Jump to content
LSF76

Rootkit virus- Need help with GMER log

Recommended Posts

I'm infected with the channel1reports.com virus. Anti-malware scans with MBAM, Spybot S+D, and Lavasoft AdAware did not remove it. I followed the directions for using GMER Rootkit Scanner. Resulting logs are posted/attached.

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6481

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

5/1/2011 1:33:42 AM

mbam-log-2011-05-01 (01-33-42).txt

Scan type: Full scan (C:\|)

Objects scanned: 239837

Time elapsed: 1 hour(s), 35 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Sam Mogilensky at 11:31:01.35 on Mon 05/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1322 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\WINDOWS\system32\ThpSrv.exe

C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe

C:\WINDOWS\system32\TPSMain.exe

C:\WINDOWS\system32\thpsrv.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Documents and Settings\Sam Mogilensky\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

mURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [00THotkey] c:\windows\system32\00THotkey.exe

mRun: [000StTHK] 000StTHK.exe

mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe

mRun: [TPSMain] TPSMain.exe

mRun: [TPSODDCtl] TPSODDCtl.exe

mRun: [ThpSrv] thpsrv /logon

mRun: [TFncKy] TFncKy.exe

mRun: [TOSDCR] TOSDCR.EXE

mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [TFNF5] TFNF5.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

IE: Google Sidewiki...

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1240407552625

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

Notify: igfxcui - igfxdev.dll

Notify: psfus - psqlpwd.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli psqlpwd

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sammog~1\applic~1\mozilla\firefox\profiles\zs2vu2sc.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - plugin: c:\documents and settings\sam mogilensky\application data\mozilla\firefox\profiles\zs2vu2sc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

.

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-25 64512]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-5-20 6144]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-5-20 5888]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-5-28 532224]

R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]

R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]

R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2006-5-20 126976]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-5-20 35968]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]

.

=============== Created Last 30 ================

.

2011-05-02 05:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe

.

==================== Find3M ====================

.

2011-05-01 12:03:25 24576 ----a-w- c:\windows\system32\userinit.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHV2100BH_PL rev.0000002A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89B064F0]<<

c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b0c7d0]; MOV EAX, [0x89b0c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BB2AB8]

3 CLASSPNP[0xF765805B] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x89B8F908]

5 thpdrv[0xF768971D] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000082[0x89BB4510]

7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x89B99940]

\Driver\atapi[0x89BF2F38] -> IRP_MJ_CREATE -> 0x89B064F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89B0633B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 11:34:23.18 ===============

Attach log and Ark log are attached in .zip format

Attach.zip

ark.zip

Please help!

Share this post


Link to post
Share on other sites

:welcome:

Looks as this might be one of those new ones.

Step 1.

aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

aswMBR2.png

Step 2.

MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 3.

CKScanner:

Download CKScanner from here

Important : Save it to your desktop.

  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 4.

Things I would like to see in your reply:

  1. The content of the log from aswMBR in step 1.
  2. The content of the log from MBRCheck in step 2.
  3. The content of the log from CKScanner in step 3.

Share this post


Link to post
Share on other sites

1. aswMBR log:

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software

Run date: 2011-05-03 10:14:05

-----------------------------

10:14:05.078 OS Version: Windows 5.1.2600 Service Pack 2

10:14:05.093 Number of processors: 2 586 0xF02

10:14:05.125 ComputerName: SAMMYMO UserName:

10:14:08.890 Initialize success

10:14:13.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

10:14:13.734 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3

10:14:13.734 Device \Driver\atapi -> DriverStartIo 89b3533b

10:14:15.734 Disk 0 MBR read successfully

10:14:15.765 Disk 0 MBR scan

10:14:15.765 Disk 0 TDL4@MBR code has been found

10:14:15.781 Disk 0 Windows XP default MBR code found via API

10:14:15.796 Disk 0 MBR hidden

10:14:15.796 Disk 0 MBR [TDL4] **ROOTKIT**

10:14:15.812 Disk 0 trace - called modules:

