
Wistler Rootkit in MBR


28 replies to this topic

#1 Night Train
  • Members
  • 79 posts

Posted 10 February 2012 - 01:46 AM

I will begin this topic with an explanation of what has occurred prior to this post:

Background:

OS: Windows XP SP3
Primary HDD: WD 320GB IDE partitioned into two separate partitions, one containing my OS.
Slave HDD: WD 500GB IDE
External HDD: LACIE 1TB USB

The original thread can be found here:
http://www.bleepingcomputer.com/forums/topic441137.html

On February 2nd I was greeted by the following Blue Screen:
[Image: Blue Screen screenshot]

After restarting several times I realized that this BSOD occurred every time I booted the computer after/during the Windows XP boot logo. It was only after using Hiren's Boot CD that I was able to force the system to boot past this BSOD (more information on this can be found in the original thread). After attempting several things on my own I decided to post in the "Windows XP Home and Professional" forum. After a few days and a large amount of troubleshooting, forum member AustrAlien helped me discover that my system was infected with a rootkit. This was discovered using "TDSSKiller". "TDSSKiller" was able to cure/clean all 3 infections found, and what is left of them resides in a quarantined folder located on the root of my C drive. Afterwards I was directed here for further assistance. Here is the log created by "TDSSKiller":

23:15:05.0500 2792	TDSS rootkit removing tool 2.7.11.0 Feb  9 2012 10:12:57
23:15:05.0734 2792	============================================================
23:15:05.0734 2792	Current date / time: 2012/02/09 23:15:05.0734
23:15:05.0734 2792	SystemInfo:
23:15:05.0734 2792	
23:15:05.0734 2792	OS Version: 5.1.2600 ServicePack: 3.0
23:15:05.0734 2792	Product type: Workstation
23:15:05.0734 2792	ComputerName: STEPHEN
23:15:05.0734 2792	UserName: Steve
23:15:05.0734 2792	Windows directory: C:\WINDOWS
23:15:05.0734 2792	System windows directory: C:\WINDOWS
23:15:05.0734 2792	Processor architecture: Intel x86
23:15:05.0734 2792	Number of processors: 4
23:15:05.0734 2792	Page size: 0x1000
23:15:05.0734 2792	Boot type: Normal boot
23:15:05.0734 2792	============================================================
23:15:07.0156 2792	Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x1D56D, SectorsPerTrack: 0x33, TracksPerCylinder: 0x66, Type 'K0', Flags 0x00000054
23:15:07.0156 2792	Drive \Device\Harddisk1\DR1 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
23:15:07.0156 2792	Drive \Device\Harddisk2\DR5 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
23:15:07.0171 2792	\Device\Harddisk0\DR0:
23:15:07.0171 2792	MBR used
23:15:07.0171 2792	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x33, BlocksNum 0x66DB4D7
23:15:07.0187 2792	\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x66DB53D, BlocksNum 0x1ED5175B
23:15:07.0187 2792	\Device\Harddisk1\DR1:
23:15:07.0187 2792	MBR used
23:15:07.0187 2792	\Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
23:15:07.0187 2792	\Device\Harddisk2\DR5:
23:15:07.0187 2792	MBR used
23:15:07.0187 2792	\Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
23:15:07.0281 2792	Initialize success
23:15:07.0281 2792	============================================================
23:15:10.0046 1100	============================================================
23:15:10.0046 1100	Scan started
23:15:10.0046 1100	Mode: Manual; 
23:15:10.0046 1100	============================================================
23:15:18.0187 1100	MBR (0x1B8)     (87d88fa4d3efd4431866ea91949644bf) \Device\Harddisk0\DR0
23:15:18.0218 1100	\Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected
23:15:18.0218 1100	\Device\Harddisk0\DR0 - detected Rootkit.Boot.Wistler.a (0)
23:15:18.0218 1100	MBR (0x1B8)     (87d88fa4d3efd4431866ea91949644bf) \Device\Harddisk1\DR1
23:15:18.0218 1100	\Device\Harddisk1\DR1 ( Rootkit.Boot.Wistler.a ) - infected
23:15:18.0218 1100	\Device\Harddisk1\DR1 - detected Rootkit.Boot.Wistler.a (0)
23:15:18.0218 1100	MBR (0x1B8)     (87d88fa4d3efd4431866ea91949644bf) \Device\Harddisk2\DR5
23:15:18.0218 1100	\Device\Harddisk2\DR5 ( Rootkit.Boot.Wistler.a ) - infected
23:15:18.0218 1100	\Device\Harddisk2\DR5 - detected Rootkit.Boot.Wistler.a (0)
23:15:18.0218 1100	Boot (0x1200)   (9032d41fb55d1749fd6ad28910ea6d74) \Device\Harddisk0\DR0\Partition0
23:15:18.0218 1100	\Device\Harddisk0\DR0\Partition0 - ok
23:15:18.0250 1100	Boot (0x1200)   (5207d7ce3be75bec36c428fb5db3d9f2) \Device\Harddisk0\DR0\Partition1
23:15:18.0250 1100	\Device\Harddisk0\DR0\Partition1 - ok
23:15:18.0250 1100	Boot (0x1200)   (7ef1c3a9028a014b935692d91b753ea2) \Device\Harddisk1\DR1\Partition0
23:15:18.0250 1100	\Device\Harddisk1\DR1\Partition0 - ok
23:15:18.0250 1100	Boot (0x1200)   (63d3e70219078018fb6f773defd8d213) \Device\Harddisk2\DR5\Partition0
23:15:18.0250 1100	\Device\Harddisk2\DR5\Partition0 - ok
23:15:18.0250 1100	============================================================
23:15:18.0250 1100	Scan finished
23:15:18.0250 1100	============================================================
23:15:18.0250 2720	Detected object count: 3
23:15:18.0250 2720	Actual detected object count: 3
23:23:39.0062 2720	\Device\Harddisk0\DR0\# - copied to quarantine
23:23:39.0062 2720	\Device\Harddisk0\DR0 - copied to quarantine
23:23:39.0109 2720	\Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - will be cured on reboot
23:23:39.0109 2720	\Device\Harddisk0\DR0 - ok
23:23:39.0109 2720	\Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - User select action: Cure 
23:23:39.0234 2720	\Device\Harddisk1\DR1\# - copied to quarantine
23:23:39.0234 2720	\Device\Harddisk1\DR1 - copied to quarantine
23:23:39.0234 2720	\Device\Harddisk1\DR1 - processing error
23:23:47.0031 2720	\Device\Harddisk1\DR1 - will be restored on reboot
23:23:47.0031 2720	\Device\Harddisk1\DR1 ( Rootkit.Boot.Wistler.a ) - User select action: Cure Restore 
23:23:47.0093 2720	\Device\Harddisk2\DR5\# - copied to quarantine
23:23:47.0093 2720	\Device\Harddisk2\DR5 - copied to quarantine
23:23:47.0109 2720	\Device\Harddisk2\DR5 - processing error
23:23:47.0875 2720	\Device\Harddisk2\DR5 - restored
23:23:47.0875 2720	\Device\Harddisk2\DR5 ( Rootkit.Boot.Wistler.a ) - User select action: Cure Restore 
23:24:01.0062 3820	Deinitialize success

Here is my DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_26
Run by Steve at 0:12:28 on 2012-02-10
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3071.2154 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Icon Remover\IconRemover.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
D:\Desktop\Modding\Computer\RealTemp\RealTemp.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = local;*.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Icon Remover] d:\program files\icon remover\IconRemover.exe /hideapp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRun: [egui] "d:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\realtemp.lnk - d:\desktop\modding\computer\realtemp\RealTemp.exe
IE: &Download All with FlashGet - c:\documents and settings\default user\local settings\temp\flgpxtryd\jc_all.htm
IE: &Download with FlashGet - c:\documents and settings\default user\local settings\temp\flgpxtryd\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4B6F0B76-253B-4DF1-9EEF-CCD7518A8EDB} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{61BF5AB2-07B0-4777-B4EE-0C77847B5252} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: Antiwpa - antiwpa.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - d:\program files\stardock\object desktop\iconpackager\iprepair.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\steve\application data\mozilla\firefox\profiles\k9jqcvnx.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com.my/search?q=
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\k9jqcvnx.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2011-8-4 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2011-8-4 103112]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2009-2-26 7936]
R2 ekrn;ESET Service;d:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-9-22 974944]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-12-25 11136]
R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2009-2-26 23680]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2010-12-25 16128]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-12-25 5760]
R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\desktop\modding\computer\realtemp\WinRing0.sys [2012-2-8 14416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-6 1684736]
S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2010-12-25 38528]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-3-18 28672]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\msi\live update 5\msibios32_100507.sys --> c:\program files\msi\live update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\msi\live update 5\ntiolib.sys --> c:\program files\msi\live update 5\NTIOLib.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-10 04:23:38	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-01-22 06:01:28	--------	d-----w-	c:\program files\iPod
2012-01-22 05:57:39	--------	d-----w-	c:\documents and settings\steve\local settings\application data\libimobiledevice
2012-01-19 19:05:36	--------	d-----w-	c:\documents and settings\steve\application data\redsn0w
.
==================== Find3M  ====================
.
2012-01-30 18:15:31	285224	------w-	c:\windows\system32\nvdrsdb1.bin
2012-01-30 18:15:31	285224	------w-	c:\windows\system32\nvdrsdb0.bin
2012-01-30 18:15:31	1	------w-	c:\windows\system32\nvdrssel.bin
2011-11-28 20:39:48	414368	------w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19	293376	------w-	c:\windows\system32\winsrv.dll
2011-11-23 13:25:32	1859584	------w-	c:\windows\system32\win32k.sys
2011-11-18 12:35:08	60416	------w-	c:\windows\system32\packager.exe
2011-11-16 14:21:44	354816	------w-	c:\windows\system32\winhttp.dll
2011-11-16 14:21:44	152064	------w-	c:\windows\system32\schannel.dll
.
============= FINISH:  0:13:10.71 ===============

Here is my GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-10 01:38:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD3200JB-00KFA0 rev.08.05J08
Running: 57of811r.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\fwldypow.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwAssignProcessToJobObject [0xB23B94B0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwCreateThread [0xB23B97F0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwDebugActiveProcess [0xB23B9AB0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwDuplicateObject [0xB23B95D0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwLoadDriver [0xB23B98B0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwOpenProcess [0xB23B9350]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwOpenThread [0xB23B9410]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwProtectVirtualMemory [0xB23B9570]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwQueueApcThread [0xB23B9630]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSetContextThread [0xB23B9530]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSetInformationThread [0xB23B94F0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSetSecurityObject [0xB23B9670]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSetSystemInformation [0xB23B9870]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSuspendProcess [0xB23B93B0]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSuspendThread [0xB23B9430]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwSystemDebugControl [0xB23B9830]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwTerminateProcess [0xB23B9370]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwTerminateThread [0xB23B9470]
SSDT            \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                                                                                                                                               ZwWriteVirtualMemory [0xB23B95F0]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwYieldExecution + 46A                                                                                                                                                                                            804E4CC4 12 Bytes  [B0, 93, 3B, B2, 30, 94, 3B, ...]
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                                                                                                       section is writeable [0xB7069380, 0x8D6CD5, 0xE8000020]
?               C:\DOCUME~1\Steve\LOCALS~1\Temp\mbr.sys                                                                                                                                                                                        The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           D:\Program Files\Mozilla Firefox\plugin-container.exe[172] USER32.dll!SetWindowLongA                                                                                                                                           7E42C29D 5 Bytes  JMP 106B66DC D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           D:\Program Files\Mozilla Firefox\plugin-container.exe[172] USER32.dll!SetWindowLongW                                                                                                                                           7E42C2BB 5 Bytes  JMP 106B666E D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           D:\Program Files\Mozilla Firefox\plugin-container.exe[172] USER32.dll!GetWindowInfo                                                                                                                                            7E42C49C 5 Bytes  JMP 1044A4E7 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           D:\Program Files\Mozilla Firefox\plugin-container.exe[172] USER32.dll!TrackPopupMenu                                                                                                                                           7E46531E 5 Bytes  JMP 1044AABD D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[720] kernel32.dll!SetUnhandledExceptionFilter                                                                                                                              7C84495D 4 Bytes  [C2, 04, 00, 00]
.text           D:\Program Files\Mozilla Firefox\firefox.exe[3288] ntdll.dll!LdrLoadDll                                                                                                                                                        7C91632D 5 Bytes  JMP 01321B30 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                                                                         eamon.sys (Amon monitor/ESET)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                                                                                      epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                                                                                       eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C54EE86C-5789-84AF-1056-656CD9DEDFB4}                                                                                                                
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C54EE86C-5789-84AF-1056-656CD9DEDFB4}@nafmkheclkmlcjpgnefoghccdkim                                                                                   0x6A 0x61 0x62 0x6C ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C54EE86C-5789-84AF-1056-656CD9DEDFB4}@mapleodddlpkajbiehfcmebhin                                                                                     0x6A 0x61 0x62 0x6C ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E7AA155F-9061-8241-F922-1DA0EB91BF7E}                                                                                                                
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E7AA155F-9061-8241-F922-1DA0EB91BF7E}@abcikhkihjbgeciecifphnfdpphmekkpke                                                                             0x61 0x61 0x00 0x00 
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E7AA155F-9061-8241-F922-1DA0EB91BF7E}@bbcikhkihjbgeciecicaohopjmpfnhllbaeb                                                                           0x61 0x61 0x00 0x00 

---- Files - GMER 1.0.15 ----

File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.0.0.\Alcohol Soft Development Team.manifest         588 bytes
File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.0.0.\Alcohol Soft Development Team@1.0.0..manifest  588 bytes
File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.9.7.\Alcohol Soft Development Team.manifest         588 bytes
File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.9.7.\Alcohol Soft Development Team@1.9.7..manifest  588 bytes
File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.9.9.\Alcohol Soft Development Team.manifest         588 bytes
File            C:\Documents and Settings\Steve\Local Settings\Application Data\Xenocode\Sandbox\LdR_Alcohol_r.exe\2.0.1.2033\2010.09.18T21.28\Virtual\SXS\Alcohol Soft Development Team@1.9.9.\Alcohol Soft Development Team@1.9.9..manifest  588 bytes

---- EOF - GMER 1.0.15 ----

Also from the previous thread:

From the MbrScan report:

SystemStartOptions : FASTDETECT TUTAG=KZBZSL LASTBOOTSTATUS=2

The highlighted entry above is from your boot.ini file, and it is altered from "normal" (i.e. modified), presumably by the installation of TuneUp Utilities at some time in the past. Do you still have TuneUp Utilities installed on the system?

Ahhh I see, at one point or another I did have that program, and I use that term lightly, installed. I no longer do.

Put this on your list of "things to be attended to" ... and hopefully your helper in the malware removal forum will take care of that for you too.

I would like to thank everyone in advance for the help I may receive; it is appreciated.

Edited by Night Train, 10 February 2012 - 02:00 AM.
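A check a practitioner would want to run against the TDSSKiller result above, written here as an added Python example that is not part of the original post and not TDSSKiller's own code: read sector 0 of each disk, hash the bootstrap code separately from the partition table, and compare it with the hash the scanner reported. Assumptions: the "MBR (0x1B8)" label in the log is read as the scanner hashing the first 0x1B8 bytes (the bootstrap code, ahead of the 4-byte disk signature at offset 0x1B8); the MD5 87d88fa4d3efd4431866ea91949644bf is taken from the log above as the known-bad value; the three disk images, the stand-in bootstrap code and the known-good set are constructed for the example. Identical bootstrap code on every disk is normal for disks Windows initialised itself, so the script groups disks by code hash only as context; the verdict comes from the hash comparison and the structural checks.

```python
"""Hash and sanity-check MBR bootstrap code across disks.

Added example for this thread, not TDSSKiller's code. Assumption: the
"MBR (0x1B8)" label in the log means the first 0x1B8 bytes (the bootstrap
code, ahead of the 4-byte disk signature at 0x1B8) are what gets hashed.
"""
import hashlib
import struct
from typing import Dict, FrozenSet, List

MBR_SIZE = 512
CODE_LEN = 0x1B8      # bootstrap code region that is hashed (assumption, see above)
PTABLE_OFF = 0x1BE    # four 16-byte partition entries
SIG_OFF = 0x1FE       # 0x55 0xAA boot signature

# MD5 TDSSKiller reported for the code region of all three disks in this thread.
KNOWN_BAD = {"87d88fa4d3efd4431866ea91949644bf": "Rootkit.Boot.Wistler.a"}
# Error strings carried by the stock Windows MBR; a replaced bootstrap usually lacks them.
STOCK_STRINGS = (b"Invalid partition table", b"Missing operating system")


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device such as \\.\PhysicalDrive0 (admin rights needed)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def code_md5(mbr: bytes) -> str:
    """Hash only the bootstrap code, so partition-table differences do not matter."""
    return hashlib.md5(mbr[:CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four MBR partition entries (status, type, LBA start, sector count)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PTABLE_OFF + 16 * i)
        if ptype:
            parts.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts


def assess(mbr: bytes, known_good: FrozenSet[str] = frozenset()) -> dict:
    """Structural checks plus hash comparison for one MBR image."""
    h = code_md5(mbr)
    findings = []
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if h in KNOWN_BAD:
        findings.append("code region matches " + KNOWN_BAD[h])
    elif known_good and h not in known_good:
        findings.append("code region not in known-good set")
    if not any(s in mbr[:CODE_LEN] for s in STOCK_STRINGS):
        findings.append("stock Windows MBR error strings absent")
    return {"md5": h, "partitions": parse_partitions(mbr), "findings": findings}


def compare_disks(disks: Dict[str, bytes], known_good: FrozenSet[str] = frozenset()) -> dict:
    """Assess every disk and group disks that share bootstrap code.

    Windows writes the same bootstrap to every disk it initialises, so a shared
    hash is context, not a verdict; the verdict comes from assess().
    """
    report = {name: assess(mbr, known_good) for name, mbr in disks.items()}
    groups: Dict[str, List[str]] = {}
    for name, r in report.items():
        groups.setdefault(r["md5"], []).append(name)
    return {"disks": report, "shared_code": {h: n for h, n in groups.items() if len(n) > 1}}


def _make_mbr(code: bytes, parts) -> bytes:
    """Build a constructed 512-byte MBR from bootstrap code and (active, type, lba, count) tuples."""
    buf = bytearray(MBR_SIZE)
    buf[:len(code)] = code
    for i, (active, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", buf, PTABLE_OFF + 16 * i, 0x80 if active else 0, ptype, lba, count)
    buf[SIG_OFF:] = b"\x55\xAA"
    return bytes(buf)


# Constructed sample images. CLEAN_CODE opens like the stock Windows bootstrap and carries its
# error strings; BOOTKIT_CODE is a stand-in for a replaced bootstrap, not the real malware.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Invalid partition table\x00Missing operating system\x00"
BOOTKIT_CODE = b"\xEB\x1E" + b"\x90" * 40
SAMPLE = {
    "PhysicalDrive0": _make_mbr(BOOTKIT_CODE, [(True, 0x07, 63, 204800), (False, 0x07, 204863, 400000)]),
    "PhysicalDrive1": _make_mbr(BOOTKIT_CODE, [(True, 0x07, 63, 976000)]),
    "PhysicalDrive2": _make_mbr(CLEAN_CODE, [(True, 0x07, 2048, 1953000)]),
}
KNOWN_GOOD = frozenset({code_md5(SAMPLE["PhysicalDrive2"])})  # a baseline taken from a clean machine

if __name__ == "__main__":
    result = compare_disks(SAMPLE, KNOWN_GOOD)
    for name, r in result["disks"].items():
        print(name, r["md5"], r["findings"], [p["lba"] for p in r["partitions"]])
    print("disks sharing bootstrap code:", result["shared_code"])
```

On a live system, replace SAMPLE with {name: read_mbr(r"\\.\PhysicalDrive" + str(n)) for each disk}, running as administrator. The partition table and the per-partition boot sectors lie outside the hashed region, which is why the log can report every "Boot (0x1200)" partition entry as ok while all three MBR code regions carry the same flagged hash: an MBR bootkit replaces the bootstrap and leaves the partition layout intact.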




#2 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 February 2012 - 08:34 AM

Greetings Night Train and Welcome to the Forums,

I gather from what you've posted here that your rootkit issue was resolved and you're concerned only about cleaning up? Do I have that right? Should I assume that you've rebooted since you ran the TDSSKiller scan? The log does show item(s) which will be cured on reboot.

Are you still getting the bsod on each bootup? Please detail for me exactly what issues you are still experiencing that you would like me to address. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 Night Train
  • Topic Starter
  • Members
  • 79 posts

Posted 13 February 2012 - 11:20 AM

Greetings Night Train and Welcome to the Forums,

I gather from what you've posted here that your rootkit issue was resolved and you're concerned only about cleaning up? Do I have that right? Should I assume that you've rebooted since you ran the TDSSKiller scan? The log does show item(s) which will be cured on reboot.

Are you still getting the bsod on each bootup? Please detail for me exactly what issues you are still experiencing that you would like me to address. Thanks!


My issue was resolved. I was directed here in order to ensure my computer was free of infection, as the individual who helped me assumed that the rootkit was not the only infection on my machine. Also, I would like to fix the small boot.ini problem I have, which is shown at the bottom of my original post. I have rebooted several times at this point; I no longer get the BSOD and don't seem to be experiencing any other problems. However, I felt I should take the advice of the individual who helped me and post here.

#4 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 February 2012 - 03:30 PM

My issue was resolved. I was directed here in order to ensure my computer was free of infection, as the individual who helped me assumed that the rootkit was not the only infection on my machine. Also, I would like to fix the small boot.ini problem I have, which is shown at the bottom of my original post. I have rebooted several times at this point; I no longer get the BSOD and don't seem to be experiencing any other problems. However, I felt I should take the advice of the individual who helped me and post here.

OK, let's take a deeper look at things:
Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click combofix's window while it's running; that may cause the scan to stall.



#5 Night Train
  • Topic Starter
  • Members
  • 79 posts

Posted 13 February 2012 - 06:20 PM

Attached is my combofix log file; it seems to have found a couple of remaining traces. Some weird things I'd like to note after running combofix:

-Internet explorer was made my default browser and an icon for it was placed on my desktop.
-Several hidden files in all of my drives are now no longer hidden, such as the recycler and MSOcache


#6 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 February 2012 - 07:33 PM

The observations you noted are behaviors of combofix by design. Internet Explorer is, by default, every Windows user's "default" browser. With that in mind, and having in mind the untold numbers of various browsers, the author of Combofix must also assume that any browser defined as default, OTHER than Internet Explorer, must be considered a hijack. Otherwise, a multitude of users out there would end up quite unhappy with combofix's perceived inability to recognise a hijacked browser when any number of them could, quite possibly, have been either hijacked, or set as default by the system owner. The author of Combofix, you must understand, would have no earthly way of making such determinations. Thus, I'm quite certain, the genius of "sUBs" considered this and made the wise decision to have combofix restore Internet Explorer as default, taking it away from ANY browser other than the native Internet Explorer. I hope you understand now.

You can make whatever changes you wish, but please don't until we finish up here. Likewise, the hidden items you mentioned were set to "unhide" by combofix, and that is also by design. When we finish, I will provide instructions which will automate a process by which combofix can be removed and put things back the way they should be "by default". Until then:
Since you've had bsod issues, undoubtedly related to your tdl infection, I nonetheless thought I'd mention this program:
\program files\PhenomMsrTweaker\WinRing0x64.sys
...which also has reported bsod issues. Just so you know.

Next, please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.



KILLALL::

Folder::
d:\Program Files\Azureus

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=-

Regnull::
[HKEY_USERS\S-1-5-21-1417001333-1035525444-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C54EE86C-5789-84AF-1056-656CD9DEDFB4}*]
[HKEY_USERS\S-1-5-21-1417001333-1035525444-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E7AA155F-9061-8241-F922-1DA0EB91BF7E}*]
[HKEY_USERS\S-1-5-21-1417001333-1035525444-725345543-1004\Software\SecuROM\License information*]
[HKEY_USERS\S-1-5-21-1417001333-1035525444-725345543-1004\Software\SecuROM\License information*]

Reglock::
[HKEY_USERS\S-1-5-21-1417001333-1035525444-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#7 Night Train (Topic Starter, Members, 79 posts)

Posted 13 February 2012 - 11:49 PM

What you have said makes complete and total sense and I now understand why those are normal behaviors of ComboFix.

Two problems have occurred, however; had I known ComboFix was going to reboot automatically, I would have alerted you as to what might happen.

The first time I ran ComboFix, I noticed it removed the windows activation hack I had in place. This isn't much of a problem, I could always add it back afterwards with little hassle, however since my computer was rebooted it caused an issue. I followed your instructions, creating the .txt file and running ComboFix using it. ComboFix then rebooted my computer, once my computer returned to the login screen I was alerted that in order to continue I had to activate, something I could not do. The only way at that point that I could boot past the login screen was using safe mode. I therefore started up safe mode and ComboFix still automatically reopened and continued what it was doing. Everything seemed okay and still does, however ComboFix has been sitting at the "Preparing Log report/n Do not run any programs until ComboFix has finished" screen for nearly 20 minutes. It seems to still be running, but I figured I should post here and ask what I should do now.

My second issue is that I noticed ComboFix deleted/quarantined a few program setup files I know to be clean files, that is unless the infection itself infected those specific files.

Thank you for the help so far and sorry for this slight bump in the road.

#8 Night Train (Topic Starter, Members, 79 posts)

Posted 14 February 2012 - 12:37 AM

Edit: Well after another 15 minutes or so it finally pushed forward, attached is the log, my second issue still remains.


#9 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 14 February 2012 - 08:27 AM

Two questions:
1) Why would you need to hack the Windows activation process?
2) Why would you be unable to activate Windows?


The program "ooVoo" is ad supported software. It's responsible for certain "adware" which will be found on your system from time to time. Nothing malicious about that behavior, however, some ads could be...and one who uses this program would never know which they are unless they endeavor to investigate each and every one that pops up. It's up to you of course, but if you wanted to know how I would deal with it...then I'd have to say, it would be avoided and never have been installed on any of my systems.

And, by the way, the combofix scan log now looks pretty good. What alleged harmless setup file(s) did combofix remove?



#10 Night Train (Topic Starter, Members, 79 posts)

Posted 14 February 2012 - 01:16 PM

I can answer both questions at once. I installed this operating system using a slipstreamed copy of Windows XP, of which I no longer had any remaining genuine license keys. Therefore, in order to continue using my copy of Windows, I needed a workaround for the activation and did not wish to purchase another copy of Windows.

I was always wary of using "ooVoo" due to some adware complaints I had heard about; I'll more than likely remove the program as I no longer use it too often. If one wished to endeavor further into each ad, or block the ads completely without blocking the program, would you know of a method for that?

I'm quite happy the scan log now seems okay. In the script you had me run ComboFix with, the script had the folder D:\program files\azureus deleted; this was an old P2P program I used back in the day, which may or may not have been infected. (I'm actually genuinely curious as to how you determined this folder needed to be killed; I trust your opinion on the matter.) However, I had some program setup files stored in a subfolder, setup files for programs such as Photoshop, WinRAR, Dreamweaver, etc. that to my knowledge were clean. The full list can obviously be seen in the log. If these were infected I would remove them, but to my knowledge they were alright.

#11 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 14 February 2012 - 02:10 PM

> I can answer both questions at once. I installed this operating system using a slipstreamed copy of Windows XP, of which I no longer had any remaining genuine license keys. Therefore, in order to continue using my copy of Windows, I needed a workaround for the activation and did not wish to purchase another copy of Windows.
This brings up another question. Do you mean to say, your licensed version is already activated, in use perhaps on another computer, and this copy is just that...another copy of the same licensed version? Or...do you mean that you lost the license key?

> I was always wary of using "ooVoo" due to some adware complaints I had heard about; I'll more than likely remove the program as I no longer use it too often. If one wished to endeavor further into each ad, or block the ads completely without blocking the program, would you know of a method for that?

I know of no way to prevent the ads from within the program. There are plenty of messenger services that are not ad supported, so there is no need to be concerned about it in my opinion.

> I'm quite happy the scan log now seems okay. In the script you had me run ComboFix with, the script had the folder D:\program files\azureus deleted; this was an old P2P program I used back in the day, which may or may not have been infected. (I'm actually genuinely curious as to how you determined this folder needed to be killed; I trust your opinion on the matter.) However, I had some program setup files stored in a subfolder, setup files for programs such as Photoshop, WinRAR, Dreamweaver, etc. that to my knowledge were clean. The full list can obviously be seen in the log. If these were infected I would remove them, but to my knowledge they were alright.

The program "Azureus", as you have said, is a p2p, or file sharing, program. File sharing programs by themselves are most often not malicious; it's the intended purposes behind the countless millions who use them. Files uploaded are notoriously infected with every kind of malicious code imaginable...to include rootkits. They're all out there waiting for folks to download them. As you have found, once one does, the system is compromised...and once compromised, cannot really be trusted again short of a complete reformat and reinstallation of the operating system.

I assumed those who helped you in your other thread here already explained this to you and, in spite of it, you chose to continue a cleanup session here.

That said, I think you might agree, regardless of whether you thought something might be a clean downloaded setup file, if it was downloaded using the shared servers from p2p software, it needs to go.



#12 Night Train (Topic Starter, Members, 79 posts)

Posted 14 February 2012 - 02:34 PM

The original license key is lost to me at this point in time. I do not believe it is on another machine.

I currently also have Skype installed, of which I am not a big fan, however is this a better alternative, or do you suggest something different?

To clarify a few things, I have not used any P2P programs in a while, the program was installed merely as a legacy application in case I needed to use it for some unknown task in the future. I fully understand the potential maliciousness of the files acquired from using these programs. This:

> I assumed those who helped you in your other thread here already explained this to you and, in spite of it, you chose to continue a cleanup session here.

was not explained to me, I do slightly agree with you and may simply reformat at a later date.

Those setup files were not downloaded using the P2P software and were stored there simply on a whim. I don't really need them though and therefore will just leave them as is. Do we now continue to uninstall ComboFix as well as perform any other cleanup activities? Also the boot.ini issue posted in the original topic still needs to be addressed.

#13 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 15 February 2012 - 09:15 AM

Download Magic Jelly Bean. Extract the zipped file to your desktop. Open the folder and double-click on the MagicJellyBean Keyfinder icon. A window will open showing you your product key. Please use your key and activate Windows rather than hacking the activation process...then visit Windows updates to download/install everything presented there.

Open your boot.ini file and copy it. Paste the contents back here on your next reply. We're still not done yet...when we are, we can uninstall combofix at that time. Thanks!



#14 Night Train (Topic Starter, Members, 79 posts)

Posted 15 February 2012 - 11:42 AM

> Download Magic Jelly Bean. Extract the zipped file to your desktop. Open the folder and double-click on the MagicJellyBean Keyfinder icon. A window will open showing you your product key. Please use your key and activate Windows rather than hacking the activation process...then visit Windows updates to download/install everything presented there.
>
> Open your boot.ini file and copy it. Paste the contents back here on your next reply. We're still not done yet...when we are, we can uninstall combofix at that time. Thanks!


At your request I used keyfinder to find my CD key, however this CD key is no longer valid according to the activation program. My computer is up to date with all windows updates prior to the original incident that occurred. Please trust me when I tell you this is not an issue that needs to be resolved here as I plan to resolve it after the closure of this thread. Unless for some reason I need to not be in Safe mode to perform a task, I shall continue to use safe mode for the duration of this cleanup process. I apologize for any inconvenience this causes you.

Here is my boot.ini file:
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /TUTag=KZBZSL

I'm assuming the recovery console part of it will be removed at some point later as well.
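As an added example that is not part of this thread, the small Python script below parses a Windows XP boot.ini of the kind posted above and lists every boot entry other than the default one with its switches, which is the check a helper does by eye when asked to "paste your boot.ini". The sample input is the file posted above, embedded as constructed text.

```python
import re

# Constructed sample input: the boot.ini posted earlier in this thread.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /TUTag=KZBZSL
"""


def parse_boot_ini(text):
    """Return {section: [(key, value), ...]} keeping order and key case.
    Keys hold parentheses, colons and backslashes, so split by hand."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' only; switches may contain '='
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_entry(value):
    """Split '"Label" /switch /switch=val' into (label, [switches])."""
    match = re.match(r'"([^"]*)"\s*(.*)', value)
    if not match:
        return value, []
    return match.group(1), match.group(2).split()


def audit_boot_ini(text):
    """List the default entry's consistency and every non-default entry.
    Entries the owner did not add (a second OS line, a /debug line)
    deserve a closer look during cleanup."""
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries = sections.get("operating systems", [])
    default = loader.get("default")
    findings = []
    if default not in [key for key, _ in entries]:
        findings.append(f"default {default!r} has no [operating systems] entry")
    for key, value in entries:
        if key == default:
            continue
        label, switches = parse_entry(value)
        findings.append(f"non-default entry {key!r} ({label}) switches={switches}")
    return findings


if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE_BOOT_INI):
        print(finding)
```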

#15 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 15 February 2012 - 01:11 PM

I'm betting you still have an infected mbr. I believe you may have been through some of this already, but I'm not going to spend the time reading through your other thread since it's not in the malware removal forum.

Download RogueKiller to your desktop
  • Close all open programs
  • For Vista or Windows 7, right click -> run as administrator, for XP simply double-click RogueKiller.exe
  • When prompted, type 1 and press Enter
  • The RKreport.txt shall be generated.
Note: If the program fails to run, don't hesitate to try several times. If several attempts still fail (it is possible), just rename it to winlogon.exe and try running it again.

Please post the contents of the RKreport.txt in your next reply. Thanks!

I'd like to see what a gmer scan on that system will look like:
Download GMER from the following location and save it to your desktop.

GMER Download Link 1
GMER Download Link 2 (Only use if the previous link does not work)

  • Right-click on the gmer.zip icon and select the Extract all... menu option. You should now see the gmer folder.
  • Open the folder and double-click on the gmer.exe icon. Please "ok" any prompts to allow the program to start.
  • You should now see the main GMER window. If you receive a warning about rootkit activity asking if you want to run a full scan, please click on the NO button.
  • We now need to configure GMER to prevent some features from being used during the scan. Please uncheck the following settings (we do NOT want to see these in our scan):
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All <--Important. Don't miss this one
  • Now that you have removed the check marks from the boxes for those items listed above, please click the Scan button.
    This scan may take quite some time, so please be patient. When it has finished, you will be back at the main screen.
  • Please click on the Save... button and save the report to your desktop. Please name the saved file ark.txt
  • Please do not act on any of the information in this report. Many legitimate programs could be listed there.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.
I'll need to see the gmer scan results on the next reply. Next:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application. Click the "Change parameters". Under Additional options, check the box next to both options, "Verify Driver Digital Signature" and "Detect TDLFS file system" and click the OK button.
  • Click the Start scan button.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • You may be prompted to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file back here on your next reply.
  • ...otherwise, if a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". If this was the case, then we need to see that log.
Please remember, post the TDSSKiller log, the RKreport.txt log, and the gmer scan log. Thanks!
