Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

No internet connectivity after removing win32/sirefef.b


  • This topic is locked This topic is locked
8 replies to this topic

#1 platypus11

platypus11

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 08 February 2012 - 10:41 AM

Hello, the topic should be pretty self explanitory.
I ran FSS as per another thread, and here is the complete result.
I have noticed tds and afd are not running.

Following this log will be the Systemlook for both files

Can anyone help?

Farbar Service Scanner Version: 08-02-2012
Ran by lthomas (administrator) on 08-02-2012 at 09:35:05
Running from "F:\"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open afd registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open afd registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

ystemlook for tdx.sys

SystemLook 30.07.11 by jpshortstuff
Log created at 09:41 on 08/02/2012 by lthomas
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"
C:\Windows\ERDNT\cache\tdx.sys --a---- 74752 bytes [06:46 08/02/2012] [06:08 08/02/2012] B459575348C20E8121D6039DA063C704
C:\Windows\System32\drivers\tdx.sys --a---- 74752 bytes [14:47 08/02/2012] [06:08 08/02/2012] B459575348C20E8121D6039DA063C704
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [15:49 11/08/2011] [07:19 08/02/2012] (Unable to calculate MD5)

-= EOF =-

System look for afd.sys

SystemLook 30.07.11 by jpshortstuff
Log created at 09:45 on 08/02/2012 by lthomas
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [14:49 08/02/2012] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [19:27 10/08/2011] [02:35 25/04/2011] 0DB7A48388D54D154EBEC120461A0FCD
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [19:27 10/08/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [15:49 11/08/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [19:27 10/08/2011] [06:39 08/02/2012] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys ------- 338944 bytes [19:27 10/08/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

-= EOF =-

BC AdBot (Login to Remove)

 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:48 PM

Posted 08 February 2012 - 11:11 AM

To be on safer side before running registry fixes i would suggest you to

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Download afd.reg

http://www.mediafire.com/?bke30e98jwcsb27

Download tdx.reg

http://www.mediafire.com/?tkh1kri9w847pzm

Launch them,click YES when you get UAC prompt

Restart the PC and post the new FSS log

good luck

Edited by narenxp, 08 February 2012 - 11:11 AM.


#3 platypus11

platypus11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 08 February 2012 - 01:18 PM

I ran ERNDT and AFD, TDX. Restarted.
Internet connectivity returned.
Shortly thereafter, Microsoft FOrefront Security informed me that I needed to restart. This happenened just before I lost connectivity the first time.
This is the FSS document AFTER Microsoft Forefront told me to restart, but BEFORE I restarted. I have not restarted yet.

As well, my DVD drive is no longer recognised, because of a missing registry value.(Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19))
I cannot print on network printers either. Spool Service is online, the document is pending in the task bar, but is never successfully sent.

Farbar Service Scanner Version: 08-02-2012
Ran by lthomas (administrator) on 08-02-2012 at 12:20:19
Running from "C:\Users\lthomas\Downloads"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#4 platypus11

platypus11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 08 February 2012 - 01:34 PM

Repeated the location of AFD, TDX, replaced them in C:\windows\system32\drivers, restarted, internet connectivity has returned.
Hoping that Forefront does not delte them again.

#5 platypus11

platypus11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 08 February 2012 - 02:08 PM

And, again, update.
Microsoft Forefront Security client foud Sirefef.b again, wipred it, and AFD and TDS were gone again.
SO, I can only assume my files are all infected on this computer, or the virus is still hidden.

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:48 PM

Posted 08 February 2012 - 03:25 PM

It looks like you're infected

Download

TDSSkiller

Launch it.Click on change parameters-Select TDLFS file system

Click on "Scan".Please post the LOG report


Please download GMER from here(doesnot work on 64 bit OS)

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.After scan finishes,click on Save log

Post the log results here

#7 platypus11

platypus11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 08 February 2012 - 10:11 PM

Ran TDSSKILL.
TDSSKILL resulted in the following:
Infected: Cdrom (Virus.Win32.ZAccess.c)
Copied to quarantine: C:\windows\system32\drivers\cdrom.sys
Will be cured after reboot : C:\windows\system32\drivers\cdrom.sys

Ran GMER. No warnings prior to the scan.
Ran Avast.

