help me get rid of Shi5Aiku and file.exe

hridhoy · March 6, 2010

Malware bytes not identifying the trojans but AVG keep on appearing as it is blocking both trojans. Please help

Malwarebytes' Anti-Malware 1.44

Database version: 3830

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

06/03/2010 22:13:06

mbam-log-2010-03-06 (22-13-06).txt

Scan type: Quick Scan

Objects scanned: 104838

Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 22:31:39.67 on 06/03/2010

Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_16

Microsoft

Attach.zip

fenzodahl512 · March 7, 2010

Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:

Tools->Options->Main tab
Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

hridhoy · March 7, 2010

Here is the log from TDSSKILLER but combo fix is not generating any log it freezes in the last bit when it says Preparing log..Thx

6:55:39:035 4668 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

16:55:39:035 4668 ================================================================================

16:55:39:035 4668 SystemInfo:

16:55:39:035 4668 OS Version: 6.0.6002 ServicePack: 2.0

16:55:39:035 4668 Product type: Workstation

16:55:39:035 4668 ComputerName: USER-PC2

16:55:39:035 4668 UserName: Administrator

16:55:39:035 4668 Windows directory: C:\Windows

16:55:39:035 4668 Processor architecture: Intel x86

16:55:39:035 4668 Number of processors: 2

16:55:39:035 4668 Page size: 0x1000

16:55:39:035 4668 Boot type: Normal boot

16:55:39:035 4668 ================================================================================

16:55:39:128 4668 UnloadDriverW: NtUnloadDriver error 2

16:55:39:128 4668 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

16:55:43:793 4668 Initialize success

16:55:43:793 4668

16:55:43:793 4668 Scanning Services ...

16:55:43:793 4668 wfopen_ex: Trying to open file C:\Windows\system32\config\system

16:55:43:840 4668 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

16:55:43:840 4668 wfopen_ex: Trying to KLMD file open

16:55:43:840 4668 wfopen_ex: File opened ok (Flags 2)

16:55:43:855 4668 wfopen_ex: Trying to open file C:\Windows\system32\config\software

16:55:43:871 4668 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

16:55:43:871 4668 wfopen_ex: Trying to KLMD file open

16:55:43:871 4668 wfopen_ex: File opened ok (Flags 2)

16:55:45:103 4668 GetAdvancedServicesInfo: Raw services enum returned 443 services

16:55:45:119 4668 fclose_ex: Trying to close file C:\Windows\system32\config\system

16:55:45:119 4668 fclose_ex: Trying to close file C:\Windows\system32\config\software

16:55:45:119 4668

16:55:45:119 4668 Scanning Kernel memory ...

