ChibiMalwareKill Posted April 23, 2010 ID:237839
I don't know what's wrong with my computer. Earlier, I was surfing the internet at my school looking for a way to fix my i-pod and my computer all of a sudden started running really slow. I also kept getting re-directed to sites that were alternative search engine sites so I decided to do a quick scan using MBAM and I found that there was something infecting my computer. Here's the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4003

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/22/2010 5:54:56 PM
mbam-log-2010-04-22 (17-54-56).txt

Scan type: Quick scan
Objects scanned: 117836
Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Daz\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

I cleaned out those lovely little malwares, restarted my computer, then shut it down for the ride home.
When I got home, I opened up my laptop and decided to do another scan, but the laptop fan causes it to run slow, so I go to hibernate my computer. It gets ready to go to the hibernate screen, then refuses to hibernate and turns back on. So I do a manual restart and decide I need a little more help with this because what I'm doing isn't working and I believe there's a deeper infection in my computer that needs expert care.
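One way to turn a log in this format into something a helper can triage, as an added example that is not part of this thread or of Malwarebytes' own tooling: a parser for the MBAM 1.x log layout shown above, with the four detections from the first post embedded as a constructed sample, which pulls out the Security Center notification values that were switched off, flags the rogue executable sitting in a user profile, and cross-checks the summary counts against the items actually listed.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the MBAM 1.45 log layout (abridged); the detections are those in the first post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45
Database version: 4003
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Daz\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
"""

@dataclass
class Detection:
    category: str               # section the line was listed under, e.g. "Registry Data Items"
    target: str                 # registry value path or file path
    family: str                 # MBAM detection name, e.g. "Disabled.SecurityCenter"
    action: str                 # what MBAM did with it
    bad: Optional[str] = None   # registry data items only: value found ...
    good: Optional[str] = None  # ... and the value MBAM restores

@dataclass
class ScanReport:
    version: str = ""
    info: Dict[str, str] = field(default_factory=dict)      # "Database version", "Scan type"
    summary: Dict[str, int] = field(default_factory=dict)   # category -> count MBAM claims
    detections: List[Detection] = field(default_factory=list)

HEADER_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
KV_RE = re.compile(r"^(Database version|Scan type): (.+)$")
SUMMARY_RE = re.compile(r"^(.+) Infected: (\d+)$")
SECTION_RE = re.compile(r"^(.+) Infected:$")
# "<target> (<family>) -> [Bad: (x) Good: (y) -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

def parse_mbam_log(text: str) -> ScanReport:
    """Parse the header, the summary counts and every per-section detection line."""
    report = ScanReport()
    section = None  # current "<Category> Infected:" block; a blank line ends it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
        elif m := HEADER_RE.match(line):
            report.version = m.group(1)
        elif m := KV_RE.match(line):
            report.info[m.group(1)] = m.group(2)
        elif m := SUMMARY_RE.match(line):
            report.summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                report.detections.append(Detection(section, m["target"], m["family"],
                                                   m["action"], m["bad"], m["good"]))
    return report

def triage(report: ScanReport) -> List[str]:
    """Findings a defender acts on beyond MBAM's own 'quarantined' verdicts."""
    findings = []
    for d in report.detections:
        name = d.target.rsplit("\\", 1)[-1]
        if d.family == "Disabled.SecurityCenter":
            findings.append(f"Security Center notification {name} was {d.bad}, expected {d.good}")
        elif d.family.startswith("Rogue."):
            findings.append(f"rogue security software at {d.target}")
        # Any .exe under a user profile deserves a look whatever the family: it is a
        # user-writable location, not where legitimate installers put binaries.
        if name.lower().endswith(".exe") and "\\documents and settings\\" in d.target.lower():
            findings.append(f"executable in user profile: {d.target}")
    # Cross-check the summary block against what was actually listed per section.
    seen = Counter(d.category for d in report.detections)
    for category, claimed in report.summary.items():
        if seen[category] != claimed:
            findings.append(f"count mismatch for {category}: summary {claimed}, listed {seen[category]}")
    return findings
```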
Kenny94 Posted April 23, 2010 ID:237924
Hi ChibiMalwareKill And Welcome to Malwarebytes!

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.
Right click DeFogger then choose Run as Administrator to run the tool
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A Finished! message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Next
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click GMER.exe. If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.
ChibiMalwareKill Posted April 23, 2010 Author ID:237928
I tried running the defogger as the administrator, but I can't access it as an administrator because there's no password insert. I don't believe I ever set one up when I did a complete cleaning of my computer several months back. Is it okay to just run it normally?
Kenny94 Posted April 23, 2010 ID:237930
Yes you can run it normally...
ChibiMalwareKill Posted April 23, 2010 Author ID:237931
OK, I've run the defogger and disabled it without any problems, but it hasn't asked me if I want to restart. Should I manually restart my computer before running the GMER scan or just run the GMER scan without restarting?
Kenny94 Posted April 23, 2010 ID:237933
Yes, restart your PC, ChibiMalwareKill.
ChibiMalwareKill Posted April 23, 2010 Author ID:237934
Okay, so I ran the GMER Rootkit scan. In the middle of it, it errored and closed.
Kenny94 Posted April 23, 2010 ID:237942
Let's do this:
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------
Download ComboFix from below:
Combofix download
* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on combofix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer.
Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
The Recovery Console was successfully installed.
Click on Yes, to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
ChibiMalwareKill Posted April 23, 2010 Author ID:237964
McAfee says the ComboFix is a trojan and removed it from my desktop. Should I disable my protection before downloading again so that I can install Combofix and run it?
Kenny94 Posted April 23, 2010 ID:237967
"McAfee says the ComboFix is a trojan and removed it from my desktop. Should I disable my protection before downloading again so that I can install Combofix and run it?"
Yes please....
ChibiMalwareKill Posted April 23, 2010 Author ID:238005
OK, ran the ComboFix on my computer. This is the log I received from it:

ComboFix 10-04-21.01 - Daz 04/23/2010 7:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.686 [GMT -7:00]
Running from: c:\documents and settings\Daz\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
Kenny94 Posted April 23, 2010 ID:238010
I know your PC is running better now ChibiMalwareKill. OK, we still are not out of the woods yet. Please read the following through carefully so that you understand what to do.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field (make sure you include the quotation marks). Then press Ctrl+Shift+Enter.)

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
It may ask you to reboot the computer to complete the process. Allow it to do so.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.
ChibiMalwareKill (Author) Posted April 23, 2010 ID:238012
I also forgot to add in the above post that my security center decided that it was going to restart when my computer restarted, so I manually went in via my task manager and shut it down before ComboFix began running (I got the warning that it was running). It's been re-enabled as per the instructions of step 7. Computer is running a bit faster now, luckily, and not freezing up so much.
Kenny94 Posted April 23, 2010 ID:238014
OK, post the TDSSKiller.txt. By the way, do you use Limewire? I bet this is how your PC got infected.
ChibiMalwareKill (Author) Posted April 23, 2010 ID:238023
I don't use it all that often, just occasionally and recently. But I'm for sure removing it and never touching it again, especially after this. Here's the TDSS log:
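As an added example (not code from this thread, from the helper, or from TDSSKiller itself), a small Python triage script for a TDSSKiller.txt of the kind requested above. It relies only on the log layout the tool produces (one "HH:MM:SS:mmm pid message" event per line, a "Driver Name:" block listing each driver's IRP_MJ_* dispatch addresses, then a "Verdict" line); the function names are mine and the sample log is constructed and cut down to four IRP majors per driver.

```python
import re

# Layout of a TDSSKiller 2.2.x text log: one event per line, "HH:MM:SS:mmm <pid> <message>";
# each scanned driver is a "Driver Name:" block listing its IRP_MJ_* dispatch addresses,
# followed by a "<path>.sys - Verdict: N" line.
EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(\S+\.sys) - Verdict:\s+(\d+)$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')
RESULTS_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot:\s+(\d+) / (\d+) / (\d+)$"
)

# Constructed sample (abbreviated): disk.sys mixes its own handlers with the kernel
# default for majors it does not implement; atapi has every major pointing at one address.
SAMPLE_LOG = """\
08:45:02:984 3912 Scanning Kernel memory ...
08:45:02:984 3912 Driver Name: Disk
08:45:02:984 3912 IRP_MJ_CREATE : F7517BB0
08:45:02:984 3912 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:45:02:984 3912 IRP_MJ_READ : F7511D1F
08:45:02:984 3912 IRP_MJ_WRITE : F7511D1F
08:45:03:062 3912 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
08:45:03:125 3912 Driver Name: atapi
08:45:03:125 3912 IRP_MJ_CREATE : 86EB4AC8
08:45:03:125 3912 IRP_MJ_CREATE_NAMED_PIPE : 86EB4AC8
08:45:03:125 3912 IRP_MJ_READ : 86EB4AC8
08:45:03:125 3912 IRP_MJ_WRITE : 86EB4AC8
08:45:03:125 3912 Driver "atapi" infected by TDSS rootkit!
08:45:03:234 3912 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
08:45:14:750 3912 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
08:45:14:750 3912 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:45:14:750 3912 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""


def parse_events(text):
    """Yield (timestamp, pid, message) for each well-formed event line; skip anything else."""
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).strip()


def analyze(text):
    """Group IRP dispatch addresses per driver block and collect the tool's own findings."""
    drivers, current, reported, results = [], None, set(), {}
    for _ts, _pid, msg in parse_events(text):
        if (m := DRIVER_RE.match(msg)):
            current = {"name": m.group(1), "irp": {}, "file": None, "verdict": None}
            drivers.append(current)
        elif (m := IRP_RE.match(msg)) and current is not None:
            current["irp"][m.group(1)] = m.group(2).upper()
        elif (m := VERDICT_RE.match(msg)) and current is not None:
            current["file"], current["verdict"] = m.group(1), int(m.group(2))
        elif (m := INFECTED_RE.match(msg)):
            reported.add(m.group(1))
        elif (m := RESULTS_RE.match(msg)):
            results[m.group(1).lower()] = tuple(int(n) for n in m.group(2, 3, 4))
    return drivers, reported, results


def hooked_dispatch_tables(drivers, min_entries=4):
    """Names of drivers whose every listed IRP_MJ_* entry resolves to the same address.

    A healthy driver shows several handler addresses; one address for all majors means
    the whole dispatch table was redirected. The Verdict number alone does not separate
    the two cases (in the thread's log both disk.sys and atapi.sys carry Verdict: 1)."""
    flagged = []
    for d in drivers:
        if len(d["irp"]) >= min_entries and len(set(d["irp"].values())) == 1:
            if d["name"] not in flagged:
                flagged.append(d["name"])
    return flagged


def report(text):
    """Triage summary: hooked-looking drivers, what the tool reported, and whether a cure
    is still pending a reboot (file objects 'cured on reboot' greater than zero)."""
    drivers, reported, results = analyze(text)
    return {
        "drivers_scanned": list(dict.fromkeys(d["name"] for d in drivers)),
        "hooked_by_heuristic": hooked_dispatch_tables(drivers),
        "reported_infected": sorted(reported),
        "reboot_cure_pending": results.get("file", (0, 0, 0))[2] > 0,
        "results": results,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A pending reboot cure means the infected file is still the one on disk until the restart, so the summary flags it separately from the infection findings.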
Kenny94 Posted April 23, 2010 ID:238031
Go to Start > Control Panel > Add/Remove Programs. Please remove these entries from Add/Remove Programs in the Control Panel:
LimeWire

Run CFScript
Close any open browsers.
Open Notepad by clicking Start, click Run, type notepad into the box and click Enter. Notepad will open.
Copy and paste everything from the Code box into Notepad:

KILLALL::

File::
c:\windows\system32\646ED66E7F.sys

Folder::
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save the file to your desktop and name it CFScript.txt. Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below. This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with the Malwarebytes log.
Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next
Update and Run Malwarebytes
Launch Malwarebytes' Anti-Malware. If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
ChibiMalwareKill (Author) Posted April 23, 2010 ID:238116
Ran both ComboFix and MBAM. Here are the logs for both:
rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-04-23 11:17Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.netdevice: opened successfullyuser: MBR read successfullycalled modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EACAC8]<< kernel: MBR read successfullydetected MBR rootkit hooks:\Driver\Disk -> CLASSPNP.SYS @ 0xf7515f28\Driver\ACPI -> ACPI.sys @ 0xf73a8cb8\Driver\atapi -> atapi.sys @ 0xf733a852IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0user & kernel MBR OK **************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1256)c:\windows\system32\Ati2evxx.dll- - - - - - - > 'explorer.exe'(5944)c:\windows\IME\SPGRMR.DLL.------------------------ Other Running Processes ------------------------.c:\windows\system32\Ati2evxx.exec:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Intel\Wireless\Bin\WLKeeper.exec:\windows\system32\Ati2evxx.exec:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\progra~1\McAfee\MSC\mcmscsvc.exec:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exec:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\progra~1\McAfee\VIRUSS~1\mcshield.exec:\program files\McAfee\MPF\MPFSrv.exec:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exec:\program files\McAfee\MSK\MskSrver.exec:\program 
files\Dell\QuickSet\NICCONFIGSVC.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\windows\system32\wdfmgr.exec:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exec:\progra~1\mcafee.com\agent\mcagent.exec:\windows\system32\wscntfy.exec:\windows\stsystra.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exec:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exec:\program files\iPod\bin\iPodService.exec:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exec:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exec:\dell\E-center\gtb2.exec:\dell\E-center\gtb2.exe.**************************************************************************.Completion time: 2010-04-23 11:25:57 - machine was rebootedComboFix-quarantined-files.txt 2010-04-23 18:25ComboFix2.txt 2010-04-23 15:12Pre-Run: 66,257,575,936 bytes freePost-Run: 66,221,965,312 bytes free- - End Of File - - D7E5F5DD0E0182F86E6D92A4F81231BFand MBAMMalwarebytes' Anti-Malware 1.45www.malwarebytes.orgDatabase version: 4027Windows 5.1.2600 Service Pack 3Internet Explorer 6.0.2900.55124/23/2010 11:35:45 AMmbam-log-2010-04-23 (11-35-45).txtScan type: Quick scanObjects scanned: 113821Time elapsed: 6 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Kenny94 Posted April 23, 2010 ID:238119

How are things now?
ChibiMalwareKill Posted April 23, 2010 Author ID:238124

Well, everything seems to be running a lot more quickly and smoothly so far. I haven't taken to browsing the internet just yet, but should I see if it works? Every time I went to Google and searched for anything, I was getting redirects to different sites that probably were infected with malware, and I haven't used it since I began the process of cleaning. My firewall and protection have been re-enabled also.
Kenny94 Posted April 23, 2010 ID:238129

> Well, everything seems to be running a lot more quickly and smoothly so far. I haven't taken to browsing the internet just yet, but should I see if it works? Every time I went to Google and searched for anything, I was getting redirects to different sites that probably were infected with malware, and I haven't used it since I began the process of cleaning. My firewall and protection have been re-enabled also.

You'll be fine. I have dealt with this rootkit many times... You did a nice job. I wish all users were like you.

Be sure to use: Secunia software inspector & update checker

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware:
Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the x and /)
Please follow the prompts to uninstall Combofix.
You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers
Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.
If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust). NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol - Download and install the free version of Winpatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog: Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you ChibiMalwareKill.
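The Internet Explorer hardening steps in the post above are clicked through the Security tab by hand. As an added example (not from the forum post or from any tool it mentions), the PowerShell script below audits the same six settings for the current user's Internet zone and reports which ones drift from the recommended values, applying them only if run with -Fix. It assumes the standard per-user zone key and the documented IE URL-action value names (1001, 1004, 1201, 1800, 1804, 1607), where 0 means Enable, 1 Prompt and 3 Disable; settings enforced by Group Policy live under a different key and are not covered here.

```powershell
# Added example: audit (and optionally apply) the six Internet-zone settings the post recommends.
# Zone 3 is the Internet zone; values are stored per user under this key.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state, exactly as listed in the post. Value names are IE's URL-action ids.
$desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$valueName) {
    # Returns $null when the value is absent (IE then falls back to the zone's built-in default).
    try { (Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction Stop).$valueName }
    catch { $null }
}

$drift = @()
foreach ($id in ($desired.Keys | Sort-Object)) {
    $current = Get-ZoneSetting $id
    $want    = $desired[$id].Value
    $status  = if ($current -eq $want) { 'OK' } else { 'DRIFT'; $drift += $id }
    $curLabel = if ($null -eq $current) { '(not set)' }
                elseif ($labels.ContainsKey([int]$current)) { $labels[[int]$current] }
                else { "raw $current" }
    '{0,-5} {1,-6} {2,-66} current={3,-10} desired={4}' -f $id, $status, $desired[$id].Name, $curLabel, $labels[$want]
}

# Only write to the registry when explicitly asked for; the audit itself is read-only.
if ($args -contains '-Fix' -and $drift.Count -gt 0) {
    foreach ($id in $drift) {
        Set-ItemProperty -Path $zonePath -Name $id -Value $desired[$id].Value -Type DWord
    }
    "Applied {0} setting(s); restart Internet Explorer for them to take effect." -f $drift.Count
}
```

Run it as the user whose profile you want to check; without -Fix it only prints a DRIFT/OK line per setting, which is the form you would keep for a periodic check after a cleanup like the one in this thread.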
Kenny94 Posted April 23, 2010 ID:238140

Hold on ChibiMalwareKill. Something just caught my eye.
ChibiMalwareKill Posted April 23, 2010 Author ID:238143

Thank you very much for all your help! My computer is running a lot smoother and much better than it has been in weeks. Just one more little question: is it okay to re-enable the defogger, since my computer is clean?
ChibiMalwareKill Posted April 23, 2010 Author ID:238144

Ooh, ok. I haven't done anything with my computer yet so fire away.
Kenny94 Posted April 23, 2010 ID:238154

Please run TDSSKiller again and post the log as before. And

1. Download Norman TDSS Cleaner
2. Run the downloaded program to clean the infected computer from the TDSS rootkit.
3. In some cases you may be prompted to restart the computer to completely remove an infection. Please do.
4. After the scan a report will be produced on your desktop in the form of NFix_Date_Time.txt. Post its contents in a reply.

Please post both logs.
ChibiMalwareKill Posted April 23, 2010 Author ID:238165

Okay. I ran the TDSS again. Here's the log:

12:10:13:093 5040 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:10:13:093 5040 ================================================================================
12:10:13:093 5040 SystemInfo:
12:10:13:093 5040 OS Version: 5.1.2600 ServicePack: 3.0
12:10:13:093 5040 Product type: Workstation
12:10:13:093 5040 ComputerName: HANA
12:10:13:093 5040 UserName: Daz
12:10:13:093 5040 Windows directory: C:\WINDOWS
12:10:13:093 5040 Processor architecture: Intel x86
12:10:13:093 5040 Number of processors: 2
12:10:13:093 5040 Page size: 0x1000
12:10:13:093 5040 Boot type: Normal boot
12:10:13:093 5040 ================================================================================
12:10:13:109 5040 UnloadDriverW: NtUnloadDriver error 2
12:10:13:109 5040 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:10:13:140 5040 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:10:13:140 5040 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:10:13:140 5040 wfopen_ex: Trying to KLMD file open
12:10:13:140 5040 wfopen_ex: File opened ok (Flags 2)
12:10:13:140 5040 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:10:13:140 5040 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:10:13:140 5040 wfopen_ex: Trying to KLMD file open
12:10:13:140 5040 wfopen_ex: File opened ok (Flags 2)
12:10:13:140 5040 Initialize success
12:10:13:140 5040 
12:10:13:140 5040 Scanning Services ...
12:10:13:750 5040 Raw services enum returned 387 services
12:10:13:781 5040 
12:10:13:781 5040 Scanning Kernel memory ...
12:10:13:781 5040 Devices to scan: 4
12:10:13:781 5040 
12:10:13:781 5040 Driver Name: Disk
12:10:13:781 5040 IRP_MJ_CREATE : F7517BB0
12:10:13:781 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:13:781 5040 IRP_MJ_CLOSE : F7517BB0
12:10:13:781 5040 IRP_MJ_READ : F7511D1F
12:10:13:781 5040 IRP_MJ_WRITE : F7511D1F
12:10:13:796 5040 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:13:796 5040 IRP_MJ_SET_INFORMATION : 804F4562
12:10:13:796 5040 IRP_MJ_QUERY_EA : 804F4562
12:10:13:796 5040 IRP_MJ_SET_EA : 804F4562
12:10:13:796 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2
12:10:13:796 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:13:796 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:13:796 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:13:796 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:13:796 5040 IRP_MJ_DEVICE_CONTROL : F75123BB
12:10:13:796 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28
12:10:13:796 5040 IRP_MJ_SHUTDOWN : F75122E2
12:10:13:796 5040 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:13:796 5040 IRP_MJ_CLEANUP : 804F4562
12:10:13:796 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:13:796 5040 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:13:796 5040 IRP_MJ_SET_SECURITY : 804F4562
12:10:13:796 5040 IRP_MJ_POWER : F7513C82
12:10:13:796 5040 IRP_MJ_SYSTEM_CONTROL : F751899E
12:10:13:796 5040 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:13:796 5040 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:13:796 5040 IRP_MJ_SET_QUOTA : 804F4562
12:10:13:828 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:13:828 5040 
12:10:13:828 5040 Driver Name: Disk
12:10:13:828 5040 IRP_MJ_CREATE : F7517BB0
12:10:13:828 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:13:828 5040 IRP_MJ_CLOSE : F7517BB0
12:10:13:828 5040 IRP_MJ_READ : F7511D1F
12:10:13:828 5040 IRP_MJ_WRITE : F7511D1F
12:10:13:828 5040 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:13:828 5040 IRP_MJ_SET_INFORMATION : 804F4562
12:10:13:828 5040 IRP_MJ_QUERY_EA : 804F4562
12:10:13:843 5040 IRP_MJ_SET_EA : 804F4562
12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2
12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : F75123BB
12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28
12:10:13:843 5040 IRP_MJ_SHUTDOWN : F75122E2
12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_CLEANUP : 804F4562
12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:13:843 5040 IRP_MJ_SET_SECURITY : 804F4562
12:10:13:843 5040 IRP_MJ_POWER : F7513C82
12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : F751899E
12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:13:843 5040 IRP_MJ_SET_QUOTA : 804F4562
12:10:13:843 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:13:843 5040 
12:10:13:843 5040 Driver Name: Disk
12:10:13:843 5040 IRP_MJ_CREATE : F7517BB0
12:10:13:843 5040 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:13:843 5040 IRP_MJ_CLOSE : F7517BB0
12:10:13:843 5040 IRP_MJ_READ : F7511D1F
12:10:13:843 5040 IRP_MJ_WRITE : F7511D1F
12:10:13:843 5040 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_SET_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_QUERY_EA : 804F4562
12:10:13:843 5040 IRP_MJ_SET_EA : 804F4562
12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : F75122E2
12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : F75123BB
12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7515F28
12:10:13:843 5040 IRP_MJ_SHUTDOWN : F75122E2
12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:13:843 5040 IRP_MJ_CLEANUP : 804F4562
12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:13:843 5040 IRP_MJ_SET_SECURITY : 804F4562
12:10:13:843 5040 IRP_MJ_POWER : F7513C82
12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : F751899E
12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:13:843 5040 IRP_MJ_SET_QUOTA : 804F4562
12:10:13:843 5040 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:13:843 5040 
12:10:13:843 5040 Driver Name: atapi
12:10:13:843 5040 IRP_MJ_CREATE : 86EACAC8
12:10:13:843 5040 IRP_MJ_CREATE_NAMED_PIPE : 86EACAC8
12:10:13:843 5040 IRP_MJ_CLOSE : 86EACAC8
12:10:13:843 5040 IRP_MJ_READ : 86EACAC8
12:10:13:843 5040 IRP_MJ_WRITE : 86EACAC8
12:10:13:843 5040 IRP_MJ_QUERY_INFORMATION : 86EACAC8
12:10:13:843 5040 IRP_MJ_SET_INFORMATION : 86EACAC8
12:10:13:843 5040 IRP_MJ_QUERY_EA : 86EACAC8
12:10:13:843 5040 IRP_MJ_SET_EA : 86EACAC8
12:10:13:843 5040 IRP_MJ_FLUSH_BUFFERS : 86EACAC8
12:10:13:843 5040 IRP_MJ_QUERY_VOLUME_INFORMATION : 86EACAC8
12:10:13:843 5040 IRP_MJ_SET_VOLUME_INFORMATION : 86EACAC8
12:10:13:843 5040 IRP_MJ_DIRECTORY_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_FILE_SYSTEM_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_DEVICE_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_SHUTDOWN : 86EACAC8
12:10:13:843 5040 IRP_MJ_LOCK_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_CLEANUP : 86EACAC8
12:10:13:843 5040 IRP_MJ_CREATE_MAILSLOT : 86EACAC8
12:10:13:843 5040 IRP_MJ_QUERY_SECURITY : 86EACAC8
12:10:13:843 5040 IRP_MJ_SET_SECURITY : 86EACAC8
12:10:13:843 5040 IRP_MJ_POWER : 86EACAC8
12:10:13:843 5040 IRP_MJ_SYSTEM_CONTROL : 86EACAC8
12:10:13:843 5040 IRP_MJ_DEVICE_CHANGE : 86EACAC8
12:10:13:843 5040 IRP_MJ_QUERY_QUOTA : 86EACAC8
12:10:13:843 5040 IRP_MJ_SET_QUOTA : 86EACAC8
12:10:13:843 5040 Driver "atapi" infected by TDSS rootkit!
12:10:13:906 5040 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
12:10:13:906 5040 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
12:10:13:906 5040 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:10:13:906 5040 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:10:14:078 5040 vfvi6
12:10:14:375 5040 !dsvbh1
12:10:22:000 5040 dsvbh2
12:10:22:000 5040 fdfb2
12:10:22:000 5040 Backup copy found, using it..
12:10:22:031 5040 will be cured on next reboot
12:10:22:031 5040 Reboot required for cure complete..
12:10:22:031 5040 Cure on reboot scheduled successfully
12:10:22:031 5040 
12:10:22:031 5040 Completed
12:10:22:031 5040 
12:10:22:031 5040 Results:
12:10:22:031 5040 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:10:22:031 5040 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:10:22:031 5040 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:10:22:031 5040 
12:10:22:031 5040 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:10:22:031 5040 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:10:22:031 5040 UnloadDriverW: NtUnloadDriver error 1
12:10:22:031 5040 KLMD(ARK) unloaded successfully

And here is the log for the Norman TDSS Cleaner:

Norman TDSS Cleaner
Version 1.9.1
Copyright