
The aftermath of Trojan.Maljava & Trojan.Gen



#1 LMoseley


Posted 09 February 2012 - 12:51 AM

I am trying to help a friend’s wife recover from an infestation.

The computer is an older Dell running WinXP Prof SP3 with all Windows Updates installed. Everything was running fine until she opened an attachment on a spoofed e-mail from her “mom.” The immediate symptoms: VERY slow to boot up and shut down (up to 5 minutes each way). Programs work OK. Browser works. Clicking links, including Google links, randomly went to the intended site OR redirected to abnow.com or mediashifting.com. System Restore appeared to work: the SR program ran, allowed picking a restore date, and rebooted, then showed a failure message. Trying different dates didn’t change the outcome. AUTORUNS shows no obvious problems. HOSTS file contents are normal (set by Spybot S&D, lots of 128.0.0.1 entries).

The machine was on my bench today at noon, and Norton AV ran at its scheduled time. It reported deleting Trojan.Maljava, Trojan.Gen and Suspicious.Mystic. After a (SLOW) reboot, Norton’s AutoProtect started showing multiple deletions of Trojan.Gen.2 and Trojan.Zeroaccess, sometimes one at a time and sometimes in batches, one right after another.

Current situation: The computer boots normally to a normal desktop, but is still very slow to boot and shut down. Programs run as expected. Internet Explorer runs, but cannot connect to the internet. The computer cannot see, or be seen by, other computers on the home local network. On bootup, Norton AV complains that TCP/IP is not working. Using “netsh int ip reset” had no effect. Results of Microsoft diagnostics:

[image: Microsoft diagnostics results]

I am not sure where to go from here. I could restore an image, but I am concerned about rootkits, etc. The USB does work, so I can copy programs and save results via thumb drive.

Any help would be appreciated...

Edited by LMoseley, 09 February 2012 - 01:19 AM.



#2 narenxp


Posted 09 February 2012 - 12:57 AM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

#3 LMoseley


Posted 09 February 2012 - 03:35 PM

Thanks, narenxp. I was able to run fresh downloads of the programs from a USB thumb drive and save the logs back to the thumb drive.

Presumably because of the network problems, aswMBR was not able to update its defs, but it was a fresh download of the program.


TDSS LOG

13:12:22.0234 1952 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
13:12:22.0250 1952 ============================================================
13:12:22.0250 1952 Current date / time: 2012/02/09 13:12:22.0250
13:12:22.0250 1952 SystemInfo:
13:12:22.0250 1952
13:12:22.0250 1952 OS Version: 5.1.2600 ServicePack: 3.0
13:12:22.0250 1952 Product type: Workstation
13:12:22.0250 1952 ComputerName: OPTIPLEX-745
13:12:22.0265 1952 UserName: Denise
13:12:22.0265 1952 Windows directory: C:\WINDOWS
13:12:22.0265 1952 System windows directory: C:\WINDOWS
13:12:22.0265 1952 Processor architecture: Intel x86
13:12:22.0265 1952 Number of processors: 2
13:12:22.0265 1952 Page size: 0x1000
13:12:22.0265 1952 Boot type: Normal boot
13:12:22.0265 1952 ============================================================
13:12:23.0781 1952 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:12:23.0781 1952 Drive \Device\Harddisk1\DR3 - Size: 0x1DCC00000 (7.45 Gb), SectorSize: 0x200, Cylinders: 0x3CC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
13:12:23.0781 1952 \Device\Harddisk0\DR0:
13:12:23.0781 1952 MBR used
13:12:23.0781 1952 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x30D7B35
13:12:23.0781 1952 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x30D7B74, BlocksNum 0x642AD0A
13:12:23.0781 1952 \Device\Harddisk1\DR3:
13:12:23.0781 1952 MBR used
13:12:23.0781 1952 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0xEE4080
13:12:23.0828 1952 Initialize success
13:12:23.0828 1952 ============================================================
13:12:29.0687 1164 ============================================================
13:12:29.0687 1164 Scan started
13:12:29.0687 1164 Mode: Manual; TDLFS;
13:12:29.0687 1164 ============================================================
13:12:29.0812 1164 .afd - ok
13:12:29.0812 1164 .cdrom - ok
13:12:29.0812 1164 .ipsec - ok
13:12:29.0828 1164 .mrxsmb - ok
13:12:29.0828 1164 .netbt - ok
13:12:29.0843 1164 .redbook - ok
13:12:29.0843 1164 .serial - ok
13:12:41.0093 1164 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:12:41.0312 1164 \Device\Harddisk0\DR0 - ok
13:12:41.0328 1164 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
13:12:44.0359 1164 \Device\Harddisk1\DR3 - ok
13:12:44.0359 1164 Boot (0x1200) (80ac0861e1f717d4ed33e82d806c5d07) \Device\Harddisk0\DR0\Partition0
13:12:44.0359 1164 \Device\Harddisk0\DR0\Partition0 - ok
13:12:44.0375 1164 Boot (0x1200) (6def4c3a40a31aaaea192b99dde32f8a) \Device\Harddisk0\DR0\Partition1
13:12:44.0390 1164 \Device\Harddisk0\DR0\Partition1 - ok
13:12:44.0390 1164 Boot (0x1200) (e91d0d7ee801418c352bfbfca9616290) \Device\Harddisk1\DR3\Partition0
13:12:44.0390 1164 \Device\Harddisk1\DR3\Partition0 - ok
13:12:44.0390 1164 ============================================================
13:12:44.0390 1164 Scan finished
13:12:44.0390 1164 ============================================================
13:12:44.0390 3888 Detected object count: 0
13:12:44.0390 3888 Actual detected object count: 0
13:12:48.0250 2288 Deinitialize success


===========================================

GMER LOG

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-09 15:20:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: 42ob93uj.exe; Driver: C:\DOCUME~1\Denise\LOCALS~1\Temp\kxddaaod.sys


---- System - GMER 1.0.15 ----

SSDT 86393BB0 ZwAlertResumeThread
SSDT 86393ED8 ZwAlertThread
SSDT 8647B3E0 ZwAllocateVirtualMemory
SSDT 864A5E70 ZwConnectPort
SSDT 86390DD8 ZwCreateMutant
SSDT 86555DE0 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9D4B690]
SSDT 864A9008 ZwFreeVirtualMemory
SSDT 863925A0 ZwImpersonateAnonymousToken
SSDT 86392898 ZwImpersonateThread
SSDT 864AABC8 ZwMapViewOfSection
SSDT 8638A688 ZwOpenEvent
SSDT 863891C0 ZwOpenProcessToken
SSDT 865848B0 ZwOpenThreadToken
SSDT 8639A558 ZwQueryValueKey
SSDT 863991D0 ZwResumeThread
SSDT 863865B0 ZwSetContextThread
SSDT 8640FCB0 ZwSetInformationProcess
SSDT 86385848 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9D4B8E0]
SSDT 86396A90 ZwSuspendProcess
SSDT 86395868 ZwSuspendThread
SSDT 863984A0 ZwTerminateProcess
SSDT 86395C88 ZwTerminateThread
SSDT 865774F0 ZwUnmapViewOfSection
SSDT 865E2DE0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA9E0BA00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB1096$\1870369996 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\L 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\U 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\2917684444 0 bytes

---- EOF - GMER 1.0.15 ----


===========================================

aswMBR LOG

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-09 15:20:58
-----------------------------
15:20:58.843 OS Version: Windows 5.1.2600 Service Pack 3
15:20:58.843 Number of processors: 2 586 0xF02
15:20:58.843 ComputerName: OPTIPLEX-745 UserName: Denise
15:21:00.484 Initialize success
15:21:27.093 AVAST engine download error: 0
15:21:51.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:21:51.656 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
15:21:51.703 Disk 0 MBR read successfully
15:21:51.703 Disk 0 MBR scan
15:21:51.703 Disk 0 Windows XP default MBR code
15:21:51.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 25007 MB offset 63
15:21:51.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 51285 MB offset 51215220
15:21:51.734 Disk 0 scanning sectors +156248190
15:21:51.828 Disk 0 scanning C:\WINDOWS\system32\drivers
15:22:12.968 Service scanning
15:22:13.625 Service .afd \? **LOCKED** 123
15:22:13.625 Service .cdrom \? **LOCKED** 123
15:22:13.625 Service .ipsec \? **LOCKED** 123
15:22:13.625 Service .mrxsmb \? **LOCKED** 123
15:22:13.625 Service .netbt \? **LOCKED** 123
15:22:13.625 Service .redbook \? **LOCKED** 123
15:22:13.640 Service .serial \? **LOCKED** 123
15:22:14.312 Modules scanning
15:22:48.671 Disk 0 trace - called modules:
15:22:48.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:22:48.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8652cab8]
15:22:48.718 3 CLASSPNP.SYS[f7632fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86530d98]
15:22:48.718 Scan finished successfully
15:26:24.171 Disk 0 MBR has been saved successfully to "F:\Trojan tools\Logs\MBR.dat"
15:26:24.187 The log file has been saved successfully to "F:\Trojan tools\Logs\aswMBR.txt"


Thanks again for your help.

#4 narenxp


Posted 09 February 2012 - 04:28 PM

Your PC is infected with the ZeroAccess rootkit; we need some advanced tools to remove it.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
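Added example, not code from this thread or from TDSSKiller, GMER or aswMBR: a Python triage script that applies narenxp's reading of the post #3 logs to constructed excerpts of them, flagging the hidden zero-byte entries under the fake $NtUninstallKB1096$ folder in the GMER output, the **LOCKED** dot-prefixed services in the aswMBR output, and the matching dot-prefixed entries in the TDSSKiller output. The matching rules and the `zeroaccess_suspected` verdict are this example's own heuristics, not any scanner's logic.

```python
"""Triage of the three rootkit-scanner logs posted in this thread.

Added example: the rules below are this script's own heuristics that
mirror the reading given in post #4, not the logic of any scanner.
"""
import re

# Constructed excerpt of the GMER "Files" section from post #3.
GMER_LOG = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB1096$\1870369996 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\L 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\U 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\2917684444 0 bytes

---- EOF - GMER 1.0.15 ----
"""

# Constructed excerpt of the aswMBR service scan from post #3.
ASWMBR_LOG = r"""
15:22:12.968 Service scanning
15:22:13.625 Service .afd \? **LOCKED** 123
15:22:13.625 Service .cdrom \? **LOCKED** 123
15:22:13.625 Service .ipsec \? **LOCKED** 123
15:22:14.312 Modules scanning
"""

# Constructed excerpt of the TDSSKiller driver enumeration from post #3.
TDSS_LOG = r"""
13:12:29.0812 1164 .afd - ok
13:12:29.0812 1164 .cdrom - ok
13:12:29.0812 1164 .ipsec - ok
13:12:30.0062 1164 Abiosdsk - ok
13:12:30.0125 1164 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:12:30.0125 1164 ACPI - ok
"""

GMER_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")
# A path component shaped like a Windows hotfix uninstall folder.
KB_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)
ASWMBR_LOCKED_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+Service\s+(?P<name>\S+)\s+.*\*\*LOCKED\*\*"
)
TDSS_ENTRY_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>\S+)\s+-\s+ok$")


def gmer_hidden_kb_files(text):
    """Zero-byte entries under a $NtUninstallKB...$ folder in GMER's Files
    section. GMER lists a file there when its raw scan sees it but the
    Win32 API does not; a genuine hotfix folder holds spuninst files,
    not hidden zero-byte objects under a numeric subfolder."""
    hits = []
    for line in text.splitlines():
        m = GMER_FILE_RE.match(line.strip())
        if m and m.group("size") == "0" and KB_DIR_RE.search(m.group("path")):
            hits.append(m.group("path"))
    return hits


def aswmbr_locked_services(text):
    """Service names aswMBR reported as **LOCKED** (it could not open them)."""
    names = []
    for line in text.splitlines():
        m = ASWMBR_LOCKED_RE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def tdss_dotted_services(text):
    """TDSSKiller service entries whose name starts with a dot. Normal
    drivers appear under their service name (ACPI, atapi); the dotted
    names are the same ones aswMBR reports as locked."""
    names = []
    for line in text.splitlines():
        m = TDSS_ENTRY_RE.match(line.strip())
        if m and m.group("name").startswith("."):
            names.append(m.group("name"))
    return names


def triage(gmer_text, aswmbr_text, tdss_text):
    """Combine the three signals. The verdict follows narenxp's call in
    post #4: hidden fake-hotfix files plus locked dotted services."""
    hidden = gmer_hidden_kb_files(gmer_text)
    locked = aswmbr_locked_services(aswmbr_text)
    dotted = tdss_dotted_services(tdss_text)
    return {
        "hidden_kb_files": hidden,
        "locked_services": locked,
        "dotted_services": dotted,
        # Dotted services seen by both tools corroborate each other.
        "corroborated_services": sorted(set(locked) & set(dotted)),
        "zeroaccess_suspected": bool(hidden) and bool(locked),
    }


if __name__ == "__main__":
    for key, value in triage(GMER_LOG, ASWMBR_LOG, TDSS_LOG).items():
        print(f"{key}: {value}")
```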