16:55:45:119 4668 Devices to scan: 5

16:55:45:119 4668

16:55:45:119 4668 Driver Name: USBSTOR

16:55:45:119 4668 IRP_MJ_CREATE : 8F120FC8

16:55:45:119 4668 IRP_MJ_CREATE_NAMED_PIPE : 84234A22

16:55:45:119 4668 IRP_MJ_CLOSE : 8F121040

16:55:45:119 4668 IRP_MJ_READ : 8F1210B8

16:55:45:119 4668 IRP_MJ_WRITE : 8F1210B8

16:55:45:119 4668 IRP_MJ_QUERY_INFORMATION : 84234A22

16:55:45:119 4668 IRP_MJ_SET_INFORMATION : 84234A22

16:55:45:119 4668 IRP_MJ_QUERY_EA : 84234A22

16:55:45:119 4668 IRP_MJ_SET_EA : 84234A22

16:55:45:119 4668 IRP_MJ_FLUSH_BUFFERS : 84234A22

16:55:45:119 4668 IRP_MJ_QUERY_VOLUME_INFORMATION : 84234A22

16:55:45:119 4668 IRP_MJ_SET_VOLUME_INFORMATION : 84234A22

16:55:45:119 4668 IRP_MJ_DIRECTORY_CONTROL : 84234A22

16:55:45:119 4668 IRP_MJ_FILE_SYSTEM_CONTROL : 84234A22

16:55:45:119 4668 IRP_MJ_DEVICE_CONTROL : 8F120BC4

16:55:45:119 4668 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F1147E4

16:55:45:119 4668 IRP_MJ_SHUTDOWN : 84234A22

16:55:45:119 4668 IRP_MJ_LOCK_CONTROL : 84234A22

16:55:45:119 4668 IRP_MJ_CLEANUP : 84234A22

16:55:45:119 4668 IRP_MJ_CREATE_MAILSLOT : 84234A22

16:55:45:119 4668 IRP_MJ_QUERY_SECURITY : 84234A22

16:55:45:119 4668 IRP_MJ_SET_SECURITY : 84234A22

16:55:45:119 4668 IRP_MJ_POWER : 8F11F59C

16:55:45:119 4668 IRP_MJ_SYSTEM_CONTROL : 8F11C7A2

16:55:45:119 4668 IRP_MJ_DEVICE_CHANGE : 84234A22

16:55:45:119 4668 IRP_MJ_QUERY_QUOTA : 84234A22

16:55:45:119 4668 IRP_MJ_SET_QUOTA : 84234A22

16:55:45:150 4668 siohd: 0

16:55:45:150 4668 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

16:55:45:150 4668

16:55:45:150 4668 Driver Name: USBSTOR

16:55:45:150 4668 IRP_MJ_CREATE : 8F120FC8

16:55:45:150 4668 IRP_MJ_CREATE_NAMED_PIPE : 84234A22

16:55:45:150 4668 IRP_MJ_CLOSE : 8F121040

16:55:45:150 4668 IRP_MJ_READ : 8F1210B8

16:55:45:150 4668 IRP_MJ_WRITE : 8F1210B8

16:55:45:150 4668 IRP_MJ_QUERY_INFORMATION : 84234A22

16:55:45:150 4668 IRP_MJ_SET_INFORMATION : 84234A22

16:55:45:150 4668 IRP_MJ_QUERY_EA : 84234A22

16:55:45:150 4668 IRP_MJ_SET_EA : 84234A22

16:55:45:150 4668 IRP_MJ_FLUSH_BUFFERS : 84234A22

16:55:45:150 4668 IRP_MJ_QUERY_VOLUME_INFORMATION : 84234A22

16:55:45:150 4668 IRP_MJ_SET_VOLUME_INFORMATION : 84234A22

16:55:45:150 4668 IRP_MJ_DIRECTORY_CONTROL : 84234A22

16:55:45:150 4668 IRP_MJ_FILE_SYSTEM_CONTROL : 84234A22

16:55:45:150 4668 IRP_MJ_DEVICE_CONTROL : 8F120BC4

16:55:45:150 4668 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F1147E4

16:55:45:150 4668 IRP_MJ_SHUTDOWN : 84234A22

16:55:45:150 4668 IRP_MJ_LOCK_CONTROL : 84234A22

16:55:45:150 4668 IRP_MJ_CLEANUP : 84234A22

16:55:45:150 4668 IRP_MJ_CREATE_MAILSLOT : 84234A22

16:55:45:150 4668 IRP_MJ_QUERY_SECURITY : 84234A22

16:55:45:150 4668 IRP_MJ_SET_SECURITY : 84234A22

16:55:45:150 4668 IRP_MJ_POWER : 8F11F59C

16:55:45:150 4668 IRP_MJ_SYSTEM_CONTROL : 8F11C7A2

16:55:45:150 4668 IRP_MJ_DEVICE_CHANGE : 84234A22

16:55:45:150 4668 IRP_MJ_QUERY_QUOTA : 84234A22

16:55:45:150 4668 IRP_MJ_SET_QUOTA : 84234A22

16:55:45:166 4668 siohd: 0

