Jfschafer Posted November 19, 2010 ID:348101 Share Posted November 19, 2010 I have a question as I help clean machines quite a bit. I just started using the DSS scanner recently, love it but have a quick question. What does this mean at the end of DSS log results. Does this mean it's detected a possible rootkit? or does it simply mean it's running the TDL4 detector and just giving info on the drive it detected??Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 5.1.2600 Disk: ST31000340AS rev.SD15 -> Harddisk0DR0 -> DeviceIdeIdeDeviceP1T0L0-e device: opened successfullyuser: MBR read successfullyDisk trace:called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> DeviceHarddisk0DR0[0x8AEDBAB8]3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> DeviceIdeIdeDeviceP0T0L0-3[0x8AF30D98]kernel: MBR read successfully_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }Forgot the last line. This was at the end of the Rootkit section:user != kernel MBR !!! Link to post Share on other sites More sharing options...
Maniac Posted November 21, 2010 ID:348541 Share Posted November 21, 2010 Hello Jfschafer! Welcome to Malwarebytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Follow my instructions step by step if there is a problem somewhere, stop and tell me.Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Keep me informed about any changes.It means that your system is infected with rootkit.Please download Rootkit Unhooker and save it to your desktop.Double-click RKUnhookerLE.exe to run it.Click the Report tab, then click ScanCheck Drivers, Stealth Code, Files, and Code HooksUncheck the rest, then click OKWhen prompted to Select Disks for Scan, make sure C:\ is checked and click OKWait till the scanner has finished then go File > Save ReportSave the report somewhere you can find it, typically your desktop. Click CloseCopy the entire contents of the report and paste it in your next reply.Note - You may get this warning it is ok, just ignore it."Rootkit Unhooker has detected a parasite inside itself!It is recommended to remove parasite, okay?" Link to post Share on other sites More sharing options...
Jfschafer Posted November 22, 2010 Author ID:349455 Share Posted November 22, 2010 Thanks Borislav! Working on it now. (not my system) Should have something soon for you. Link to post Share on other sites More sharing options...
Jfschafer Posted November 23, 2010 Author ID:349835 Share Posted November 23, 2010 Here's the logs. I'd like to get the actual rootkit code/driver file so we can submit to AV vendor if possible. Logs for RkUnhooker below.RkUnhooker report generator v0.7 ============================================== Rootkit Unhooker kernel version: 3.7.300.509 ============================================== Windows Major Version: 5 Windows Minor Version: 1 Windows Build Number: 2600 ============================================== >Drivers Driver: C:\WINDOWS\System32\ati3duag.dll Address: 0xBF0DD000 Size: 2756608 bytes Driver: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2150400 bytes Driver: PnpManager Address: 0x804D7000 Size: 2150400 bytes Driver: RAW Address: 0x804D7000 Size: 2150400 bytes Driver: WMIxWDM Address: 0x804D7000 Size: 2150400 bytes Driver: Win32k Address: 0xBF800000 Size: 1855488 bytes Driver: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1855488 bytes Driver: C:\WINDOWS\System32\ativvaxx.dll Address: 0xBF37E000 Size: 1753088 bytes Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys Address: 0xB9A6B000 Size: 1642496 bytes Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101122.002\NAVEX15.SYS Address: 0xA4ED1000 Size: 1368064 bytes Driver: C:\WINDOWS\system32\drivers\hardlock.sys Address: 0xA682C000 Size: 589824 bytes Driver: Ntfs.sys Address: 0xB9E1F000 Size: 577536 bytes Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xA921F000 Size: 458752 bytes Driver: timntr.sys Address: 0xB9D87000 Size: 438272 bytes Driver: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys Address: 0xA92E2000 Size: 434176 bytes Driver: C:\WINDOWS\system32\drivers\Senfilt.sys Address: 0xA970F000 Size: 393216 bytes Driver: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys Address: 0xA91C1000 Size: 385024 bytes Driver: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xB98BB000 Size: 385024 bytes Driver: C:\WINDOWS\system32\drivers\aksfridge.sys Address: 0xA6A4C000 Size: 372736 bytes Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xA9489000 Size: 364544 bytes Driver: tdrpman.sys Address: 0xB9D2E000 Size: 364544 bytes