Jump to content

Recommended Posts

Hi, trying to get rid of malware that appeared on my desktop May 1. I'm running Windows XP. I've got Avast, Spybot, and MBAB which I've using torubn run full scans every day, just to keep the machine up and running. I get warnings from Avast every few minutes that threats like msmnsfaq.exe, rootkit gen, lckclkl1i1i, and longtriptodayz are being blocked. The process frequently involves svchost.exe and i see that on task manager there are several instances of this process running. I also saw Hiloti at one point, but I seem to have gotten rid of it ( maybe...) When I run boot scan using Avast, I get the message that a Java Agent gen -GT and others are infecting the computer as well. I delete them and they are back again the same day. I've followed the instructions on the "What do I do now" forum and I have posted the MBAB log, the DDS/GMER log below. I've attached the compressed attach.txt, and the ark.txt files as well. Please let me know if you need me to dl anything else and scan and post logs. Thank you in advance for any help you may provide me.

AWM

Attach.zip

ark.zip

Link to post
Share on other sites

:welcome:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Link to post
Share on other sites

Thank you so much for your reply and advice. I DL and ran STF, GooredFix, and TDSSKiller, then rebooted the computer as instructed. It rebooted fine, and I haven't gotten any new warnings from AVAST. No random browser redirects yet either. The computer seems to be behaving normally.Here is the TDSS log:

2011/05/11 09:32:09.0500 0328 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16

2011/05/11 09:32:09.0953 0328 ================================================================================

2011/05/11 09:32:09.0953 0328 SystemInfo:

2011/05/11 09:32:09.0953 0328

2011/05/11 09:32:09.0953 0328 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/11 09:32:09.0953 0328 Product type: Workstation

2011/05/11 09:32:09.0953 0328 ComputerName: END-897B419AA5E

2011/05/11 09:32:09.0953 0328 UserName: Alaina

2011/05/11 09:32:09.0953 0328 Windows directory: C:\WINDOWS

2011/05/11 09:32:09.0953 0328 System windows directory: C:\WINDOWS

2011/05/11 09:32:09.0953 0328 Processor architecture: Intel x86

2011/05/11 09:32:09.0953 0328 Number of processors: 1

2011/05/11 09:32:09.0953 0328 Page size: 0x1000

2011/05/11 09:32:09.0953 0328 Boot type: Normal boot

2011/05/11 09:32:09.0953 0328 ================================================================================

2011/05/11 09:32:10.0218 0328 Initialize success

2011/05/11 09:32:21.0265 2312 ================================================================================

2011/05/11 09:32:21.0265 2312 Scan started

2011/05/11 09:32:21.0265 2312 Mode: Manual;

2011/05/11 09:32:21.0265 2312 ================================================================================

2011/05/11 09:32:22.0468 2312 Aavmker4 (78a4db23bb4e8d4349e164d1d90af73f) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/05/11 09:32:22.0562 2312 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/11 09:32:22.0625 2312 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/11 09:32:22.0687 2312 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/05/11 09:32:22.0718 2312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/11 09:32:22.0812 2312 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/05/11 09:32:22.0875 2312 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/05/11 09:32:23.0078 2312 aswFsBlk (9bdb29e81abceb883556df44649696c4) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/05/11 09:32:23.0109 2312 aswMon2 (2ce6da466687cbb3b97e59f8831a27cb) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/05/11 09:32:23.0140 2312 aswRdr (a90cf680ca7a323913ca3a0810c8e02d) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/05/11 09:32:23.0203 2312 aswSnx (f7969934cca2e566e95df17380a3cb11) C:\WINDOWS\system32\drivers\aswSnx.sys

2011/05/11 09:32:23.0265 2312 aswSP (478d6a0e0630c31bf4a7f5eb0a05b92c) C:\WINDOWS\system32\drivers\aswSP.sys

2011/05/11 09:32:23.0296 2312 aswTdi (e52e45743e27fd6184c55618a10b81ab) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/05/11 09:32:23.0328 2312 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/11 09:32:23.0375 2312 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/11 09:32:23.0593 2312 ati2mtag (c82240ce60a9326e52282f62ba923f27) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/11 09:32:23.0671 2312 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/11 09:32:23.0734 2312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/11 09:32:24.0015 2312 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/11 09:32:24.0187 2312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/11 09:32:24.0546 2312 BeTwinKeyboard (48650cdd4b2dab817fef0b39a430e955) C:\WINDOWS\system32\drivers\BeTwinKF.sys

