Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

RootKit Virus I think... Help!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

RootKit Virus I think... Help!!!

Unread postby kcarlasc » November 26th, 2010, 8:53 pm

Getting re-directs and Windows update is hosed. Tried Malwarebytes,ComboFix. SuperAntiVirus just to name a few...

Any help would be great

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:05 PM, on 11/26/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\FixCamera.exe
C:\Windows\tsnpstd3.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\alwil software\Avast5\AvastUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\itunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Users\MichelleC\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\microsoft office\Office14\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\MichelleC\Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\Windows\vsnpstd3.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\MichelleC\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\microsoft office\Office14\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOBCA7~1\GoogleDesktopNetwork3.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HPMSSConnectorService (HPMSSConnectorSvc) - HP - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
O23 - Service: Intel(R) PROSet Monitoring Service - Intel Corporation - C:\Windows\system32\IProsetMonitor.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MediaCollectorService - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9738 bytes
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm
Advertisement
Register to Remove

Re: RootKit Virus I think... Help!!!

Unread postby MWR 3 day Mod » November 29th, 2010, 11:33 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » November 30th, 2010, 12:34 pm

Hi kcarlasc,
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » November 30th, 2010, 1:55 pm

Uninstall List

32 Bit HP CIO Components Installer
Action Replay DSi Code Manager
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
Aleks 3.12
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bonjour
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Inkjet Printer Driver Add-On Module
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Codec
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities Digital Photo Professional 3.7
Canon Utilities EOS Capture 1.3
Canon Utilities MyCamera
Canon Utilities PhotoStitch 3.1
Canon Utilities Picture Style Editor
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Conexant HD Audio
Coupon Printer for Windows
Definition update for Microsoft Office 2010 (KB982726)
Easy DVD Creator 2.2.1
EOS USB WIA Driver
EZ Home and Office v4.1 Trial Version
Facebook Desktop
Feedback Tool
GE MiniCam Pro
Google Apps
Google Desktop
Google Earth
Google Earth Plug-in
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP MediaSmart Server 3.0 Update 1
HP Photo Creations
HP Photosmart Essential 3.5
HP Photosmart Officejet and Deskjet All-In-One Driver Software 13.0 Rel. B
HP Photosmart Premium C309g-m All-in-One Driver Software 14.0 Rel. 6
HP Print Projects 1.0
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections 15.7.176.0
Intel(R) Network Connections 15.7.176.0
iTunes
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Social Connector Provider for Facebook 32-bit
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
QuickTime
Riverpoint Writer
Rock Your Phone 1.63.18
Shop for HP Supplies
Shutterfly Express Uploader
Shutterfly Express Uploader
Synaptics Pointing Device Driver
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft OneNote 2010 (KB2288640)
Update for Microsoft Outlook Social Connector (KB2289116)
Update for Microsoft Outlook Social Connector (KB2289116)
USB PC Camera (SN9C103)
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
Windows Home Server Connector
Windows Live ID Sign-in Assistant
Yahoo! Messenger
Yahoo! Software Update
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » November 30th, 2010, 2:47 pm

kcarlasc,
Facebook is far too sloppy with their security to allow it to come up every time your browser starts. I would change start pages.
-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
------------------------------------------
Scan with ESET online scanner:
  • Open Internet Explorer by right-clicking the IE icon (on the Start menu or quick launch) and selecting Run as administrator
  • NOTE: Internet Explorer will temporarily have administrator privileges, this is required for the scan but dangerous for normal surfing so do NOT open any other websites in IE until after the scan has finished and this window has been closed.
  • Open the ESET Online Scanner in Internet Explorer
  • Tick the box next to YES, I accept the Terms of Use. and click Start
  • Allow the ActiveX control to be installed by Internet Explorer
  • Once the ActiveX has finished loading click Start to initialize and update the scanner
  • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
  • Once complete and the summary page appears, press Start, copy/paste the following command into the search box and press Enter:
    notepad "C:\Program Files\EsetOnlineScanner\log.txt"
  • The log file should now appear in Notepad, copy and paste the contents in your next response.
  • Please be sure to close this Internet Explorer window before continuing.

Another item worth mentioning:
If you are running from a router, do you know for certain that the router administrator password was changed when it was installed?
If there is a router, are there any other machines on that router, and are they getting redirects?

So we are looking for the ESET report log, and any answers you may have about the router.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » November 30th, 2010, 8:03 pm

ESET info...
C:\TDSSKiller_Quarantine\26.11.2010_12.00.55\tdl30000\svc0000\tsk0000.dta Win32/Olmarik.ZC trojan
C:\Windows\FixCamera.exe a variant of Win32/KillProc.A application
Operating memory a variant of Win32/KillProc.A application

Router Info..