16:55:45:166 4668 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

16:55:45:166 4668

16:55:45:166 4668 Driver Name: USBSTOR

16:55:45:166 4668 IRP_MJ_CREATE : 8F120FC8

16:55:45:166 4668 IRP_MJ_CREATE_NAMED_PIPE : 84234A22

16:55:45:166 4668 IRP_MJ_CLOSE : 8F121040

16:55:45:166 4668 IRP_MJ_READ : 8F1210B8

16:55:45:166 4668 IRP_MJ_WRITE : 8F1210B8

16:55:45:166 4668 IRP_MJ_QUERY_INFORMATION : 84234A22

16:55:45:166 4668 IRP_MJ_SET_INFORMATION : 84234A22

16:55:45:166 4668 IRP_MJ_QUERY_EA : 84234A22

16:55:45:166 4668 IRP_MJ_SET_EA : 84234A22

16:55:45:166 4668 IRP_MJ_FLUSH_BUFFERS : 84234A22

16:55:45:166 4668 IRP_MJ_QUERY_VOLUME_INFORMATION : 84234A22

16:55:45:166 4668 IRP_MJ_SET_VOLUME_INFORMATION : 84234A22

16:55:45:166 4668 IRP_MJ_DIRECTORY_CONTROL : 84234A22

16:55:45:166 4668 IRP_MJ_FILE_SYSTEM_CONTROL : 84234A22

16:55:45:166 4668 IRP_MJ_DEVICE_CONTROL : 8F120BC4

16:55:45:166 4668 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F1147E4

16:55:45:166 4668 IRP_MJ_SHUTDOWN : 84234A22

16:55:45:166 4668 IRP_MJ_LOCK_CONTROL : 84234A22

16:55:45:166 4668 IRP_MJ_CLEANUP : 84234A22

16:55:45:166 4668 IRP_MJ_CREATE_MAILSLOT : 84234A22

16:55:45:166 4668 IRP_MJ_QUERY_SECURITY : 84234A22

16:55:45:166 4668 IRP_MJ_SET_SECURITY : 84234A22

16:55:45:166 4668 IRP_MJ_POWER : 8F11F59C

16:55:45:166 4668 IRP_MJ_SYSTEM_CONTROL : 8F11C7A2

16:55:45:166 4668 IRP_MJ_DEVICE_CHANGE : 84234A22

16:55:45:166 4668 IRP_MJ_QUERY_QUOTA : 84234A22

16:55:45:166 4668 IRP_MJ_SET_QUOTA : 84234A22

16:55:45:166 4668 siohd: 0

16:55:45:181 4668 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

16:55:45:181 4668

16:55:45:181 4668 Driver Name: USBSTOR

16:55:45:181 4668 IRP_MJ_CREATE : 8F120FC8

16:55:45:181 4668 IRP_MJ_CREATE_NAMED_PIPE : 84234A22

16:55:45:181 4668 IRP_MJ_CLOSE : 8F121040

16:55:45:181 4668 IRP_MJ_READ : 8F1210B8

16:55:45:181 4668 IRP_MJ_WRITE : 8F1210B8

16:55:45:181 4668 IRP_MJ_QUERY_INFORMATION : 84234A22

16:55:45:181 4668 IRP_MJ_SET_INFORMATION : 84234A22

16:55:45:181 4668 IRP_MJ_QUERY_EA : 84234A22

16:55:45:181 4668 IRP_MJ_SET_EA : 84234A22

16:55:45:181 4668 IRP_MJ_FLUSH_BUFFERS : 84234A22

16:55:45:181 4668 IRP_MJ_QUERY_VOLUME_INFORMATION : 84234A22

16:55:45:181 4668 IRP_MJ_SET_VOLUME_INFORMATION : 84234A22

16:55:45:181 4668 IRP_MJ_DIRECTORY_CONTROL : 84234A22

16:55:45:181 4668 IRP_MJ_FILE_SYSTEM_CONTROL : 84234A22

16:55:45:181 4668 IRP_MJ_DEVICE_CONTROL : 8F120BC4

16:55:45:181 4668 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F1147E4

16:55:45:181 4668 IRP_MJ_SHUTDOWN : 84234A22

16:55:45:181 4668 IRP_MJ_LOCK_CONTROL : 84234A22

16:55:45:181 4668 IRP_MJ_CLEANUP : 84234A22

16:55:45:181 4668 IRP_MJ_CREATE_MAILSLOT : 84234A22

16:55:45:181 4668 IRP_MJ_QUERY_SECURITY : 84234A22

16:55:45:181 4668 IRP_MJ_SET_SECURITY : 84234A22

16:55:45:181 4668 IRP_MJ_POWER : 8F11F59C

16:55:45:181 4668 IRP_MJ_SYSTEM_CONTROL : 8F11C7A2

16:55:45:181 4668 IRP_MJ_DEVICE_CHANGE : 84234A22

16:55:45:181 4668 IRP_MJ_QUERY_QUOTA : 84234A22

16:55:45:181 4668 IRP_MJ_SET_QUOTA : 84234A22

16:55:45:181 4668 siohd: 0