2011/05/11 09:32:24.0812 2312 BeTwinMouse (0a680658860662cc81b7b8ed3d037d4a) C:\WINDOWS\system32\drivers\BeTwinMF.sys

2011/05/11 09:32:24.0906 2312 BeTwinSystem (d6a76e727e395933994ffdd3c85fc7f3) C:\WINDOWS\system32\Drivers\BeTwinSystem.sys

2011/05/11 09:32:25.0093 2312 BeTwinVideo (95ebb2a77b0c6bb9186b56cfc93fe060) C:\WINDOWS\system32\drivers\BeTwinVF.sys

2011/05/11 09:32:25.0343 2312 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/11 09:32:25.0515 2312 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/11 09:32:25.0718 2312 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/11 09:32:25.0812 2312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/11 09:32:26.0046 2312 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/11 09:32:26.0140 2312 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/11 09:32:26.0250 2312 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/11 09:32:26.0375 2312 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/11 09:32:26.0484 2312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/11 09:32:26.0734 2312 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/11 09:32:26.0828 2312 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/11 09:32:27.0015 2312 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/05/11 09:32:27.0062 2312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/11 09:32:27.0125 2312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/05/11 09:32:27.0234 2312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/11 09:32:27.0515 2312 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/11 09:32:27.0609 2312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/11 09:32:27.0750 2312 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/11 09:32:27.0875 2312 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/11 09:32:27.0968 2312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/11 09:32:28.0171 2312 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/11 09:32:28.0375 2312 ialm (737da0be27652c4482ac5cde099bfce9) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/05/11 09:32:28.0515 2312 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/11 09:32:28.0593 2312 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\WINDOWS\system32\drivers\InCDFs.sys

2011/05/11 09:32:28.0687 2312 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\WINDOWS\system32\drivers\InCDPass.sys

2011/05/11 09:32:28.0750 2312 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\WINDOWS\system32\drivers\InCDrec.sys

2011/05/11 09:32:28.0812 2312 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\WINDOWS\system32\drivers\InCDRm.sys

2011/05/11 09:32:29.0203 2312 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/11 09:32:29.0375 2312 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/11 09:32:29.0500 2312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/11 09:32:29.0671 2312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/11 09:32:30.0171 2312 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/11 09:32:30.0218 2312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/11 09:32:30.0265 2312 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/11 09:32:30.0375 2312 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/11 09:32:30.0437 2312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/11 09:32:30.0515 2312 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/11 09:32:30.0593 2312 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/05/11 09:32:30.0703 2312 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/11 09:32:30.0843 2312 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/11 09:32:31.0171 2312 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/11 09:32:31.0281 2312 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/11 09:32:31.0359 2312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/11 09:32:31.0453 2312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/11 09:32:31.0484 2312 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/11 09:32:31.0562 2312 mozyFilter (957f5e54b0bc53dc5bebe8327dd154d9) C:\WINDOWS\system32\DRIVERS\mozy.sys

2011/05/11 09:32:31.0640 2312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/11 09:32:31.0796 2312 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/11 09:32:31.0984 2312 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/11 09:32:32.0046 2312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/11 09:32:32.0203 2312 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/11 09:32:32.0281 2312 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/11 09:32:32.0328 2312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/11 09:32:32.0375 2312 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/11 09:32:32.0406 2312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/11 09:32:32.0484 2312 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/11 09:32:32.0562 2312 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/11 09:32:32.0609 2312 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/11 09:32:32.0671 2312 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/11 09:32:32.0718 2312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/11 09:32:32.0953 2312 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/11 09:32:33.0031 2312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/11 09:32:33.0109 2312 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/11 09:32:33.0203 2312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/11 09:32:33.0281 2312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/11 09:32:33.0328 2312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/11 09:32:33.0375 2312 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/11 09:32:33.0437 2312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/11 09:32:33.0656 2312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/11 09:32:33.0703 2312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/11 09:32:33.0796 2312 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2011/05/11 09:32:33.0859 2312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/05/11 09:32:34.0046 2312 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/11 09:32:34.0125 2312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/11 09:32:34.0187 2312 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/11 09:32:34.0484 2312 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/11 09:32:34.0593 2312 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/11 09:32:34.0656 2312 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/11 09:32:34.0703 2312 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/11 09:32:34.0734 2312 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/11 09:32:34.0781 2312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/11 09:32:34.0875 2312 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/11 09:32:34.0937 2312 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/11 09:32:35.0031 2312 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/11 09:32:35.0250 2312 rtl8185 (65c9ee649ec9e86c964b390909377909) C:\WINDOWS\system32\DRIVERS\rtl8185.sys