Router did have a different password till it needed to be reset then it seems I forgot to change it.. I just changed it.. no other computers seem to have any issues...
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » November 30th, 2010, 8:22 pm

kcarlasc,
OK. If you leave it as the default, bots can change the URLs in the router so all the connections go thru their servers on the way to your ISP.

Looks like you may have run this before, but I need to see what it says now.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason,you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » December 1st, 2010, 8:55 am

This caused a BSOD when I rebooted after the clean, also looks like it did not clean anything with the processing error.,


2010/12/01 07:52:08.0028 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/12/01 07:52:08.0028 ================================================================================
2010/12/01 07:52:08.0028 SystemInfo:
2010/12/01 07:52:08.0028
2010/12/01 07:52:08.0028 OS Version: 6.1.7600 ServicePack: 0.0
2010/12/01 07:52:08.0028 Product type: Workstation
2010/12/01 07:52:08.0028 ComputerName: MICHELLEC-PC
2010/12/01 07:52:08.0028 UserName: MichelleC
2010/12/01 07:52:08.0028 Windows directory: C:\Windows
2010/12/01 07:52:08.0028 System windows directory: C:\Windows
2010/12/01 07:52:08.0028 Processor architecture: Intel x86
2010/12/01 07:52:08.0028 Number of processors: 2
2010/12/01 07:52:08.0028 Page size: 0x1000
2010/12/01 07:52:08.0028 Boot type: Normal boot
2010/12/01 07:52:08.0028 ================================================================================
2010/12/01 07:52:08.0840 Initialize success
2010/12/01 07:52:38.0698 ================================================================================
2010/12/01 07:52:38.0698 Scan started
2010/12/01 07:52:38.0698 Mode: Manual;
2010/12/01 07:52:38.0698 ================================================================================
2010/12/01 07:52:40.0601 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/12/01 07:52:40.0664 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2010/12/01 07:52:40.0711 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/12/01 07:52:40.0773 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/12/01 07:52:40.0851 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2010/12/01 07:52:40.0898 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2010/12/01 07:52:40.0976 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
2010/12/01 07:52:41.0023 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
2010/12/01 07:52:41.0101 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2010/12/01 07:52:41.0194 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
2010/12/01 07:52:41.0225 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
2010/12/01 07:52:41.0257 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
2010/12/01 07:52:41.0288 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2010/12/01 07:52:41.0350 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2010/12/01 07:52:41.0413 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
2010/12/01 07:52:41.0475 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/12/01 07:52:41.0506 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
2010/12/01 07:52:41.0553 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
2010/12/01 07:52:41.0662 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2010/12/01 07:52:41.0709 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2010/12/01 07:52:41.0803 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\Windows\system32\drivers\aswFsBlk.sys
2010/12/01 07:52:41.0927 aswMonFlt (bd9119468c32b7ecd1e0544d3f286a73) C:\Windows\system32\drivers\aswMonFlt.sys
2010/12/01 07:52:41.0959 aswRdr (69823954bbd461a73d69774928c9737e) C:\Windows\system32\drivers\aswRdr.sys
2010/12/01 07:52:42.0005 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\Windows\system32\drivers\aswSP.sys
2010/12/01 07:52:42.0037 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\Windows\system32\drivers\aswTdi.sys
2010/12/01 07:52:42.0083 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/01 07:52:42.0161 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2010/12/01 07:52:42.0286 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2010/12/01 07:52:42.0349 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2010/12/01 07:52:42.0442 BackupReader (22f769c67cb88ef32a985132041a6169) C:\Windows\system32\DRIVERS\BackupReader.sys
2010/12/01 07:52:42.0583 BCM43XX (f9ce9b5e049efc66b8e6c73c18ee8438) C:\Windows\system32\DRIVERS\bcmwl6.sys
2010/12/01 07:52:42.0692 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2010/12/01 07:52:42.0739 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/12/01 07:52:42.0832 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/01 07:52:42.0863 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/12/01 07:52:42.0895 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/12/01 07:52:42.0957 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2010/12/01 07:52:43.0004 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/12/01 07:52:43.0051 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/12/01 07:52:43.0097 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/12/01 07:52:43.0129 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/12/01 07:52:43.0441 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/01 07:52:43.0487 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/01 07:52:43.0550 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2010/12/01 07:52:43.0628 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2010/12/01 07:52:43.0690 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/01 07:52:43.0737 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2010/12/01 07:52:43.0784 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2010/12/01 07:52:43.0909 CnxtHdAudService (a4d44ab8423791db757b38150ec599a4) C:\Windows\system32\drivers\CHDRT32.sys
2010/12/01 07:52:43.0955 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/01 07:52:44.0002 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/12/01 07:52:44.0065 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/12/01 07:52:44.0174 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
2010/12/01 07:52:44.0252 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
2010/12/01 07:52:44.0345 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2010/12/01 07:52:44.0392 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2010/12/01 07:52:44.0486 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2010/12/01 07:52:44.0579 dsiarhwprog (f35b5d0cc142b87e687fc504baa69d82) C:\Windows\system32\Drivers\dsiarhwprog.sys
2010/12/01 07:52:44.0657 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/01 07:52:44.0751 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\Windows\system32\DRIVERS\e100b325.sys
