hubertlim Posted May 22, 2011 ID:432309

Hello, I am requesting help for a rootkit that crashes my Firefox browser. My antivirus, ESET NOD32, blocks this site: clkh71yhks66.com/lI0PHMj42gbb0GVgZs4CtzLiRlP... IP address: 69.43.160.145:80 (I copied what I was able to copy since it was too long for the whole website to fit into the pop-up). I have also scanned my system using DDS, GMER, and MBAM. The logs are attached below.

dds.txt
mbam-log-2011-05-20 (13-07-39).txt
ARK.zip
attach.zip

Thanks to whoever would help me with this problem!
Kenny94 Posted May 24, 2011 ID:432983

Hi hubertlim and welcome to Malwarebytes!

Sorry for the delay, but this forum has been super busy. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please download aswMBR from here.
Save aswMBR.exe to your Desktop.
Double-click aswMBR.exe to run it.
Click the Scan button to start the scan as illustrated below.
Note: Do not take action against any **Rootkit** entries until I have reviewed the log.
Once the scan finishes, click Save log to save the log to your Desktop.
Copy and paste the contents of aswMBR.txt back here for review.
hubertlim Posted May 25, 2011 Author ID:433249

I don't mind the delay as you're helping around the world with their own little problems so... Here is the aswMBR log:

aswMBR.txt
hubertlim Posted May 25, 2011 Author ID:433251

Sorry for the double post... I'm having a very slow internet connection.
Kenny94 Posted May 25, 2011 ID:433373

Okay, we'll have you fixed up soon. I'll be out of town on Sunday and Monday, but we should be finished by then.

Re-run aswMBR.exe.
Click [Scan].
On completion of the scan, click the [Fix] for TDL4 (MBRoot).

Once you are done with that, please do the following:

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
Vista/Windows 7 users: right-click and select Run As Administrator.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):
1. aswMBR log
2. TDSSKiller log
hubertlim Posted May 26, 2011 Author ID:433498

Alright done... here's the TDSSKiller log:

2011/05/26 13:01:48.0578 3196 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/26 13:01:50.0015 3196 ================================================================================
2011/05/26 13:01:50.0015 3196 SystemInfo:
2011/05/26 13:01:50.0015 3196 
2011/05/26 13:01:50.0015 3196 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/26 13:01:50.0015 3196 Product type: Workstation
2011/05/26 13:01:50.0015 3196 ComputerName: HONORINA
2011/05/26 13:01:50.0015 3196 UserName: Administrator
2011/05/26 13:01:50.0015 3196 Windows directory: C:\WINDOWS
2011/05/26 13:01:50.0015 3196 System windows directory: C:\WINDOWS
2011/05/26 13:01:50.0015 3196 Processor architecture: Intel x86
2011/05/26 13:01:50.0015 3196 Number of processors: 1
2011/05/26 13:01:50.0015 3196 Page size: 0x1000
2011/05/26 13:01:50.0015 3196 Boot type: Normal boot
2011/05/26 13:01:50.0015 3196 ================================================================================
2011/05/26 13:01:55.0406 3196 Initialize success
2011/05/26 13:02:09.0203 4060 ================================================================================
2011/05/26 13:02:09.0203 4060 Scan started
2011/05/26 13:02:09.0203 4060 Mode: Manual; 
2011/05/26 13:02:09.0203 4060 ================================================================================
2011/05/26 13:02:10.0500 4060 ACPI (d9ce207de54b3cb8c00e8d64e423f985) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/26 13:02:10.0562 4060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/26 13:02:10.0765 4060 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/26 13:02:10.0812 4060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/26 13:02:11.0015 4060 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/26 13:02:11.0171 4060 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/05/26 13:02:11.0609 4060 ApfiltrService (285b803bfa147716b6fe7545586450cd) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/05/26 13:02:11.0687 4060 Arp1394 (8843311ff38e791ff38fd377e6d69931) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/26 13:02:11.0906 4060 AsyncMac (26e7300adaf32afc70cd6cb91d9b127b) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/26 13:02:12.0078 4060 atapi (5c57fa4b5b2776c970c4f566a2df5b68) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/26 13:02:12.0171 4060 Atmarpc (71152b9de4a97f0410d38c52dc536e64) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/26 13:02:12.0265 4060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/26 13:02:12.0343 4060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/26 13:02:12.0390 4060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/26 13:02:12.0453 4060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/26 13:02:12.0468 4060 Cdfs (9529ef0ad949465cf0f178df918f451a) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/26 13:02:12.0546 4060 Cdrom (2bb41f9e073e1b6fc08cecd7fcb460fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/26 13:02:12.0671 4060 CmBatt (56d427a5ed548cae2c02c0f269ddd83b) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/26 13:02:12.0750 4060 Compbatt (dcbb26bb8ce6e3f8e58004a0626741e1) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/26 13:02:13.0062 4060 ddfispzy (ced8f669c20b3a0c7f532d4d87081b3e) C:\WINDOWS\system32\drivers\ddfispzy.sys
2011/05/26 13:02:13.0093 4060 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ddfispzy.sys. Real md5: ced8f669c20b3a0c7f532d4d87081b3e, Fake md5: 63d9d55bea012ed8466d4494c5913150
2011/05/26 13:02:13.0109 4060 ddfispzy - detected ForgedFile.Multi.Generic (1)
2011/05/26 13:02:13.0281 4060 DgiVecp (a5034f77b278f07e224fe07cf98a8b76) C:\WINDOWS\system32\Drivers\DgiVecp.sys
2011/05/26 13:02:13.0390 4060 Disk (4454f78a5f283c42db9fb5098372b547) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/26 13:02:13.0531 4060 dmboot (fc3eb0005d9b2367ac8de241b7dd2841) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/26 13:02:13.0687 4060 dmio (d41fa055efa29d858df0ac70f7cd6516) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/26 13:02:13.0781 4060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/26 13:02:13.0875 4060 DMusic (bafc50aa5b584be3ebc42c41bb7dbfee) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/26 13:02:14.0109 4060 drmkaud (24ea6cf426cf20b6c3fb67b6938de84c) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/26 13:02:14.0203 4060 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/26 13:02:14.0328 4060 eamon (af82dc664e3d8e2cba3b95e68f6448a7) C:\WINDOWS\system32\DRIVERS\eamon.sys
2011/05/26 13:02:14.0421 4060 ehdrv (686a799c1bf1b18941994daf9f45db06) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2011/05/26 13:02:14.0531 4060 epfwtdir (3a7fba5c06dbcffc7d062fe705397a96) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
2011/05/26 13:02:14.0640 4060 Fastfat (0290de29cef5795064d8ecb44db96709) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/26 13:02:14.0906 4060 Fdc (3168e82018b1e88e089013ac7970bad8) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/26 13:02:14.0953 4060 Fips (752498f9dd288d59c6f0513c1ee88352) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/26 13:02:14.0984 4060 Flpydisk (10e9e0676af71fe78f03853f933137ab) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/26 13:02:15.0031 4060 FltMgr (09257eae1ea003020b26d3a723159033) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/26 13:02:15.0093 4060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/26 13:02:15.0140 4060 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/26 13:02:15.0312 4060 Gpc (056e68384160cee86a3e8419fc892d07) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/26 13:02:15.0437 4060 HidUsb (8a0c80925d55c7b9c1d7eaac46e5fbf8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/26 13:02:15.0531 4060 hitmanpro35 (30b90793a568281bef70fa57dde305a2) C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011/05/26 13:02:15.0703 4060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/26 13:02:15.0843 4060 hwdatacard (60aec3f4ec355d9f46d545a0fa08ce87) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
2011/05/26 13:02:15.0937 4060 hwusbdev (b93d3c81ef1d372dc5bd5e6275362e1a) C:\WINDOWS\system32\DRIVERS\ewusbdev.sys
2011/05/26 13:02:16.0156 4060 i8042prt (0e3fa77f8fa3dffe35650777410217d9) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/26 13:02:16.0312 4060 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/05/26 13:02:16.0437 4060 ialm (f159a2aaf79d8fe6c7a77a8b3de92581) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/05/26 13:02:16.0546 4060 Imapi (c8608b31b59cb8988ec2ceb4cf4a94f3) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/26 13:02:16.0656 4060 InCDfs (c32910ff5b7dbcd3ae83075ca8c03823) C:\WINDOWS\system32\drivers\InCDFs.sys
2011/05/26 13:02:16.0734 4060 InCDPass (06aa87b01fb9874b86987a10b04ec1bf) C:\WINDOWS\system32\drivers\InCDPass.sys
2011/05/26 13:02:17.0015 4060 InCDRec (6a7100412d8776ee9026bf252a2a198a) C:\WINDOWS\system32\drivers\InCDRec.sys
2011/05/26 13:02:17.0093 4060 incdrm (b011def89702f93e0d50e2a562a8cb5b) C:\WINDOWS\system32\drivers\InCDRm.sys
2011/05/26 13:02:17.0171 4060 IntelIde (f7df0c39144c738624383610e06f0f06) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/26 13:02:17.0234 4060 intelppm (361f60b27d9bbf701f26a44e6501150e) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/26 13:02:17.0281 4060 Ip6Fw (f65d35815863e623890ef73f54db61ab) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/26 13:02:17.0328 4060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/26 13:02:17.0375 4060 IpInIp (9e01ac500963c5ab62fc98f59ba7960f) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/26 13:02:17.0421 4060 IpNat (597a994db7bd42dfd85b1214d3de0416) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/26 13:02:17.0500 4060 IPSec (17c65c873ed09769ac6e45c0d461ea2e) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/26 13:02:17.0609 4060 IRENUM (1fdcab16e51caf0219b8693c517c17a1) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/26 13:02:17.0703 4060 isapnp (9e25f42578bc22afe3d405414a177067) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/26 13:02:17.0812 4060 Kbdclass (0c6a9734730068cd373034226f36f1e8) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/26 13:02:17.0953 4060 kmixer (bb69d5a68f937ee946abcc0b934ea7bc) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/26 13:02:18.0015 4060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/26 13:02:18.0234 4060 MidiSyn (8c7d037a53b495e7c250fd70b158b581) C:\WINDOWS\system32\drivers\MidiSyn.sys
2011/05/26 13:02:18.0781 4060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/26 13:02:18.0859 4060 Modem (4dd00375c2a6fafb9bfd12246848875a) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/26 13:02:18.0984 4060 Mouclass (8ca12d7d14a25b37f56d5f1fe9a25a60) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/26 13:02:19.0062 4060 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/26 13:02:19.0171 4060 MountMgr (a1f6e5985d4b6332765bbd752b585820) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/26 13:02:19.0265 4060 MRxDAV (b9f3e668f69f62572da2ef5a4e637f3d) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/26 13:02:19.0359 4060 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/26 13:02:19.0421 4060 Msfs (317c43683419458d0fd5f8107a30913a) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/26 13:02:19.0484 4060 MSKSSRV (fb715eebfb34c937472c615a0fd3231b) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/26 13:02:19.0515 4060 MSPCLOCK (2fb80ec34b3bfa8617b55fe2b9d33106) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/26 13:02:19.0609 4060 MSPQM (dfc52003f881409650f81aa7716ddcf3) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/26 13:02:19.0687 4060 mssmbios (0bb1037d1c00f3a154205c7550af2845) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/26 13:02:19.0734 4060 Mup (d49499e4c395940a3fbaa9dc66d23a63) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/26 13:02:19.0859 4060 NDIS (7eaf6ac0fea24ce89b298b52ede1b5c4) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/26 13:02:19.0968 4060 NdisTapi (27afa919c0e3f139a193e9758532d5e6) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/26 13:02:20.0015 4060 Ndisuio (1f482bcdb22b941c7ed7159633a45b6e) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/26 13:02:20.0046 4060 NdisWan (db8df6110124ade6149c29dac88c3879) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/26 13:02:20.0109 4060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/26 13:02:20.0187 4060 NetBIOS (ce36bd0eea5b4b278dfcc7e59a1d1e86) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/26 13:02:20.0234 4060 NetBT (30da2fa55d186ef6c753ba736beda9fb) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/26 13:02:20.0343 4060 NIC1394 (96a1af0945947af0446d9971c5dc3478) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/26 13:02:20.0437 4060 Npfs (4b719885e41ca3425d36a69a0c057b3c) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/26 13:02:20.0515 4060 Ntfs (a470c31513534f650a59e78a2fe783c1) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/26 13:02:20.0625 4060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/26 13:02:20.0687 4060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/26 13:02:20.0750 4060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/26 13:02:20.0859 4060 ohci1394 (557d5d2245ffc96c9003e0aad02e9398) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/26 13:02:21.0046 4060 Parport (a54d582b1737095cf71fc4c75e7e4bb5) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/26 13:02:21.0125 4060 PartMgr (268917bc207a3105d975741c1c5285e8) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/26 13:02:21.0218 4060 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/26 13:02:21.0250 4060 PCI (7f4cbf9df8ba8003ca145e5bbe95eb81) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/26 13:02:21.0343 4060 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/05/26 13:02:21.0359 4060 Pcmcia (a925580e85b1aeec64a5c39ab79ecc7d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/26 13:02:21.0640 4060 PptpMiniport (5f125a075f48ee11d23cd1d59b5b5ca0) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/26 13:02:21.0703 4060 PSched (b6e3f0cbf53530b1eb92e29c0c3ebeac) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/26 13:02:21.0781 4060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/26 13:02:22.0125 4060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/26 13:02:22.0218 4060 Rasl2tp (2024f3c75d6cb95e0fddb1517fb21eb5) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/26 13:02:22.0281 4060 RasPppoe (a3a64b2f69b8e384029373845c273e6f) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/26 13:02:22.0328 4060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/26 13:02:22.0375 4060 Rdbss (3d5c240ae89126e2ceac04f229a62c94) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/26 13:02:22.0421 4060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/26 13:02:22.0546 4060 rdpdr (98cc7ac6614002080a92c5533608e425) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/26 13:02:22.0765 4060 RDPWD (bca59653d57bf56b3e2eb34edd1c55df) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/26 13:02:22.0859 4060 redbook (49c5ce86bc164709fda25212e4731126) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/26 13:02:23.0015 4060 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/26 13:02:23.0093 4060 sdbus (89bd19756b5bb0c26cd19e967c15c03b) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/05/26 13:02:23.0140 4060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/26 13:02:23.0281 4060 senfilt (bb596a578330ad794c6769b588af6bb4) C:\WINDOWS\system32\drivers\senfilt.sys
2011/05/26 13:02:23.0390 4060 Serial (5a49bc6b85cf7132cd742d284cc9d977) C:\WINDOWS\system32\drivers\Serial.sys
2011/05/26 13:02:23.0468 4060 Sfloppy (df0061645da3c6592f13104e838774c8) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/26 13:02:23.0562 4060 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/26 13:02:23.0687 4060 splitter (a7fee4c5d140e32d45538d40a5ed67e2) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/26 13:02:23.0843 4060 sr (e650c7b9a96a7a0b345a6d19c462d2af) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/26 13:02:23.0968 4060 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/26 13:02:24.0125 4060 swenum (578418d07c7c7bac36a1f6832d4fcaf1) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/26 13:02:24.0250 4060 swmidi (bccf5102409538b01aac7aaa73660860) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/26 13:02:24.0578 4060 sysaudio (8b0ace8441356a7327da88d86e4672b7) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/26 13:02:24.0765 4060 Tcpip (270684847a8ef5c51fff58457e4dc8c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/26 13:02:24.0859 4060 TDPIPE (3ebf04df288699cbe92860fc2fc77156) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/26 13:02:24.0906 4060 TDTCP (ef72b325bfc20182a9070393eafc00b2) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/26 13:02:25.0015 4060 TermDD (b1d8df0d53171ea964df87cf0248fd08) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/26 13:02:25.0140 4060 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys
2011/05/26 13:02:25.0343 4060 Udfs (ddd12fc258e777b3a6a49e75bf3d6899) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/26 13:02:25.0515 4060 Update (2256719de3722bc2f47a05172aa423bc) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/26 13:02:25.0640 4060 usbccgp (d820f16e901511c0d20abd6bab35f645) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/26 13:02:25.0734 4060 usbehci (ae18e087754f290fc05f81cc3a4ec6c9) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/26 13:02:25.0781 4060 usbhub (c8731ef48bae257e1948b8d87d8de0fb) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/26 13:02:25.0875 4060 usbprint (66fba83336949ad20a7d7049a499b169) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/26 13:02:25.0968 4060 usbscan (dcdc6ead214ea4f79bfcbc6d185eed5b) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/26 13:02:26.0093 4060 USBSTOR (479485d182199facf965bc4d2756d456) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/26 13:02:26.0140 4060 usbuhci (7710296ef5c1977d62ab3c9e2c3950ea) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/26 13:02:26.0234 4060 VgaSave (a856a8a639d6bc16b65cfb7c4aaa45d5) C:\WINDOWS\System32\drivers\vga.sys
2011/05/26 13:02:26.0359 4060 VolSnap (868170260a32fd080fb637da3f2a4423) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/26 13:02:26.0859 4060 w29n51 (68eb5bc07781a36a63633541c11e1ad6) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/05/26 13:02:27.0218 4060 Wanarp (c37d29a03e5181b2c49103803b62583f) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/26 13:02:27.0312 4060 wdmaud (a687be1dc68ef2ef0d76216f9f05f986) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/26 13:02:27.0515 4060 WmiAcpi (c1fa582027ee08731c60c6485cfb9d96) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/26 13:02:27.0640 4060 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/26 13:02:27.0671 4060 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/26 13:02:28.0265 4060 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/05/26 13:02:28.0625 4060 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/05/26 13:02:28.0953 4060 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/05/26 13:02:29.0078 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/26 13:02:31.0046 4060 ================================================================================
2011/05/26 13:02:31.0046 4060 Scan finished
2011/05/26 13:02:31.0046 4060 ================================================================================
2011/05/26 13:02:31.0062 4052 Detected object count: 1
2011/05/26 13:02:31.0062 4052 Actual detected object count: 1
2011/05/26 13:02:48.0312 4052 ForgedFile.Multi.Generic(ddfispzy) - User select action: Skip

and the aswMBR log:

aswMBR.txt
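The TDSSKiller log above is the kind of output a helper has to read quickly: one forged driver (ddfispzy.sys, whose hash read from disk differs from the hash the running system reports), an MBR hash, and a detection the user left at Skip, which is why the file still had to be dealt with in a later step of the thread. As an added example that is not part of this thread and not TDSSKiller's own code, the Python below parses that line format into a driver inventory and pulls out exactly those three things. The sample log lines are constructed from the entries quoted above; the function and class names (parse_tdsskiller_log, ScanReport, summarize) are mine.

```python
"""Triage a TDSSKiller scan log: inventory drivers, flag forged files, the MBR
hash and detections left untreated (user chose Skip or never acted)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed to a few lines in the format TDSSKiller 2.5.x writes.
SAMPLE_LOG = "\n".join([
    r"2011/05/26 13:02:09.0203 4060 Scan started",
    r"2011/05/26 13:02:10.0500 4060 ACPI (d9ce207de54b3cb8c00e8d64e423f985) C:\WINDOWS\system32\DRIVERS\ACPI.sys",
    r"2011/05/26 13:02:13.0062 4060 ddfispzy (ced8f669c20b3a0c7f532d4d87081b3e) C:\WINDOWS\system32\drivers\ddfispzy.sys",
    r"2011/05/26 13:02:13.0093 4060 Suspicious file (Forged): C:\WINDOWS\system32\drivers\ddfispzy.sys. "
    r"Real md5: ced8f669c20b3a0c7f532d4d87081b3e, Fake md5: 63d9d55bea012ed8466d4494c5913150",
    r"2011/05/26 13:02:13.0109 4060 ddfispzy - detected ForgedFile.Multi.Generic (1)",
    r"2011/05/26 13:02:29.0078 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0",
    r"2011/05/26 13:02:31.0046 4060 Scan finished",
    r"2011/05/26 13:02:48.0312 4052 ForgedFile.Multi.Generic(ddfispzy) - User select action: Skip",
])

# Every line starts with "date time thread-id"; the rest is one of a few shapes.
PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<body>.*)$")
DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
MBR = re.compile(r"^MBR \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<device>.+)$")
FORGED = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\.? "
                    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION = re.compile(r"^(?P<verdict>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class ScanReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # path -> (real md5, fake md5)
    detections: Dict[str, str] = field(default_factory=dict)           # name -> verdict
    actions: Dict[str, str] = field(default_factory=dict)              # name -> action the user chose
    mbr_md5: Optional[str] = None

    def forged_services(self) -> Dict[str, Tuple[str, str]]:
        """Tie each forged file back to the service name that loads it (case-insensitive path match)."""
        by_path = {path.lower(): name for name, (_, path) in self.drivers.items()}
        return {by_path[p.lower()]: hashes
                for p, hashes in self.forged.items() if p.lower() in by_path}

    def unresolved(self) -> List[str]:
        """Detections still in place after the run: skipped, or no action logged at all."""
        return sorted(n for n in self.detections if self.actions.get(n) in (None, "Skip"))


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # blank line or something that is not a log entry
        body = m.group("body").strip()
        if (m := MBR.match(body)):
            report.mbr_md5 = m.group("md5")
        elif (m := FORGED.match(body)):
            report.forged[m.group("path")] = (m.group("real"), m.group("fake"))
        elif (m := DETECTED.match(body)):
            report.detections[m.group("name")] = m.group("verdict")
        elif (m := ACTION.match(body)):
            report.actions[m.group("name").strip()] = m.group("action")
        elif (m := DRIVER.match(body)):  # plain inventory line, checked last
            report.drivers[m.group("name")] = (m.group("md5"), m.group("path"))
    return report


def summarize(report: ScanReport) -> List[str]:
    """The lines a helper wants first; everything else in the log is inventory."""
    lines = [f"{len(report.drivers)} drivers inventoried, MBR md5 {report.mbr_md5 or 'n/a'}"]
    for name, (real, fake) in report.forged_services().items():
        lines.append(f"FORGED {name}: real md5 {real}, fake md5 {fake}")
    for name in report.unresolved():
        lines.append(f"UNRESOLVED {name}: {report.detections[name]} "
                     f"(action: {report.actions.get(name, 'none')})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

Run against a real TDSSKiller log by reading the file and passing its text to parse_tdsskiller_log; the order of the regex checks matters, because an inventory line is the most permissive shape and must be tried last.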
Kenny94 Posted May 26, 2011 ID:433610

Looking better! Download ComboFix from below:

Combofix download

* IMPORTANT !!! Place combofix.exe on your Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here.
Double click on combofix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
The Recovery Console was successfully installed.
Click on Yes to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
hubertlim Posted May 27, 2011 Author ID:433815

Alright! Finished the ComboFix scan. Here is the log:

ComboFix.txt
Kenny94 Posted May 27, 2011 ID:433904

Hi, do you have your Windows CD for this PC? Version.dll is infected and we should replace it with a clean copy.

Run CFScript

Close any open browsers.
Open Notepad: click Start, click Run, type notepad into the box and press Enter. Notepad will open.
Copy and paste everything from the Code box into Notepad:

KILLALL::
MIA::
c:\windows\system32\Version.dll
Driver::
XDva344
XDva375

Save the file to your desktop and name it CFScript.txt. Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
hubertlim Posted May 28, 2011 Author ID:434090

I couldn't seem to find the CD for a while now... maybe I'll go look for it later. I have already tested to see whether my Firefox crashes again; so far it's clean. Anyway, here's the ComboFix log:

ComboFix.txt
Kenny94 Posted May 28, 2011 ID:434197

We're almost done here... Please remove these entries from Add/Remove Programs in the Control Panel:

Adobe Reader 8.1.1

Reboot your computer once all Java and Adobe Reader components are removed.

Please go to the link below to update.
Adobe Reader
Uncheck "Include in your download (optional Free McAfee Security Scan Plus)".

Next

Update/Run Malwarebytes
Launch Malwarebytes' Anti-Malware.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
hubertlim Posted May 29, 2011 Author ID:434503

The scan took so long that I had to abort it. Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6708

Windows 5.1.2600 Service Pack 3, v.6055
Internet Explorer 7.0.5730.13

5/30/2011 1:38:48 AM
mbam-log-2011-05-30 (01-38-47).txt

Scan type: Quick scan
Objects scanned: 1642774
Time elapsed: 7 hour(s), 30 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Kenny94 Posted May 30, 2011 ID:434901

TFC (Temp File Cleaner)

Generally tools like TFC are created to assist us with malware removal by removing a lot of junk files, so our security tools will have less to scan, thus speeding things up. It may also help to remove some types of malware which may be lurking in temp/user account folders.

TFC (Temp File Cleaner):
Please download TFC to your desktop. Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot; if not, do this yourself to ensure a complete clean.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next

ESET Online Scanner
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may however need to disable your currently installed Anti-Virus; how to do so can be read here.
Please go here then click on: 
Select the option YES, I accept the Terms of Use then click on: 
When prompted, allow the Add-On/ActiveX to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: 
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed, the Online Scan will begin automatically.
Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
Now click on: 
Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
hubertlim Posted May 31, 2011 Author ID:434979

The rootkit problem that I had before seems to have disappeared. I am not having crashes in Firefox. Though... it seems the ESET Online Scan found some infected files. Here's the ESET log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=15647e9c8d1e7b4294dcf7b6b2dccec8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-31 05:16:03
# local_time=2011-05-31 01:16:03 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3, v.6055
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8199 39157161 100 100 2790173 47644354 0 0
# scanned=100881
# found=4
# cleaned=0
# scan_time=6451
# nod_component=V3 Build:0x30000000
C:\Program Files\Windows Media Player\WMPSkin.exe	Win32/WFPDisabler.A application (unable to clean)	00000000000000000000000000000000	I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ddfispzy_.sys.zip	Win32/BHO.EXT trojan (unable to clean)	00000000000000000000000000000000	I
C:\System Volume Information\_restore{AA5F1E61-EE39-4FD7-BF28-3B4BF68C6BFE}\RP6\A0015113.exe	Win32/OpenCandy application (unable to clean)	00000000000000000000000000000000	I
C:\Users\Administrator\Desktop\anti virus stuff\OrbitDownloaderSetup.exe	Win32/OpenCandy application (unable to clean)	00000000000000000000000000000000	I
Kenny94 Posted May 31, 2011 ID:435078

We'll remove those files and do some house cleaning on your computer:

Please download the OTM by OldTimer. Save it to your desktop.
Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Services

:Reg

:Files
C:\Program Files\Windows Media Player\WMPSkin.exe
C:\Users\Administrator\Desktop\anti virus stuff\OrbitDownloaderSetup.exe
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
Click the red MoveIt! button.
A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTM.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
hubertlim (Author) Posted June 1, 2011 ID:435379

Log:

Files moved on Reboot...
Registry entries deleted on Reboot...

^ This is all that was written in it. I would also like to ask what would be a good antivirus for a Mac.
Thanks
Kenny94 Posted June 1, 2011 ID:435490

"I would also like to ask what would be a good antivirus for a Mac"

I really don't know. But I know a few Mac users have: http://www.iantivirus.com/

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and the tools used in the removal of malware. To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer. Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

It's a good idea to flush your System Restore after removing malware and create a new restore point. To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Graphics for doing this are in the following links if you need them: How to Create a Restore Point. How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.

Browsers
Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.
If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust). NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialize and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures
Secunia software inspector & update checker
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.
Auslogics Disk Defrag or JKDefrag - Two good disk defragmenters for you to choose from to help speed up your computer.
Visit My Blog for Malware and Spyware Tips
hubertlim (Author) Posted June 1, 2011 ID:435533

WOW, thanks. I already had the addons for Firefox so I should be fine. Well, all done: downloaded all applications and used OTC to clean my PC. After the cleaning, no problems happened to my PC at all.
Thanks for helping me once again. I'll be sure to use these forums when I get another problem.
LDTate Posted June 7, 2011 ID:437653

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.