Driver: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xA66C0000 Size: 360448 bytes Driver: C:\WINDOWS\System32\Drivers\SRTSP.SYS Address: 0xA96C4000 Size: 307200 bytes Driver: C:\WINDOWS\System32\ati2cqag.dll Address: 0xBF055000 Size: 286720 bytes Driver: C:\WINDOWS\System32\ATMFD.DLL Address: 0xBFFA0000 Size: 286720 bytes Driver: C:\WINDOWS\System32\ati2dvag.dll Address: 0xBF012000 Size: 274432 bytes Driver: C:\WINDOWS\System32\atikvmag.dll Address: 0xBF09B000 Size: 270336 bytes Driver: C:\WINDOWS\system32\drivers\ADIHdAud.sys Address: 0xA9793000 Size: 262144 bytes Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys Address: 0xB9963000 Size: 196608 bytes Driver: ACPI.sys Address: 0xB9F79000 Size: 188416 bytes Driver: NDIS.sys Address: 0xB9DF2000 Size: 184320 bytes Driver: C:\WINDOWS\System32\Drivers\SYMTDI.SYS Address: 0xA9396000 Size: 184320 bytes Driver: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xA4E92000 Size: 176128 bytes Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xA92B7000 Size: 176128 bytes Driver: C:\WINDOWS\system32\DRIVERS\b57xp32.sys Address: 0xB99E1000 Size: 172032 bytes Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys Address: 0xB9A0B000 Size: 163840 bytes Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xA936E000 Size: 163840 bytes Driver: C:\WINDOWS\system32\drivers\WpsHelper.sys Address: 0xA501F000 Size: 163840 bytes Driver: dmio.sys Address: 0xB9F23000 Size: 155648 bytes Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys Address: 0xA93C3000 Size: 155648 bytes Driver: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS Address: 0xA9551000 Size: 151552 bytes Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xA6808000 Size: 147456 bytes Driver: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xA976F000 Size: 147456 bytes Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xB9A33000 Size: 147456 bytes Driver: C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xB99AA000 Size: 143360 bytes Driver: C:\WINDOWS\System32\Drivers\RDPWD.SYS Address: 0xA619D000 Size: 143360 bytes Driver: C:\WINDOWS\System32\drivers\afd.sys Address: 0xA934C000 Size: 139264 bytes Driver: C:\WINDOWS\system32\DRIVERS\teefer2.sys Address: 0xB9919000 Size: 139264 bytes Driver: ACPI_HAL Address: 0x806E4000 Size: 134400 bytes Driver: C:\WINDOWS\system32\hal.dll Address: 0x806E4000 Size: 134400 bytes Driver: fltmgr.sys Address: 0xB9EEB000 Size: 131072 bytes Driver: ftdisk.sys Address: 0xB9F49000 Size: 126976 bytes Driver: snapman.sys Address: 0xB9D0F000 Size: 126976 bytes Driver: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys Address: 0xA91A4000 Size: 118784 bytes Driver: Mup.sys Address: 0xB9CF5000 Size: 106496 bytes Driver: atapi.sys Address: 0xB9F0B000 Size: 98304 bytes Driver: C:\WINDOWS\System32\DLA\DLAUDFAM.SYS Address: 0xA701E000 Size: 98304 bytes Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xA918C000 Size: 98304 bytes Driver: KSecDD.sys Address: 0xB9EAC000 Size: 94208 bytes Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xB9993000 Size: 94208 bytes Driver: C:\WINDOWS\System32\DLA\DLAIFS_M.SYS Address: 0xA7036000 Size: 90112 bytes Driver: C:\WINDOWS\System32\DLA\DLAUDF_M.SYS Address: 0xA7008000 Size: 90112 bytes Driver: DRVMCDB.SYS Address: 0xB9EC3000 Size: 90112 bytes Driver: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xA6188000 Size: 86016 bytes Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101122.002\NAVENG.SYS Address: 0xA4EBD000 Size: 81920 bytes Driver: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xB99CD000 Size: 81920 bytes Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xB9A57000 Size: 81920 bytes Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xA94E2000 Size: 77824 bytes Driver: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF000000 Size: 73728 bytes Driver: sr.sys Address: 0xB9ED9000 Size: 73728 bytes Driver: C:\WINDOWS\System32\Drivers\adfs.SYS Address: 0xA6ACF000 Size: 69632 bytes Driver: pci.sys Address: 0xB9F68000 Size: 69632 bytes Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xA9469000 Size: 65536 bytes Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xBA298000 Size: 65536 bytes Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys Address: 0xBA278000 Size: 65536 bytes Driver: ohci1394.sys Address: 0xBA0B8000 Size: 65536 bytes Driver: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xBA288000 Size: 65536 bytes Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys Address: 0xBA1C8000 Size: 61440 bytes Driver: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xBA1D8000 