Rootkit virus - removed?


Hello,

I'm hoping you could help me to check if my computer is clean...

I have been working on eradicating a rootkit virus from my laptop for a couple of days now. I believe it was initially picked up by surfing to an infected website.

The initial problems were:

- Google search results looked okay, but when I clicked them, I was being redirected to a variety of other websites.

- Exe files for MBAM and other anti-malware programs were unclickable.

Here is what I did:

- I renamed MBAM and was able to run it. It detected a trojan and successfully removed it on reboot.

After that:

- MBAM and other anti-malware programs could still NOT be accessed unless they were renamed.

- After restarting, I would get a mysterious "IE script error" even when no programs were running.

- If I restarted with my wireless internet switch turned off, I would also get a "Generic Host Process for Win32 Services has encountered an error and needs to close". This didn't happen if the wireless switch was on at restart. The error would cause my desktop to look a bit odd, but it still worked (e.g. changed some display fonts and sizes).

Next:

- I downloaded and ran TDSSKiller. It detected the following: Rootkit.Win32.TDSS.tdl3 (compbatt), at C:\windows\system32\drivers\compbatt.sys

- I allowed TDSSKiller to "Cure" this, which was done after reboot.

- Subsequent scans on TDSSKiller don't reveal any recurrence of this rootkit.

Currently:

- My laptop appears to be running okay.

- No redirecting websites, no script errors or other errors at startup, MBAM and other anti-malware programs are openable using their proper names.

- MBAM isn't detecting anything wrong.

The problem is, I'm no expert and I really want to be sure my computer is as clean as possible. I know that rootkits are insidious and I want my laptop to be as close to secure as possible.

Could you please advise? I'm happy to provide whatever scans you would need to see to help me confirm this rootkit is gone... I have downloaded some of the scanning programs already but am unsure which results you would like to see first.

Thanks so much for your assistance.


Just to update this further - I ran MBAM again just now and it came up clean (nothing detected).

However, during the MBAM scan, my Avast popped up with a virus alert and I moved the file in question into the virus chest.

Details:

93i7qG17a.sys in C:\windows\temp

Win32: Malware-gen

Successfully moved to the virus chest, but MBAM still finds nothing and I'm sure there is still a problem. Some of my web pages are not loading on the first try either - but they do load when I refresh. This is happening more often than usual.

Can anyone help?


Hello fionamac

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get the following warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Kahdah, thanks so much for being willing to help me.

Here are the results you requested:

OTL logfile created on: 02/10/2010 14:55:05 - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Carey\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 163.88 Gb Free Space | 70.37% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: HOME

Current User Name: Carey

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Carey\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe (Microsoft ® Corporation)

PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

PRC - C:\Program Files\Toshiba\TPHM\TPCHSrv.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\igfxext.exe (Intel Corporation)

PRC - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe ()

PRC - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)

PRC - C:\Program Files\Toshiba\TME3\TMERzCtl.exe (TOSHIBA)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\ThpSrv.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TODDSrv.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe (TOSHIBA CORPORATION)

PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

PRC - C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\WINDOWS\system32\agrsmsvc.exe (Agere Systems)

PRC - C:\Program Files\Toshiba\TAudEffect\TAudEff.exe (TOSHIBA)

PRC - C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corporation)

PRC - C:\WINDOWS\system32\TFNF5.exe (TOSHIBA Corp.)

PRC - C:\Program Files\Toshiba\TME3\TMESRV31.exe (TOSHIBA)

PRC - C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe (TOSHIBA Corporation)

PRC - C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe (TOSHIBA)

PRC - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

PRC - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)

PRC - C:\Program Files\Toshiba\TME3\TMEEJME.exe (TOSHIBA)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Carey\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (DMService) -- C:\WINDOWS\Downloaded Program Files\DM.0\DMService.exe ()

SRV - (whliocsv) -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe (Microsoft ® Corporation)

SRV - (uagqecsvc) -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe (Microsoft ® Corporation)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

SRV - (TPCHSrv) -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe (TOSHIBA Corporation)

SRV - (TNaviSrv) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)

SRV - (Thpsrv) -- C:\WINDOWS\system32\ThpSrv.exe (TOSHIBA Corporation)

SRV - (TODDSrv) -- C:\WINDOWS\system32\TODDSrv.exe (TOSHIBA Corporation)

SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

SRV - (AgereModemAudio) -- C:\WINDOWS\system32\agrsmsvc.exe (Agere Systems)

SRV - (Tmesrv) -- C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe (TOSHIBA)

SRV - (CFSvcs) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

========== Driver Services (SafeList) ==========

DRV - (MEMSWEEP2) -- C:\WINDOWS\System32\1E.tmp File not found

DRV - (whlva) -- C:\WINDOWS\system32\drivers\whlva.sys (Microsoft


You have a few leftovers but rootkit wise you are clean.

Please do the following to remove the leftovers and check with an online scan after that.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2010/03/29 18:44:46 | 000,013,858 | -HS- | C] () -- C:\Documents and Settings\Carey\Local Settings\Application Data\TA45p2
    [2010/03/29 18:44:46 | 000,013,858 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\TA45p2
    [2010/02/20 00:17:15 | 000,011,920 | -HS- | C] () -- C:\Documents and Settings\Carey\Local Settings\Application Data\v66l66MW5Tq


    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

=========

As a final check - Please perform the following online scan:

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
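The three entries in the fix script above were picked out by eye: hidden+system attributes, no vendor name, a random-looking name with no extension, sitting under Application Data. As an added example (not OTL's code and not the helper's), here is a small Python triage that parses OTL file-entry lines and applies that same heuristic. The three flagged lines are taken from the post; the benign fourth line is constructed.

```python
import re
from dataclasses import dataclass

# OTL file-entry line layout, as seen in the helper's fix script:
# [YYYY/MM/DD HH:MM:SS | 000,013,858 | -HS- | C] (Company) -- C:\path
# size is a comma-grouped byte count; attrs hold R/H/S/D flags (or '-'); kind is C(reated)/M(odified).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# A name mixing letters and digits with no extension, e.g. TA45p2 or v66l66MW5Tq.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{5,}$")
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str


def parse_otl_line(line):
    """Parse one OTL file-entry line; return None for lines in any other format."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company").strip(),
        path=m.group("path"),
    )


def suspicion_reasons(entry):
    """Traits the helper relied on; each alone is weak, together they stand out."""
    reasons = []
    if "H" in entry.attrs and "S" in entry.attrs:
        reasons.append("hidden+system attributes")
    if not entry.company:
        reasons.append("no vendor name")
    lowered = entry.path.lower()
    if any(marker in lowered for marker in APPDATA_MARKERS):
        reasons.append("stored under Application Data")
    if RANDOM_NAME.match(entry.path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking name without extension")
    return reasons


def triage(lines, min_reasons=3):
    """Return (path, reasons) for every entry that trips at least min_reasons heuristics."""
    flagged = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if len(reasons) >= min_reasons:
            flagged.append((entry.path, reasons))
    return flagged


# First three lines: the entries the helper moved in this thread.
# Last line: a constructed benign entry (made up for this example) that must not be flagged.
SAMPLE_LINES = [
    r"[2010/03/29 18:44:46 | 000,013,858 | -HS- | C] () -- C:\Documents and Settings\Carey\Local Settings\Application Data\TA45p2",
    r"[2010/03/29 18:44:46 | 000,013,858 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\TA45p2",
    r"[2010/02/20 00:17:15 | 000,011,920 | -HS- | C] () -- C:\Documents and Settings\Carey\Local Settings\Application Data\v66l66MW5Tq",
    r"[2010/09/28 09:12:00 | 000,512,000 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\example.dll",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES):
        print(path, "->", ", ".join(reasons))
```

The heuristic is a triage aid only: a hit means "look closer", not "malware", and a miss means nothing for files that keep a plausible vendor string.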


Thanks kahdah. Here are the two logs:

All processes killed

========== OTL ==========

C:\Documents and Settings\Carey\Local Settings\Application Data\TA45p2 moved successfully.

C:\Documents and Settings\All Users\Application Data\TA45p2 moved successfully.

C:\Documents and Settings\Carey\Local Settings\Application Data\v66l66MW5Tq moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: Carey

->Temp folder emptied: 30652806 bytes

->Temporary Internet Files folder emptied: 12002463 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 82361885 bytes

->Flash cache emptied: 2505 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: Guest

->Temp folder emptied: 1758344 bytes

->Temporary Internet Files folder emptied: 377135035 bytes

->FireFox cache emptied: 63963380 bytes

->Flash cache emptied: 3837 bytes

User: LocalService

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 171571 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 303144 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35019 bytes

RecycleBin emptied: 14753750 bytes

Total Files Cleaned = 556.00 mb

OTL by OldTimer - Version 3.2.14.1 log created on 10022010_230104

Files\Folders moved on Reboot...

File\Folder C:\WINDOWS\temp\_av_proI.tm~a03476\setup.lok not found!

File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

C:\WINDOWS\temp\Perflib_Perfdata_140.dat moved successfully.

Registry entries deleted on Reboot...

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=19d19e46519b014cb5bf9030486ca3fd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2010-10-02 10:37:44

# local_time=2010-10-02 11:37:44 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=769 16775125 100 98 428 222342399 0 0

# compatibility_mode=8192 67108863 100 0 206 206 0 0

# scanned=68427

# found=0

# cleaned=0

# scan_time=1418

Please let me know if these look okay, and if there is anything else I can do to ensure the virus is completely gone.

Thanks so much.


  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a Black screen with some data on it then hit any key to continue.
  4. Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is the date)
  5. Please post the contents of that log in your next reply.


MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 151):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA0B8000 ohci1394.sys

0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xBA4BC000 compbatt.sys

0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xB9F4A000 pcmcia.sys

0xBA0D8000 MountMgr.sys

0xB9F2B000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F05000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0E8000 VolSnap.sys

0xB9EED000 atapi.sys

0xB9E1F000 iaStor.sys

0xBA0F8000 disk.sys

0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9DFF000 fltMgr.sys

0xB9DED000 sr.sys

0xBA118000 PxHelp20.sys

0xB9DD6000 KSecDD.sys

0xB9D49000 Ntfs.sys

0xB9D1C000 NDIS.sys

0xBA338000 TVALZ.SYS

0xB9CD9000 tos_sps32.sys

0xBA5AE000 Thpevm.SYS

0xBA340000 thpdrv.sys

0xB9CBF000 Mup.sys

0xB9631000 \SystemRoot\system32\DRIVERS\igxpmp32.sys

0xB961D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB95DF000 \SystemRoot\system32\DRIVERS\e1y5132.sys

0xBA370000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB95BB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA3A0000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB9593000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB921B000 \SystemRoot\system32\DRIVERS\NETw5x32.sys

0xBA2B8000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xB9207000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xB91F6000 \SystemRoot\system32\DRIVERS\rimmptsk.sys

0xB91E2000 \SystemRoot\system32\DRIVERS\rimsptsk.sys

0xB9190000 \SystemRoot\system32\DRIVERS\rixdptsk.sys

0xBA2C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xBA3D0000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB9177000 \SystemRoot\system32\DRIVERS\Apfiltr.sys

0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA2D8000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS

0xBA2E8000 \SystemRoot\system32\DRIVERS\serial.sys

0xB9C87000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB9C7F000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys

0xBA2F8000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA308000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA318000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB912C000 \SystemRoot\system32\DRIVERS\ks.sys

0xB9C6B000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xBA5C4000 \SystemRoot\system32\DRIVERS\TVALZFL.sys

0xBA148000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xBA781000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA158000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xB9C63000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9115000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA168000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA178000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xBA4A8000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9064000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xBA378000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA388000 \SystemRoot\system32\DRIVERS\raspti.sys

0xBA574000 \SystemRoot\system32\DRIVERS\whlva.sys

0xB900C000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA198000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA5CA000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB8FAE000 \SystemRoot\system32\DRIVERS\update.sys

0xBA58C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xBA1C8000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xA8841000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xA881D000 \SystemRoot\system32\drivers\portcls.sys

0xBA1D8000 \SystemRoot\system32\drivers\drmk.sys

0xA87B2000 \SystemRoot\system32\DRIVERS\TEchoCan.sys

0xA8696000 \SystemRoot\system32\DRIVERS\AGRSM.sys

0xBA438000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA5E0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA70C000 \SystemRoot\System32\Drivers\Null.SYS

0xBA5E4000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA490000 \SystemRoot\System32\drivers\vga.sys

0xBA5E8000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA5EC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA4A0000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA350000 \SystemRoot\System32\Drivers\Npfs.SYS

0xA8CEA000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA8613000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA85BA000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xBA248000 \SystemRoot\System32\Drivers\aswTdi.SYS

0xA856C000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA258000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA8544000 \SystemRoot\system32\DRIVERS\netbt.sys

0xBA268000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xA8692000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xA8482000 \SystemRoot\System32\drivers\afd.sys

0xBA278000 \SystemRoot\system32\DRIVERS\netbios.sys

0xBA5F2000 \SystemRoot\System32\Drivers\TMEI3E.SYS

0xA8461000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

0xBA3A8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

0xA8436000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA83C6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xBA288000 \SystemRoot\System32\Drivers\Fips.SYS

0xA83A5000 \SystemRoot\System32\Drivers\aswSP.SYS

0xA866A000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xBA2A8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xBA398000 \SystemRoot\System32\Drivers\Aavmker4.SYS

0xBA468000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xA864E000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xB90F5000 \SystemRoot\System32\Drivers\UVCFTR_S.SYS

0xA835F000 \SystemRoot\System32\Drivers\usbvideo.sys

0xB90E5000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xA8291000 \SystemRoot\System32\Drivers\dump_iaStor.sys

0xBF800000 \SystemRoot\System32\win32k.sys

0xA85B6000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA368000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA6B9000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF024000 \SystemRoot\System32\igxpgd32.dll

0xBF012000 \SystemRoot\System32\igxprd32.dll

0xBF04F000 \SystemRoot\System32\igxpdv32.DLL

0xBF25B000 \SystemRoot\System32\igxpdx32.DLL

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xBA420000 \SystemRoot\system32\DRIVERS\aswFsBlk.sys

0xBA5DE000 \??\C:\WINDOWS\system32\drivers\TBiosDrv.sys

0xA8137000 \SystemRoot\system32\DRIVERS\tdudf.sys

0xA8126000 \SystemRoot\System32\Drivers\Udfs.SYS

0xA8105000 \SystemRoot\system32\DRIVERS\trudf.sys

0xA81C1000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA80F9000 \SystemRoot\system32\DRIVERS\netdevio.sys

0xA7F87000 \SystemRoot\System32\Drivers\aswMon2.SYS

0xA7C3A000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xA7C25000 \SystemRoot\system32\drivers\wdmaud.sys

0xA7CAF000 \SystemRoot\system32\drivers\sysaudio.sys

0xA7914000 \SystemRoot\system32\DRIVERS\srv.sys

0xA70B9000 \SystemRoot\System32\Drivers\HTTP.sys

0xA7312000 \SystemRoot\System32\Drivers\aswRdr.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 66):

0 System Idle Process

4 System

1100 C:\WINDOWS\system32\smss.exe

1164 csrss.exe

1192 C:\WINDOWS\system32\winlogon.exe

1236 C:\WINDOWS\system32\services.exe

1248 C:\WINDOWS\system32\lsass.exe

1408 C:\WINDOWS\system32\svchost.exe

1504 svchost.exe

1584 C:\WINDOWS\system32\svchost.exe

1816 svchost.exe

1868 svchost.exe

300 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

360 C:\Program Files\Alwil Software\Avast4\ashServ.exe

1252 C:\WINDOWS\system32\spoolsv.exe

1764 C:\WINDOWS\explorer.exe

1896 svchost.exe

1964 C:\WINDOWS\system32\agrsmsvc.exe

1992 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

628 C:\Program Files\Java\jre6\bin\jqs.exe

912 C:\WINDOWS\system32\svchost.exe

976 C:\WINDOWS\system32\ThpSrv.exe

1440 C:\Program Files\Toshiba\TME3\TMESRV31.exe

1712 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

1728 C:\Program Files\Toshiba\TME3\TMEEJME.exe

2256 C:\WINDOWS\system32\TODDSrv.exe

2292 C:\Program Files\Toshiba\TPHM\TPCHSrv.exe

2348 C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe

2396 C:\Program Files\Viewpoint\Common\ViewpointService.exe

2448 C:\Program Files\Canon\CAL\CALMAIN.exe

2476 C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe

2564 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe

2572 C:\Program Files\Toshiba\TME3\TMERzCtl.exe

2624 C:\WINDOWS\system32\TPSMain.exe

2632 C:\WINDOWS\system32\ThpSrv.exe

2652 C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe

2768 C:\WINDOWS\system32\TPSBattM.exe

2784 C:\WINDOWS\RTHDCPL.exe

2800 C:\WINDOWS\system32\00THotkey.exe

2816 C:\WINDOWS\system32\wuauclt.exe

2828 C:\Program Files\Toshiba\TAudEffect\TAudEff.exe

2836 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

2872 C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe

2896 C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe

2992 C:\Program Files\ltmoh\ltmoh.exe

3024 C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

3032 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

3048 C:\Program Files\Apoint2K\Apoint.exe

3100 C:\WINDOWS\system32\igfxtray.exe

3128 C:\WINDOWS\system32\hkcmd.exe

3140 C:\WINDOWS\system32\igfxpers.exe

3172 C:\WINDOWS\system32\igfxsrvc.exe

3180 C:\WINDOWS\system32\TFNF5.exe

3188 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

3200 C:\WINDOWS\system32\ctfmon.exe

3244 C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe

3256 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

3340 C:\WINDOWS\system32\igfxext.exe

3404 C:\Program Files\Apoint2K\ApntEx.exe

3728 wmiprvse.exe

3940 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

3972 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

1912 alg.exe

3620 wmiprvse.exe

2100 C:\Program Files\Alwil Software\Avast4\Setup\avast.setup

3572 C:\Documents and Settings\Carey\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9SA00, Rev: FBEOC43C

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: 31D100779DE502702C374F7C15687B56FCFD5528

Done!
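The verdict lines at the end of that report ("Windows XP MBR code detected", the SHA1, and the C: offset of 0x7e00) come from reading the first sector of the disk. As an added example, not MBRCheck's own code, here is a Python MBR parser that does the same three checks on an in-memory sector: boot signature, SHA1 over the 440-byte boot code, and partition-table decode (LBA 63 * 512 bytes is the 0x7e00 in the log), plus an allowlist lookup so a sector whose boot code was modified is reported as unknown. The sample sector and allowlist are constructed; a real check compares against a trusted hash for your Windows version.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code; 440-445: disk id; 446-509: partition table
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int          # 0x07 = NTFS
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self):
        # The "at offset 0x...7e00" figure in the log is this: LBA 63 * 512 bytes.
        return self.lba_start * SECTOR_SIZE


def check_signature(mbr):
    """A valid MBR is exactly one sector and ends with 0x55AA."""
    return len(mbr) == SECTOR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def mbr_code_sha1(mbr):
    """Hash only the boot code, so disk id and partition layout do not change the result."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr):
    """Decode the four 16-byte partition entries, skipping empty (type 0) slots."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i
        )
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def summarize(mbr, known_good):
    """Report in the spirit of MBRCheck: signature, boot-code hash and allowlist verdict."""
    digest = mbr_code_sha1(mbr)
    return {
        "signature_ok": check_signature(mbr),
        "sha1": digest.upper(),
        "verdict": known_good.get(digest, "UNKNOWN boot code - compare against a trusted hash"),
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr():
    """Constructed sample sector (not a real disk image): placeholder boot code plus one
    active NTFS partition starting at LBA 63, mirroring the layout in the log above."""
    boot_code = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))   # placeholder, not real code
    disk_id = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 488392002)
    return boot_code + disk_id + entry0 + bytes(16) * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    allowlist = {mbr_code_sha1(good): "sample boot code (constructed allowlist)"}
    changed = bytearray(good)
    changed[0] ^= 0xFF          # a sector whose boot code no longer matches the allowlist
    for label, sector in (("original", good), ("changed", bytes(changed))):
        report = summarize(sector, allowlist)
        print(label, report["signature_ok"], report["sha1"], report["verdict"])
        for p in report["partitions"]:
            print(f"  part{p.index}: type=0x{p.type_id:02x} active={p.bootable} offset=0x{p.byte_offset:x}")
```

Note that the partition table is untouched in the changed sector, which is why a hash over the whole 512 bytes would be the wrong check: it would also flip on harmless repartitioning.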


All of your logs are clean.

How are things running?

It seems to be running fine. Occasionally when I click on a web page, the browser displays "Done" but the page is blank until I refresh again. This could be a normal minor glitch, or a slow internet connection issue, though. I think I need to change antivirus programs as well. (Not happy with avast.)

I'm not getting any particular errors and I can access MBAM without any problems now.


Sounds like a network issue.

Try to unplug the cable from the modem and power it down.

Then plug it back in once it has powered down and see if that makes a difference.

Let me know the results.

I'm using a wireless connection on my laptop. The network here can be patchy, so I would assume it's just that. Other than the occasional pause, web pages are loading a bit more quickly than they were before, which is nice.

I have a continuing problem where sometimes my browsers (either IE or Firefox) freeze completely, while any other internet-based activities (e.g. instant messaging) are still working, and Windows does not detect any issues with my wireless internet connection. Closing/reopening the browser, disconnecting then reconnecting the internet, repairing the connection... none of these solve the issue. It's not limited to wireless connections either. I wondered if that was malware-related but was somehow not being picked up by MBAM or my anti-virus. I kind of hoped it might have been resolved through the work we have done on this rootkit virus, but I guess that was optimistic thinking. The browser-freeze problem has already happened once today.

I believe I have narrowed it down to a problem with Avast (i.e. if I switch off Avast - dangerous, I know - then the browsers work perfectly again). I plan to uninstall Avast and install another antivirus program in its place to hopefully resolve this, as it doesn't seem like it's malware related (unless I am missing something!). There is also a moment - usually 1 or 2 seconds - when I start up the laptop, when I get an error message warning me that my firewall is switched off, then the message swiftly disappears and both Avast and my wireless icon appear, showing me I am online. When I check Windows Firewall, it is definitely on. Again, I wondered if this was undetected malware, but I think it's more likely a problem with the antivirus program based on the symptoms.

I'm not sure if the above info is relevant to any of the checks we have been doing but thought I would mention it just in case there is still something evil hiding in my laptop that must be found and cleaned...

Thanks again for helping me.


I'm using a wireless connection on my laptop. The network here can be patchy, so I would assume it's just that. Other than the occasional pause, web pages are loading a bit more quickly than they were before, which is nice.
Wireless is patchy anyway; sometimes it behaves like that.

I have a continuing problem where sometimes my browsers (either IE or Firefox) freeze completely, while any other internet-based activities (e.g. instant messaging) are still working, and Windows does not detect any issues with my wireless internet connection. Closing/reopening the browser, disconnecting then reconnecting the internet, repairing the connection... none of these solve the issue. It's not limited to wireless connections either. I wondered if that was malware-related but was somehow not being picked up by MBAM or my anti-virus. I kind of hoped it might have been resolved through the work we have done on this rootkit virus, but I guess that was optimistic thinking. The browser-freeze problem has already happened once today.

I believe I have narrowed it down to a problem with Avast (i.e. if I switch off Avast - dangerous, I know - then the browsers work perfectly again). I plan to uninstall Avast and install another antivirus program in its place to hopefully resolve this, as it doesn't seem like it's malware related (unless I am missing something!). There is also a moment - usually 1 or 2 seconds - when I start up the laptop, when I get an error message warning me that my firewall is switched off, then the message swiftly disappears and both Avast and my wireless icon appear, showing me I am online. When I check Windows Firewall, it is definitely on. Again, I wondered if this was undetected malware, but I think it's more likely a problem with the antivirus program based on the symptoms.

If it quits when you disable Avast then by all means switch antivirus.

I am not a big fan of Avast myself.

The firewall thing I have seen on most XP machines; it's almost like it takes a few minutes sometimes for everything to initialize.

None of your logs show any infections and TDSSKiller removed the rootkit.

I'm not sure if the above info is relevant to any of the checks we have been doing but thought I would mention it just in case there is still something evil hiding in my laptop that must be found and cleaned...

No, you are all clean; these are common issues that can be explained.

You are welcome.

==========

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people for malware prevention and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?" Also this one by Tony Klein.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, e.g. BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on-demand scanning and cleaning (no real time unless purchased)===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast


Okay. I've done the "cleanup" on OTL, uninstalled old Java and installed new Java, and reset the System Restore point.

I have a few other leftover programs on my desktop that were downloaded to scan for the rootkit, including GMER, MBRCheck, RKUnhookerLE, Rootrepeal. Is it just a matter of deleting these exe files from my desktop to remove them? Also ESET is showing in my add/remove programs - is that the best way to remove it? Or would you recommend keeping any of these programs? Sorry if these are really basic questions. I haven't used any of these programs before.

Thank you!!!