10:14:15.812 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89b354f0]<<

10:14:15.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]

10:14:15.828 3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b46908]

10:14:15.828 5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b49490]

10:14:16.312 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b9f940]

10:14:16.343 \Driver\atapi[0x89b6a030] -> IRP_MJ_CREATE -> 0x89b354f0

10:14:16.375 Scan finished successfully

10:14:26.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\XXXXX\Desktop\MBR.dat" (edited to remove name)

10:14:26.750 The log file has been saved successfully to "C:\Documents and Settings\XXXXX\Desktop\aswMBR.txt" (edited to remove name)

2. MBRCheck log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 153):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806FF000 \WINDOWS\system32\hal.dll

0x89AF5000 \WINDOWS\system32\KDCOM.DLL

0xF789B000 \WINDOWS\system32\BOOTVID.dll

0xF75A8000 ACPI.sys

0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7597000 pci.sys

0xF75F7000 isapnp.sys

0xF7607000 ohci1394.sys

0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF789F000 compbatt.sys

0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF74D9000 pcmcia.sys

0xF7627000 MountMgr.sys

0xF74BA000 ftdisk.sys

0xF7989000 dmload.sys

0xF7494000 dmio.sys

0xF770F000 PartMgr.sys

0xF7637000 VolSnap.sys

0xF747C000 atapi.sys

0xF7647000 disk.sys

0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF745C000 fltMgr.sys

0xF744A000 sr.sys

0xF7667000 Lbd.sys

0xF7871000 DRVMCDB.SYS

0xF7677000 PxHelp20.sys

0xF785A000 KSecDD.sys

0xF7847000 WudfPf.sys

0xF7B52000 Ntfs.sys

0xF795A000 NDIS.sys

0xF7717000 TVALZ.SYS

0xF798B000 Thpevm.SYS

0xF7687000 thpdrv.sys

0xF782C000 Mup.sys

0xF76B7000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xBA13E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys

0xBA12A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA105000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB9F64000 \SystemRoot\system32\DRIVERS\NETw3x32.sys

0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB9F41000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB9F2E000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xF7527000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB9F15000 \SystemRoot\system32\DRIVERS\Apfiltr.sys

0xF775F000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7517000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS

0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA7FC000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB9F01000 \SystemRoot\system32\DRIVERS\parport.sys

0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7997000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xF743A000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF742A000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB9EDE000 \SystemRoot\system32\DRIVERS\ks.sys

0xBA7E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xBA7DC000 \SystemRoot\system32\DRIVERS\tosrfec.sys

0xBA7D4000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF741A000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF7AAD000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF740A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA7CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9EC7000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA764000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7757000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9DEE000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA754000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7787000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7797000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB9DBD000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA744000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF799F000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB9D64000 \SystemRoot\system32\DRIVERS\update.sys

0xBA7A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA79C000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys

0xBA724000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xA9841000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xA981F000 \SystemRoot\system32\drivers\portcls.sys

0xBA714000 \SystemRoot\system32\drivers\drmk.sys

0xA9703000 \SystemRoot\system32\DRIVERS\AGRSM.sys

0xF79AF000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7807000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA6F4000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7A62000 \SystemRoot\System32\Drivers\Null.SYS

0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS

0xF779F000 \SystemRoot\System32\Drivers\DLARTL_N.SYS

0xF77AF000 \SystemRoot\System32\drivers\vga.sys

0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xA9652000 \SystemRoot\System32\Drivers\meiudf.sys

0xA9641000 \SystemRoot\System32\Drivers\Udfs.SYS

0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS

0xA96FB000 \SystemRoot\System32\Drivers\Npfs.SYS

0xA9C9C000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA962E000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA95D6000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA95AE000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA958D000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA6E4000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA950C000 \SystemRoot\System32\vsdatant.sys

0xF76C7000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xA96C3000 \SystemRoot\System32\Drivers\tcusb.sys

0xA944A000 \SystemRoot\System32\drivers\afd.sys

0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF79C7000 \SystemRoot\System32\Drivers\TMEI3E.SYS

