
System Tool 2100


dogface


My XP Pro SP3 laptop got infected with the System Tool 2011 malware, making it pretty much unusable.

Following the information in several other posts, in safe mode I ran rkill.com, then MalwareBytes Anti-Malware. It found 3 items which were successfully deleted. I rebooted and ran MBAM in regular mode, finding nothing. I tried to run dds.scr, but it hung and required hard reboots. I did uninstall AVG Free Anti-Virus before running dds.scr.

Here are the logs:

*****************************************

rkill:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 12/18/2010 at 18:51:06.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 12/18/2010 at 18:51:11.

*********************************************************

MBAM in safe mode:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5350

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

12/18/2010 7:34:51 PM

mbam-log-2010-12-18 (19-34-50).txt

Scan type: Quick scan

Objects scanned: 138416

Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oGfAe06301 (Rogue.SystemTool) -> Value: oGfAe06301 -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\ogfae06301\ogfae06301.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.

c:\documents and settings\Jeff\local settings\temporary internet files\Content.IE5\4HAJOHM7\99dfad[2].exe (Rogue.SystemTool) -> Quarantined and deleted successfully.

c:\documents and settings\Jeff\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.

**********************************************************

MBAM in regular mode:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5350

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

12/18/2010 7:47:30 PM

mbam-log-2010-12-18 (19-47-30).txt

Scan type: Quick scan

Objects scanned: 139383

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

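As an added example (not part of the original post), here is a small Python parser for the MBAM 1.50 log format shown above: it pulls the detections out of each section, checks the header counts against the items actually listed, and labels which item was the logon persistence, which the dropped payload and which the browser download. The sample log is constructed from the post's own lines.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50 text log and summarise what it found."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the safe-mode log from the post above, cut down to the lines that matter.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50
Database version: 5350
Scan type: Quick scan
Objects scanned: 138416
Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oGfAe06301 (Rogue.SystemTool) -> Value: oGfAe06301 -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\ogfae06301\ogfae06301.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\documents and settings\Jeff\local settings\temporary internet files\Content.IE5\4HAJOHM7\99dfad[2].exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\documents and settings\Jeff\Desktop\system tool 2011.lnk (Rogue.SystemTool) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str                 # log section, e.g. "Files Infected"
    path: str                    # file path or registry key path
    family: str                  # MBAM detection name, e.g. "Rogue.SystemTool"
    action: str                  # what MBAM did with the item
    value: Optional[str] = None  # registry value name, for "Registry Values Infected" items


@dataclass
class MbamReport:
    database_version: Optional[str] = None
    scan_type: Optional[str] = None
    summary: Dict[str, int] = field(default_factory=dict)   # section -> count from the header block
    detections: List[Detection] = field(default_factory=list)


SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"   # "<path> (<family>)"
    r"(?: -> Value: (?P<value>.+?))?"           # optional registry value name
    r" -> (?P<action>.+?)\.?$"                  # "-> Quarantined and deleted successfully."
)
# Run/RunOnce/RunServices/RunServicesOnce keys execute their values at logon.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?\\", re.IGNORECASE)


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and not line.startswith("(No malicious items"):
            if (m := ITEM_RE.match(line)):
                report.detections.append(
                    Detection(section, m["path"], m["family"], m["action"], m["value"]))
    return report


def count_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Header counts that disagree with the items listed, as section -> (declared, listed).
    A non-empty result means the log was truncated or edited before it was posted."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.summary.items() if n != listed.get(s, 0)}


def persistence_findings(report: MbamReport) -> List[Tuple[str, str]]:
    """Label the role each detected item played in the infection."""
    findings = []
    for d in report.detections:
        p = d.path.lower()
        if AUTOSTART_RE.search(d.path):
            findings.append((d.path, "autostart registry value: relaunches the rogue at logon"))
        elif "\\temporary internet files\\" in p:
            findings.append((d.path, "browser cache copy: the original download/dropper"))
        elif p.endswith(".lnk"):
            findings.append((d.path, "shortcut planted so the user launches the rogue"))
        elif "\\application data\\" in p and p.endswith(".exe"):
            findings.append((d.path, "payload dropped in a user-writable data directory"))
    return findings


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM db {r.database_version}, {r.scan_type}: {len(r.detections)} item(s), "
          f"count mismatches: {count_mismatches(r)}")
    for path, why in persistence_findings(r):
        print(f"  {why}\n    {path}")
```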


Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi, thanks for responding!

I did as directed, things went well, and my laptop seems to be functioning normally. TDSS did not require a re-boot.

BTW, I installed the Online Armor firewall which I really like as it lets me know what's going on. I also installed Avira anti-virus; both were recommended in another post.

Thanks,

dogface (or nama)

TDSS file

**********************************************

2010/12/19 14:11:13.0175 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/19 14:11:13.0175 ================================================================================

2010/12/19 14:11:13.0175 SystemInfo:

2010/12/19 14:11:13.0175

2010/12/19 14:11:13.0175 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/19 14:11:13.0175 Product type: Workstation

2010/12/19 14:11:13.0175 ComputerName: UINA

2010/12/19 14:11:13.0175 UserName: Jeff

2010/12/19 14:11:13.0175 Windows directory: C:\WINDOWS

2010/12/19 14:11:13.0175 System windows directory: C:\WINDOWS

2010/12/19 14:11:13.0175 Processor architecture: Intel x86

2010/12/19 14:11:13.0175 Number of processors: 1

2010/12/19 14:11:13.0175 Page size: 0x1000

2010/12/19 14:11:13.0175 Boot type: Normal boot

2010/12/19 14:11:13.0175 ================================================================================

2010/12/19 14:11:14.0066 Initialize success

2010/12/19 14:11:20.0526 ================================================================================

2010/12/19 14:11:20.0526 Scan started

2010/12/19 14:11:20.0526 Mode: Manual;

2010/12/19 14:11:20.0526 ================================================================================


2010/12/19 14:12:14.0403 ================================================================================

2010/12/19 14:12:14.0403 Scan finished

2010/12/19 14:12:14.0403 ================================================================================

2010/12/19 14:20:34.0422 Deinitialize success


Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


This is very frustrating .... death to whoever is responsible for this.

I screwed up running Combofix -

1. On the first run I disabled the Avira AntiVir and Online Armor firewall (I thought). Since I disabled these I thought it would be a good idea to disable the wireless also, forgetting that I need to have ComboFix install the Recovery Console. During the run I tried to re-enable it but it wouldn't work. I stopped ComboFix.

2. On the second run the firewall was still issuing messages even though it was inactive. ComboFix installed the Recovery Console, but wasn't doing anything (no hard drive activity even after 30 min) so I had to hard reset to get out of it. I completely un-installed the firewall.

3. The third run yielded nothing after 45 minutes.

Thanks for your help so far.


Hi,

I deleted and downloaded a new copy of ComboFix and ran it with pretty much the same results. With no firewall and anti-virus de-activated, ComboFix saves a restore point and pops up a box with the following in it:

Scanning for infected files . . .

This typically doesn't take more than 10 minutes

However, scan times for badly infected machines may easily double

It has been like this for over an hour with no disk activity, and while the mouse moves, nothing else is responsive; it required a power cycle to recover.

Thank you again.


We need to make sure AVG is uninstalled.

Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix.

If AVG will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. The AVG uninstaller can be downloaded from here > http://www.appremover.com/get/appremover.exe Go to their homepage and you will see they have support for removal of other AVs as well http://www.appremover.com/


LD, thanks for sticking with me on this.

I downloaded AppRemover and ran it. Since I previously un-installed AVG, I chose the option to remove an incomplete de-installation. It ran fine and showed no actions necessary. AntiVir was removed prior to this.

I de-activated Windows firewall and ran ComboFix with the same results - no activity for over an hour.


http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START > Search
  • Now type ComboFix /Uninstall in the search box and click OK. Note the space between the X and the U, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt.
    6. Change the Download unsigned ActiveX controls to Disable.
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
    8. Change the Installation of desktop items to Prompt.
    9. Change the Launching programs and files in an IFRAME to Prompt.
    10. Change the Navigate sub-frames across different domains to Prompt.
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • WOT (Web of Trust) - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: green to go, yellow for caution, red to stop. WOT has an add-on available for both Firefox and IE.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware

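The Internet Explorer hardening steps in the post above are clicked through the Security tab, but IE stores each of those Custom Level choices as a DWORD under the current user's Internet zone key, which makes them easy to audit after the fact (and to reapply if a rogue like System Tool has reset them). The script below is an added example written for this thread, not a tool from the forum or from Malwarebytes; it assumes the per-user Internet zone (zone 3) under HKCU and uses IE's documented URL-action value names (1001, 1004, 1201, 1800, 1804, 1607) with the data values 0 = Enable, 1 = Prompt, 3 = Disable. Run it without switches to see which of the six settings differ from the post's recommendations; add -Apply to set them.

```powershell
# Added example (not from the forum post): audit, and optionally apply, the six
# Internet-zone settings recommended above, via the registry values the IE GUI writes.
# Assumptions: per-user settings under HKCU, Internet zone = Zone 3, no policy override.
param(
    [switch]$Apply   # without -Apply the script only reports differences
)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL-action data values
$valueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting shown in the Custom Level dialog -> @{ Id = registry value name; Want = desired data }
$desired = [ordered]@{
    'Download signed ActiveX controls'                       = @{ Id = '1001'; Want = 1 }
    'Download unsigned ActiveX controls'                     = @{ Id = '1004'; Want = 3 }
    'Initialize and script ActiveX controls not marked safe' = @{ Id = '1201'; Want = 3 }
    'Installation of desktop items'                          = @{ Id = '1800'; Want = 1 }
    'Launching programs and files in an IFRAME'              = @{ Id = '1804'; Want = 1 }
    'Navigate sub-frames across different domains'           = @{ Id = '1607'; Want = 1 }
}

if (-not (Test-Path $zonePath)) {
    throw "Internet zone key not found: $zonePath"
}

$drift = 0
foreach ($name in $desired.Keys) {
    $id   = $desired[$name].Id
    $want = $desired[$name].Want

    # A missing value means IE is using its built-in default for this zone.
    $item = Get-ItemProperty -Path $zonePath -Name $id -ErrorAction SilentlyContinue
    $have = if ($null -ne $item) { [int]$item.$id } else { $null }

    $haveText = if ($null -eq $have) { '(not set, IE default applies)' }
                elseif ($valueNames.ContainsKey($have)) { $valueNames[$have] }
                else { "raw=$have" }

    if ($have -eq $want) {
        Write-Host ("OK    {0,-55} {1}" -f $name, $valueNames[$want])
        continue
    }

    $drift++
    Write-Host ("DRIFT {0,-55} is {1}, want {2}" -f $name, $haveText, $valueNames[$want])

    if ($Apply) {
        Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
        Write-Host ("      -> set {0} = {1}" -f $id, $want)
    }
}

if ($drift -eq 0) { Write-Host 'All listed Internet-zone settings already match the recommendation.' }
elseif (-not $Apply) { Write-Host "$drift setting(s) differ; re-run with -Apply to change them." }
```

One caveat worth knowing when the audit disagrees with what the Security tab shows: if the machine is under a Group Policy that sets Internet zone actions, the effective values live under the Policies branch and override the HKCU zone key, so the GUI greys the options out and the values this script writes have no effect. In that case the settings have to be changed in the policy, not per user.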