16:55:45:181 4668 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

16:55:45:181 4668

16:55:45:181 4668 Driver Name: atapi

16:55:45:181 4668 IRP_MJ_CREATE : 870D6CA1

16:55:45:181 4668 IRP_MJ_CREATE_NAMED_PIPE : 870D6CA1

16:55:45:181 4668 IRP_MJ_CLOSE : 870D6CA1

16:55:45:181 4668 IRP_MJ_READ : 870D6CA1

16:55:45:181 4668 IRP_MJ_WRITE : 870D6CA1

16:55:45:181 4668 IRP_MJ_QUERY_INFORMATION : 870D6CA1

16:55:45:181 4668 IRP_MJ_SET_INFORMATION : 870D6CA1

16:55:45:181 4668 IRP_MJ_QUERY_EA : 870D6CA1

16:55:45:181 4668 IRP_MJ_SET_EA : 870D6CA1

16:55:45:181 4668 IRP_MJ_FLUSH_BUFFERS : 870D6CA1

16:55:45:181 4668 IRP_MJ_QUERY_VOLUME_INFORMATION : 870D6CA1

16:55:45:181 4668 IRP_MJ_SET_VOLUME_INFORMATION : 870D6CA1

16:55:45:181 4668 IRP_MJ_DIRECTORY_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_FILE_SYSTEM_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_DEVICE_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_INTERNAL_DEVICE_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_SHUTDOWN : 870D6CA1

16:55:45:181 4668 IRP_MJ_LOCK_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_CLEANUP : 870D6CA1

16:55:45:181 4668 IRP_MJ_CREATE_MAILSLOT : 870D6CA1

16:55:45:181 4668 IRP_MJ_QUERY_SECURITY : 870D6CA1

16:55:45:181 4668 IRP_MJ_SET_SECURITY : 870D6CA1

16:55:45:181 4668 IRP_MJ_POWER : 870D6CA1

16:55:45:181 4668 IRP_MJ_SYSTEM_CONTROL : 870D6CA1

16:55:45:181 4668 IRP_MJ_DEVICE_CHANGE : 870D6CA1

16:55:45:181 4668 IRP_MJ_QUERY_QUOTA : 870D6CA1

16:55:45:181 4668 IRP_MJ_SET_QUOTA : 870D6CA1

16:55:45:181 4668 ihd: 0, 0, 0, 480, 3, 462, 1

16:55:45:181 4668 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:55:45:181 4668 TDL3_IrpHookCure: Invalid patch address

16:55:45:181 4668 cure failed

16:55:45:181 4668 siohd: 0

16:55:45:181 4668 C:\Windows\system32\drivers\atapi.sys - Verdict: Clean

16:55:45:181 4668

16:55:45:181 4668 Completed

16:55:45:181 4668

16:55:45:181 4668 Results:

16:55:45:181 4668 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

16:55:45:181 4668 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

16:55:45:181 4668 File objects infected / cured / cured on reboot: 0 / 0 / 0

16:55:45:181 4668

16:55:45:212 4668 KLMD(ARK) unloaded successfully

fenzodahl512 · March 8, 2010

Can you run ComboFix once again? If the similar things happen, pls tell me

hridhoy · March 8, 2010

Hi.. since I have uninstalled Firefox it seems like I am not getting any warning regarding trojans, anyway here is the ComboFix log:

ComboFix 10-03-06.08 - Administrator 08/03/2010 21:08:13.1.2 - x86

Microsoft

fenzodahl512 · March 9, 2010

Try reinstall Firefox.. Will you got the similar warning?

hridhoy · March 12, 2010

Hi, reinstalled firefox. It's all fine no more messages from AVG.

fenzodahl512 · March 23, 2010

Hello.. Sorry for my late reply.. Somehow I missed the topic..

1. How's the computer now? :unsure:

hridhoy · March 27, 2010

it's all fine, Thanx

help me get rid of Shi5Aiku and file.exe

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information