0xA93F7000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA9388000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF7537000 \SystemRoot\System32\Drivers\Fips.SYS

0xA9370000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79EF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xA9CA0000 \SystemRoot\System32\drivers\Dxapi.sys

0xF781F000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA776000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF024000 \SystemRoot\System32\igxpgd32.dll

0xBF012000 \SystemRoot\System32\igxprd32.dll

0xBF04F000 \SystemRoot\System32\igxpdv32.DLL

0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xA929A000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys

0xA9C94000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys

0xA928A000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xF7A75000 \SystemRoot\System32\DLA\DLADResN.SYS

0xA9184000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xF793F000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0xF79C3000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xF7A79000 \??\C:\Program Files\Protector Suite QL\smihlp.sys

0xA96F3000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0xA916C000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0xA9156000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0xF77DF000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xA91CA000 \SystemRoot\system32\DRIVERS\s24trans.sys

0xA9122000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA911A000 \SystemRoot\system32\DRIVERS\netdevio.sys

0xA8BF1000 \SystemRoot\system32\drivers\wdmaud.sys

0xA8DFE000 \SystemRoot\system32\drivers\sysaudio.sys

0xA8AAF000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xF79CD000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xA8940000 \SystemRoot\system32\DRIVERS\srv.sys

0xA7620000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xA78E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xA7658000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xA73DD000 \SystemRoot\system32\drivers\kmixer.sys

0xA7828000 \??\C:\DOCUME~1\SAMMOG~1\LOCALS~1\Temp\aswMBR.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):

0 System Idle Process

4 System

648 C:\WINDOWS\system32\smss.exe

708 csrss.exe

732 C:\WINDOWS\system32\winlogon.exe

784 C:\WINDOWS\system32\services.exe

796 C:\WINDOWS\system32\lsass.exe

992 C:\WINDOWS\system32\svchost.exe

1076 svchost.exe

1120 C:\WINDOWS\system32\svchost.exe

1176 C:\WINDOWS\system32\svchost.exe

1280 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

1388 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

1500 svchost.exe

1552 svchost.exe

1708 C:\WINDOWS\system32\ZoneLabs\vsmon.exe

288 C:\WINDOWS\explorer.exe

184 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

1648 C:\WINDOWS\system32\spoolsv.exe

508 svchost.exe

560 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

596 C:\WINDOWS\system32\DVDRAMSV.exe

664 C:\Program Files\Java\jre6\bin\jqs.exe

124 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

1328 C:\WINDOWS\system32\svchost.exe

1528 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe

352 C:\WINDOWS\system32\ThpSrv.exe

1812 C:\Program Files\Toshiba\TME3\TMESRV31.exe

2084 C:\Program Files\Toshiba\TME3\TMEEJME.exe

2520 C:\WINDOWS\system32\wbem\wmiapsrv.exe

2632 unsecapp.exe

2896 wmiprvse.exe

2916 alg.exe

3436 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

3648 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

3664 C:\WINDOWS\RTHDCPL.exe

3688 C:\WINDOWS\system32\00THotkey.exe

3712 C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe

3720 C:\WINDOWS\system32\TPSMain.exe

3740 C:\WINDOWS\system32\ThpSrv.exe

3764 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe

3788 C:\Program Files\Apoint2K\Apoint.exe

3832 C:\WINDOWS\system32\TFNF5.exe

3840 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

3872 C:\Program Files\DivX\DivX Update\DivXUpdate.exe

3884 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

3928 C:\WINDOWS\system32\RAMASST.exe

2124 C:\WINDOWS\system32\TPSBattM.exe

2436 C:\WINDOWS\system32\igfxext.exe

1992 C:\WINDOWS\system32\igfxsrvc.exe

3156 C:\Program Files\Apoint2K\ApntEx.exe

4088 C:\Documents and Settings\XXXXX\Desktop\MBRCheck.exe (edited to remove name)

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 0000002A

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: 31D100779DE502702C374F7C15687B56FCFD5528

Done!

