaryObject] 7F7440F7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwDeleteFile] 681475FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObReferenceObjectByName] [F7702E98] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoDriverObjectType] 35FF2A6A
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoEnumerateDeviceObjectList] [F7702F0C] \SystemRoot\System32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!wcsrchr] 2F0835FF
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoDeleteDevice] 25E8F770
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoDetachDevice] EBFFFF64
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!NtMapViewOfSection] 10458B62
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObfDereferenceObject] 408B088B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!_allmul] 0BD18B04
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!memset] F61275D0
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!memcpy] 702F1705
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!_aulldiv] 4B7440F7
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[HAL.dll!KfLowerIrql] 185D8BE6
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[HAL.dll!KeGetCurrentIrql] AC0FCE8B
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[HAL.dll!KfRaiseIrql] 5D3218CB

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F7697000-F76A5000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] F769E540

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\nv@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\nv@TypesSupported 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\nv@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\nv4_mini.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\nv@TypesSupported 7
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost@netsvcs 6to4?AppMgmt?AudioSrv?Browser?CryptSvc?DMServer?DHCP?ERSvc?EventSystem?FastUserSwitchingCompatibility?HidServ?Ias?Iprip?Irmon?LanmanServer?LanmanWorkstation?Messenger?Netman?Nla?Ntmssvc?NWCWorkstation?Nwsapagent?Rasauto?Rasman?Nsynas32?PEVSystemStart?AYDrvNT_ALYAC?dirms_defragmentation?camdrl?U81xobex?REVO?vpcusb?prepdrvr?dvpapi?{95808DC4-FA4A-4c74-92FE-5B863F82066B}?Remoteaccess?Schedule?Seclogon?SENS?Sharedaccess?SRService?Tapisrv?Themes?TrkWks?W32Time?WZCSVC?Wmi?WmdmPmSp?winmgmt?TermService?wuauserv?BITS?ShellHWDetection?helpsvc?xmlprov?wscsvc?WmdmPmSN?napagent?hkmsvc?

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB5651$\175298907 0 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973 0 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\L 0 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\L\akygdmgo 62976 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U 0 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@80000000 73728 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@800000c0 41984 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@800000cb 24576 bytes
File C:\WINDOWS\$NtUninstallKB5651$\3623956973\U\@800000cf 31232 bytes

---- EOF - GMER 1.0.15 ----

#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:56 AM

Posted 06 February 2012 - 07:14 AM

Your GMER log indicates the presence of the ZeroAccess rootkit, which needs advanced tools.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#8 tonto58

tonto58
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 06 February 2012 - 08:38 AM

Thank you for your help thus far, narenxp. The computer crashed again during the aswMBR scan. I will post once I have results. In the meantime I will continue with your latest instructions.
Do I select the "Fix" toggle after the scan?

aswMBR LOG:


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-06 08:31:01
-----------------------------
08:31:01.468 OS Version: Windows 5.1.2600 Service Pack 3
08:31:01.468 Number of processors: 1 586 0x801
08:31:01.468 ComputerName: DESIGN UserName:
08:31:06.609 Initialize success
08:31:52.562 AVAST engine defs: 12020503
08:31:59.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:31:59.781 Disk 0 Vendor: ST3120022A 3.06 Size: 114473MB BusType: 3
08:31:59.843 Disk 0 MBR read successfully
08:31:59.859 Disk 0 MBR scan
08:32:00.140 Disk 0 Windows XP default MBR code
08:32:00.187 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 16002 MB offset 63
08:32:00.281 Disk 0 Partition - 00 0F Extended LBA 98468 MB offset 32772600
08:32:00.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 23007 MB offset 32772663
08:32:00.359 Disk 0 Partition - 00 05 Extended 75461 MB offset 79891245
08:32:00.453 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 75461 MB offset 79891308
08:32:00.562 Disk 0 scanning sectors +234436545
08:32:00.765 Disk 0 scanning C:\WINDOWS\system32\drivers
08:32:09.531 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-F [Drp]
08:32:40.703 Disk 0 trace - called modules:
08:32:40.718 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf76bdbc0]<<
08:32:40.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4acab8]
08:32:40.718 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a5083b8]
08:32:40.734 \Driver\00001103[0x8a5084e0] -> IRP_MJ_CREATE -> 0xf76bdbc0
08:32:43.484 AVAST engine scan C:\WINDOWS
08:33:00.828 AVAST engine scan C:\WINDOWS\system32
08:41:12.812 File: C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini **INFECTED** Win32:Trojan-gen
08:43:08.937 AVAST engine scan C:\WINDOWS\system32\drivers
08:43:16.125 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Sirefef-F [Drp]
08:43:50.953 AVAST engine scan C:\Documents and Settings\Litho Art
08:46:44.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\All Users\Documents\ToMac\New Folder\MBR.dat"
08:46:44.843 The log file has been saved successfully to "C:\Documents and Settings\All Users\Documents\ToMac\New Folder\aswMBR.txt"

Edited by tonto58, 06 February 2012 - 08:49 AM.


#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:01:56 AM

Posted 06 February 2012 - 08:58 AM

Do not fix anything.

I want you to stop posting logs in this thread.

You have to take the help of experts, as you need advanced tools to remove the rootkit.

Please follow my instructions, read the guide on preparing logs,

create a topic in the virus removal forum, and wait for the experts' advice.

Good luck

Edited by narenxp, 06 February 2012 - 08:58 AM.