voight75 Posted September 25, 2009 Author ID:133020

Dakeyras,

No problem at all. Ok, here are the logs:

mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

report.txt:

Host Name: RICHARD
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Richard Lunan
Registered Organization:
Product ID: 76487-OEM-0011903-00817
Original Install Date: 12/22/2006, 3:06:34 AM
System Up Time: 0 Days, 0 Hours, 15 Minutes, 48 Seconds
System Manufacturer: TOSHIBA
System Model: Satellite U205
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
 [01]: x86 Family 6 Model 15 Stepping 6 GenuineIntel ~1995 Mhz
BIOS Version: TOSHIB - 970814
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 2,039 MB
Available Physical Memory: 1,236 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,001 MB
Virtual Memory: In Use: 47 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\RICHARD
Hotfix(s): 197 Hotfix(s) Installed.
NetWork Card(s): 3 NIC(s) Installed.
 [01]: Intel® PRO/100 VE Network Connection
       Connection Name: Local Area Connection
 [02]: Intel® PRO/Wireless 3945ABG Network Connection
       Connection Name: Wireless Network Connection
       DHCP Enabled: Yes
       DHCP Server: 192.168.2.1
       IP address(es)
       [01]: 192.168.2.2
 [03]: 1394 Net Adapter
       Connection Name: 1394 Connection

10:33:14:406 SetPrivileges: OpenThreadToken error 1008
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:500 main: Driver KLMD successfully dropped
10:33:14:546 main: Driver KLMD successfully loaded
10:33:14:546 scanning registry ...
10:33:14:593 ScanServices: Searching service UACd.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service TDSSserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service gaopdxserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service gxvxcserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service MSIVXserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:609 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
10:33:14:812 UnhookRegistry: Kernel local addr: C00000
10:33:15:15 UnhookRegistry: KeServiceDescriptorTable addr: C8B520
10:33:15:15 UnhookRegistry: KiServiceTable addr: C0D8B0
10:33:15:62 UnhookRegistry: NtEnumerateKey service number (local): 47
10:33:15:62 UnhookRegistry: NtEnumerateKey local addr: CA1E14
10:33:15:234 KLMD_OpenDevice: Trying to open KLMD device
10:33:15:234 KLMD_GetSystemRoutineAddress: Trying to get system routine address ZwEnumerateKey
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
10:33:15:234 UnhookRegistry: NtEnumerateKey service number (kernel): 47
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
10:33:15:234 UnhookRegistry: NtEnumerateKey real addr: 80578E14
10:33:15:234 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
10:33:15:234 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
10:33:15:234 UnhookRegistry: Splicing found on NtEnumerateKey
10:33:15:234 KLMD_WriteMem: Trying to WriteMemory 0x80578E14[0xA]
10:33:15:234 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
10:33:15:234 completed
10:33:15:234 Files deleted on next reboot: 0
10:33:15:234 Registry node deleted on next reboot: 0
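The log above records two separate checks on NtEnumerateKey: the live service table entry ("real addr") is compared with the address calculated from the clean kernel image ("calc addr"), and then the first 0xA bytes of the function are read to see whether a jump has been written over its prologue ("Splicing found"). The Python below is an added illustration of that detection logic written for this page; it is not part of the thread or of the tool that produced the log, and every address and byte it uses is constructed.

```python
"""
Toy re-implementation of the two checks reported in the scan log above:
  1. SSDT check   - does the service table entry ("real addr") match the
     address computed from the on-disk kernel image ("calc addr")?
  2. Splice check - do the first bytes of the function still look like a
     normal prologue, or has something patched in a jump?
Constructed example; addresses resemble the log but the bytes are invented.
"""
import struct

# Service number for NtEnumerateKey as shown in the log (47).
NT_ENUMERATE_KEY = 47

# Normal XP hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def check_ssdt(ssdt, service_no, calc_addr):
    """Compare the live SSDT entry with the address calculated from the
    clean on-disk image. A mismatch means the table entry was redirected."""
    real_addr = ssdt[service_no]
    return {"real": real_addr, "calc": calc_addr, "hooked": real_addr != calc_addr}


def detect_splice(prologue, func_addr):
    """Look for an inline jump written over the start of a function.
    Returns (kind, target) or (None, None) if the prologue looks clean."""
    if prologue[:5] == CLEAN_PROLOGUE:
        return None, None
    op = prologue[0]
    if op == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB:                          # jmp rel8
        rel = struct.unpack_from("<b", prologue, 1)[0]
        return "jmp rel8", (func_addr + 2 + rel) & 0xFFFFFFFF
    if prologue[:2] == b"\xFF\x25":         # jmp dword ptr [abs]
        return "jmp [abs]", struct.unpack_from("<I", prologue, 2)[0]
    if op == 0x68 and prologue[5] == 0xC3:  # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", prologue, 1)[0]
    return "unknown prologue", None


def scan_service(ssdt, service_no, calc_addr, read_mem):
    """Run both checks for one service and return a combined report."""
    report = check_ssdt(ssdt, service_no, calc_addr)
    kind, target = detect_splice(read_mem(calc_addr, 10), calc_addr)
    return {**report, "splice": kind, "splice_target": target}


# --- constructed sample "kernel memory" ----------------------------------
CALC_ADDR = 0x80578E14                     # same value as the log's calc addr
SAMPLE_SSDT = {NT_ENUMERATE_KEY: CALC_ADDR}  # table entry not redirected
SPLICED_TARGET = 0xF7A1B000                # made-up address in a driver
_rel = (SPLICED_TARGET - (CALC_ADDR + 5)) & 0xFFFFFFFF
SAMPLE_MEMORY = {
    # Function start overwritten with "jmp rel32" followed by padding.
    CALC_ADDR: b"\xE9" + struct.pack("<I", _rel) + b"\x90" * 5,
}


def sample_read_mem(addr, size):
    """Stand-in for the tool's ReadMemory over the constructed memory."""
    return SAMPLE_MEMORY[addr][:size]


if __name__ == "__main__":
    print(scan_service(SAMPLE_SSDT, NT_ENUMERATE_KEY, CALC_ADDR, sample_read_mem))
```

Against the constructed memory the report shows the same pattern as the log: the table entry is untouched, but the function body starts with a jump.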
Dakeyras Posted September 25, 2009 ID:133073

Hi.

Please delete your current copy of ComboFix and empty the Recycle Bin.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end.

Extra Note: Please ensure that you allow the Recovery Console to be installed if prompted as we may need to use this.

When completed the above, please post back the following in the order asked for:

1. How is your computer performing now, any other symptoms and or problems encountered?
2. ComboFix Log.
voight75 Posted September 25, 2009 Author ID:133118

Dakeyras,

Same problem with combofix, yet again. It just will not start the auto-scan. It loads, creates system restore, then states that scan is about to begin (may take 10 minutes etc.), then nothing at all. I let it sit for almost 40 minutes, and still nothing. This has happened every time I have tried to run combofix, except the once I ran it in Safe Mode.
Dakeyras Posted September 25, 2009 ID:133160

Hi.

Hmmmm not looking good at all I'm afraid. Be prepared as mentioned prior I may have to recommend a reformat and reinstallation of the Windows operating system. The below may seem tedious but bear with myself on this please.

OK was the Recovery Console installed during the last or any of the previous ComboFix runs in Normal Mode? If not sure a quick easy way to check is to reboot your machine and just after the POST (power on self test) check you should see these options as shown here.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\windows\ntbtlog.txt

Then empty the Recycle Bin.

Restart your computer. Just before the XP loading screen starts hit F8 as if going to safe mode. From the advanced boot menu choose "enable boot logging" then hit enter.

Post the following file:

C:\windows\ntbtlog.txt

Next:

Please download IceSword and extract it to the desktop.
Once IceSword is extracted, with all browser and Explorer windows closed, run IceSword.
Once IceSword is open, click the Win32 Service Function on the left Menu Bar. If any red entries are found, click the blue Log Tab at the top of the screen and save the log to documents folder as service-list.txt.
Now, click IceSword's Process Function on the left Menu Bar. If any red entries are found, click the blue Log tab at the top of the screen and save the log to documents folder as processlist.txt.

Note: If the need, use multiple replies to post any logs and or upload to my channel.
voight75 Posted September 25, 2009 Author ID:133178

Dakeyras,

There were no red entries found using Ice Sword. If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc) Is there anything else I need to be doing? Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

Here is the ntbtlog.txt:

Service Pack 3 9 25 2009 15:31:22.375
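An added example, not from the thread: a small Python triage helper for an XP ntbtlog.txt of the kind requested above. Boot logging writes one "Loaded driver" or "Did not load driver" line per driver; the helper parses those lines and groups the ones a helper would look at first (drivers registered with a full \??\ path, drivers outside the Windows directory, repeated loads, failed loads). The sample log inside the block is constructed for the example and is not the log that was posted.

```python
"""
Triage helper for an XP ntbtlog.txt (constructed example, not the thread's
own log). Parses "Loaded driver <path>" / "Did not load driver <path>"
lines and buckets them for review.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text):
    """Return a list of (status, raw_path) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def normalize(path):
    """Lower-case and canonicalise a driver path so the same file compares
    equal whether it was logged as \\SystemRoot\\..., \\WINDOWS\\... or
    \\??\\C:\\WINDOWS\\... (object-manager prefix plus drive letter)."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) > 2 and p[1] == ":":  # drop the drive letter
        p = p[2:]
    if p.startswith("\\systemroot\\"):
        p = "\\windows\\" + p[len("\\systemroot\\"):]
    return p


def inside_windows(norm_path):
    """Bare names (boot-start drivers such as ACPI.sys) are resolved under
    system32\\drivers by the loader, so they count as inside Windows."""
    return "\\" not in norm_path or norm_path.startswith("\\windows\\")


def triage(entries, repeat_threshold=3):
    """Group the parsed entries into the buckets worth a second look."""
    loaded_raw = [p for s, p in entries if s == "Loaded driver"]
    loaded = [normalize(p) for p in loaded_raw]
    counts = Counter(loaded)
    return {
        # Registered with an absolute \??\ path: usually third-party
        # products, so each one should map to software you recognise.
        "full_path_loads": sorted({normalize(p) for p in loaded_raw
                                   if p.startswith("\\??\\")}),
        # Kernel code outside the Windows directory deserves a close look.
        "outside_windows": sorted({p for p in loaded if not inside_windows(p)}),
        # Repeats are often harmless (audio/USB stacks reload), but note them.
        "repeated": {p: n for p, n in counts.items() if n >= repeat_threshold},
        # Failed loads are normally absent hardware (floppy, serial, ...).
        "did_not_load": sorted({normalize(p) for s, p in entries
                                if s == "Did not load driver"}),
    }


# Constructed sample log (NOT the one posted in the thread).
SAMPLE_LOG = r"""Service Pack 3 9 25 2009 15:31:22.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \??\C:\Program Files\ExampleVendor\drv\examplepg.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\examplecomm.sys
Loaded driver \??\C:\Documents and Settings\user\Local Settings\Temp\example.sys
"""

if __name__ == "__main__":
    for bucket, items in triage(parse_ntbtlog(SAMPLE_LOG)).items():
        print(bucket, items)
```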
voight75 Posted September 25, 2009 Author ID:133180

Oh, I almost forgot, the Recovery Console is installed.
Dakeyras Posted September 25, 2009 ID:133233

Hi.

> If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc) Is there anything else I need to be doing?

What you have mentioned RE backing up is fine and I will provide advice on how to use your Toshiba CD's to do so if the need.

> Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

It is proving to be somewhat of a challenge to pinpoint exactly what is the launch vector and you are very welcome!

> Oh, I almost forgot, the Recovery Console is installed.

Good to know.

Boot.ini Check:

I would like to check the current state of the Boot.ini file to check if it is corrupted or not as follows:

Open Notepad. <---- Start >> Run... type in notepad and select OK
Copy and Paste everything from the Code Box below into Notepad:

    @Echo off
    xcopy C:\boot.ini "%userprofile%\desktop\" /h
    attrib -s -h "%userprofile%\desktop\boot.ini"
    ren "%userprofile%\desktop\boot.ini" bootini.txt
    Del %0

Go to File >> Save As
Save File name as "Look.bat" <-- Make sure to include the quotes.
Change Save as Type to All Files and save the file to your Desktop.
It should look like this:

Now double click on the desktop Look.bat to run the batch file. It will self-delete when completed and produce a notepad text file named bootini on your desktop.
voight75 Posted September 25, 2009 Author ID:133242

Dakeyras,

Here you go:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /forceresetreg
Dakeyras Posted September 26, 2009 ID:133311

Hi.

I can no longer in good conscience let this malware infection remain on your computer.

Being honest so far I have been unable to identify the cause and would be providing your good self with a disservice if I let your computer remain infected and used online.

Some may disagree with my attitude/decision about what I have decided.............but I was both taught and trained long and hard to get into the position I am today to be able to both assist and provide advice for individuals such as your good self.

The first tenet being do no harm to an individual's computer and or leave them exposed to malware unduly. I stand by what I have mentioned above and what is the most prudent course of action I mention below/now voight75.

With this in mind my most honest advice now is for your good self to disconnect this computer from the Internet immediately. If you do any banking or other financial transactions on the computer or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Then carry out/perform a reformat and reinstallation of the Windows operating system.

How to do so as follows:

Using the Toshiba Recovery CD's is outlined here and you can check for your exact model.

If you require further advice about using the above recovery CD's by all means inform myself and I will research further on your behalf to find the exact methodology.

The below is some advice I do have on what to do after the reformat and reinstallation.

Reformat and Reinstallation Advice:

- Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here are some free Anti Virus programs which I recommend to use:
  - Antivir PersonalEdition Classic: Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
  - avast! 4 Home Edition: Anti-virus program for Windows. The home edition is freeware for noncommercial users.

- Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free Firewalls which I recommend to use (Use only one, and disable your Windows Firewall):
  - Sunbelt Kerio
  - Outpost
  - Jetico Personal Firewall

  Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!

- Keep your system updated - Microsoft releases patches for Windows and other products regularly. I advise you visit: http://update.microsoft.com/microsoftupdat...t.aspx?ln=en-us
  Install the Active X. Once installed it will advise set Auto-Updates if not set and then you will be able to manually check for updates also via: Start >> All Programs >> Microsoft Updates

- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab.
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
  5. Change the Download signed ActiveX controls to Prompt.
  6. Change the Download unsigned ActiveX controls to Disable.
  7. Change the Initialise and script ActiveX controls not marked as safe to Disable.
  8. Change the Installation of desktop items to Prompt.
  9. Change the Launching programs and files in an IFRAME to Prompt.
  10. Change the Navigate sub-frames across different domains to Prompt.
  11. When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  12. Next press the Apply button and then the OK to exit the Internet Properties page.

- Malwarebytes' Anti-Malware - Download it from here. The tutorial on how to use MBAM is located here.

- Install WinPatrol - Download it from here. You can find information about how WinPatrol works here.

- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Download it from here. The tutorial on how to use Spyware Blaster is located here.

- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for your computer becoming infected again will reduce dramatically. Any questions feel free to ask OK!
voight75 Posted September 26, 2009 Author ID:133367

Dakeyras,

Ok, this is what I had feared. I will back up tomorrow and then either Sunday or Monday do the reformat, using the Toshiba provided CDs. Will I lose my McAfee etc when I reformat, ie: will I have to buy a new subscription etc? I will most likely have other questions relating to the reformat, so please keep an eye out here, as I will definitely have questions. Thank you for all of your help.

Dakeyras Posted September 26, 2009 ID:133474

Hi.

Not good news I admit but I assure you it is the most prudent course of action to take. If this was one of my machines and or my wife's laptop I would not hesitate to carry out a reformat and reinstallation of the Windows operating system.

By all means you can reinstall your McAfee SecurityCenter and reactivate it and continue to use until the subscription runs out. If you have forgotten the reactivation password this article explains how to retrieve it. Feel free to ask myself any questions if in the need for further advice and you are very welcome!

voight75 Posted September 28, 2009 Author ID:134598

Dakeyras,

Ok! I have successfully reformatted my laptop. I have re-installed the McAfee Security Suite, which I believe provides me with a firewall, anti-virus etc, as you mentioned in your previous post. Thank you again for all of your help. It is very much appreciated. I will know where to come if I ever have any problems again.

Dakeyras Posted September 28, 2009 ID:134659

Thanks for the update and you're welcome! B)