Size: 61440 bytes Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xBA2A8000 Size: 61440 bytes Driver: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xA6660000 Size: 61440 bytes Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xBA1B8000 Size: 61440 bytes Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA0C8000 Size: 57344 bytes Driver: C:\WINDOWS\system32\drivers\wpsdrvnt.sys Address: 0xB980B000 Size: 57344 bytes Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xBA108000 Size: 53248 bytes Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xBA318000 Size: 53248 bytes Driver: VolSnap.sys Address: 0xBA0E8000 Size: 53248 bytes Driver: C:\WINDOWS\system32\drivers\Haspnt.sys Address: 0xB981B000 Size: 49152 bytes Driver: PxHelp20.sys Address: 0xBA118000 Size: 49152 bytes Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xBA148000 Size: 49152 bytes Driver: C:\WINDOWS\system32\DRIVERS\usbccid.sys Address: 0xB987B000 Size: 49152 bytes Driver: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xBA218000 Size: 45056 bytes Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xBA2B8000 Size: 45056 bytes Driver: MountMgr.sys Address: 0xBA0D8000 Size: 45056 bytes Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xBA138000 Size: 45056 bytes Driver: C:\WINDOWS\System32\Drivers\DRVNDDM.SYS Address: 0xA93F9000 Size: 40960 bytes Driver: isapnp.sys Address: 0xBA0A8000 Size: 40960 bytes Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xBA188000 Size: 40960 bytes Driver: C:\WINDOWS\System32\Drivers\SRTSPX.SYS Address: 0xBA2D8000 Size: 40960 bytes Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys Address: 0xBA158000 Size: 40960 bytes Driver: C:\WINDOWS\system32\DRIVERS\tifsfilt.sys Address: 0xBA2F8000 Size: 40960 bytes Driver: disk.sys Address: 0xBA0F8000 Size: 36864 bytes Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xB988B000 Size: 36864 bytes Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys Address: 0xBA268000 Size: 36864 bytes Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xB983B000 Size: 36864 bytes Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xBA1E8000 Size: 36864 bytes Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xB97FB000 Size: 36864 bytes Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xBA3B8000 Size: 32768 bytes Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys Address: 0xBA340000 Size: 32768 bytes Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xBA3D0000 Size: 32768 bytes Driver: C:\WINDOWS\System32\DLA\DLABOIOM.SYS Address: 0xBA3F8000 Size: 28672 bytes Driver: C:\WINDOWS\system32\DRIVERS\fdc.sys Address: 0xBA3E8000 Size: 28672 bytes Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xBA378000 Size: 28672 bytes Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys Address: 0xBA4B0000 Size: 28672 bytes Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xBA328000 Size: 28672 bytes Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS Address: 0xBA4A8000 Size: 28672 bytes Driver: C:\WINDOWS\System32\Drivers\DLARTL_N.SYS Address: 0xBA388000 Size: 24576 bytes Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xBA440000 Size: 24576 bytes Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xBA448000 Size: 24576 bytes Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS Address: 0xBA400000 Size: 24576 bytes Driver: C:\WINDOWS\System32\Drivers\TDTCP.SYS Address: 0xBA438000 Size: 24576 bytes Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Address: 0xBA3C8000 Size: 24576 bytes Driver: C:\WINDOWS\System32\drivers\vga.sys Address: 0xBA398000 Size: 24576 bytes Driver: C:\WINDOWS\system32\DRIVERS\flpydisk.sys Address: 0xBA470000 Size: 20480 bytes Driver: C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys Address: 0xBA390000 Size: 20480 bytes Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xBA3A8000 Size: 20480 bytes Driver: PartMgr.sys Address: 0xBA330000 Size: 20480 bytes Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xBA420000 Size: 20480 bytes Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xBA430000 Size: 20480 bytes Driver: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS Address: 0xBA498000 Size: 20480 bytes Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xBA410000 Size: 20480 bytes Driver: C:\WINDOWS\System32\watchdog.sys Address: 0xBA450000 Size: 20480 bytes Driver: C:\WINDOWS\System32\DLA\DLAOPIOM.SYS Address: 0xA70B4000 Size: 16384 bytes Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys Address: 0xB9957000 Size: 16384 