3. ckfiles.txt:

CKScanner - Additional Security Risks - These are not necessarily bad

c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.cpp

c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.h

c:\program files\mount&blade\sounds\fire_small_crackle_slick_op.ogg

c:\program files\toshiba games\bejeweled 2 deluxe\sounds\firecrackle.ogg

scanner sequence 3.CA.11

----- EOF -----

Share this post


Link to post
Share on other sites
(edited to remove name)

Please don't edit logs. The fixes laid out to you might fail or even cause more trouble on the computer.

Please repost unedited logs.

Share this post


Link to post
Share on other sites

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software

Run date: 2011-05-03 10:14:05

-----------------------------

10:14:05.078 OS Version: Windows 5.1.2600 Service Pack 2

10:14:05.093 Number of processors: 2 586 0xF02

10:14:05.125 ComputerName: SAMMYMO UserName:

10:14:08.890 Initialize success

10:14:13.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

10:14:13.734 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3

10:14:13.734 Device \Driver\atapi -> DriverStartIo 89b3533b

10:14:15.734 Disk 0 MBR read successfully

10:14:15.765 Disk 0 MBR scan

10:14:15.765 Disk 0 TDL4@MBR code has been found

10:14:15.781 Disk 0 Windows XP default MBR code found via API

10:14:15.796 Disk 0 MBR hidden

10:14:15.796 Disk 0 MBR [TDL4] **ROOTKIT**

10:14:15.812 Disk 0 trace - called modules:

10:14:15.812 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x89b354f0]<<

10:14:15.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]

10:14:15.828 3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b46908]

10:14:15.828 5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b49490]

10:14:16.312 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b9f940]

10:14:16.343 \Driver\atapi[0x89b6a030] -> IRP_MJ_CREATE -> 0x89b354f0

10:14:16.375 Scan finished successfully

10:14:26.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\MBR.dat"

10:14:26.750 The log file has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\aswMBR.txt"

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 153):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806FF000 \WINDOWS\system32\hal.dll

0x89AF5000 \WINDOWS\system32\KDCOM.DLL

0xF789B000 \WINDOWS\system32\BOOTVID.dll

0xF75A8000 ACPI.sys

0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7597000 pci.sys

0xF75F7000 isapnp.sys

0xF7607000 ohci1394.sys

0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF789F000 compbatt.sys

0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF74D9000 pcmcia.sys

0xF7627000 MountMgr.sys

0xF74BA000 ftdisk.sys

0xF7989000 dmload.sys

0xF7494000 dmio.sys

0xF770F000 PartMgr.sys

0xF7637000 VolSnap.sys

0xF747C000 atapi.sys

0xF7647000 disk.sys

0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF745C000 fltMgr.sys

0xF744A000 sr.sys

0xF7667000 Lbd.sys

0xF7871000 DRVMCDB.SYS

0xF7677000 PxHelp20.sys

0xF785A000 KSecDD.sys

0xF7847000 WudfPf.sys

0xF7B52000 Ntfs.sys

0xF795A000 NDIS.sys

0xF7717000 TVALZ.SYS

0xF798B000 Thpevm.SYS

0xF7687000 thpdrv.sys

0xF782C000 Mup.sys

0xF76B7000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xBA13E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys

0xBA12A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA105000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB9F64000 \SystemRoot\system32\DRIVERS\NETw3x32.sys

0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB9F41000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB9F2E000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xF7527000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB9F15000 \SystemRoot\system32\DRIVERS\Apfiltr.sys

0xF775F000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7517000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS

0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA7FC000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB9F01000 \SystemRoot\system32\DRIVERS\parport.sys

0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7997000 \SystemRoot\System32\Drivers\DLACDBHM.SYS

0xF743A000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF742A000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB9EDE000 \SystemRoot\system32\DRIVERS\ks.sys

0xBA7E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xBA7DC000 \SystemRoot\system32\DRIVERS\tosrfec.sys