2010/12/01 07:52:44.0891 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2010/12/01 07:52:45.0032 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2010/12/01 07:52:45.0094 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2010/12/01 07:52:45.0188 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2010/12/01 07:52:45.0266 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2010/12/01 07:52:45.0313 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/01 07:52:45.0484 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2010/12/01 07:52:45.0515 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2010/12/01 07:52:45.0562 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/01 07:52:45.0609 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2010/12/01 07:52:45.0671 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2010/12/01 07:52:45.0703 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/01 07:52:45.0781 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
2010/12/01 07:52:45.0812 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/12/01 07:52:45.0921 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/12/01 07:52:46.0093 HBtnKey (7dad592a4d28092d584cfb4deef1373d) C:\Windows\system32\DRIVERS\cpqbttn.sys
2010/12/01 07:52:46.0139 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2010/12/01 07:52:46.0217 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
2010/12/01 07:52:46.0311 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/01 07:52:46.0342 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/12/01 07:52:46.0389 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2010/12/01 07:52:46.0436 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2010/12/01 07:52:46.0514 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/01 07:52:46.0639 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/12/01 07:52:46.0717 HSF_DPV (1882827f41dee51c70e24c567c35bfb5) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2010/12/01 07:52:46.0810 HSXHWAZL (a44ddf3ba83e4664bf4de9220097578c) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2010/12/01 07:52:46.0888 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2010/12/01 07:52:46.0935 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2010/12/01 07:52:46.0982 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/01 07:52:47.0044 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/12/01 07:52:47.0247 igfx (9467514ea189475a6e7fdc5d7bde9d3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/12/01 07:52:47.0450 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2010/12/01 07:52:47.0543 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2010/12/01 07:52:47.0590 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/01 07:52:47.0699 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/01 07:52:47.0949 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/12/01 07:52:48.0027 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2010/12/01 07:52:48.0152 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2010/12/01 07:52:48.0277 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2010/12/01 07:52:48.0417 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/01 07:52:48.0542 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/01 07:52:48.0620 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/01 07:52:48.0698 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/01 07:52:48.0807 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2010/12/01 07:52:48.0932 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/01 07:52:49.0088 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/12/01 07:52:49.0181 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/12/01 07:52:49.0275 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/12/01 07:52:49.0384 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/12/01 07:52:49.0462 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2010/12/01 07:52:49.0556 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/12/01 07:52:49.0696 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2010/12/01 07:52:49.0821 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/12/01 07:52:50.0211 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2010/12/01 07:52:50.0258 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/01 07:52:50.0305 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/01 07:52:50.0367 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/01 07:52:50.0429 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2010/12/01 07:52:50.0492 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2010/12/01 07:52:50.0585 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/01 07:52:50.0741 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2010/12/01 07:52:50.0991 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/01 07:52:51.0038 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/01 07:52:51.0069 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/01 07:52:51.0116 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
2010/12/01 07:52:51.0163 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2010/12/01 07:52:51.0241 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2010/12/01 07:52:51.0272 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2010/12/01 07:52:51.0319 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/12/01 07:52:51.0381 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/01 07:52:51.0428 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/01 07:52:51.0459 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2010/12/01 07:52:51.0506 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2010/12/01 07:52:51.0599 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/01 07:52:51.0646 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2010/12/01 07:52:51.0709 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/12/01 07:52:51.0771 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2010/12/01 07:52:51.0927 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/01 07:52:52.0083 NDIS (443bdbba36c1c10d307514f82d589d8a) C:\Windows\system32\drivers\ndis.sys
2010/12/01 07:52:52.0083 Suspicious file (Forged): C:\Windows\system32\drivers\ndis.sys. Real md5: 443bdbba36c1c10d307514f82d589d8a, Fake md5: 23759d175a0a9baaf04d05047bc135a8
2010/12/01 07:52:52.0099 NDIS - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/01 07:52:52.0145 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/12/01 07:52:52.0192 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/01 07:52:52.0223 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/01 07:52:52.0270 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/01 07:52:52.0317 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
2010/12/01 07:52:52.0379 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/01 07:52:52.0411 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/01 07:52:52.0520 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/12/01 07:52:52.0567 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2010/12/01 07:52:52.0613 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/01 07:52:52.0691 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
2010/12/01 07:52:52.0754 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2010/12/01 07:52:52.0801 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/12/01 07:52:52.0847 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