bytes Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xB9C18000 Size: 16384 bytes Driver: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xB9C60000 Size: 16384 bytes Driver: C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS Address: 0xB9C38000 Size: 16384 bytes Driver: C:\WINDOWS\system32\BOOTVID.dll Address: 0xBA4B8000 Size: 12288 bytes Driver: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xB9C64000 Size: 12288 bytes Driver: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys Address: 0xB9C54000 Size: 12288 bytes Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xB9C44000 Size: 12288 bytes Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys Address: 0xA62E8000 Size: 12288 bytes Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xB9C40000 Size: 12288 bytes Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xB994F000 Size: 12288 bytes Driver: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xBA5FE000 Size: 8192 bytes Driver: C:\WINDOWS\System32\Drivers\DLACDBHM.SYS Address: 0xBA5D2000 Size: 8192 bytes Driver: C:\WINDOWS\System32\DLA\DLAPoolM.SYS Address: 0xBA630000 Size: 8192 bytes Driver: dmload.sys Address: 0xBA5AC000 Size: 8192 bytes Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xBA612000 Size: 8192 bytes Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xBA5FA000 Size: 8192 bytes Driver: C:\WINDOWS\system32\KDCOM.DLL Address: 0xBA5A8000 Size: 8192 bytes Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xBA602000 Size: 8192 bytes Driver: C:\WINDOWS\system32\DRIVERS\MUsbFltr.sys Address: 0xBA5D8000 Size: 8192 bytes Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS Address: 0xBA5DC000 Size: 8192 bytes Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xBA606000 Size: 8192 bytes Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xBA5EC000 Size: 8192 bytes Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS Address: 0xBA5F2000 Size: 8192 bytes Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xBA5AA000 Size: 8192 bytes Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xBA6A4000 Size: 4096 bytes Driver: C:\WINDOWS\System32\DLA\DLADResN.SYS Address: 0xBA70F000 Size: 4096 bytes Driver: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xBA696000 Size: 4096 bytes Driver: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xBA7A2000 Size: 4096 bytes Driver: pciide.sys Address: 0xBA670000 Size: 4096 bytes ============================================== >Stealth ============================================== >Files Suspect File: C:\Documents and Settings\All Users\Application Data\Real\setup\config.ini::$DATA Status: Hidden ============================================== >Hooks IDT-->Int 0x00000006, Type: IDT modification hook handler located in [Haspnt.sys] IDT-->Int 0x0000000E, Type: IDT modification hook handler located in [Haspnt.sys] ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump at address 0x80504524 hook handler located in [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D65C, Type: Inline - RelativeJump at address 0x8050465C hook handler located in [ntkrnlpa.exe] ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump at address 0x80545CBE hook handler located in [ntkrnlpa.exe] [2052]hasplms.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification at address 0x00E0B348 hook handler located in [unknown_code_page] [2052]hasplms.exe-->kernel32.dll-->Sleep, Type: IAT modification at address 0x00E0B338 hook handler located in [unknown_code_page] [2052]hasplms.exe-->user32.dll-->RegisterDeviceNotificationA, Type: IAT modification at address 0x00E0B350 hook handler located in [unknown_code_page] [2052]hasplms.exe-->wininet.dll-->InternetOpenA, Type: IAT modification at address 0x00E0B360 hook handler located in [unknown_code_page] [3644]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll] Link to post Share on other sites More sharing options...
Maniac Posted November 23, 2010 ID:349918 Share Posted November 23, 2010 Download TDSSKiller and save it to your Desktop.Extract its contents to your desktop.Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.If an infected file is detected, the default action will be Cure, click on Continue.If a suspicious file is detected, the default action will be Skip, click on Continue.It may ask you to reboot the computer to complete the process. Click on Reboot Now.Click the Report button and copy/paste the contents of it into your next replyNote:It will also create a log in the C:\ directory. Link to post Share on other sites More sharing options...