0xBA7D4000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF741A000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF7AAD000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF740A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA7CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9EC7000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA764000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7757000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9DEE000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA754000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7787000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7797000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB9DBD000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA744000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF799F000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB9D64000 \SystemRoot\system32\DRIVERS\update.sys

0xBA7A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA79C000 \SystemRoot\system32\DRIVERS\tbiosdrv.sys

0xBA724000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xA9841000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xA981F000 \SystemRoot\system32\drivers\portcls.sys

0xBA714000 \SystemRoot\system32\drivers\drmk.sys

0xA9703000 \SystemRoot\system32\DRIVERS\AGRSM.sys

0xF79AF000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7807000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA6F4000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7A62000 \SystemRoot\System32\Drivers\Null.SYS

0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS

0xF779F000 \SystemRoot\System32\Drivers\DLARTL_N.SYS

0xF77AF000 \SystemRoot\System32\drivers\vga.sys

0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xA9652000 \SystemRoot\System32\Drivers\meiudf.sys

0xA9641000 \SystemRoot\System32\Drivers\Udfs.SYS

0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS

0xA96FB000 \SystemRoot\System32\Drivers\Npfs.SYS

0xA9C9C000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA962E000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA95D6000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA95AE000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA958D000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA6E4000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA950C000 \SystemRoot\System32\vsdatant.sys

0xF76C7000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xA96C3000 \SystemRoot\System32\Drivers\tcusb.sys

0xA944A000 \SystemRoot\System32\drivers\afd.sys

0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF79C7000 \SystemRoot\System32\Drivers\TMEI3E.SYS

0xA93F7000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA9388000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF7537000 \SystemRoot\System32\Drivers\Fips.SYS

0xA9370000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79EF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xA9CA0000 \SystemRoot\System32\drivers\Dxapi.sys

0xF781F000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA776000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF024000 \SystemRoot\System32\igxpgd32.dll

0xBF012000 \SystemRoot\System32\igxprd32.dll

0xBF04F000 \SystemRoot\System32\igxpdv32.DLL

0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xA929A000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys

0xA9C94000 \??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys

0xA928A000 \SystemRoot\System32\Drivers\DRVNDDM.SYS

0xF7A75000 \SystemRoot\System32\DLA\DLADResN.SYS

0xA9184000 \SystemRoot\System32\DLA\DLAIFS_M.SYS

0xF793F000 \SystemRoot\System32\DLA\DLAOPIOM.SYS

0xF79C3000 \SystemRoot\System32\DLA\DLAPoolM.SYS

0xF7A79000 \??\C:\Program Files\Protector Suite QL\smihlp.sys

0xA96F3000 \SystemRoot\System32\DLA\DLABOIOM.SYS

0xA916C000 \SystemRoot\System32\DLA\DLAUDFAM.SYS

0xA9156000 \SystemRoot\System32\DLA\DLAUDF_M.SYS

0xF77DF000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xA91CA000 \SystemRoot\system32\DRIVERS\s24trans.sys

0xA9122000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA911A000 \SystemRoot\system32\DRIVERS\netdevio.sys

0xA8BF1000 \SystemRoot\system32\drivers\wdmaud.sys

0xA8DFE000 \SystemRoot\system32\drivers\sysaudio.sys

0xA8AAF000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xF79CD000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xA8940000 \SystemRoot\system32\DRIVERS\srv.sys

0xA7620000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xA78E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xA7658000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xA73DD000 \SystemRoot\system32\drivers\kmixer.sys

0xA7828000 \??\C:\DOCUME~1\SAMMOG~1\LOCALS~1\Temp\aswMBR.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 52):

