
Hello,

I am requesting help for a rootkit that crashes my Firefox browser. My antivirus, ESET NOD32, blocks this site: clkh71yhks66.com/lI0PHMj42gbb0GVgZs4CtzLiRlP... IP address: 69.43.160.145:80 (I copied what I was able to, since the full address was too long to fit in the pop-up). I have also scanned my system using DDS, GMER, and MBAM; the logs are attached below.

dds.txt

mbam-log-2011-05-20 (13-07-39).txt

ARK.zip

attach.zip

Thanks to whoever would help me with this problem!


Hi hubertlim, and welcome to Malwarebytes!

Sorry for the delay, but this forum has been super busy.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run any scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

aswMBR_Scan-1.jpg

Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes, click Save log to save the log to your Desktop
    aswMBR_SaveLog.png
  • Copy and paste the contents of aswMBR.txt back here for review


Okay, we'll have you fixed up soon. I'll be out of town on Sunday and Monday, but we should be finished by then.

Re-run aswMBR.exe

  • Click [scan]
  • On completion of the scan
  • Click the [Fix] for TDL4 (MBRoot):

aswMBR3.png

Once you are done with that, please do the following:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):

1. aswMBR log

2. TDSSKiller log

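TDL4 (the "MBRoot" entry aswMBR offers to fix) is a bootkit: it replaces the boot code in the first sector of the disk so that it runs before Windows. The check below, added here as an illustration and not code from the thread, aswMBR or TDSSKiller, shows what a sanity check of that sector looks like in Python: verify the 0x55AA boot signature, parse the partition table, and hash the boot-code region against a baseline recorded when the disk was known clean. The TDSSKiller log posted later in this thread reports an "MBR (0x1B8)" hash; the example assumes that this means the first 0x1B8 (440) bytes, the code that precedes the 4-byte NT disk signature at 0x1B8 and the partition table at 0x1BE. The sectors, the boot-code stub and the baseline hash are constructed for the demo, not taken from the user's machine.

```python
"""Sanity-check a 512-byte MBR sector and hash its boot-code region.

Added example for this thread, not code from the forum, aswMBR or TDSSKiller.
Assumption: an "MBR (0x1B8)" hash covers bytes 0x000-0x1B7 (boot code only).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8         # boot code occupies 0x000-0x1B7
DISK_SIG_OFF = 0x1B8          # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE          # 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA count


def boot_code_md5(sector: bytes) -> str:
    """MD5 of the boot-code region; this is the value to compare against a baseline."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": lba_count})
    return entries


def check_mbr(sector: bytes, baseline_md5: str) -> dict:
    """Structural checks plus a boot-code hash comparison against a known-good value."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
        return {"md5": None, "partitions": [], "findings": findings}
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    partitions = parse_partitions(sector)
    if sum(p["bootable"] for p in partitions) > 1:
        findings.append("more than one partition flagged active")
    digest = boot_code_md5(sector)
    if digest != baseline_md5:
        findings.append(f"boot code md5 {digest} differs from baseline {baseline_md5}")
    return {"md5": digest, "partitions": partitions, "findings": findings}


def make_sector(boot_code: bytes, partitions=(), disk_sig=b"\x12\x34\x56\x78") -> bytes:
    """Build a constructed MBR for the demo; this is not an image of any real disk."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    buf[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_count)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(buf)


# Constructed sample data: a stub of "clean" boot code, and a copy with a patched
# jump at offset 0x10 standing in for bootkit code.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
_tampered = bytearray(CLEAN_BOOT_CODE)
_tampered[0x10:0x14] = b"\xE9\x00\x10\x00"
TAMPERED_BOOT_CODE = bytes(_tampered)
PARTITIONS = [(0x80, 0x07, 63, 0x00FFFFFF)]  # one active NTFS partition starting at LBA 63

CLEAN_MBR = make_sector(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = make_sector(TAMPERED_BOOT_CODE, PARTITIONS)
BASELINE_MD5 = boot_code_md5(CLEAN_MBR)  # recorded while the disk is known clean

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(mbr, BASELINE_MD5)
        print(f"{name}: md5={result['md5']} findings={result['findings'] or 'none'}")
```

On a live Windows system the sector comes from reading the first 512 bytes of \\.\PhysicalDrive0 with administrator rights. The caveat that matters for TDL4: the bootkit hooks the disk miniport driver and hands the original, clean sector to anyone who reads the MBR through the infected kernel, so a hash computed from inside the running OS can match the baseline while the disk is still infected. Hash from a clean boot environment, or rely on the low-level readers the helper is using, before declaring the MBR clean.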

Alright done... here's the TDSSKiller log

2011/05/26 13:01:48.0578 3196 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24

2011/05/26 13:01:50.0015 3196 ================================================================================

2011/05/26 13:01:50.0015 3196 SystemInfo:

2011/05/26 13:01:50.0015 3196

2011/05/26 13:01:50.0015 3196 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/26 13:01:50.0015 3196 Product type: Workstation

2011/05/26 13:01:50.0015 3196 ComputerName: HONORINA

2011/05/26 13:01:50.0015 3196 UserName: Administrator

2011/05/26 13:01:50.0015 3196 Windows directory: C:\WINDOWS

2011/05/26 13:01:50.0015 3196 System windows directory: C:\WINDOWS

2011/05/26 13:01:50.0015 3196 Processor architecture: Intel x86

2011/05/26 13:01:50.0015 3196 Number of processors: 1

2011/05/26 13:01:50.0015 3196 Page size: 0x1000

2011/05/26 13:01:50.0015 3196 Boot type: Normal boot

2011/05/26 13:01:50.0015 3196 ================================================================================

2011/05/26 13:01:55.0406 3196 Initialize success

2011/05/26 13:02:09.0203 4060 ================================================================================

2011/05/26 13:02:09.0203 4060 Scan started

2011/05/26 13:02:09.0203 4060 Mode: Manual;

2011/05/26 13:02:09.0203 4060 ================================================================================

2011/05/26 13:02:10.0500 4060 ACPI (d9ce207de54b3cb8c00e8d64e423f985) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/26 13:02:10.0562 4060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/05/26 13:02:10.0765 4060 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/05/26 13:02:10.0812 4060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/26 13:02:11.0015 4060 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/05/26 13:02:11.0171 4060 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/05/26 13:02:11.0609 4060 ApfiltrService (285b803bfa147716b6fe7545586450cd) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2011/05/26 13:02:11.0687 4060 Arp1394 (8843311ff38e791ff38fd377e6d69931) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/05/26 13:02:11.0906 4060 AsyncMac (26e7300adaf32afc70cd6cb91d9b127b) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/26 13:02:12.0078 4060 atapi (5c57fa4b5b2776c970c4f566a2df5b68) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/26 13:02:12.0171 4060 Atmarpc (71152b9de4a97f0410d38c52dc536e64) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/26 13:02:12.0265 4060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/26 13:02:12.0343 4060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/26 13:02:12.0390 4060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/26 13:02:12.0453 4060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/26 13:02:12.0468 4060 Cdfs (9529ef0ad949465cf0f178df918f451a) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/26 13:02:12.0546 4060 Cdrom (2bb41f9e073e1b6fc08cecd7fcb460fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/26 13:02:12.0671 4060 CmBatt (56d427a5ed548cae2c02c0f269ddd83b) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/26 13:02:12.0750 4060 Compbatt (dcbb26bb8ce6e3f8e58004a0626741e1) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/26 13:02:13.0062 4060 ddfispzy (ced8f669c20b3a0c7f532d4d87081b3e) C:\WINDOWS\system32\drivers\ddfispzy.sys

2011/05/26 13:02:13.0093 4060 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ddfispzy.sys. Real md5: ced8f669c20b3a0c7f532d4d87081b3e, Fake md5: 63d9d55bea012ed8466d4494c5913150

2011/05/26 13:02:13.0109 4060 ddfispzy - detected ForgedFile.Multi.Generic (1)

2011/05/26 13:02:13.0281 4060 DgiVecp (a5034f77b278f07e224fe07cf98a8b76) C:\WINDOWS\system32\Drivers\DgiVecp.sys

2011/05/26 13:02:13.0390 4060 Disk (4454f78a5f283c42db9fb5098372b547) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/26 13:02:13.0531 4060 dmboot (fc3eb0005d9b2367ac8de241b7dd2841) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/26 13:02:13.0687 4060 dmio (d41fa055efa29d858df0ac70f7cd6516) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/26 13:02:13.0781 4060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/26 13:02:13.0875 4060 DMusic (bafc50aa5b584be3ebc42c41bb7dbfee) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/26 13:02:14.0109 4060 drmkaud (24ea6cf426cf20b6c3fb67b6938de84c) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/26 13:02:14.0203 4060 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2011/05/26 13:02:14.0328 4060 eamon (af82dc664e3d8e2cba3b95e68f6448a7) C:\WINDOWS\system32\DRIVERS\eamon.sys

2011/05/26 13:02:14.0421 4060 ehdrv (686a799c1bf1b18941994daf9f45db06) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

2011/05/26 13:02:14.0531 4060 epfwtdir (3a7fba5c06dbcffc7d062fe705397a96) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

2011/05/26 13:02:14.0640 4060 Fastfat (0290de29cef5795064d8ecb44db96709) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/26 13:02:14.0906 4060 Fdc (3168e82018b1e88e089013ac7970bad8) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/26 13:02:14.0953 4060 Fips (752498f9dd288d59c6f0513c1ee88352) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/26 13:02:14.0984 4060 Flpydisk (10e9e0676af71fe78f03853f933137ab) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/26 13:02:15.0031 4060 FltMgr (09257eae1ea003020b26d3a723159033) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/05/26 13:02:15.0093 4060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/26 13:02:15.0140 4060 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/26 13:02:15.0312 4060 Gpc (056e68384160cee86a3e8419fc892d07) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/26 13:02:15.0437 4060 HidUsb (8a0c80925d55c7b9c1d7eaac46e5fbf8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/26 13:02:15.0531 4060 hitmanpro35 (30b90793a568281bef70fa57dde305a2) C:\WINDOWS\system32\drivers\hitmanpro35.sys

2011/05/26 13:02:15.0703 4060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/26 13:02:15.0843 4060 hwdatacard (60aec3f4ec355d9f46d545a0fa08ce87) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys

2011/05/26 13:02:15.0937 4060 hwusbdev (b93d3c81ef1d372dc5bd5e6275362e1a) C:\WINDOWS\system32\DRIVERS\ewusbdev.sys

2011/05/26 13:02:16.0156 4060 i8042prt (0e3fa77f8fa3dffe35650777410217d9) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/26 13:02:16.0312 4060 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

2011/05/26 13:02:16.0437 4060 ialm (f159a2aaf79d8fe6c7a77a8b3de92581) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/05/26 13:02:16.0546 4060 Imapi (c8608b31b59cb8988ec2ceb4cf4a94f3) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/26 13:02:16.0656 4060 InCDfs (c32910ff5b7dbcd3ae83075ca8c03823) C:\WINDOWS\system32\drivers\InCDFs.sys

2011/05/26 13:02:16.0734 4060 InCDPass (06aa87b01fb9874b86987a10b04ec1bf) C:\WINDOWS\system32\drivers\InCDPass.sys

2011/05/26 13:02:17.0015 4060 InCDRec (6a7100412d8776ee9026bf252a2a198a) C:\WINDOWS\system32\drivers\InCDRec.sys

2011/05/26 13:02:17.0093 4060 incdrm (b011def89702f93e0d50e2a562a8cb5b) C:\WINDOWS\system32\drivers\InCDRm.sys

2011/05/26 13:02:17.0171 4060 IntelIde (f7df0c39144c738624383610e06f0f06) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/26 13:02:17.0234 4060 intelppm (361f60b27d9bbf701f26a44e6501150e) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/26 13:02:17.0281 4060 Ip6Fw (f65d35815863e623890ef73f54db61ab) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/05/26 13:02:17.0328 4060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/26 13:02:17.0375 4060 IpInIp (9e01ac500963c5ab62fc98f59ba7960f) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/26 13:02:17.0421 4060 IpNat (597a994db7bd42dfd85b1214d3de0416) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/26 13:02:17.0500 4060 IPSec (17c65c873ed09769ac6e45c0d461ea2e) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/26 13:02:17.0609 4060 IRENUM (1fdcab16e51caf0219b8693c517c17a1) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/26 13:02:17.0703 4060 isapnp (9e25f42578bc22afe3d405414a177067) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/26 13:02:17.0812 4060 Kbdclass (0c6a9734730068cd373034226f36f1e8) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/26 13:02:17.0953 4060 kmixer (bb69d5a68f937ee946abcc0b934ea7bc) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/26 13:02:18.0015 4060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/26 13:02:18.0234 4060 MidiSyn (8c7d037a53b495e7c250fd70b158b581) C:\WINDOWS\system32\drivers\MidiSyn.sys

2011/05/26 13:02:18.0781 4060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/26 13:02:18.0859 4060 Modem (4dd00375c2a6fafb9bfd12246848875a) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/26 13:02:18.0984 4060 Mouclass (8ca12d7d14a25b37f56d5f1fe9a25a60) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/26 13:02:19.0062 4060 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/26 13:02:19.0171 4060 MountMgr (a1f6e5985d4b6332765bbd752b585820) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/26 13:02:19.0265 4060 MRxDAV (b9f3e668f69f62572da2ef5a4e637f3d) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/26 13:02:19.0359 4060 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/26 13:02:19.0421 4060 Msfs (317c43683419458d0fd5f8107a30913a) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/26 13:02:19.0484 4060 MSKSSRV (fb715eebfb34c937472c615a0fd3231b) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/26 13:02:19.0515 4060 MSPCLOCK (2fb80ec34b3bfa8617b55fe2b9d33106) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/26 13:02:19.0609 4060 MSPQM (dfc52003f881409650f81aa7716ddcf3) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/26 13:02:19.0687 4060 mssmbios (0bb1037d1c00f3a154205c7550af2845) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/26 13:02:19.0734 4060 Mup (d49499e4c395940a3fbaa9dc66d23a63) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/26 13:02:19.0859 4060 NDIS (7eaf6ac0fea24ce89b298b52ede1b5c4) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/26 13:02:19.0968 4060 NdisTapi (27afa919c0e3f139a193e9758532d5e6) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/26 13:02:20.0015 4060 Ndisuio (1f482bcdb22b941c7ed7159633a45b6e) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/26 13:02:20.0046 4060 NdisWan (db8df6110124ade6149c29dac88c3879) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/26 13:02:20.0109 4060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/26 13:02:20.0187 4060 NetBIOS (ce36bd0eea5b4b278dfcc7e59a1d1e86) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/26 13:02:20.0234 4060 NetBT (30da2fa55d186ef6c753ba736beda9fb) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/26 13:02:20.0343 4060 NIC1394 (96a1af0945947af0446d9971c5dc3478) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/05/26 13:02:20.0437 4060 Npfs (4b719885e41ca3425d36a69a0c057b3c) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/26 13:02:20.0515 4060 Ntfs (a470c31513534f650a59e78a2fe783c1) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/26 13:02:20.0625 4060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/26 13:02:20.0687 4060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/26 13:02:20.0750 4060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/26 13:02:20.0859 4060 ohci1394 (557d5d2245ffc96c9003e0aad02e9398) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/05/26 13:02:21.0046 4060 Parport (a54d582b1737095cf71fc4c75e7e4bb5) C:\WINDOWS\system32\drivers\Parport.sys

2011/05/26 13:02:21.0125 4060 PartMgr (268917bc207a3105d975741c1c5285e8) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/26 13:02:21.0218 4060 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/26 13:02:21.0250 4060 PCI (7f4cbf9df8ba8003ca145e5bbe95eb81) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/26 13:02:21.0343 4060 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2011/05/26 13:02:21.0359 4060 Pcmcia (a925580e85b1aeec64a5c39ab79ecc7d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/26 13:02:21.0640 4060 PptpMiniport (5f125a075f48ee11d23cd1d59b5b5ca0) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/26 13:02:21.0703 4060 PSched (b6e3f0cbf53530b1eb92e29c0c3ebeac) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/26 13:02:21.0781 4060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/26 13:02:22.0125 4060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/26 13:02:22.0218 4060 Rasl2tp (2024f3c75d6cb95e0fddb1517fb21eb5) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/26 13:02:22.0281 4060 RasPppoe (a3a64b2f69b8e384029373845c273e6f) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/26 13:02:22.0328 4060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/26 13:02:22.0375 4060 Rdbss (3d5c240ae89126e2ceac04f229a62c94) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/26 13:02:22.0421 4060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/26 13:02:22.0546 4060 rdpdr (98cc7ac6614002080a92c5533608e425) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/26 13:02:22.0765 4060 RDPWD (bca59653d57bf56b3e2eb34edd1c55df) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/26 13:02:22.0859 4060 redbook (49c5ce86bc164709fda25212e4731126) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/26 13:02:23.0015 4060 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/05/26 13:02:23.0093 4060 sdbus (89bd19756b5bb0c26cd19e967c15c03b) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/05/26 13:02:23.0140 4060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/26 13:02:23.0281 4060 senfilt (bb596a578330ad794c6769b588af6bb4) C:\WINDOWS\system32\drivers\senfilt.sys

2011/05/26 13:02:23.0390 4060 Serial (5a49bc6b85cf7132cd742d284cc9d977) C:\WINDOWS\system32\drivers\Serial.sys

2011/05/26 13:02:23.0468 4060 Sfloppy (df0061645da3c6592f13104e838774c8) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/26 13:02:23.0562 4060 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys

2011/05/26 13:02:23.0687 4060 splitter (a7fee4c5d140e32d45538d40a5ed67e2) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/26 13:02:23.0843 4060 sr (e650c7b9a96a7a0b345a6d19c462d2af) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/26 13:02:23.0968 4060 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/26 13:02:24.0125 4060 swenum (578418d07c7c7bac36a1f6832d4fcaf1) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/26 13:02:24.0250 4060 swmidi (bccf5102409538b01aac7aaa73660860) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/26 13:02:24.0578 4060 sysaudio (8b0ace8441356a7327da88d86e4672b7) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/26 13:02:24.0765 4060 Tcpip (270684847a8ef5c51fff58457e4dc8c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/26 13:02:24.0859 4060 TDPIPE (3ebf04df288699cbe92860fc2fc77156) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/26 13:02:24.0906 4060 TDTCP (ef72b325bfc20182a9070393eafc00b2) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/26 13:02:25.0015 4060 TermDD (b1d8df0d53171ea964df87cf0248fd08) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/26 13:02:25.0140 4060 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys

2011/05/26 13:02:25.0343 4060 Udfs (ddd12fc258e777b3a6a49e75bf3d6899) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/26 13:02:25.0515 4060 Update (2256719de3722bc2f47a05172aa423bc) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/26 13:02:25.0640 4060 usbccgp (d820f16e901511c0d20abd6bab35f645) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/26 13:02:25.0734 4060 usbehci (ae18e087754f290fc05f81cc3a4ec6c9) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/26 13:02:25.0781 4060 usbhub (c8731ef48bae257e1948b8d87d8de0fb) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/26 13:02:25.0875 4060 usbprint (66fba83336949ad20a7d7049a499b169) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/26 13:02:25.0968 4060 usbscan (dcdc6ead214ea4f79bfcbc6d185eed5b) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/26 13:02:26.0093 4060 USBSTOR (479485d182199facf965bc4d2756d456) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/26 13:02:26.0140 4060 usbuhci (7710296ef5c1977d62ab3c9e2c3950ea) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/26 13:02:26.0234 4060 VgaSave (a856a8a639d6bc16b65cfb7c4aaa45d5) C:\WINDOWS\System32\drivers\vga.sys

2011/05/26 13:02:26.0359 4060 VolSnap (868170260a32fd080fb637da3f2a4423) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/26 13:02:26.0859 4060 w29n51 (68eb5bc07781a36a63633541c11e1ad6) C:\WINDOWS\system32\DRIVERS\w29n51.sys

2011/05/26 13:02:27.0218 4060 Wanarp (c37d29a03e5181b2c49103803b62583f) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/26 13:02:27.0312 4060 wdmaud (a687be1dc68ef2ef0d76216f9f05f986) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/26 13:02:27.0515 4060 WmiAcpi (c1fa582027ee08731c60c6485cfb9d96) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/05/26 13:02:27.0640 4060 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/26 13:02:27.0671 4060 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/26 13:02:28.0265 4060 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys

2011/05/26 13:02:28.0625 4060 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys

2011/05/26 13:02:28.0953 4060 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys

2011/05/26 13:02:29.0078 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/05/26 13:02:31.0046 4060 ================================================================================

2011/05/26 13:02:31.0046 4060 Scan finished

2011/05/26 13:02:31.0046 4060 ================================================================================

2011/05/26 13:02:31.0062 4052 Detected object count: 1

2011/05/26 13:02:31.0062 4052 Actual detected object count: 1

2011/05/26 13:02:48.0312 4052 ForgedFile.Multi.Generic(ddfispzy) - User select action: Skip

and the aswMBR log

aswMBR.txt

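The two lines that matter in that log are the "Suspicious file (Forged)" entry and the "User select action: Skip" entry. "Forged" means TDSSKiller obtained the driver's bytes in two ways, through the normal file system path and through a lower-level read, and got different content: the rootkit's filter is serving a substitute copy (the fake MD5) while the file actually on disk (the real MD5) is something else. The default action for a suspicious file is Skip, so the detection was logged but nothing was cured, which is why the helper moves on to ComboFix. As an added example, not part of the thread and not TDSSKiller code, the Python below parses a log in this format, pulls out the driver inventory, the forged-file detections, the MBR hash line and the actions taken, and flags any detection that was not cured. The line patterns are inferred from the log posted above, and the sample log is constructed from those lines.

```python
"""Triage a TDSSKiller log: driver inventory, forged-file detections, MBR hash, actions.

Added example written for this thread; it is not TDSSKiller code. The line
patterns are inferred from the 2.5.3.0 log posted in the thread.
"""
import re

_TS = r"^(?P<ts>\S+ \S+) (?P<pid>\d+) "
DRIVER_RE = re.compile(_TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
MBR_RE = re.compile(_TS + r"MBR \((?P<span>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<device>\S+)$")
FORGED_RE = re.compile(_TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED_RE = re.compile(_TS + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(_TS + r"(?P<verdict>[^\s(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


def parse_tdsskiller_log(text: str) -> dict:
    """Split a log into structured records; banner and SystemInfo lines are ignored."""
    report = {"drivers": {}, "forged": [], "detections": [], "actions": {}, "mbr": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FORGED_RE.match(line)):
            report["forged"].append({"path": m["path"], "real_md5": m["real"], "fake_md5": m["fake"]})
        elif (m := MBR_RE.match(line)):
            report["mbr"] = {"span": m["span"], "md5": m["md5"], "device": m["device"]}
        elif (m := DETECTED_RE.match(line)):
            report["detections"].append({"name": m["name"], "verdict": m["verdict"]})
        elif (m := ACTION_RE.match(line)):
            report["actions"][m["name"]] = m["action"]
        elif (m := DRIVER_RE.match(line)):
            report["drivers"][m["name"]] = {"md5": m["md5"], "path": m["path"]}
    return report


def triage(report: dict) -> list:
    """One finding per detection: the driver, the hashes if forged, and whether it was cured."""
    by_path = {rec["path"].lower(): name for name, rec in report["drivers"].items()}
    forged_by_name = {by_path.get(f["path"].lower()): f for f in report["forged"]}
    findings = []
    for det in report["detections"]:
        forged = forged_by_name.get(det["name"])
        action = report["actions"].get(det["name"], "none")
        path = forged["path"] if forged else report["drivers"].get(det["name"], {}).get("path")
        findings.append({
            "driver": det["name"],
            "verdict": det["verdict"],
            "path": path,
            "real_md5": forged["real_md5"] if forged else None,
            "fake_md5": forged["fake_md5"] if forged else None,
            "action": action,
            "needs_followup": action != "Cure",  # Skip or no recorded action: still on the box
        })
    return findings


# Constructed sample: a handful of lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
2011/05/26 13:01:48.0578 3196 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/26 13:02:10.0500 4060 ACPI (d9ce207de54b3cb8c00e8d64e423f985) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/26 13:02:12.0078 4060 atapi (5c57fa4b5b2776c970c4f566a2df5b68) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/26 13:02:13.0062 4060 ddfispzy (ced8f669c20b3a0c7f532d4d87081b3e) C:\WINDOWS\system32\drivers\ddfispzy.sys
2011/05/26 13:02:13.0093 4060 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ddfispzy.sys. Real md5: ced8f669c20b3a0c7f532d4d87081b3e, Fake md5: 63d9d55bea012ed8466d4494c5913150
2011/05/26 13:02:13.0109 4060 ddfispzy - detected ForgedFile.Multi.Generic (1)
2011/05/26 13:02:29.0078 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/26 13:02:31.0062 4052 Detected object count: 1
2011/05/26 13:02:48.0312 4052 ForgedFile.Multi.Generic(ddfispzy) - User select action: Skip
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep['drivers'])} drivers inventoried, MBR md5 {rep['mbr']['md5']}")
    for finding in triage(rep):
        print(finding)
```

The useful output is the "needs_followup" flag: a ForgedFile verdict with action Skip means the hidden driver is still loaded, and the real MD5 on the driver line is the hash of what is actually on disk, so that is the value to submit to a multi-engine scanner or compare against a clean driver inventory, not the fake one.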

Looking better!

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not click in ComboFix's window while it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi,

Do you have your windows CD for this PC? Version.dll is infected and we should replace it with a clean copy.

Run CFScript

  • Close any open browsers.
  • Open Notepad: click Start, click Run, type notepad into the box and press Enter.
  • Copy and paste everything from the Code box into Notepad:

KILLALL::

MIA::
c:\windows\system32\Version.dll

Driver::
XDva344
XDva375

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


We're almost done here.... :)

Please remove these entries from Add/Remove Programs in the Control Panel

Adobe Reader 8.1.1

Reboot your computer once all Java and Adobe Reader components are removed.

  • Please go to the link below to update.
  • Adobe Reader
  • Uncheck Include in your download (optional Free McAfee Security Scan Plus )

Next

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


The scan took so long that I had to abort it :(. Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6708

Windows 5.1.2600 Service Pack 3, v.6055

Internet Explorer 7.0.5730.13

5/30/2011 1:38:48 AM

mbam-log-2011-05-30 (01-38-47).txt

Scan type: Quick scan

Objects scanned: 1642774

Time elapsed: 7 hour(s), 30 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


TFC (Temp File Cleaner)

Generally, tools like TFC are created to assist us with malware removal by removing a lot of junk files, so our security tools have less to scan, thus speeding things up. It may also help to remove some types of malware which may be lurking in temp/user account folders.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot; if not, do this yourself to ensure a complete clean.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


The rootkit problem that I had before seems to have disappeared. I am not having crashes in Firefox :) .

Though.. it seems the ESET Online Scan found some infected files :mellow:

Here's the ESET log:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=15647e9c8d1e7b4294dcf7b6b2dccec8

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-31 05:16:03

# local_time=2011-05-31 01:16:03 (+0800, China Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3, v.6055

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8199 39157161 100 100 2790173 47644354 0 0

# scanned=100881

# found=4

# cleaned=0

# scan_time=6451

# nod_component=V3 Build:0x30000000

C:\Program Files\Windows Media Player\WMPSkin.exe Win32/WFPDisabler.A application (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ddfispzy_.sys.zip Win32/BHO.EXT trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{AA5F1E61-EE39-4FD7-BF28-3B4BF68C6BFE}\RP6\A0015113.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

C:\Users\Administrator\Desktop\anti virus stuff\OrbitDownloaderSetup.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I


We'll remove those files and do some house cleaning on your computer:

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Services

    :Reg

    :Files
    C:\Program Files\Windows Media Player\WMPSkin.exe
    C:\Users\Administrator\Desktop\anti virus stuff\OrbitDownloaderSetup.exe
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


I would also like to ask what would be a good antivirus for a Mac.

I really don't know. But I know a few Mac users have:

http://www.iantivirus.com/

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips


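The six Custom Level changes listed under "Make your Internet Explorer more secure" as a small audit helper, added here and not part of the post: it reads a regedit-style export of the Internet zone key and reports every setting that is looser than the post asks for. The value names and the 0/1/3 encoding follow Microsoft's documented zone registry settings (KB 182569); the export text is constructed.

```python
import re

# Internet zone (Zones\3) settings the post asks for, keyed by the DWORD value name IE stores under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3. The value names follow
# Microsoft's documented zone settings (KB 182569); the data is 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
ZONE_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed regedit-style export of that key, with two settings still at the weak "Enable" value.
EXPORTED_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000001
"""

def parse_zone_export(text: str) -> dict:
    """Return {value name: int} for the DWORDs under the Internet zone key of a .reg export."""
    values, in_zone = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_zone = line.strip() == ZONE_KEY   # ignore other keys in a larger export
            continue
        m = DWORD_RE.match(line.strip()) if in_zone else None
        if m:
            values[m["name"]] = int(m["hex"], 16)
    return values

def audit_zone(values: dict) -> list:
    """(name, description, current, required) for each setting looser than the post asks for."""
    findings = []
    for name, (desc, required) in REQUIRED.items():
        current = values.get(name)   # missing: IE uses its template default, so report it
        if current is None or current < required:   # 0 < 1 < 3 orders Enable < Prompt < Disable
            findings.append((name, desc, current, required))
    return findings
```

A setting that is already stricter than required (Disable where Prompt is asked for) is not reported, so the helper only flags real loosening.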

WOW thanks :D

I already had the addons for Firefox so I should be fine :)

Well, all done :) downloaded all applications and used OTC to clean my PC. After the cleaning, no problems happened to my PC at all.

Thanks for helping me once again :D I'll be sure to use these forums when I get another problem :)