Jfschafer Posted November 23, 2010 Author ID:350028 Share Posted November 23, 2010 2010/11/23 14:30:55.0484 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12 2010/11/23 14:30:55.0484 ================================================================================ 2010/11/23 14:30:55.0484 SystemInfo: 2010/11/23 14:30:55.0484 2010/11/23 14:30:55.0484 OS Version: 5.1.2600 ServicePack: 3.0 2010/11/23 14:30:55.0484 Product type: Workstation 2010/11/23 14:30:55.0484 ComputerName: xxxxxx2010/11/23 14:30:55.0484 UserName: xxxxxx 2010/11/23 14:30:55.0484 Windows directory: C:\WINDOWS 2010/11/23 14:30:55.0484 System windows directory: C:\WINDOWS 2010/11/23 14:30:55.0484 Processor architecture: Intel x86 2010/11/23 14:30:55.0484 Number of processors: 2 2010/11/23 14:30:55.0484 Page size: 0x1000 2010/11/23 14:30:55.0484 Boot type: Normal boot 2010/11/23 14:30:55.0484 ================================================================================ 2010/11/23 14:30:56.0187 Initialize success 2010/11/23 14:31:24.0187 ================================================================================ 2010/11/23 14:31:24.0187 Scan started 2010/11/23 14:31:24.0187 Mode: Manual; 2010/11/23 14:31:24.0187 ================================================================================ 2010/11/23 14:31:27.0609 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/11/23 14:31:27.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/11/23 14:31:27.0781 adfs (ece68655d81d662bc961abc05ba9680e) C:\WINDOWS\system32\drivers\adfs.sys 2010/11/23 14:31:27.0843 ADIHdAudAddService (62afc64108bbdb8d3ca32aad559e5af1) C:\WINDOWS\system32\drivers\ADIHdAud.sys 2010/11/23 14:31:28.0000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/11/23 14:31:28.0093 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/11/23 14:31:28.0250 aksfridge (45f65f2f7ae28e5e56ab64e3ac61bd52) C:\WINDOWS\system32\drivers\aksfridge.sys 2010/11/23 14:31:28.0359 akshasp (64fc197d24a2b240598f29ce0a6660c0) C:\WINDOWS\system32\DRIVERS\akshasp.sys 2010/11/23 14:31:28.0453 akshhl (147b61b81be1ffc38939ea47e5cfb51f) C:\WINDOWS\system32\DRIVERS\akshhl.sys 2010/11/23 14:31:28.0515 aksusb (cce6c56f18d214de8d66f3f2a774cd5b) C:\WINDOWS\system32\DRIVERS\aksusb.sys 2010/11/23 14:31:28.0671 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/11/23 14:31:28.0812 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/11/23 14:31:28.0843 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/11/23 14:31:28.0984 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2010/11/23 14:31:29.0218 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/11/23 14:31:29.0296 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys 2010/11/23 14:31:29.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/11/23 14:31:29.0515 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys 2010/11/23 14:31:29.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/11/23 14:31:29.0656 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/11/23 14:31:29.0765 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 2010/11/23 14:31:29.0890 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/11/23 14:31:29.0937 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/11/23 14:31:29.0984 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/11/23 14:31:30.0187 COH_Mon (de88a385898f6d13026f94f749fbaed2) C:\WINDOWS\system32\Drivers\COH_Mon.sys 2010/11/23 14:31:30.0500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/11/23 14:31:30.0609 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS 2010/11/23 14:31:30.0687 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS 2010/11/23 14:31:30.0796 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS 2010/11/23 14:31:30.0890 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS 2010/11/23 14:31:30.0968 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS 2010/11/23 14:31:31.0062 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS 2010/11/23 14:31:31.0125 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS 2010/11/23 14:31:31.0203 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS 2010/11/23 14:31:31.0281 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS 2010/11/23 14:31:31.0406 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2010/11/23 14:31:31.0500 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2010/11/23 14:31:31.0609 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/11/23 14:31:31.0656 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/11/23 14:31:31.0781 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/11/23 14:31:31.0859 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS 2010/11/23 14:31:31.0937 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS 2010/11/23 14:31:32.0062 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 2010/11/23 14:31:32.0156 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 2010/11/23 14:31:32.0250 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/11/23 14:31:32.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2010/11/23 14:31:32.0406 FilterService (f83c0fd028dd37be4a337b138eba6b7b) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys 2010/11/23 14:31:32.0484 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2010/11/23 14:31:32.0546 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2010/11/23 14:31:32.0609 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/11/23 14:31:32.0703 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/11/23 14:31:32.0765 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/11/23 14:31:32.0875 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys 2010/11/23 14:31:32.0953 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/11/23 14:31:33.0125 hardlock (995178a443b07fa9eeaea041d7b4b5ca) C:\WINDOWS\system32\drivers\hardlock.sys 2010/11/23 14:31:33.0234 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys 2010/11/23 14:31:33.0281 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2010/11/23 14:31:33.0312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/11/23 14:31:33.0390 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/11/23 14:31:33.0484 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys 2010/11/23 14:31:33.0515 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/11/23 14:31:33.