0 System Idle Process

4 System

648 C:\WINDOWS\system32\smss.exe

708 csrss.exe

732 C:\WINDOWS\system32\winlogon.exe

784 C:\WINDOWS\system32\services.exe

796 C:\WINDOWS\system32\lsass.exe

992 C:\WINDOWS\system32\svchost.exe

1076 svchost.exe

1120 C:\WINDOWS\system32\svchost.exe

1176 C:\WINDOWS\system32\svchost.exe

1280 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

1388 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

1500 svchost.exe

1552 svchost.exe

1708 C:\WINDOWS\system32\ZoneLabs\vsmon.exe

288 C:\WINDOWS\explorer.exe

184 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

1648 C:\WINDOWS\system32\spoolsv.exe

508 svchost.exe

560 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

596 C:\WINDOWS\system32\DVDRAMSV.exe

664 C:\Program Files\Java\jre6\bin\jqs.exe

124 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

1328 C:\WINDOWS\system32\svchost.exe

1528 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe

352 C:\WINDOWS\system32\ThpSrv.exe

1812 C:\Program Files\Toshiba\TME3\TMESRV31.exe

2084 C:\Program Files\Toshiba\TME3\TMEEJME.exe

2520 C:\WINDOWS\system32\wbem\wmiapsrv.exe

2632 unsecapp.exe

2896 wmiprvse.exe

2916 alg.exe

3436 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

3648 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

3664 C:\WINDOWS\RTHDCPL.exe

3688 C:\WINDOWS\system32\00THotkey.exe

3712 C:\Program Files\Toshiba\DualPointUtility\TEDTray.exe

3720 C:\WINDOWS\system32\TPSMain.exe

3740 C:\WINDOWS\system32\ThpSrv.exe

3764 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe

3788 C:\Program Files\Apoint2K\Apoint.exe

3832 C:\WINDOWS\system32\TFNF5.exe

3840 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

3872 C:\Program Files\DivX\DivX Update\DivXUpdate.exe

3884 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

3928 C:\WINDOWS\system32\RAMASST.exe

2124 C:\WINDOWS\system32\TPSBattM.exe

2436 C:\WINDOWS\system32\igfxext.exe

1992 C:\WINDOWS\system32\igfxsrvc.exe

3156 C:\Program Files\Apoint2K\ApntEx.exe

4088 C:\Documents and Settings\Sam Mogilensky\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 0000002A

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: 31D100779DE502702C374F7C15687B56FCFD5528

Done!

CKScanner - Additional Security Risks - These are not necessarily bad

c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.cpp

c:\program files\microsoft directx sdk (november 2008)\samples\c++\direct3d\uvatlas\crackdecl.h

c:\program files\mount&blade\sounds\fire_small_crackle_slick_op.ogg

c:\program files\toshiba games\bejeweled 2 deluxe\sounds\firecrackle.ogg

scanner sequence 3.CA.11

----- EOF -----

Share this post


Link to post
Share on other sites

Thanks!

There is a MBR Rootkit that needs to be taken care of.

Step 1.

MBR-backup:

Open notepad and copy/paste the text in the codebox below into it:

MBRCheck -s 0 -d MBRbckp.dat

Save this as bmbr.bat

Choose to "Save type as - All Files"

Save it on your desktop.

It should look like this: bat_icon.gif

Double click on bmbr.bat & allow it to run.

The file MBRbckp.dat will be created on your desktop.

Step 2.

Filescan:

Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    C:\Documents and Settings\Sam Mogilensky\Desktop\MBR.dat


  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Please repeat for the following file:

C:\Documents and Settings\Sam Mogilensky\Desktop\MBRbckp.dat

Step 3.

Upload files:

Please zip MBRbckp.dat and attach it in your reply.

Please also zip MBR.dat and attach that one in your reply as well

Step 4.

Things I would like to see in your reply:

  1. The links to the filescans from step 2.
  2. The two zipped files attached from step 3.

Share this post


Link to post
Share on other sites

Let's start fixing things then

Step 1.

aswMBR:

Close all applications

Run aswMBR and Click Scan

On completion of the scan, click the Fix - button

TLD4v2reboot.png

When prompted to restart click Yes

Rerun aswMBR and save the log as before and post in your next reply

Step 2.

DSS:

Rerun DDS and post a fresh set of logs (DDS.txt and Attach.txt) in your reply.

Step 3.