GMER log is as follows, Avast log afterwards:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-08 19:52:16
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HITACHI_HTS545016B9A300 rev.PBBZC61H
Running: mnn5sh3i.exe; Driver: C:\Users\lthomas\AppData\Local\Temp\kxrdrkod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 8305D369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83096D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Windows\system32\DRIVERS\cdrom.sys Access is denied.
? system32\drivers\99757477.sys The system cannot find the path specified. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AEE99000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AEE99123 629 Bytes JMP E2EF8FD6
PAGE spsys.sys!?SPRevision@@3PADA + 5329 AEE99399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F AEE993FF 51 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 53C3 AEE99433 96 Bytes [E8, AE, 85, C9, 7C, 18, 8D, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[1932] ntdll.dll!LdrLoadDll 773A223E 5 Bytes JMP 002A1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 458D74EC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 15FF50F8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [00B0F014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 01FC7531
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 458DF875
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 15FF508C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] [00B0F004] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 458D086A
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 458D50F8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 15FF508C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] [00B0F000] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 508C458D
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] F00815FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 458B00B0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] E84533E4
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 33EC4533
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] C3C9F045
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 8BEC8B55
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] EC833040
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 57565314
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] D98B388B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] EB04708D
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 46B70F20
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 30448D1A
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] F0F0681C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 4F5000B0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 00DCAFE8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 85595900
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 811374C0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 00011CC6
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [75FF8500] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 5FC033DC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] C2C95B5E
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 468B0008
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] F4458908
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] 8B0C468B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 45890473
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [74F685F0] C:\Windows\system32\kerberos.DLL (Kerberos Security Package/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] D8BB8D77
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 57000000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] B1015068
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 8D426A00
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 4E50FC45
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] F0E015FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] C08500B0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 458D537C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 046A50EC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 50F8458D
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] [75FF096A] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] DC15FFFC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 8500B0F0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B317CC0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 452BF845
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] F0453BF4
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 006A2673
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] FFFC75FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] B0F0D415
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 7CC08500
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 0C4D8B17
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 1F8B018B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 8908558B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 5F8BC21C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] C25C8904
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 01894004
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FFFC75FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] B0F0D815
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 40C78300
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 8F75F685
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] E940C033
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] FFFFFF67
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 51EC8B55
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 0173A051
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 565300B1
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C0BE0F57
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 7D89FF33
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] DC2AE8F8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] DC8B0000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 45C7F633
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 001000FC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] FC458B00
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 0F73F83B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 11E8C72B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 8B0000DC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 2BC38BF4
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 8DF88BC6
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 5750FC45
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] FF056A56
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] B0F0D015
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 00043D00
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] D574C000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 047DC085
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] 60EBC033
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] F003C033
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 468D016A
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] 18685038
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] FF00B0F1
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] B0F0CC15
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] [75C08400] C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 85068B08
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EBE375C0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 68006A3C
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 00040000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] F07415FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] F88B00B0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 2974FF85
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FF016A57
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] 15FF4476
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [00B0F020] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 127CC085
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 8B0C75FF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 0875FFCE
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 81E8C78B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 89FFFFFE
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF57F845
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] B0F02415
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] F8458B00
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 5FEC658D
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] C2C95B5E
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 8B550008
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 3CEC81EC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 56000002
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] E856F08B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] 0000DB36
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 00803D59
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 870F0000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 000000AC
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 0F2E3E80
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 0000A384
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 858D5600
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] B0F12068
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 15FF5000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] [00B0F02C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FDC8858D
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 2E6AFFFF
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] DB06E850
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] C4830000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] [74C08514] C:\Windows\system32\bcryptprimitives.dll (Windows Cryptographic Primitives Library/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 66C9337B
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] C0830889
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] F1906802
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] E85000B0
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 0000DAF2
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] C0855959
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 858D6275
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] CC758D50
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] 000DFFE8
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 19685000
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] 8D000200
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] FF50FC45
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] B0F03815
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 7CC08500
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] EC458D3F
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 50106A50
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 2868026A
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] FF00B0F2
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] F633FC75

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\27978731 \Device\KLMD16012012_207010 99757477.sys
Device \Driver\00001966 \GLOBAL??\4b584d4e cdrom.sys

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB1558$\1264078158 0 bytes
File C:\Windows\$NtUninstallKB1558$\1264078158\L 0 bytes
File C:\Windows\$NtUninstallKB1558$\1264078158\U 0 bytes
File C:\Windows\$NtUninstallKB1558$\1271795031 0 bytes

---- EOF - GMER 1.0.15 ----




AVAST log:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-08 19:53:29
-----------------------------
19:53:29.923 OS Version: Windows 6.1.7601 Service Pack 1
19:53:29.923 Number of processors: 2 586 0x170A
19:53:29.925 ComputerName: MCSLR89R290 UserName: lthomas
19:53:31.501 Initialize success
19:54:59.097 AVAST engine defs: 12020801
19:56:38.432 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:56:38.434 Disk 0 Vendor: HITACHI_HTS545016B9A300 PBBZC61H Size: 152627MB BusType: 11
19:56:38.909 Disk 0 MBR read successfully
19:56:38.912 Disk 0 MBR scan
19:56:38.918 Disk 0 Windows VISTA default MBR code
19:56:38.997 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 2048
19:56:39.445 Disk 0 scanning sectors +312579760
19:56:40.026 Disk 0 scanning C:\Windows\system32\drivers
19:58:13.374 Service scanning
19:58:14.032 Service .afd \? **LOCKED** 123
19:58:14.037 Service .cdrom \? **LOCKED** 123
19:58:14.042 Service .dfsc \? **LOCKED** 123
19:58:14.048 Service .tdx \? **LOCKED** 123
19:58:14.755 Modules scanning
20:00:52.167 Disk 0 trace - called modules:
20:00:52.247 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys dxgkrnl.sys igdkmd32.sys dxgmms1.sys
20:00:52.252 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86520948]
20:00:52.258 3 CLASSPNP.SYS[8b1c259e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8643e908]
20:00:53.516 AVAST engine scan C:\Windows
20:02:30.015 AVAST engine scan C:\Windows\system32
20:21:20.246 AVAST engine scan C:\Windows\system32\drivers
20:23:17.938 AVAST engine scan C:\Users\lthomas
20:46:12.895 AVAST engine scan C:\ProgramData
21:16:24.576 Scan finished successfully
21:17:37.008 Disk 0 MBR has been saved successfully to "C:\Users\lthomas\Desktop\MBR.dat"
21:17:37.015 The log file has been saved successfully to "C:\Users\lthomas\Desktop\aswMBR.txt"

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:48 PM

Posted 08 February 2012 - 11:11 PM

Still there seems to be traces of zero access rootkit on your PC,we need some advanced tools to make sure that PC is clean

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#9 hamluis

hamluis

    Moderator


  • Moderator
  • 55,388 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:48 PM

Posted 09 February 2012 - 09:25 AM

Reference: http://www.bleepingcomputer.com/forums/topic441950.html

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users