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/11/23 14:31:33.0656 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/11/23 14:31:33.0703 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/11/23 14:31:33.0843 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/11/23 14:31:33.0937 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/11/23 14:31:34.0093 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/11/23 14:31:34.0140 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/11/23 14:31:34.0265 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/11/23 14:31:34.0343 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/11/23 14:31:34.0390 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2010/11/23 14:31:34.0437 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/11/23 14:31:34.0671 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/11/23 14:31:34.0812 LVcKap (9ce361764c5dd5fa5506510fe5d2297b) C:\WINDOWS\system32\DRIVERS\LVcKap.sys 2010/11/23 14:31:34.0953 LVPr2Mon (94d03b31f36bb362fa5713470fcf1c79) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 2010/11/23 14:31:35.0062 LVUSBSta (8b79a50360fc31df6b7b979b686b4aa2) C:\WINDOWS\system32\drivers\LVUSBSta.sys 2010/11/23 14:31:35.0281 LVUVC (5c20c4be679842cbee729b0cff5928bd) C:\WINDOWS\system32\DRIVERS\lvuvc.sys 2010/11/23 14:31:35.0640 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/11/23 14:31:35.0687 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2010/11/23 14:31:35.0750 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/11/23 14:31:35.0812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/11/23 14:31:35.0859 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/11/23 14:31:35.0937 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/11/23 14:31:36.0062 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/11/23 14:31:36.0375 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/11/23 14:31:36.0437 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/11/23 14:31:36.0484 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/11/23 14:31:36.0531 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/11/23 14:31:36.0593 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/11/23 14:31:36.0656 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2010/11/23 14:31:36.0734 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/11/23 14:31:36.0796 MUsbFltr (2782aa13d6bda4605475b557321044f3) C:\WINDOWS\system32\DRIVERS\MUsbFltr.sys 2010/11/23 14:31:36.0859 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2010/11/23 14:31:37.0000 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101122.002\NAVENG.SYS 2010/11/23 14:31:37.0156 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101122.002\NAVEX15.SYS 2010/11/23 14:31:37.0359 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/11/23 14:31:37.0437 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2010/11/23 14:31:37.0484 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/11/23 14:31:37.0546 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/11/23 14:31:37.0609 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/11/23 14:31:37.0687 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/11/23 14:31:37.0734 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/11/23 14:31:37.0796 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/11/23 14:31:37.0921 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/11/23 14:31:37.0984 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/11/23 14:31:38.0125 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/11/23 14:31:38.0265 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/11/23 14:31:38.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/11/23 14:31:38.0437 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/11/23 14:31:38.0515 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/11/23 14:31:38.0656 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2010/11/23 14:31:38.0718 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/11/23 14:31:38.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/11/23 14:31:38.0937 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/11/23 14:31:39.0078 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/11/23 14:31:39.0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/11/23 14:31:39.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/11/23 14:31:39.0515 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/11/23 14:31:39.0625 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/11/23 14:31:39.0765 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/11/23 14:31:39.0812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/11/23 14:31:39.