2011/05/11 09:32:35.0437 2312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/11 09:32:35.0484 2312 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/11 09:32:35.0531 2312 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/11 09:32:35.0593 2312 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/11 09:32:35.0750 2312 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys

2011/05/11 09:32:36.0031 2312 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/11 09:32:36.0109 2312 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/11 09:32:36.0218 2312 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/11 09:32:36.0312 2312 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/11 09:32:36.0390 2312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/11 09:32:36.0515 2312 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/11 09:32:36.0609 2312 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/11 09:32:36.0843 2312 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/11 09:32:36.0906 2312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/11 09:32:36.0968 2312 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/11 09:32:37.0078 2312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/11 09:32:37.0328 2312 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/11 09:32:37.0453 2312 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/05/11 09:32:37.0531 2312 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/11 09:32:37.0671 2312 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/11 09:32:37.0734 2312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/11 09:32:37.0796 2312 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/11 09:32:37.0875 2312 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/11 09:32:38.0000 2312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/11 09:32:38.0078 2312 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/11 09:32:38.0140 2312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/11 09:32:38.0203 2312 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/11 09:32:38.0296 2312 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/11 09:32:38.0500 2312 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/11 09:32:38.0640 2312 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2011/05/11 09:32:38.0750 2312 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/11 09:32:38.0828 2312 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/11 09:32:38.0875 2312 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/05/11 09:32:38.0875 2312 ================================================================================

2011/05/11 09:32:38.0875 2312 Scan finished

2011/05/11 09:32:38.0875 2312 ================================================================================

2011/05/11 09:32:38.0890 3524 Detected object count: 1

2011/05/11 09:32:57.0078 3524 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/05/11 09:32:57.0078 3524 \HardDisk0 - ok

2011/05/11 09:32:57.0078 3524 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/05/11 09:33:13.0437 3828 Deinitialize success

Should I post the GooredFix log as well?

BTW, As soon as I get the all clear, I'm going to upgrade to PRO, anything else I should have on this machine so that i can minimize the chances of this happening again on this machine?

Amy

Link to post
Share on other sites

Thanks, updated MBAM, and ran a full scan. Drats, it appears a new Trojan has already struck? I did not do anything other than save log, posted below. Computer seems to run normally.

Amy

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6557

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/11/2011 7:44:05 PM

mbam-log-2011-05-11 (19-43-55).txt

Scan type: Full scan (C:\|)

Objects scanned: 368533

Time elapsed: 1 hour(s), 0 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\documents and settings\User\application data\Sun\ixokfmgyl68.dll (Trojan.Ambler) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12B5B5A9-C3B2-491F-8E36-91DB518CC4FF} (Trojan.Ambler) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{12B5B5A9-C3B2-491F-8E36-91DB518CC4FF} (Trojan.Ambler) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\User\application data\Sun\ixokfmgyl68.dll (Trojan.Ambler) -> No action taken.

Link to post
Share on other sites

Thanks, to be safe, I disabled the wireless adaptor right after the Ambler Trojan showed up. I reran the scan again today,in quick mode, because it found the 4 objects very quickly last time, and then deleted the 4 objects. The log was the same as the one above. I then reran the scan and got the log that is posted below:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6557

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/12/2011 4:51:29 PM

mbam-log-2011-05-12 (16-51-29).txt

Scan type: Quick scan

Objects scanned: 205790

Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The computer is behaving normally.

Amy

Link to post
Share on other sites

You can delete TDSSKiller

Good job thumbup.gif

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

    [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

    Without a firewall your computer is succeptible to being hacked and taken over.

    I am very serious about this and see it happen almost every day with my clients.

    Simply using a Firewall in its default configuration can lower your risk greatly.

    [*]Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.