Things I would like to see in your reply:

  1. The content of the log from aswMBR in step 1.
  2. The logs from DDS in step 2.

Share this post


Link to post
Share on other sites

I ran aswMBR. After the scan, I clicked "Fix". It said the problem was fixed, and it was verifying. At that point my computer crashed. I had to manually shut down and reboot. As a precaution, I disabled AdAware AdWatch Live and Spybot S+D Tea Timer this time just in case they were interfering with aswMBR. I ran aswMBR again and the second time it did not report any problems. Here is the log file for the second scan:

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software

Run date: 2011-05-04 09:29:05

-----------------------------

09:29:05.984 OS Version: Windows 5.1.2600 Service Pack 2

09:29:05.984 Number of processors: 2 586 0xF02

09:29:05.984 ComputerName: SAMMYMO UserName:

09:29:06.484 Initialize success

09:29:43.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

09:29:43.062 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 0000002A Size: 95396MB BusType: 3

09:29:45.093 Disk 0 MBR read successfully

09:29:45.093 Disk 0 MBR scan

09:29:45.093 Disk 0 Windows XP default MBR code

09:29:47.093 Disk 0 scanning sectors +195366465

09:29:47.140 Disk 0 scanning C:\WINDOWS\system32\drivers

09:29:52.437 Service scanning

09:29:54.171 Disk 0 trace - called modules:

09:29:54.187 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys atapi.sys pciide.sys

09:29:54.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ba3ab8]

09:29:54.203 3 CLASSPNP.SYS[f765805b] -> nt!IofCallDriver -> \Device\THPDRV[0x89b63908]

09:29:54.203 5 thpdrv.sys[f768971d] -> nt!IofCallDriver -> \Device\00000082[0x89b66490]

09:29:54.203 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89b94940]

09:29:54.218 Scan finished successfully

09:30:27.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\MBR.dat"

09:30:27.687 The log file has been saved successfully to "C:\Documents and Settings\Sam Mogilensky\Desktop\aswMBR2.txt"

DDS logs:

Attach2.zip

DDS2.zip

Share this post


Link to post
Share on other sites
It said the problem was fixed, and it was verifying. At that point my computer crashed. I had to manually shut down and reboot.
Forgot to mention that that could happen.

Step 1.

Uninstall unwanted softwares:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Azureus

BitTorrent 5.0.9

DC++ 0.782

J2SE Runtime Environment 5.0 Update 6

Viewpoint Media Player

Vuze

Optional removals

Azureus, BitTorrent, DC++ and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.

It's up to you if you want to remove the above programs, however I recommend you do.

Step 2.

ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.

Things I would like to see in your reply:

  1. Which softwares were uninstalled in step 1.
  2. The content of C:\ComboFix.txt from step 2.

Share this post


Link to post
Share on other sites

1. Softwares uninstalled:

J2SE Runtime Environment 5.0 Update 6

Viewpoint Media Player

2. ComboFix log:

ComboFix 11-05-04.03 - Sam Mogilensky 05/04/2011 23:34:31.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1558 [GMT -4:00]

Running from: c:\documents and settings\Sam Mogilensky\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\Thumbs.db

.

.

((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))

.

.

2011-05-02 19:17 . 2011-05-02 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-02 05:01 . 2011-05-01 14:39 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-05-01 20:13 . 2011-05-01 20:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-01 12:03 . 2006-05-20 17:31 24576 ----a-w- c:\windows\system32\userinit.exe

2011-04-29 16:12 . 2009-11-25 19:46 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="thpsrv" [X]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-09 16207360]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-25 253952]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]

"TPSMain"="TPSMain.exe" [2006-04-25 315392]

"TPSODDCtl"="TPSODDCtl.exe" [2006-04-25 110592]

"TFncKy"="TFncKy.exe" [bU]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2005-03-18 151552]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]

"TFNF5"="TFNF5.exe" [2006-04-10 622592]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-5-20 155648]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^Sam Mogilensky^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2006-06-30 12:32 89541 ----a-w- c:\windows\agrsmmsg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2008-02-15 17:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-02-15 17:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-02-15 17:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]

