Need Help!


I don't know what's wrong with my computer. Earlier, I was surfing the internet at my school looking for a way to fix my iPod and my computer all of a sudden started running really slow. I also kept getting redirected to sites that were alternative search engine sites, so I decided to do a quick scan using MBAM and I found that there was something infecting my computer. Here's the log:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4003

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/22/2010 5:54:56 PM

mbam-log-2010-04-22 (17-54-56).txt

Scan type: Quick scan

Objects scanned: 117836

Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Daz\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

I cleaned out those lovely little malwares, restarted my computer, then shut it down for the ride home. When I got home, I opened up my laptop and decided to do another scan, but the laptop fan causes it to run slow, so I go to hibernate my computer. It gets ready to go to the hibernate screen, then refuses to hibernate and turns back on. So I do a manual restart and decide I need a little more help with this because what I'm doing isn't working and I believe there's a deeper infection in my computer that needs expert care.
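As an added example (not code from the post or from Malwarebytes), here is a small Python parser for the MBAM 1.x log layout shown above. It checks that the per-category counts agree with the items actually listed (a pasted log is often truncated), and maps the three `Security Center\...DisableNotify` values to the Windows XP warning each one silences when set to 1. The log it runs on is constructed for the example; the user name, counts and path are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x scan log.
# The user name, counts and file path are made up; this is not the log from the post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45

Database version: 4003

Scan type: Quick scan
Objects scanned: 117836
Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\example\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
"""

@dataclass
class Finding:
    section: str     # e.g. "Registry Data Items Infected"
    path: str        # registry value path or file path
    detection: str   # name in parentheses, e.g. "Disabled.SecurityCenter"
    details: list    # intermediate "->" parts, e.g. ["Bad: (1) Good: (0)"]
    action: str      # last "->" part, e.g. "Quarantined and deleted successfully."

@dataclass
class Report:
    header: dict = field(default_factory=dict)    # "Database version", "Scan type", ...
    summary: dict = field(default_factory=dict)   # "<Category> Infected" -> count
    findings: list = field(default_factory=list)

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")
# path, then "(detection)", then one or more " -> " parts; non-greedy path copes
# with parentheses inside paths such as "Program Files (x86)"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Parse the header, the per-category counts and every listed item."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and section is None:            # count lines precede the item sections
            report.summary[m["name"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section is None:
            m = HEADER_RE.match(line)
            if m:
                report.header[m["key"]] = m["value"]
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            parts = m["rest"].split(" -> ")
            report.findings.append(Finding(section, m["path"], m["detection"], parts[:-1], parts[-1]))
    return report

def reconcile(report):
    """Summary counts that do not match the items actually listed; a mismatch
    means the pasted log was truncated or a line format was not recognised."""
    mismatches = {}
    for name, expected in report.summary.items():
        actual = sum(1 for f in report.findings if f.section == name)
        if actual != expected:
            mismatches[name] = (expected, actual)
    return mismatches

# Windows XP SP2/SP3 Security Center values; set to 1, each one suppresses the
# balloon warning the user would otherwise get when that protection is off.
SECURITY_CENTER_NOTIFY = {
    "AntiVirusDisableNotify": "suppresses the 'antivirus missing or out of date' warning",
    "FirewallDisableNotify": "suppresses the 'firewall is off' warning",
    "UpdatesDisableNotify": "suppresses the 'Automatic Updates off' warning",
}

def security_center_tampering(report):
    """{value name: what silencing it hides} for Security Center values in the log."""
    hits = {}
    for f in report.findings:
        parts = f.path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "security center" and parts[-1] in SECURITY_CENTER_NOTIFY:
            hits[parts[-1]] = SECURITY_CENTER_NOTIFY[parts[-1]]
    return hits

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for f in rep.findings:
        print(f"[{f.section}] {f.detection}: {f.path} -> {f.action}")
    print("silenced warnings:", security_center_tampering(rep))
    print("summary/item mismatches:", reconcile(rep) or "none")
```

Run it as a script to print the findings; `reconcile` returning anything other than an empty dict is the cue to ask for the log to be posted again rather than to act on it.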


Hi ChibiMalwareKill, and welcome to Malwarebytes!

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Let's do this:

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
     Combofix download
     * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
     You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
     With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
     ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
     The Recovery Console was successfully installed.
     Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
     Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


OK, ran the ComboFix on my computer. This is the log I received from it:

ComboFix 10-04-21.01 - Daz 04/23/2010 7:13.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.686 [GMT -7:00]

Running from: c:\documents and settings\Daz\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

PEV Error: MenuFile

PEV Error: MenuFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Daz\Application Data\0200000062f9d67b879C.manifest

c:\documents and settings\Daz\Application Data\0200000062f9d67b879O.manifest

c:\documents and settings\Daz\Application Data\0200000062f9d67b879P.manifest

c:\documents and settings\Daz\Application Data\0200000062f9d67b879S.manifest

c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{c0cbb12e-7edf-45db-be0f-1ce8dd92c0d7}

c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{c0cbb12e-7edf-45db-be0f-1ce8dd92c0d7}\chrome.manifest

c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{c0cbb12e-7edf-45db-be0f-1ce8dd92c0d7}\chrome\xulcache.jar

c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{c0cbb12e-7edf-45db-be0f-1ce8dd92c0d7}\defaults\preferences\xulcache.js

c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{c0cbb12e-7edf-45db-be0f-1ce8dd92c0d7}\install.rdf

c:\documents and settings\Daz\Local Settings\Application Data\{9AB557F7-4C31-4A0C-86AD-4C58001B6304}

c:\documents and settings\Daz\Local Settings\Application Data\{9AB557F7-4C31-4A0C-86AD-4C58001B6304}\chrome\content\_cfg.js

c:\documents and settings\Daz\Local Settings\Application Data\{9AB557F7-4C31-4A0C-86AD-4C58001B6304}\chrome\content\overlay.xul

c:\documents and settings\Daz\Local Settings\Application Data\{9AB557F7-4C31-4A0C-86AD-4C58001B6304}\install.rdf

c:\windows\system32\1185476829

c:\windows\system32\d3d8caps.dat

c:\windows\system32\unrar.exe

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))

.

2010-04-23 10:49 . 2010-04-23 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-23 10:49 . 2010-04-23 11:02 -------- d-----w- c:\documents and settings\Daz\Local Settings\Application Data\avG

2010-04-23 10:14 . 2010-04-23 10:14 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-23 04:07 . 2010-04-23 10:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-22 17:28 . 2010-04-23 10:13 -------- d-----w- c:\documents and settings\Daz\Application Data\CopyTransDoctor

2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\Daz\Application Data\WindSolutions

2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

2010-04-18 08:15 . 2010-04-18 08:15 20480 ----a-w- c:\documents and settings\Daz\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll

2010-04-18 08:15 . 2010-04-18 08:15 18944 ----a-w- c:\documents and settings\Daz\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll

2010-04-18 08:15 . 2010-04-18 08:15 17408 ----a-w- c:\documents and settings\Daz\Application Data\LimeWire\browser\xulrunner\components\auth.dll

2010-04-18 08:15 . 2010-04-18 08:15 8192 ----a-w- c:\documents and settings\Daz\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll

2010-04-18 08:15 . 2010-04-18 08:15 20480 ----a-w- c:\documents and settings\Daz\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll

2010-04-18 08:15 . 2010-04-23 13:30 -------- d-----w- c:\documents and settings\Daz\Application Data\LimeWire

2010-04-18 08:14 . 2010-04-18 08:14 -------- d-----w- c:\program files\LimeWire

2010-04-17 23:02 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-15 06:30 . 2010-04-15 06:30 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-04-15 06:29 . 2010-04-15 06:27 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-04-15 06:29 . 2010-04-15 06:26 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-04-15 06:29 . 2010-04-15 06:29 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-04-15 06:28 . 2010-04-15 06:28 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-04-15 06:28 . 2010-04-15 06:28 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-04-15 06:28 . 2010-04-15 06:28 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-04-15 06:27 . 2010-04-15 06:29 -------- d-----w- c:\program files\DivX

2010-04-15 06:27 . 2010-04-15 06:27 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-04-15 06:26 . 2010-04-15 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-04-12 01:14 . 2010-04-12 01:14 1078 ----a-r- c:\documents and settings\Daz\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_235022ee.exe

2010-04-12 01:14 . 2010-04-12 01:14 1078 ----a-r- c:\documents and settings\Daz\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_120759a.exe

2010-04-12 01:14 . 2010-04-12 01:14 -------- d-----w- c:\program files\e-Speaking

2010-04-07 00:17 . 2010-04-07 00:17 -------- d-----w- c:\program files\ESET

2010-04-06 21:10 . 2010-04-07 22:18 -------- d-----w- c:\program files\QuickTime

2010-04-06 21:01 . 2010-04-06 21:01 0 ----a-w- c:\windows\Dyotoxuquxojap.bin

2010-04-06 21:01 . 2010-04-06 21:01 120 ----a-w- c:\windows\Qnamacanuv.dat

2010-04-06 01:19 . 2010-04-06 21:10 -------- d-----w- c:\program files\QuickTime(2)

2010-04-04 21:47 . 2010-04-04 21:47 95652 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-03 17:56 . 2010-04-03 17:56 -------- d-----w- c:\documents and settings\Daz\Local Settings\Application Data\Toshiba

2010-04-03 17:47 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-04-03 17:47 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2010-03-30 22:09 . 2010-03-30 22:09 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-23 13:47 . 2006-07-25 15:04 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys

2010-04-23 11:12 . 2010-02-20 21:04 -------- d-----w- c:\documents and settings\Daz\Application Data\Skype

2010-04-23 11:02 . 2010-02-20 21:07 -------- d-----w- c:\documents and settings\Daz\Application Data\skypePM

2010-04-23 10:13 . 2006-07-25 15:19 -------- d-----w- c:\program files\Common Files\Java

2010-04-20 16:22 . 2010-02-13 22:22 -------- d-----w- c:\documents and settings\Daz\Application Data\U3

2010-04-18 08:21 . 2010-02-13 09:08 -------- d-----w- c:\documents and settings\Daz\Application Data\Apple Computer

2010-04-17 23:02 . 2006-07-25 15:19 -------- d-----w- c:\program files\Java

2010-04-14 10:11 . 2010-02-14 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-07 00:00 . 2010-02-13 04:47 145832 ----a-w- c:\documents and settings\Daz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-06 23:57 . 2010-02-13 20:56 -------- d-----w- c:\program files\McAfee

2010-03-30 22:27 . 2010-02-25 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 22:27 . 2010-02-19 08:41 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 07:46 . 2010-02-19 08:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 07:45 . 2010-02-19 08:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-17 10:13 . 2010-03-17 10:13 -------- d-----w- c:\program files\MSBuild

2010-03-17 10:13 . 2010-03-17 10:13 -------- d-----w- c:\program files\Reference Assemblies

2010-03-15 21:43 . 2010-03-15 21:43 -------- d-----w- c:\documents and settings\Daz\Application Data\SharePod

2010-03-12 16:30 . 2010-03-12 16:30 -------- d-----w- c:\program files\AviSynth 2.5

2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\program files\eRightSoft

2010-03-12 08:43 . 2006-07-25 15:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-09 11:09 . 2004-08-11 22:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-07 07:05 . 2010-03-07 07:05 503808 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\msvcp71.dll

2010-03-07 07:05 . 2010-03-07 07:05 499712 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\jmc.dll

2010-03-07 07:05 . 2010-03-07 07:05 348160 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\msvcr71.dll

2010-03-07 07:05 . 2010-03-07 07:05 61440 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47969600-n\decora-sse.dll

2010-03-07 07:05 . 2010-03-07 07:05 12800 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47969600-n\decora-d3d.dll

2010-03-06 22:38 . 2010-03-06 22:38 -------- d-----w- c:\program files\BestGameEver

2010-03-06 20:00 . 2010-03-06 20:00 -------- d-----w- c:\program files\Elaborate Bytes

2010-03-06 19:18 . 2010-02-13 09:06 -------- d-----w- c:\program files\LIAM2_v1.2.4

2010-02-26 05:43 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-24 13:11 . 2004-08-11 22:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-22 18:05 . 2010-02-22 00:10 -------- d-----w- c:\documents and settings\Daz\Application Data\AdobeUM

2010-02-21 14:54 . 2010-02-14 11:38 79488 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-20 21:07 . 2010-02-20 21:07 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-02-16 14:08 . 2004-08-11 22:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-14 02:43 . 2010-02-14 02:43 286720 ------w- c:\windows\Setup1.exe

2010-02-14 02:43 . 2010-02-14 02:43 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-02-13 23:10 . 2010-02-13 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-02-13 23:10 . 2010-02-13 23:10 8 --sh--r- c:\windows\system32\646ED66E7F.sys

2010-02-13 06:48 . 2004-08-11 22:14 88659 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-13 05:08 . 2010-02-13 05:08 61440 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-334455c9-n\decora-sse.dll

2010-02-13 05:08 . 2010-02-13 05:08 12800 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-334455c9-n\decora-d3d.dll

2010-02-13 04:47 . 2010-02-13 04:47 0 ----a-w- c:\windows\nsreg.dat

2010-02-13 01:33 . 2010-02-13 01:33 126 ----a-w- c:\documents and settings\Daz\Local Settings\Application Data\fusioncache.dat

2010-02-12 04:33 . 2004-08-11 22:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-11 22:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2006-05-03 10:06 . 2010-03-12 16:26 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2010-03-12 16:26 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2010-03-12 16:26 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 49152]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\Daz\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2010-2-13 25214]

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-25 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/13/2010 1:59 PM 93320]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 20:22]

2010-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 20:22]

2010-04-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\

FF - component: c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

BHO-{01A9C5D8-95D1-415B-894F-2275E3074479} - c:\windows\System32\dxtrans32.dll

AddRemove-HijackThis - c:\documents and settings\Daz\My Documents\Downloads\HijackThis.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-23 07:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EB4AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7515f28

\Driver\ACPI -> ACPI.sys @ 0xf73a8cb8

\Driver\atapi -> atapi.sys @ 0xf733a852

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-04-23 08:12:21

ComboFix-quarantined-files.txt 2010-04-23 15:11

Pre-Run: 65,186,627,584 bytes free

Post-Run: 66,116,177,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BA40053867934DCB3BE65CCE588777C0


I know your PC is running better now, ChibiMalwareKill.

OK, we still are not out of the woods yet... :)

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


I also forgot to add in the above post that my security center decided that it was going to restart when my computer restarted, so I manually went in via my task manager and shut it down before ComboFix began running (I got the warning that it was running). It's been re-enabled as per the instructions of step 7. Computer is running a bit faster now, luckily, and not freezing up so much.


I don't use it all that often, just occasionally and recently. But I'm for sure removing it and never touching it again, especially after this.

Here's the TDSS log:

08:44:59:921 3912 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

08:44:59:921 3912 ================================================================================

08:44:59:921 3912 SystemInfo:

08:44:59:921 3912 OS Version: 5.1.2600 ServicePack: 3.0

08:44:59:921 3912 Product type: Workstation

08:44:59:921 3912 ComputerName: HANA

08:44:59:953 3912 UserName: Daz

08:44:59:953 3912 Windows directory: C:\WINDOWS

08:44:59:953 3912 Processor architecture: Intel x86

08:44:59:953 3912 Number of processors: 2

08:44:59:953 3912 Page size: 0x1000

08:45:00:218 3912 Boot type: Normal boot

08:45:00:218 3912 ================================================================================

08:45:00:265 3912 UnloadDriverW: NtUnloadDriver error 2

08:45:00:265 3912 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

08:45:01:421 3912 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

08:45:01:421 3912 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

08:45:01:421 3912 wfopen_ex: Trying to KLMD file open

08:45:01:421 3912 wfopen_ex: File opened ok (Flags 2)

08:45:01:421 3912 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

08:45:01:421 3912 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

08:45:01:421 3912 wfopen_ex: Trying to KLMD file open

08:45:01:421 3912 wfopen_ex: File opened ok (Flags 2)

08:45:01:421 3912 Initialize success

08:45:01:421 3912

08:45:01:421 3912 Scanning Services ...

08:45:02:765 3912 Raw services enum returned 387 services

08:45:02:984 3912

08:45:02:984 3912 Scanning Kernel memory ...

08:45:02:984 3912 Devices to scan: 4

08:45:02:984 3912

08:45:02:984 3912 Driver Name: Disk

08:45:02:984 3912 IRP_MJ_CREATE : F7517BB0

08:45:02:984 3912 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

08:45:02:984 3912 IRP_MJ_CLOSE : F7517BB0

08:45:02:984 3912 IRP_MJ_READ : F7511D1F

08:45:02:984 3912 IRP_MJ_WRITE : F7511D1F

08:45:02:984 3912 IRP_MJ_QUERY_INFORMATION : 804F4562

08:45:02:984 3912 IRP_MJ_SET_INFORMATION : 804F4562

08:45:02:984 3912 IRP_MJ_QUERY_EA : 804F4562

08:45:02:984 3912 IRP_MJ_SET_EA : 804F4562

08:45:02:984 3912 IRP_MJ_FLUSH_BUFFERS : F75122E2

08:45:02:984 3912 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

08:45:02:984 3912 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

08:45:02:984 3912 IRP_MJ_DIRECTORY_CONTROL : 804F4562

08:45:02:984 3912 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

08:45:02:984 3912 IRP_MJ_DEVICE_CONTROL : F75123BB

08:45:02:984 3912 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

08:45:02:984 3912 IRP_MJ_SHUTDOWN : F75122E2

08:45:02:984 3912 IRP_MJ_LOCK_CONTROL : 804F4562

08:45:02:984 3912 IRP_MJ_CLEANUP : 804F4562

08:45:02:984 3912 IRP_MJ_CREATE_MAILSLOT : 804F4562

08:45:02:984 3912 IRP_MJ_QUERY_SECURITY : 804F4562

08:45:02:984 3912 IRP_MJ_SET_SECURITY : 804F4562

08:45:02:984 3912 IRP_MJ_POWER : F7513C82

08:45:02:984 3912 IRP_MJ_SYSTEM_CONTROL : F751899E

08:45:02:984 3912 IRP_MJ_DEVICE_CHANGE : 804F4562

08:45:02:984 3912 IRP_MJ_QUERY_QUOTA : 804F4562

08:45:02:984 3912 IRP_MJ_SET_QUOTA : 804F4562

08:45:03:062 3912 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:45:03:062 3912

08:45:03:062 3912 Driver Name: Disk

08:45:03:062 3912 IRP_MJ_CREATE : F7517BB0

08:45:03:062 3912 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

08:45:03:062 3912 IRP_MJ_CLOSE : F7517BB0

08:45:03:062 3912 IRP_MJ_READ : F7511D1F

08:45:03:062 3912 IRP_MJ_WRITE : F7511D1F

08:45:03:062 3912 IRP_MJ_QUERY_INFORMATION : 804F4562

08:45:03:062 3912 IRP_MJ_SET_INFORMATION : 804F4562

08:45:03:062 3912 IRP_MJ_QUERY_EA : 804F4562

08:45:03:062 3912 IRP_MJ_SET_EA : 804F4562

08:45:03:062 3912 IRP_MJ_FLUSH_BUFFERS : F75122E2

08:45:03:062 3912 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

08:45:03:062 3912 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

08:45:03:062 3912 IRP_MJ_DIRECTORY_CONTROL : 804F4562

08:45:03:062 3912 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

08:45:03:062 3912 IRP_MJ_DEVICE_CONTROL : F75123BB

08:45:03:062 3912 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

08:45:03:062 3912 IRP_MJ_SHUTDOWN : F75122E2

08:45:03:062 3912 IRP_MJ_LOCK_CONTROL : 804F4562

08:45:03:062 3912 IRP_MJ_CLEANUP : 804F4562

08:45:03:062 3912 IRP_MJ_CREATE_MAILSLOT : 804F4562

08:45:03:062 3912 IRP_MJ_QUERY_SECURITY : 804F4562

08:45:03:062 3912 IRP_MJ_SET_SECURITY : 804F4562

08:45:03:078 3912 IRP_MJ_POWER : F7513C82

08:45:03:078 3912 IRP_MJ_SYSTEM_CONTROL : F751899E

08:45:03:078 3912 IRP_MJ_DEVICE_CHANGE : 804F4562

08:45:03:078 3912 IRP_MJ_QUERY_QUOTA : 804F4562

08:45:03:078 3912 IRP_MJ_SET_QUOTA : 804F4562

08:45:03:093 3912 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:45:03:093 3912

08:45:03:093 3912 Driver Name: Disk

08:45:03:093 3912 IRP_MJ_CREATE : F7517BB0

08:45:03:093 3912 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

08:45:03:093 3912 IRP_MJ_CLOSE : F7517BB0

08:45:03:093 3912 IRP_MJ_READ : F7511D1F

08:45:03:093 3912 IRP_MJ_WRITE : F7511D1F

08:45:03:093 3912 IRP_MJ_QUERY_INFORMATION : 804F4562

08:45:03:093 3912 IRP_MJ_SET_INFORMATION : 804F4562

08:45:03:093 3912 IRP_MJ_QUERY_EA : 804F4562

08:45:03:093 3912 IRP_MJ_SET_EA : 804F4562

08:45:03:093 3912 IRP_MJ_FLUSH_BUFFERS : F75122E2

08:45:03:093 3912 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

08:45:03:093 3912 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

08:45:03:093 3912 IRP_MJ_DIRECTORY_CONTROL : 804F4562

08:45:03:093 3912 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

08:45:03:093 3912 IRP_MJ_DEVICE_CONTROL : F75123BB

08:45:03:093 3912 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

08:45:03:093 3912 IRP_MJ_SHUTDOWN : F75122E2

08:45:03:093 3912 IRP_MJ_LOCK_CONTROL : 804F4562

08:45:03:093 3912 IRP_MJ_CLEANUP : 804F4562

08:45:03:093 3912 IRP_MJ_CREATE_MAILSLOT : 804F4562

08:45:03:093 3912 IRP_MJ_QUERY_SECURITY : 804F4562

08:45:03:093 3912 IRP_MJ_SET_SECURITY : 804F4562

08:45:03:093 3912 IRP_MJ_POWER : F7513C82

08:45:03:093 3912 IRP_MJ_SYSTEM_CONTROL : F751899E

08:45:03:093 3912 IRP_MJ_DEVICE_CHANGE : 804F4562

08:45:03:093 3912 IRP_MJ_QUERY_QUOTA : 804F4562

08:45:03:093 3912 IRP_MJ_SET_QUOTA : 804F4562

08:45:03:125 3912 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:45:03:125 3912

08:45:03:125 3912 Driver Name: atapi

08:45:03:125 3912 IRP_MJ_CREATE : 86EB4AC8

08:45:03:125 3912 IRP_MJ_CREATE_NAMED_PIPE : 86EB4AC8

08:45:03:125 3912 IRP_MJ_CLOSE : 86EB4AC8

08:45:03:125 3912 IRP_MJ_READ : 86EB4AC8

08:45:03:125 3912 IRP_MJ_WRITE : 86EB4AC8

08:45:03:125 3912 IRP_MJ_QUERY_INFORMATION : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SET_INFORMATION : 86EB4AC8

08:45:03:125 3912 IRP_MJ_QUERY_EA : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SET_EA : 86EB4AC8

08:45:03:125 3912 IRP_MJ_FLUSH_BUFFERS : 86EB4AC8

08:45:03:125 3912 IRP_MJ_QUERY_VOLUME_INFORMATION : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SET_VOLUME_INFORMATION : 86EB4AC8

08:45:03:125 3912 IRP_MJ_DIRECTORY_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_FILE_SYSTEM_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_DEVICE_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SHUTDOWN : 86EB4AC8

08:45:03:125 3912 IRP_MJ_LOCK_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_CLEANUP : 86EB4AC8

08:45:03:125 3912 IRP_MJ_CREATE_MAILSLOT : 86EB4AC8

08:45:03:125 3912 IRP_MJ_QUERY_SECURITY : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SET_SECURITY : 86EB4AC8

08:45:03:125 3912 IRP_MJ_POWER : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SYSTEM_CONTROL : 86EB4AC8

08:45:03:125 3912 IRP_MJ_DEVICE_CHANGE : 86EB4AC8

08:45:03:125 3912 IRP_MJ_QUERY_QUOTA : 86EB4AC8

08:45:03:125 3912 IRP_MJ_SET_QUOTA : 86EB4AC8

08:45:03:125 3912 Driver "atapi" infected by TDSS rootkit!

08:45:03:234 3912 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

08:45:03:234 3912 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...

08:45:03:234 3912 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

08:45:03:234 3912 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

08:45:04:078 3912 vfvi6

08:45:05:046 3912 !dsvbh1

08:45:13:109 3912 dsvbh2

08:45:13:125 3912 fdfb2

08:45:13:125 3912 Backup copy found, using it..

08:45:13:187 3912 will be cured on next reboot

08:45:13:187 3912 Reboot required for cure complete..

08:45:14:718 3912 Cure on reboot scheduled successfully

08:45:14:734 3912

08:45:14:750 3912 Completed

08:45:14:750 3912

08:45:14:750 3912 Results:

08:45:14:750 3912 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

08:45:14:750 3912 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

08:45:14:750 3912 File objects infected / cured / cured on reboot: 1 / 0 / 1

08:45:14:750 3912

08:45:14:750 3912 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

08:45:14:750 3912 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

08:45:14:765 3912 UnloadDriverW: NtUnloadDriver error 1

08:45:14:796 3912 KLMD(ARK) unloaded successfully

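As an added example that is not part of this thread and not TDSSKiller's own code: the "Scanning Kernel memory" section of the log above lists, per driver, the address each IRP major function dispatches to. disk.sys shows its own routines (F751xxxx) mixed with the kernel's default handler (804F4562), whereas every IRP_MJ_* entry for atapi resolves to the single address 86EB4AC8, the same address catchme printed as >>UNKNOWN<< in its called-modules line. The script below parses lines copied from that log (abridged, so a constructed sample) and flags any driver whose whole dispatch table collapses to one address. That heuristic is this example's assumption, not TDSSKiller's detection logic.

```python
"""Flag drivers whose IRP dispatch table looks hooked, from TDSSKiller log text.

Added example, not part of the forum thread or of TDSSKiller. The heuristic
(every IRP_MJ_* handler of a driver resolving to one address) is an assumption
of this example; TDSSKiller's real verdict logic is not reproduced here.
"""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the TDSSKiller 2.2.8.1 log in the thread.
SAMPLE_LOG = """\
08:45:02:984 3912 Driver Name: Disk
08:45:02:984 3912 IRP_MJ_CREATE : F7517BB0
08:45:02:984 3912 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:45:02:984 3912 IRP_MJ_READ : F7511D1F
08:45:02:984 3912 IRP_MJ_WRITE : F7511D1F
08:45:02:984 3912 IRP_MJ_DEVICE_CONTROL : F75123BB
08:45:03:062 3912 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
08:45:03:125 3912 Driver Name: atapi
08:45:03:125 3912 IRP_MJ_CREATE : 86EB4AC8
08:45:03:125 3912 IRP_MJ_CREATE_NAMED_PIPE : 86EB4AC8
08:45:03:125 3912 IRP_MJ_READ : 86EB4AC8
08:45:03:125 3912 IRP_MJ_WRITE : 86EB4AC8
08:45:03:125 3912 IRP_MJ_DEVICE_CONTROL : 86EB4AC8
08:45:03:234 3912 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_x: handler_address}} from the kernel memory scan."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)   # a new "Driver Name:" block starts here
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = m.group(2).upper()
    return dict(tables)


def find_hooked_drivers(log_text):
    """Return {driver_name: address} for drivers whose whole table points at one address.

    A clean driver exports its own routines for the majors it implements and
    leaves the rest on the kernel's default handler, so its table holds several
    distinct addresses. A table where every entry is the same address has been
    rewritten to route all requests through a single hook.
    """
    hooked = {}
    for name, table in parse_dispatch_tables(log_text).items():
        addrs = set(table.values())
        if len(table) >= 2 and len(addrs) == 1:
            hooked[name] = addrs.pop()
    return hooked


if __name__ == "__main__":
    for name, addr in find_hooked_drivers(SAMPLE_LOG).items():
        print(f"{name}: every IRP_MJ_* entry -> {addr} (dispatch table hooked)")
```

Run against a full TDSSKiller log, the same parser works unchanged because only the "Driver Name:" and "IRP_MJ_* : address" lines are read; the duplicate "Driver Name: Disk" blocks in the thread's log (one per device object) simply merge into one table with identical entries.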

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel

LimeWire

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::

File::
c:\windows\system32\646ED66E7F.sys

Folder::
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with the Malwarebytes log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Ran both ComboFix and MBAM. Here are the logs for both:

ComboFix

ComboFix 10-04-21.01 - Daz 04/23/2010 10:50:34.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -7:00]

Running from: c:\documents and settings\Daz\Desktop\COMBOFIX.EXE

Command switches used :: c:\documents and settings\Daz\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\system32\646ED66E7F.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))

.

2010-04-23 10:49 . 2010-04-23 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-23 10:49 . 2010-04-23 11:02 -------- d-----w- c:\documents and settings\Daz\Local Settings\Application Data\avG

2010-04-23 10:14 . 2010-04-23 10:14 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-23 04:07 . 2010-04-23 10:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-22 17:28 . 2010-04-23 10:13 -------- d-----w- c:\documents and settings\Daz\Application Data\CopyTransDoctor

2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\Daz\Application Data\WindSolutions

2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

2010-04-17 23:02 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-15 06:28 . 2010-04-15 06:28 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-04-15 06:27 . 2010-04-15 06:29 -------- d-----w- c:\program files\DivX

2010-04-15 06:26 . 2010-04-15 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-04-12 01:14 . 2010-04-12 01:14 -------- d-----w- c:\program files\e-Speaking

2010-04-07 00:17 . 2010-04-07 00:17 -------- d-----w- c:\program files\ESET

2010-04-06 21:10 . 2010-04-07 22:18 -------- d-----w- c:\program files\QuickTime

2010-04-06 21:01 . 2010-04-06 21:01 0 ----a-w- c:\windows\Dyotoxuquxojap.bin

2010-04-06 21:01 . 2010-04-06 21:01 120 ----a-w- c:\windows\Qnamacanuv.dat

2010-04-06 01:19 . 2010-04-06 21:10 -------- d-----w- c:\program files\QuickTime(2)

2010-04-04 21:47 . 2010-04-04 21:47 95652 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-03 17:56 . 2010-04-03 17:56 -------- d-----w- c:\documents and settings\Daz\Local Settings\Application Data\Toshiba

2010-04-03 17:47 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-04-03 17:47 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2010-03-30 22:09 . 2010-03-30 22:09 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-23 17:35 . 2006-07-25 15:04 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys

2010-04-23 15:49 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-23 11:12 . 2010-02-20 21:04 -------- d-----w- c:\documents and settings\Daz\Application Data\Skype

2010-04-23 11:02 . 2010-02-20 21:07 -------- d-----w- c:\documents and settings\Daz\Application Data\skypePM

2010-04-23 10:13 . 2006-07-25 15:19 -------- d-----w- c:\program files\Common Files\Java

2010-04-20 16:22 . 2010-02-13 22:22 -------- d-----w- c:\documents and settings\Daz\Application Data\U3

2010-04-18 08:21 . 2010-02-13 09:08 -------- d-----w- c:\documents and settings\Daz\Application Data\Apple Computer

2010-04-17 23:02 . 2006-07-25 15:19 -------- d-----w- c:\program files\Java

2010-04-15 06:30 . 2010-04-15 06:30 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-04-15 06:29 . 2010-04-15 06:29 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-04-15 06:29 . 2010-04-15 06:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-04-15 06:28 . 2010-04-15 06:28 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-04-15 06:28 . 2010-04-15 06:28 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-04-15 06:27 . 2010-04-15 06:27 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-04-15 06:27 . 2010-04-15 06:29 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-04-15 06:26 . 2010-04-15 06:29 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-04-14 10:11 . 2010-02-14 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-12 01:14 . 2010-04-12 01:14 1078 ----a-r- c:\documents and settings\Daz\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_235022ee.exe

2010-04-12 01:14 . 2010-04-12 01:14 1078 ----a-r- c:\documents and settings\Daz\Application Data\Microsoft\Installer\{6624A46E-1215-4525-A7BB-237B6C877EA9}\_120759a.exe

2010-04-07 00:00 . 2010-02-13 04:47 145832 ----a-w- c:\documents and settings\Daz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-06 23:57 . 2010-02-13 20:56 -------- d-----w- c:\program files\McAfee

2010-03-30 22:27 . 2010-02-25 05:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 22:27 . 2010-02-19 08:41 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 07:46 . 2010-02-19 08:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 07:45 . 2010-02-19 08:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-17 10:13 . 2010-03-17 10:13 -------- d-----w- c:\program files\MSBuild

2010-03-17 10:13 . 2010-03-17 10:13 -------- d-----w- c:\program files\Reference Assemblies

2010-03-15 21:43 . 2010-03-15 21:43 -------- d-----w- c:\documents and settings\Daz\Application Data\SharePod

2010-03-12 16:30 . 2010-03-12 16:30 -------- d-----w- c:\program files\AviSynth 2.5

2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\program files\eRightSoft

2010-03-12 08:43 . 2006-07-25 15:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-09 11:09 . 2004-08-11 22:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-07 07:05 . 2010-03-07 07:05 503808 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\msvcp71.dll

2010-03-07 07:05 . 2010-03-07 07:05 499712 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\jmc.dll

2010-03-07 07:05 . 2010-03-07 07:05 348160 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-775beaeb-n\msvcr71.dll

2010-03-07 07:05 . 2010-03-07 07:05 61440 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47969600-n\decora-sse.dll

2010-03-07 07:05 . 2010-03-07 07:05 12800 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47969600-n\decora-d3d.dll

2010-03-06 22:38 . 2010-03-06 22:38 -------- d-----w- c:\program files\BestGameEver

2010-03-06 20:00 . 2010-03-06 20:00 -------- d-----w- c:\program files\Elaborate Bytes

2010-03-06 19:18 . 2010-02-13 09:06 -------- d-----w- c:\program files\LIAM2_v1.2.4

2010-02-26 05:43 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-24 13:11 . 2004-08-11 22:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-21 14:54 . 2010-02-14 11:38 79488 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-20 21:07 . 2010-02-20 21:07 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-02-16 14:08 . 2004-08-11 22:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-14 02:43 . 2010-02-14 02:43 286720 ------w- c:\windows\Setup1.exe

2010-02-14 02:43 . 2010-02-14 02:43 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-02-13 23:10 . 2010-02-13 23:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-02-13 23:10 . 2010-02-13 23:10 8 --sh--r- c:\windows\system32\646ED66E7F.sys

2010-02-13 06:48 . 2004-08-11 22:14 88659 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-13 05:08 . 2010-02-13 05:08 61440 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-334455c9-n\decora-sse.dll

2010-02-13 05:08 . 2010-02-13 05:08 12800 ----a-w- c:\documents and settings\Daz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-334455c9-n\decora-d3d.dll

2010-02-13 04:47 . 2010-02-13 04:47 0 ----a-w- c:\windows\nsreg.dat

2010-02-13 01:33 . 2010-02-13 01:33 126 ----a-w- c:\documents and settings\Daz\Local Settings\Application Data\fusioncache.dat

2010-02-12 04:33 . 2004-08-11 22:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-11 22:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2006-05-03 10:06 . 2010-03-12 16:26 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2010-03-12 16:26 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2010-03-12 16:26 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2005-05-15 332800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 49152]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2010-2-13 25214]

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-25 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/13/2010 1:59 PM 93320]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 20:22]

2010-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 20:22]

2010-04-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\

FF - component: c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Daz\Application Data\Mozilla\Firefox\Profiles\07k32dna.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-23 11:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EACAC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7515f28

\Driver\ACPI -> ACPI.sys @ 0xf73a8cb8

\Driver\atapi -> atapi.sys @ 0xf733a852

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1256)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5944)

c:\windows\IME\SPGRMR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

c:\dell\E-center\gtb2.exe

c:\dell\E-center\gtb2.exe

.

**************************************************************************

.

Completion time: 2010-04-23 11:25:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-23 18:25

ComboFix2.txt 2010-04-23 15:12

Pre-Run: 66,257,575,936 bytes free

Post-Run: 66,221,965,312 bytes free

- - End Of File - - D7E5F5DD0E0182F86E6D92A4F81231BF

and MBAM

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4027

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/23/2010 11:35:45 AM

mbam-log-2010-04-23 (11-35-45).txt

Scan type: Quick scan

Objects scanned: 113821

Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Well, everything seems to be running a lot more quickly and smoothly so far. I haven't taken to browsing the internet just yet, but should I see if it works? Every time I went to Google and searched for anything, I was getting redirects to different sites that probably were infected with malware, and I haven't used it since I began the process of cleaning. My firewall and protection have been re-enabled also.


You'll be fine. I have dealt with this rootkit many times. :) You did a nice job. I wish all users were like you.

Be sure to use:

Secunia software inspector & update checker

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you and ask whether you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you, ChibiMalwareKill.
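The Internet-zone steps in the post above correspond to DWORD values under the Zones\3 key of the Internet Settings registry branch, which means the result can be checked rather than trusted. What follows is an added Python example written for this page; it is not code from the post, from Malwarebytes or from Microsoft. It parses a constructed `reg export` of that key, reports each action whose value differs from the setting the post recommends (including a value that is simply absent from the export), and builds a .reg fragment that applies the missing changes. The action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value codes (0 Enable, 1 Prompt, 3 Disable) follow Microsoft's documented zone layout (KB 182569); treat that mapping as an assumption to verify against your own IE version.

```python
"""Audit an exported IE 'Internet' zone (Zones\\3) against the lock-down
described in the post, and emit a corrective .reg fragment.
Added example; SAMPLE_REG below is constructed, not taken from the thread."""
import re

# Value codes for a zone action, per Microsoft's documented zone layout (KB 182569).
ENABLE, PROMPT, DISABLE = 0, 1, 3
VALUE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Target state from the post's step list, keyed by zone action ID (assumed mapping).
RECOMMENDED = {
    "1001": (PROMPT,  "Download signed ActiveX controls"),
    "1004": (DISABLE, "Download unsigned ActiveX controls"),
    "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (PROMPT,  "Installation of desktop items"),
    "1804": (PROMPT,  "Launching programs and files in an IFRAME"),
    "1607": (PROMPT,  "Navigate sub-frames across different domains"),
}

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed `reg export` of the Internet zone: two actions already at the
# recommended value, three still permissive, and 1607 missing from the export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000000
"CurrentLevel"=dword:00011000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(reg_text, zone_key=ZONE_KEY):
    """List (action_id, description, actual, wanted) for every deviating action.
    actual is None when the export has no value for that action at all."""
    values = parse_reg_export(reg_text).get(zone_key, {})
    deviations = []
    for action, (wanted, desc) in RECOMMENDED.items():
        actual = values.get(action)
        if actual != wanted:
            deviations.append((action, desc, actual, wanted))
    return deviations


def remediation_reg(deviations, zone_key=ZONE_KEY):
    """Build a .reg fragment that sets each deviating action to the wanted value.
    Lines starting with ';' are comments in the .reg format."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % zone_key]
    for action, desc, _actual, wanted in deviations:
        lines.append("; %s -> %s" % (desc, VALUE_NAMES[wanted]))
        lines.append('"%s"=dword:%08x' % (action, wanted))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_internet_zone(SAMPLE_REG)
    for action, desc, actual, wanted in found:
        have = "not set" if actual is None else VALUE_NAMES.get(actual, str(actual))
        print("%s %-62s is %-8s want %s" % (action, desc, have, VALUE_NAMES[wanted]))
    print(remediation_reg(found))
```

On the machine itself the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; reg.exe writes UTF-16, so open the file with `encoding="utf-16"` before passing its contents in. Two caveats: an action missing from the user's key falls back to the zone default rather than to "Disable", which is why the audit treats absence as a deviation, and if the Security_HKLM_only policy is in force IE reads the HKLM copy of the Zones key instead, so that is the one to export and audit.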



Please run TDSSKiller again and post the log as before. And

1. Download Norman TDSS Cleaner

2. Run the downloaded program to clean the infected computer from the TDSS rootkit.

3. In some cases you may be prompted to restart the computer to completely remove an infection. Please do.

4. After the scan a report will be produced on your desktop in the form of NFix_Date_Time.txt. Post its contents in a reply.

Please post both logs.


Okay. I ran the TDSS again. Here's the log:

12:10:13:093 5040 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

12:10:13:093 5040 ================================================================================

12:10:13:093 5040 SystemInfo:

12:10:13:093 5040 OS Version: 5.1.2600 ServicePack: 3.0

12:10:13:093 5040 Product type: Workstation

12:10:13:093 5040 ComputerName: HANA

12:10:13:093 5040 UserName: Daz

12:10:13:093 5040 Windows directory: C:\WINDOWS

12:10:13:093 5040 Processor architecture: Intel x86

12:10:13:093 5040 Number of processors: 2

12:10:13:093 5040 Page size: 0x1000

12:10:13:093 5040 Boot type: Normal boot

12:10:13:093 5040 ================================================================================

12:10:13:109 5040 UnloadDriverW: NtUnloadDriver error 2

12:10:13:109 5040 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

12:10:13:140 5040 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

12:10:13:140 5040 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:10:13:140 5040 wfopen_ex: Trying to KLMD file open

12:10:13:140 5040 wfopen_ex: File opened ok (Flags 2)

12:10:13:140 5040 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

12:10:13:140 5040 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:10:13:140 5040 wfopen_ex: Trying to KLMD file open

12:10:13:140 5040 wfopen_ex: File opened ok (Flags 2)

12:10:13:140 5040 Initialize success

12:10:13:140 5040

12:10:13:140 5040 Scanning Services ...

12:10:13:750 5040 Raw services enum returned 387 services

12:10:13:781 5040

12:10:13:781 5040 Scanning Kernel memory ...

12:10:13:781 5040 Devices to scan: 4

12:10:13:781 5040

12:10:13:781 5040 Driver Name: Disk

12:10:13:781 5040 IRP_MJ_CREATE : F7517BB0

12:10:13:781 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

12:10:13:781 5040 IRP_MJ_CLOSE : F7517BB0

12:10:13:781 5040 IRP_MJ_READ : F7511D1F

12:10:13:781 5040 IRP_MJ_WRITE : F7511D1F

12:10:13:796 5040 IRP_MJ_QUERY_INFORMATION : 804F4562

12:10:13:796 5040 IRP_MJ_SET_INFORMATION : 804F4562

12:10:13:796 5040 IRP_MJ_QUERY_EA : 804F4562

12:10:13:796 5040 IRP_MJ_SET_EA : 804F4562

12:10:13:796 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2

12:10:13:796 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

12:10:13:796 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

12:10:13:796 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562

12:10:13:796 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

12:10:13:796 5040 IRP_MJ_DEVICE_CONTROL : F75123BB

12:10:13:796 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

12:10:13:796 5040 IRP_MJ_SHUTDOWN : F75122E2

12:10:13:796 5040 IRP_MJ_LOCK_CONTROL : 804F4562

12:10:13:796 5040 IRP_MJ_CLEANUP : 804F4562

12:10:13:796 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562

12:10:13:796 5040 IRP_MJ_QUERY_SECURITY : 804F4562

12:10:13:796 5040 IRP_MJ_SET_SECURITY : 804F4562

12:10:13:796 5040 IRP_MJ_POWER : F7513C82

12:10:13:796 5040 IRP_MJ_SYSTEM_CONTROL : F751899E

12:10:13:796 5040 IRP_MJ_DEVICE_CHANGE : 804F4562

12:10:13:796 5040 IRP_MJ_QUERY_QUOTA : 804F4562

12:10:13:796 5040 IRP_MJ_SET_QUOTA : 804F4562

12:10:13:828 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:10:13:828 5040

12:10:13:828 5040 Driver Name: Disk

12:10:13:828 5040 IRP_MJ_CREATE : F7517BB0

12:10:13:828 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

12:10:13:828 5040 IRP_MJ_CLOSE : F7517BB0

12:10:13:828 5040 IRP_MJ_READ : F7511D1F

12:10:13:828 5040 IRP_MJ_WRITE : F7511D1F

12:10:13:828 5040 IRP_MJ_QUERY_INFORMATION : 804F4562

12:10:13:828 5040 IRP_MJ_SET_INFORMATION : 804F4562

12:10:13:828 5040 IRP_MJ_QUERY_EA : 804F4562

12:10:13:843 5040 IRP_MJ_SET_EA : 804F4562

12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2

12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : F75123BB

12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

12:10:13:843 5040 IRP_MJ_SHUTDOWN : F75122E2

12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_CLEANUP : 804F4562

12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562

12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 804F4562

12:10:13:843 5040 IRP_MJ_SET_SECURITY : 804F4562

12:10:13:843 5040 IRP_MJ_POWER : F7513C82

12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : F751899E

12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 804F4562

12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 804F4562

12:10:13:843 5040 IRP_MJ_SET_QUOTA : 804F4562

12:10:13:843 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:10:13:843 5040

12:10:13:843 5040 Driver Name: Disk

12:10:13:843 5040 IRP_MJ_CREATE : F7517BB0

12:10:13:843 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

12:10:13:843 5040 IRP_MJ_CLOSE : F7517BB0

12:10:13:843 5040 IRP_MJ_READ : F7511D1F

12:10:13:843 5040 IRP_MJ_WRITE : F7511D1F

12:10:13:843 5040 IRP_MJ_QUERY_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_SET_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_QUERY_EA : 804F4562

12:10:13:843 5040 IRP_MJ_SET_EA : 804F4562

12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2

12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : F75123BB

12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28

12:10:13:843 5040 IRP_MJ_SHUTDOWN : F75122E2

12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 804F4562

12:10:13:843 5040 IRP_MJ_CLEANUP : 804F4562

12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562

12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 804F4562

12:10:13:843 5040 IRP_MJ_SET_SECURITY : 804F4562

12:10:13:843 5040 IRP_MJ_POWER : F7513C82

12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : F751899E

12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 804F4562

12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 804F4562

12:10:13:843 5040 IRP_MJ_SET_QUOTA : 804F4562

12:10:13:843 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:10:13:843 5040

12:10:13:843 5040 Driver Name: atapi

12:10:13:843 5040 IRP_MJ_CREATE : 86EACAC8

12:10:13:843 5040 IRP_MJ_CREATE_NAMED_PIPE : 86EACAC8

12:10:13:843 5040 IRP_MJ_CLOSE : 86EACAC8

12:10:13:843 5040 IRP_MJ_READ : 86EACAC8

12:10:13:843 5040 IRP_MJ_WRITE : 86EACAC8

12:10:13:843 5040 IRP_MJ_QUERY_INFORMATION : 86EACAC8

12:10:13:843 5040 IRP_MJ_SET_INFORMATION : 86EACAC8

12:10:13:843 5040 IRP_MJ_QUERY_EA : 86EACAC8

12:10:13:843 5040 IRP_MJ_SET_EA : 86EACAC8

12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : 86EACAC8

12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 86EACAC8

12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 86EACAC8

12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_SHUTDOWN : 86EACAC8

12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_CLEANUP : 86EACAC8

12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 86EACAC8

12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 86EACAC8

12:10:13:843 5040 IRP_MJ_SET_SECURITY : 86EACAC8

12:10:13:843 5040 IRP_MJ_POWER : 86EACAC8

12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : 86EACAC8

12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 86EACAC8

12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 86EACAC8

12:10:13:843 5040 IRP_MJ_SET_QUOTA : 86EACAC8

12:10:13:843 5040 Driver "atapi" infected by TDSS rootkit!

12:10:13:906 5040 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1

12:10:13:906 5040 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...

12:10:13:906 5040 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

12:10:13:906 5040 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

12:10:14:078 5040 vfvi6

12:10:14:375 5040 !dsvbh1

12:10:22:000 5040 dsvbh2

12:10:22:000 5040 fdfb2

12:10:22:000 5040 Backup copy found, using it..

12:10:22:031 5040 will be cured on next reboot

12:10:22:031 5040 Reboot required for cure complete..

12:10:22:031 5040 Cure on reboot scheduled successfully

12:10:22:031 5040

12:10:22:031 5040 Completed

12:10:22:031 5040

12:10:22:031 5040 Results:

12:10:22:031 5040 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

12:10:22:031 5040 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:10:22:031 5040 File objects infected / cured / cured on reboot: 1 / 0 / 1

12:10:22:031 5040

12:10:22:031 5040 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

12:10:22:031 5040 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

12:10:22:031 5040 UnloadDriverW: NtUnloadDriver error 1

12:10:22:031 5040 KLMD(ARK) unloaded successfully

And here is the log for the Norman TDSS Cleaner:

Norman TDSS Cleaner

Version 1.9.1

Copyright


This topic is now closed to further replies.