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/11/23 14:31:39.0921 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/11/23 14:31:40.0015 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/11/23 14:31:40.0125 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/11/23 14:31:40.0171 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2010/11/23 14:31:40.0250 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/11/23 14:31:40.0328 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/11/23 14:31:40.0453 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/11/23 14:31:40.0531 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys 2010/11/23 14:31:40.0593 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/11/23 14:31:40.0687 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/11/23 14:31:40.0750 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys 2010/11/23 14:31:40.0890 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2010/11/23 14:31:40.0984 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys 2010/11/23 14:31:41.0140 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 2010/11/23 14:31:41.0296 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/11/23 14:31:41.0375 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/11/23 14:31:41.0437 SRTSP (5a293729e1f9fce3a2106d1f5dc5e98a) C:\WINDOWS\system32\Drivers\SRTSP.SYS 2010/11/23 14:31:41.0546 SRTSPL (0ddb7fba32be09d8057063c0cee24137) C:\WINDOWS\system32\Drivers\SRTSPL.SYS 2010/11/23 14:31:41.0750 SRTSPX (a99719dfb61b61aa5026341bbb733c0a) C:\WINDOWS\system32\Drivers\SRTSPX.SYS 2010/11/23 14:31:41.0875 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/11/23 14:31:42.0000 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2010/11/23 14:31:42.0078 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/11/23 14:31:42.0140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/11/23 14:31:42.0343 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 2010/11/23 14:31:42.0406 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 2010/11/23 14:31:42.0453 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS 2010/11/23 14:31:42.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/11/23 14:31:42.0656 SysPlant (5dcc2c7acc29dfba5ba82ed47d99c7e5) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys 2010/11/23 14:31:42.0734 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/11/23 14:31:42.0828 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/11/23 14:31:42.0921 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys 2010/11/23 14:31:43.0000 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/11/23 14:31:43.0046 Teefer2 (1d3c046a9106de97ddc8276958700bf4) C:\WINDOWS\system32\DRIVERS\teefer2.sys 2010/11/23 14:31:43.0109 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/11/23 14:31:43.0156 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 2010/11/23 14:31:43.0359 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys 2010/11/23 14:31:43.0562 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/11/23 14:31:43.0718 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/11/23 14:31:43.0859 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys 2010/11/23 14:31:43.0953 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/11/23 14:31:44.0031 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys 2010/11/23 14:31:44.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/11/23 14:31:44.0171 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/11/23 14:31:44.0250 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2010/11/23 14:31:44.0312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/11/23 14:31:44.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/11/23 14:31:44.0453 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/11/23 14:31:44.0671 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/11/23 14:31:44.0734 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/11/23 14:31:44.0906 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/11/23 14:31:45.0000 WPS (e8e745b8eee63c7cf7d34833d3b8ca7f) C:\WINDOWS\system32\drivers\wpsdrvnt.sys 2010/11/23 14:31:45.0093 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys 2010/11/23 14:31:45.0171 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2010/11/23 14:31:45.0281 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/11/23 14:31:45.0359 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/11/23 14:31:46.0312 ================================================================================ 2010/11/23 14:31:46.0312 Scan finished 2010/11/23 14:31:46.0312 ================================================================================ Link to post Share on other sites More sharing options...
Maniac Posted November 23, 2010 ID:350036 Share Posted November 23, 2010 **Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
Jfschafer Posted November 24, 2010 Author ID:350087 Share Posted November 24, 2010 Are you seeing something that we can submit to our AV vendor for defs? I don't want to delete the malicous file/files until we grab it first. Link to post Share on other sites More sharing options...
Maniac Posted November 24, 2010 ID:350215 Share Posted November 24, 2010 They already know about it. Link to post Share on other sites More sharing options...
Jfschafer Posted November 24, 2010 Author ID:350569 Share Posted November 24, 2010 What was the file in question?? We have to get it before we delete. Link to post Share on other sites More sharing options...
Maniac Posted November 25, 2010 ID:350740 Share Posted November 25, 2010 I guess this is TDL rootkit. Link to post Share on other sites More sharing options...
Jfschafer Posted November 27, 2010 Author ID:351848 Share Posted November 27, 2010 Yeah. That I know. What I'm wondering is which file specifically is malicous in all the logs. (ie something.exe or something.sys) Link to post Share on other sites More sharing options...
Maniac Posted November 28, 2010 ID:352241 Share Posted November 28, 2010 Still I don't know. Link to post Share on other sites More sharing options...
Maniac Posted December 1, 2010 ID:354227 Share Posted December 1, 2010 What's new? Link to post Share on other sites More sharing options...
LDTate Posted December 5, 2010 ID:356385 Share Posted December 5, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts