
Multiple viruses, including Rootkit.TDSS



Hey guys, I got infected while trying to watch a clip of a TV show online. First my AVG popped up with a virus warning. When I told it to clean it up, the computer screen flashed blue and shut down. I booted into safe mode, disabled the internet connection and ran both Malwarebytes and Spybot Search and Destroy one after the other.

I then rebooted the computer into normal Windows and got a message saying my hardware had changed significantly and I needed to revalidate Windows. I ignored this and ran Malwarebytes twice more. The first time it found nothing, then the second time it found two more. Now it comes up with nothing, but I still have several suspicious processes and the Windows error, and I think I'm still infected. Here is the DDS log. The other logs requested are attached, and I've also attached in a zip my Malwarebytes logs and Spybot Search and Destroy log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Dom at 13:46:00.73 on 04/05/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1488 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe

C:\Documents and Settings\Dom\Desktop\Defogger.exe

C:\Documents and Settings\Dom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264625361687

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dom\applic~1\mozilla\firefox\profiles\g9qc68rb.default\

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-27 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-27 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-27 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\drivers\aveodcnt.sys [2010-1-29 171520]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-1-27 176128]

S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2010-1-27 13532]

=============== Created Last 30 ================

2010-05-04 12:37:15 0 ----a-w- c:\documents and settings\dom\defogger_reenable

2010-05-04 01:09:32 171008 ----a-w- c:\windows\Sbusoa.exe

2010-05-04 01:09:19 0 d-----w- c:\docume~1\dom\applic~1\8E09B4C51A71E6E0CDB9A9A45BD814B6

2010-04-25 23:21:40 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-04-22 13:32:26 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-25 21:40:32 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 14:07:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 14:06:59 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 13:46:26.00 ===============

ark___attach.zip

MBAM_logs_and_Spybot_log.zip


Hi Dom, and welcome to Malwarebytes!

Your PC has a rootkit that has replaced your IDE driver file nvata.sys with malware.

Kaspersky has a tool called TDSSKiller that has done well removing this rootkit, so let's try it first. Run it in normal mode please.

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


First, thanks very much for taking the time out to help. OK, so I've also run ComboFix.exe after posting, as it was suggested by a friend, then I ran the second program some time later, without rebooting the computer. When I did then reboot, Windows ran a scandisk which was done instantly. The Windows countdown is still running and now I only have 2 days to reactivate Windows. It would seem my computer is genuinely confused and still infected. Here is the log for TDSSKiller, and I've attached the ComboFix log in case it is needed.

03:00:20:484 2700 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

03:00:20:484 2700 ================================================================================

03:00:20:484 2700 SystemInfo:

03:00:20:484 2700 OS Version: 5.1.2600 ServicePack: 3.0

03:00:20:484 2700 Product type: Workstation

03:00:20:484 2700 ComputerName: DOMSPALACE

03:00:20:484 2700 UserName: Dom

03:00:20:484 2700 Windows directory: C:\WINDOWS

03:00:20:484 2700 Processor architecture: Intel x86

03:00:20:484 2700 Number of processors: 2

03:00:20:484 2700 Page size: 0x1000

03:00:20:484 2700 Boot type: Normal boot

03:00:20:484 2700 ================================================================================

03:00:20:484 2700 UnloadDriverW: NtUnloadDriver error 2

03:00:20:484 2700 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

03:00:20:515 2700 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

03:00:20:515 2700 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

03:00:20:515 2700 wfopen_ex: Trying to KLMD file open

03:00:20:515 2700 wfopen_ex: File opened ok (Flags 2)

03:00:20:515 2700 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

03:00:20:515 2700 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

03:00:20:515 2700 wfopen_ex: Trying to KLMD file open

03:00:20:515 2700 wfopen_ex: File opened ok (Flags 2)

03:00:20:515 2700 Initialize success

03:00:20:515 2700

03:00:20:515 2700 Scanning Services ...

03:00:20:546 2700 Raw services enum returned 320 services

03:00:20:546 2700

03:00:20:546 2700 Scanning Kernel memory ...

03:00:20:546 2700 Devices to scan: 4

03:00:20:546 2700

03:00:20:546 2700 Driver Name: Disk

03:00:20:546 2700 IRP_MJ_CREATE : B810EBB0

03:00:20:546 2700 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

03:00:20:546 2700 IRP_MJ_CLOSE : B810EBB0

03:00:20:546 2700 IRP_MJ_READ : B8108D1F

03:00:20:546 2700 IRP_MJ_WRITE : B8108D1F

03:00:20:546 2700 IRP_MJ_QUERY_INFORMATION : 804F4562

03:00:20:546 2700 IRP_MJ_SET_INFORMATION : 804F4562

03:00:20:546 2700 IRP_MJ_QUERY_EA : 804F4562

03:00:20:546 2700 IRP_MJ_SET_EA : 804F4562

03:00:20:546 2700 IRP_MJ_FLUSH_BUFFERS : B81092E2

03:00:20:546 2700 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

03:00:20:546 2700 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

03:00:20:546 2700 IRP_MJ_DIRECTORY_CONTROL : 804F4562

03:00:20:546 2700 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

03:00:20:546 2700 IRP_MJ_DEVICE_CONTROL : B81093BB

03:00:20:546 2700 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28

03:00:20:546 2700 IRP_MJ_SHUTDOWN : B81092E2

03:00:20:546 2700 IRP_MJ_LOCK_CONTROL : 804F4562

03:00:20:546 2700 IRP_MJ_CLEANUP : 804F4562

03:00:20:546 2700 IRP_MJ_CREATE_MAILSLOT : 804F4562

03:00:20:546 2700 IRP_MJ_QUERY_SECURITY : 804F4562

03:00:20:546 2700 IRP_MJ_SET_SECURITY : 804F4562

03:00:20:546 2700 IRP_MJ_POWER : B810AC82

03:00:20:546 2700 IRP_MJ_SYSTEM_CONTROL : B810F99E

03:00:20:546 2700 IRP_MJ_DEVICE_CHANGE : 804F4562

03:00:20:546 2700 IRP_MJ_QUERY_QUOTA : 804F4562

03:00:20:546 2700 IRP_MJ_SET_QUOTA : 804F4562

03:00:20:593 2700 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

03:00:20:593 2700

03:00:20:593 2700 Driver Name: USBSTOR

03:00:20:593 2700 IRP_MJ_CREATE : B83A5218

03:00:20:593 2700 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

03:00:20:593 2700 IRP_MJ_CLOSE : B83A5218

03:00:20:593 2700 IRP_MJ_READ : B83A523C

03:00:20:593 2700 IRP_MJ_WRITE : B83A523C

03:00:20:593 2700 IRP_MJ_QUERY_INFORMATION : 804F4562

03:00:20:593 2700 IRP_MJ_SET_INFORMATION : 804F4562

03:00:20:593 2700 IRP_MJ_QUERY_EA : 804F4562

03:00:20:593 2700 IRP_MJ_SET_EA : 804F4562

03:00:20:593 2700 IRP_MJ_FLUSH_BUFFERS : 804F4562

03:00:20:593 2700 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

03:00:20:593 2700 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

03:00:20:593 2700 IRP_MJ_DIRECTORY_CONTROL : 804F4562

03:00:20:593 2700 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

03:00:20:593 2700 IRP_MJ_DEVICE_CONTROL : B83A5180

03:00:20:593 2700 IRP_MJ_INTERNAL_DEVICE_CONTROL : B83A09E6

03:00:20:593 2700 IRP_MJ_SHUTDOWN : 804F4562

03:00:20:593 2700 IRP_MJ_LOCK_CONTROL : 804F4562

03:00:20:593 2700 IRP_MJ_CLEANUP : 804F4562

03:00:20:593 2700 IRP_MJ_CREATE_MAILSLOT : 804F4562

03:00:20:593 2700 IRP_MJ_QUERY_SECURITY : 804F4562

03:00:20:593 2700 IRP_MJ_SET_SECURITY : 804F4562

03:00:20:593 2700 IRP_MJ_POWER : B83A45F0

03:00:20:593 2700 IRP_MJ_SYSTEM_CONTROL : B83A2A6E

03:00:20:593 2700 IRP_MJ_DEVICE_CHANGE : 804F4562

03:00:20:593 2700 IRP_MJ_QUERY_QUOTA : 804F4562

03:00:20:593 2700 IRP_MJ_SET_QUOTA : 804F4562

03:00:20:609 2700 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

03:00:20:609 2700

03:00:20:609 2700 Driver Name: Disk

03:00:20:609 2700 IRP_MJ_CREATE : B810EBB0

03:00:20:609 2700 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

03:00:20:609 2700 IRP_MJ_CLOSE : B810EBB0

03:00:20:609 2700 IRP_MJ_READ : B8108D1F

03:00:20:609 2700 IRP_MJ_WRITE : B8108D1F

03:00:20:609 2700 IRP_MJ_QUERY_INFORMATION : 804F4562

03:00:20:609 2700 IRP_MJ_SET_INFORMATION : 804F4562

03:00:20:609 2700 IRP_MJ_QUERY_EA : 804F4562

03:00:20:609 2700 IRP_MJ_SET_EA : 804F4562

03:00:20:609 2700 IRP_MJ_FLUSH_BUFFERS : B81092E2

03:00:20:609 2700 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

03:00:20:609 2700 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

03:00:20:609 2700 IRP_MJ_DIRECTORY_CONTROL : 804F4562

03:00:20:609 2700 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

03:00:20:609 2700 IRP_MJ_DEVICE_CONTROL : B81093BB

03:00:20:609 2700 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28

03:00:20:609 2700 IRP_MJ_SHUTDOWN : B81092E2

03:00:20:609 2700 IRP_MJ_LOCK_CONTROL : 804F4562

03:00:20:609 2700 IRP_MJ_CLEANUP : 804F4562

03:00:20:609 2700 IRP_MJ_CREATE_MAILSLOT : 804F4562

03:00:20:609 2700 IRP_MJ_QUERY_SECURITY : 804F4562

03:00:20:609 2700 IRP_MJ_SET_SECURITY : 804F4562

03:00:20:609 2700 IRP_MJ_POWER : B810AC82

03:00:20:609 2700 IRP_MJ_SYSTEM_CONTROL : B810F99E

03:00:20:609 2700 IRP_MJ_DEVICE_CHANGE : 804F4562

03:00:20:609 2700 IRP_MJ_QUERY_QUOTA : 804F4562

03:00:20:609 2700 IRP_MJ_SET_QUOTA : 804F4562

03:00:20:609 2700 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

03:00:20:609 2700

03:00:20:609 2700 Driver Name: nvata

03:00:20:609 2700 IRP_MJ_CREATE : B7EF1894

03:00:20:609 2700 IRP_MJ_CREATE_NAMED_PIPE : B7EF1874

03:00:20:609 2700 IRP_MJ_CLOSE : B7EF1894

03:00:20:609 2700 IRP_MJ_READ : B7EF1874

03:00:20:609 2700 IRP_MJ_WRITE : B7EF1874

03:00:20:609 2700 IRP_MJ_QUERY_INFORMATION : B7EF1874

03:00:20:609 2700 IRP_MJ_SET_INFORMATION : B7EF1874

03:00:20:609 2700 IRP_MJ_QUERY_EA : B7EF1874

03:00:20:609 2700 IRP_MJ_SET_EA : B7EF1874

03:00:20:609 2700 IRP_MJ_FLUSH_BUFFERS : B7EF1874

03:00:20:609 2700 IRP_MJ_QUERY_VOLUME_INFORMATION : B7EF1874

03:00:20:609 2700 IRP_MJ_SET_VOLUME_INFORMATION : B7EF1874

03:00:20:609 2700 IRP_MJ_DIRECTORY_CONTROL : B7EF1874

03:00:20:609 2700 IRP_MJ_FILE_SYSTEM_CONTROL : B7EF1874

03:00:20:609 2700 IRP_MJ_DEVICE_CONTROL : B7EF18AE

03:00:20:609 2700 IRP_MJ_INTERNAL_DEVICE_CONTROL : B7EF1D6E

03:00:20:609 2700 IRP_MJ_SHUTDOWN : B7EF1874

03:00:20:609 2700 IRP_MJ_LOCK_CONTROL : B7EF1874

03:00:20:609 2700 IRP_MJ_CLEANUP : B7EF1874

03:00:20:609 2700 IRP_MJ_CREATE_MAILSLOT : B7EF1874

03:00:20:609 2700 IRP_MJ_QUERY_SECURITY : B7EF1874

03:00:20:609 2700 IRP_MJ_SET_SECURITY : B7EF1874

03:00:20:609 2700 IRP_MJ_POWER : B7EF1D0E

03:00:20:609 2700 IRP_MJ_SYSTEM_CONTROL : B7EF1A9C

03:00:20:609 2700 IRP_MJ_DEVICE_CHANGE : B7EF1874

03:00:20:609 2700 IRP_MJ_QUERY_QUOTA : B7EF1874

03:00:20:609 2700 IRP_MJ_SET_QUOTA : B7EF1874

03:00:20:640 2700 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1

03:00:20:640 2700

03:00:20:640 2700 Completed

03:00:20:640 2700

03:00:20:640 2700 Results:

03:00:20:640 2700 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

03:00:20:640 2700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

03:00:20:640 2700 File objects infected / cured / cured on reboot: 0 / 0 / 0

03:00:20:640 2700

03:00:20:640 2700 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

03:00:20:640 2700 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

03:00:20:640 2700 KLMD(ARK) unloaded successfully

combofix_log.zip

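The TDSSKiller log above dumps each storage driver's IRP dispatch table (one address per IRP_MJ_* major function). Disk and USBSTOR route the majors they do not implement to one shared kernel address (804F4562 in this log), while nvata routes every single major to its own code, which is the pattern the helper attributes to the replaced nvata.sys. The following is an added triage script, not part of the thread and not Kaspersky's tooling: it parses a verbose TDSSKiller log, works out which handler address is shared across drivers, and flags any driver whose table never uses it. The heuristic is an assumption for illustration, and the embedded sample log is a constructed excerpt in the same format as the log posted above.

```python
"""Triage helper for TDSSKiller-style 'Scanning Kernel memory' logs.

Added example (not from the thread, not from Kaspersky). It parses the
per-driver IRP_MJ_* dispatch-table dump that TDSSKiller writes with -v and
flags drivers whose table contains no entry pointing at the handler address
shared by the other drivers. Heuristic only: confirm a hit by comparing the
driver file against a known-good copy before acting on it.
"""
import re
from collections import Counter

# Log lines look like: "<hh:mm:ss:ms> <pid> IRP_MJ_READ : B8108D1F"
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"^\S+ \d+ (\S+) - Verdict: (\d+)")

# Constructed excerpt in the format of the thread's log (addresses taken from it).
SAMPLE_LOG = r"""
03:00:20:546 2700 Driver Name: Disk
03:00:20:546 2700 IRP_MJ_CREATE : B810EBB0
03:00:20:546 2700 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
03:00:20:546 2700 IRP_MJ_READ : B8108D1F
03:00:20:546 2700 IRP_MJ_QUERY_EA : 804F4562
03:00:20:593 2700 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
03:00:20:593 2700 Driver Name: USBSTOR
03:00:20:593 2700 IRP_MJ_CREATE : B83A5218
03:00:20:593 2700 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
03:00:20:593 2700 IRP_MJ_READ : B83A523C
03:00:20:609 2700 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
03:00:20:609 2700 Driver Name: nvata
03:00:20:609 2700 IRP_MJ_CREATE : B7EF1894
03:00:20:609 2700 IRP_MJ_CREATE_NAMED_PIPE : B7EF1874
03:00:20:609 2700 IRP_MJ_READ : B7EF1874
03:00:20:609 2700 IRP_MJ_QUERY_EA : B7EF1874
03:00:20:640 2700 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1
"""


def parse_dispatch_tables(log_text):
    """Return {driver: {"irps": {major: addr}, "file": path, "verdict": int}}.

    A driver listed twice (Disk appears twice in the thread's log) keeps the
    table printed last.
    """
    drivers = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            current = m.group(1)
            drivers[current] = {"irps": {}, "file": None, "verdict": None}
            continue
        if current is None:
            continue
        m = IRP_RE.match(line)
        if m:
            drivers[current]["irps"][m.group(1)] = m.group(2).upper()
            continue
        m = VERDICT_RE.match(line)
        if m:
            drivers[current]["file"] = m.group(1)
            drivers[current]["verdict"] = int(m.group(2))
            current = None  # table for this driver is complete
    return drivers


def shared_default_handler(drivers):
    """Address present in the most distinct drivers' tables, or None.

    Assumption: the kernel's catch-all for unimplemented majors is one address
    reused by every driver that relies on it, so it is the most widely shared.
    """
    seen_in = Counter()
    for d in drivers.values():
        for addr in set(d["irps"].values()):
            seen_in[addr] += 1
    if not seen_in:
        return None
    addr, count = seen_in.most_common(1)[0]
    return addr if count > 1 else None


def triage(log_text):
    """Parse the log and flag drivers whose table never uses the shared handler."""
    drivers = parse_dispatch_tables(log_text)
    default = shared_default_handler(drivers)
    flagged = []
    if default is not None:  # with a single driver there is no baseline
        for name, d in drivers.items():
            if d["irps"] and default not in d["irps"].values():
                flagged.append(name)
    return {
        "default_handler": default,
        "flagged": sorted(flagged),
        "files": {name: d["file"] for name, d in drivers.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("shared default handler:", result["default_handler"])
    for name in result["flagged"]:
        print("review dispatch table of", name, "->", result["files"][name])
```

Run against a real `C:\TDSSKiller.txt`, read the file and pass its text to `triage()`. A flagged driver is a lead, not a verdict: some legitimate drivers implement every major themselves, so the next step is to hash the flagged file and compare it with a clean copy of the same version rather than deleting it on the strength of this check.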

Hi Dom

ComboFix is a very powerful tool intended by its creator (sUBs) to be "used under the guidance and supervision of an expert", NOT for private use.

http://www.bleepingcomputer.com/forums/topic273628.html

The windows countdown is still running and now I only have 2 days to reactivate windows. It would seem my computer is genuinely confused and still infected.

Let's look at something and see what we have.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Next

Please run the MGA Diagnostic Tool and post back the report it creates:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


Ah, lesson learned, hopefully not too late. Also, any idea when it will be safe to connect to the internet on the PC in question?

Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->

Validation Status: Not Activated

Validation Code: 1

Cached Validation Code: N/A

Windows Product Key: *****-*****-BTV99-JQ333-JV6J3

Windows Product Key Hash: UOVqBbdUepw9Ye/1P7caV+7dQk4=

Windows Product ID: 76487-339-3550895-22585

Windows Product ID Type: 5

Windows License Type: Retail

Windows OS version: 5.1.2600.2.00010100.3.0.pro

ID: {39932185-5E38-46DE-BD46-73BE1345FF38}(3)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: Registered, 1.9.9.1

Signed By: Microsoft

Product Name: N/A

Architecture: N/A

Build lab: N/A

TTS Error: N/A

Validation Diagnostic: 025D1FF3-230-1_025D1FF3-238-2_025D1FF3-258-3

Resolution Status: N/A

Vista WgaER Data-->

ThreatID(s): N/A

Version: N/A

Windows XP Notifications Data-->

Cached Result: N/A, hr = 0x80070002

File Exists: No

Version: N/A, hr = 0x80070002

WgaTray.exe Signed By: N/A, hr = 0x80070002

WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->

Office Status: 109 N/A

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1_025D1FF3-238-2_025D1FF3-258-3

Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{39932185-5E38-46DE-BD46-73BE1345FF38}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-JV6J3</PKey><PID>76487-339-3550895-22585</PID><PIDType>5</PIDType><SID>S-1-5-21-789336058-261478967-682003330</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS M2N32-SLI DELUXE ACPI BIOS Revision 1701</Version><SMBIOSVersion major="2" minor="4"/><Date>20071226000000.000000+000</Date></BIOS><HWID>2B02307701848B76</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->

N/A

Windows Activation Technologies-->

N/A

HWID Data-->

N/A

OEM Activation 1.0 Data-->

BIOS string matches: no

Marker string from BIOS: N/A

Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->

N/A


Revalidated, and here is the new log.

Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->

Validation Status: Genuine

Validation Code: 0

Cached Validation Code: N/A

Windows Product Key: *****-*****-BTV99-JQ333-JV6J3

Windows Product Key Hash: UOVqBbdUepw9Ye/1P7caV+7dQk4=

Windows Product ID: 76487-339-3550895-22585

Windows Product ID Type: 5

Windows License Type: Retail

Windows OS version: 5.1.2600.2.00010100.3.0.pro

ID: {39932185-5E38-46DE-BD46-73BE1345FF38}(3)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: Registered, 1.9.9.1

Signed By: Microsoft

Product Name: N/A

Architecture: N/A

Build lab: N/A

TTS Error: N/A

Validation Diagnostic: 025D1FF3-230-1

Resolution Status: N/A

Vista WgaER Data-->

ThreatID(s): N/A

Version: N/A

Windows XP Notifications Data-->

Cached Result: N/A, hr = 0x80070002

File Exists: No

Version: N/A, hr = 0x80070002

WgaTray.exe Signed By: N/A, hr = 0x80070002

WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->

Office Status: 109 N/A

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{39932185-5E38-46DE-BD46-73BE1345FF38}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-JV6J3</PKey><PID>76487-339-3550895-22585</PID><PIDType>5</PIDType><SID>S-1-5-21-789336058-261478967-682003330</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS M2N32-SLI DELUXE ACPI BIOS Revision 1701</Version><SMBIOSVersion major="2" minor="4"/><Date>20071226000000.000000+000</Date></BIOS><HWID>2B02307701848B76</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->

N/A

Windows Activation Technologies-->

N/A

HWID Data-->

N/A

OEM Activation 1.0 Data-->

BIOS string matches: no

Marker string from BIOS: N/A

Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->

N/A


Note: You should remove LimeWire. Using P2P (peer-to-peer) software is very risky, because it makes you very susceptible to infection, attack, and exposure of personal or company information. But it is up to you whether to remove LimeWire.

Also, uTorrent is still allowed access through your firewall. Do you want me to write a script to remove all of these?

I would remove all of LimeWire and uTorrent. These are an invitation for the TDSS rootkit. Let me know what you want to do, Dom.


Will removing them using Control Panel work OK? Because if so, don't worry about writing the script. And should I worry about the mass of extra svchost processes (I have 6) and ones beginning with avg? (Also, will I have used up a Windows code by revalidating it?)


The svchost processes are fine. I have 7 going as well.

Also, will I have used up a Windows code by revalidating it?

Not at all.... :angry: OK... The rootkit is gone. Let's run Malwarebytes and do an online scan to look for any remnants.

Update and run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the online scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply, please include these log(s):

MBAM Report

EsetOnlineScanner\log.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


OK, now I was temporarily possessed by an idiot and, after running the scan, copied the viruses and then uninstalled without getting the log, so I had to do it again... I've posted the results of the first scan and then the log of the second.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\40\6e8db028-7503d594 OSX/Exploit.Smid.B trojan

C:\Qoobox\Quarantine\C\WINDOWS\Sbusoa.exe.vir a variant of Win32/Kryptik.EBP trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\avgldx86.sys.vir Win32/Patched.EQ trojan

Now the results of the second search:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=746b8caee295c54f992a4fe563e420c6

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-05 06:23:53

# local_time=2010-05-05 07:23:53 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777175 100 0 8454431 8454431 0 0

# compatibility_mode=6401 16777213 66 100 4465 1345469 0 0

# compatibility_mode=8192 67108863 100 0 4476 4476 0 0

# scanned=45653

# found=7

# cleaned=0

# scan_time=3435

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I

C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-77e87e3d a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\40\6e8db028-7503d594 OSX/Exploit.Smid.B trojan 00000000000000000000000000000000 I

C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-10a09c08 a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\Sbusoa.exe.vir a variant of Win32/Kryptik.EBP trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\avgldx86.sys.vir Win32/Patched.EQ trojan 00000000000000000000000000000000 I

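A note on reading the log above: the header says found=7 but cleaned=0 and remove_checked=false, so ESET only reported, it removed nothing. Four of the seven hits are inside the ComboFix quarantine (C:\Qoobox\Quarantine) and Spybot recovery folders, i.e. copies that are already contained, and the three remaining live items all sit in the Java deployment cache. The parser below is an added example and is not code from the post or from ESET: it reads a log in the version-7 format quoted above (the sample lines are copied from the post) and separates quarantine hits from live ones. The list of quarantine folders and the way a threat name is located (the first token containing "/", since Windows paths only use backslashes) are my own assumptions.

```python
"""Parse an ESET Online Scanner log.txt and separate live detections from
hits that only sit in quarantine/backup folders of other tools."""
import re
from dataclasses import dataclass

# Folders where a hit means "already contained", not "still infected".
# Assumption: the quarantine locations used by the tools in this thread.
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",                    # ComboFix quarantine
    "\\spybot - search & destroy\\recovery\\",   # Spybot S&D backups
)
HEX32 = re.compile(r"^[0-9a-f]{32}$")
THREAT_PREFIXES = ("probably a variant of", "a variant of")

# Sample input, constructed from the log quoted in the post above (abridged).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=45653
# found=7
# cleaned=0
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\29\7adbb65d-77e87e3d a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\40\6e8db028-7503d594 OSX/Exploit.Smid.B trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Dom\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-10a09c08 a variant of Java/TrojanDownloader.Agent.NAN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Sbusoa.exe.vir a variant of Win32/Kryptik.EBP trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\avgldx86.sys.vir Win32/Patched.EQ trojan 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    quarantined: bool


def split_detection(line: str):
    """Split 'path threat [md5 flag]' into (path, threat), or None.

    Paths contain spaces ("Documents and Settings"), so we cannot split on
    the first space. Windows paths never contain '/', while every ESET threat
    name does (Win32/..., Java/..., OSX/...), so the first token with a '/'
    starts the threat name; an optional "a variant of" prefix is pulled back
    into it. Version-7 logs append '<md5> <flag>', which is dropped first.
    """
    tokens = line.split()
    if len(tokens) >= 2 and HEX32.match(tokens[-2]) and len(tokens[-1]) == 1:
        tokens = tokens[:-2]
    try:
        start = next(i for i, t in enumerate(tokens) if "/" in t and "\\" not in t)
    except StopIteration:
        return None  # not a detection line (e.g. "all ok")
    for prefix in THREAT_PREFIXES:
        n = len(prefix.split())
        if start >= n and " ".join(tokens[start - n:start]) == prefix:
            start -= n
            break
    return " ".join(tokens[:start]), " ".join(tokens[start:])


def parse_eset_log(text: str):
    """Return (header dict from the '# key=value' lines, list of Detection)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        parsed = split_detection(line)
        if parsed is None:
            continue
        path, threat = parsed
        quarantined = any(m in path.lower() for m in QUARANTINE_MARKERS)
        detections.append(Detection(path, threat, quarantined))
    return header, detections


def triage(text: str):
    """Summarise: was anything removed, and which hits are still live?"""
    header, dets = parse_eset_log(text)
    return {
        "found": int(header.get("found", len(dets))),
        "cleaned": int(header.get("cleaned", 0)),
        "removal_enabled": header.get("remove_checked") == "true",
        "quarantined": [d.path for d in dets if d.quarantined],
        "live": [(d.path, d.threat) for d in dets if not d.quarantined],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("found=%d cleaned=%d removal_enabled=%s" % (
        result["found"], result["cleaned"], result["removal_enabled"]))
    for path, threat in result["live"]:
        print("LIVE      ", threat, "<-", path)
    for path in result["quarantined"]:
        print("QUARANTINE", path)
```

Run it against a real log.txt by reading the file into a string and passing it to triage(). A "live" entry outside the Java cache, or one under C:\WINDOWS\system32\Drivers with a "Patched" name that is not in quarantine, is the case where the machine is not yet clean.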

Whoops, it came up blank so I forgot to upload it. Here it is:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4069

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

05/05/2010 21:36:49

mbam-log-2010-05-05 (21-36-49).txt

Scan type: Quick scan

Objects scanned: 108868

Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please remove this folder:

C:\Documents and Settings\Dom\Application Data\Sun\Java

Be sure to run:

Secunia software inspector & update checker

For common programs and vulnerabilities.

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, Firefox and Opera. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you Dom.

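The six Internet-zone settings in the post above are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone; each setting is named by a hex action id, with 0 = Enable, 1 = Prompt, 3 = Disable, as documented in Microsoft KB 182569). The script below is an added example, not code from the post or from Microsoft: it renders those settings as a .reg file that regedit can import, and audits a set of current values against them so the hardening can be checked on several machines without clicking through the dialog. The action ids come from that KB article; the strictness ordering used by the audit (Enable < Prompt < Disable) and the function names are my own assumptions.

```python
"""Express the Internet Explorer Internet-zone hardening steps as registry
values: export them as a .reg file and audit current values against them."""
import sys

# Per-user key; zone 3 is the Internet zone. (HKCU prefix added on output.)
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3  # DWORD values IE uses for each policy

# Action id -> (dialog label, target value) for the six settings in the post.
# Ids are from Microsoft KB 182569 ("Internet Explorer security zones
# registry entries for advanced users").
HARDENING = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def to_reg_file(settings=HARDENING) -> str:
    """Render the settings as a .reg file (CRLF line endings for regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\" + ZONE_KEY + "]"]
    for action, (label, value) in settings.items():
        lines.append("; " + label)
        lines.append('"%s"=dword:%08x' % (action, value))
    return "\r\n".join(lines) + "\r\n"


def audit(current: dict, settings=HARDENING):
    """Compare current zone values (action id -> int) with the targets.

    Returns a list of (action, label, current, wanted) for every setting that
    is still more permissive than wanted. Assumption: 0 (Enable) is weaker than
    1 (Prompt), which is weaker than 3 (Disable). A value that is absent from
    the registry (zone default in effect) is reported with current=None.
    """
    findings = []
    for action, (label, wanted) in settings.items():
        have = current.get(action)
        if have is None or have < wanted:
            findings.append((action, label, have, wanted))
    return findings


def read_current_zone(settings=HARDENING) -> dict:
    """Read the live values on Windows; on other platforms return nothing."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in settings:
            try:
                current[action] = int(winreg.QueryValueEx(key, action)[0])
            except FileNotFoundError:
                pass  # value not set: the zone template default applies
    return current


if __name__ == "__main__":
    for action, label, have, wanted in audit(read_current_zone()):
        print("%s %-60s current=%s wanted=%s" % (action, label, have, wanted))
    print(to_reg_file())
```

Save the printed block as harden-ie-zone.reg and import it with regedit to apply the settings; run the script on the machine afterwards and an empty audit means every one of the six values now matches the post.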

Are the multiple AVG processes (avgemc, avgnsx, etc.) I have running, despite not having turned on AVG, a problem? It may be nothing, but my Firefox takes a lot longer than normal to start up.


Thanks very much, it's been a great reassurance having someone help me through everything. I've donated, and thanks again for top quality service to someone who's not too hot on this stuff!