2006-05-06 00:36 30208 ----a-w- c:\program files\Protector Suite QL\launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2006-04-24 22:20 1448960 ----a-w- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]

2006-02-23 00:41 86016 ----a-w- c:\program files\Toshiba\TME3\TMERzCtl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]

2005-12-14 19:00 126976 ----a-w- c:\program files\Toshiba\TME3\TMESRV31.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"SSDPSRV"=3 (0x3)

"seclogon"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"iPod Service"=3 (0x3)

"ERSvc"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/25/2009 3:46 PM 64512]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/28/2004 2:31 AM 16384]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [5/20/2006 2:20 PM 6144]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [5/20/2006 2:21 PM 5888]

R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [5/20/2006 2:21 PM 126976]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/20/2006 1:49 PM 35968]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2146496]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 15:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki...

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\Sam Mogilensky\Application Data\Mozilla\Firefox\Profiles\zs2vu2sc.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-05 00:00

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(732)

c:\windows\system32\vrlogon.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\Protector Suite QL\biokmd.dll

.

- - - - - - - > 'explorer.exe'(1168)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\TOSHIBA\TME3\TMEEJMD.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\infra.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\ThpSrv.exe

c:\program files\TOSHIBA\TME3\TMEEJME.EXE

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\TPSMain.exe

c:\windows\system32\thpsrv.exe

c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

c:\windows\system32\TFNF5.exe

c:\windows\system32\TPSBattM.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint2K\Apntex.exe

.

**************************************************************************

.

Completion time: 2011-05-05 00:08:59 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-05 04:08

.

Pre-Run: 44,964,151,296 bytes free

Post-Run: 45,569,208,320 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

.

- - End Of File - - 7D296026CD59C96B9D4336C35751B189

Share this post


Link to post
Share on other sites

Looking good, let's follow with a couple of scans for leftovers.

Step 1.

Clean temp locations:

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2.

Scan with MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 3.

Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.

Things I would like to see in your reply:

  1. The content of the report from MBAM from Step 2.
  2. The content of the report from ESET Online Scanner from Step 3.
  3. Information on how your computer is running after those steps.

Share this post


Link to post
Share on other sites

1. MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6513

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

5/5/2011 9:47:56 AM

mbam-log-2011-05-05 (09-47-56).txt

Scan type: Quick scan

Objects scanned: 156370

Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=38f52542c0704346ad6646fca976e150

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-05 03:49:28

# local_time=2011-05-05 11:49:28 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 100 70 25598598 26368920 0 0

# scanned=83286

# found=1

# cleaned=1

# scan_time=6129

C:\Documents and Settings\Sam Mogilensky\My Documents\Backup of Flash Drive\Removable Disk (E)\Autorun.inf INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C

3. The symptoms which led me to think I was infected (pop-up ads, search results redirected to ads) have disappeared. I do have a concern, which is that ESET found a virus in a backup file I created for the content on my flash drive. Does that mean my flash drive is infected, and how can I remove that infection without reinfecting my computer?

Share this post


Link to post
Share on other sites
3. The symptoms which led me to think I was infected (pop-up ads, search results redirected to ads) have disappeared. I do have a concern, which is that ESET found a virus in a backup file I created for the content on my flash drive. Does that mean my flash drive is infected, and how can I remove that infection without reinfecting my computer?

How do disable Autorun

Better solution for USB and other removable media is:

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
And if you have Windows 7 use Panda USB Vaccine
Hey there, LSF76 !
OK! Well done, your log is clean again! :)
Time for some housekeeping.
Step 1.
Clean up:
We need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.
First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    Run_ComboFix {47}Uninstall.jpg

Second:

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that is left over after you ran OTC.

Step 2.

Prevention:

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

First:

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest

--------------

Upgrading Java:

javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 25 .
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")

Second:

One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.

Third:

Now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware

  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.

.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

Fourth:

Next lets look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls

Fifth:

On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs

Sixth:

Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

Lastly:

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Share this post


Link to post
Share on other sites

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.