2010/12/01 07:52:52.0910 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/12/01 07:52:52.0957 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/01 07:52:53.0081 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2010/12/01 07:52:53.0206 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
2010/12/01 07:52:53.0425 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2010/12/01 07:52:53.0518 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
2010/12/01 07:52:53.0581 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
2010/12/01 07:52:53.0721 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/12/01 07:52:53.0799 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2010/12/01 07:52:53.0939 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2010/12/01 07:52:54.0298 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/01 07:52:54.0407 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2010/12/01 07:52:54.0579 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/01 07:52:54.0719 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2010/12/01 07:52:54.0813 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/12/01 07:52:54.0891 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/01 07:52:54.0953 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/01 07:52:55.0063 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/12/01 07:52:55.0141 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/01 07:52:55.0234 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/01 07:52:55.0297 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/01 07:52:55.0421 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/01 07:52:55.0562 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/12/01 07:52:55.0827 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/01 07:52:56.0342 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
2010/12/01 07:52:56.0420 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/01 07:52:56.0513 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2010/12/01 07:52:56.0669 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
2010/12/01 07:52:56.0794 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
2010/12/01 07:52:56.0981 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\Windows\system32\DRIVERS\rimmptsk.sys
2010/12/01 07:52:57.0091 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\Windows\system32\DRIVERS\rimsptsk.sys
2010/12/01 07:52:57.0184 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
2010/12/01 07:52:57.0356 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/01 07:52:57.0574 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
2010/12/01 07:52:57.0730 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/12/01 07:52:57.0808 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
2010/12/01 07:52:57.0995 sdbus (aa826e35f6d28a8e5d1efeb337f24ba2) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/01 07:52:58.0058 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/01 07:52:58.0136 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2010/12/01 07:52:58.0198 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2010/12/01 07:52:58.0261 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2010/12/01 07:52:58.0370 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/12/01 07:52:58.0432 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/12/01 07:52:58.0495 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/12/01 07:52:58.0557 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/12/01 07:52:58.0651 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
2010/12/01 07:52:58.0713 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/12/01 07:52:58.0775 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/12/01 07:52:58.0838 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2010/12/01 07:52:59.0259 SNPSTD3 (a37e84eb12c39d36eddeb7966429e75f) C:\Windows\system32\DRIVERS\snpstd3.sys
2010/12/01 07:52:59.0524 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2010/12/01 07:52:59.0665 srv (dd0dd124d95390fdffa7fb6283923ed4) C:\Windows\system32\DRIVERS\srv.sys
2010/12/01 07:52:59.0743 srv2 (59ef6d9c690e89d51b0692ccb13a06fc) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/01 07:52:59.0867 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2010/12/01 07:52:59.0977 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2010/12/01 07:53:00.0101 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2010/12/01 07:53:00.0195 srvnet (08f28676802b58138e48a2b40caf6204) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/01 07:53:00.0320 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2010/12/01 07:53:00.0413 StillCam (edb05bd63148796f23ea78506404a538) C:\Windows\system32\DRIVERS\serscan.sys
2010/12/01 07:53:00.0507 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
2010/12/01 07:53:00.0616 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
2010/12/01 07:53:00.0679 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/01 07:53:00.0803 SynTP (f5d926807bd9bc0af68f9376144de425) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/01 07:53:00.0991 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\drivers\tcpip.sys
2010/12/01 07:53:01.0100 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/01 07:53:01.0178 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/01 07:53:01.0240 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2010/12/01 07:53:01.0303 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2010/12/01 07:53:01.0381 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/01 07:53:01.0630 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/01 07:53:01.0849 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/01 07:53:02.0020 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/01 07:53:02.0270 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2010/12/01 07:53:02.0332 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/01 07:53:02.0441 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/12/01 07:53:02.0488 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/01 07:53:02.0551 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2010/12/01 07:53:02.0644 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
2010/12/01 07:53:02.0753 usbaudio (2436a42aab4ad48a9b714e5b0f344627) C:\Windows\system32\drivers\usbaudio.sys
2010/12/01 07:53:02.0816 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/01 07:53:02.0878 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2010/12/01 07:53:02.0925 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/01 07:53:02.0987 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/01 07:53:03.0034 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/01 07:53:03.0128 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/01 07:53:03.0221 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/01 07:53:03.0268 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/01 07:53:03.0331 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/01 07:53:03.0424 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/12/01 07:53:03.0502 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/01 07:53:03.0565 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2010/12/01 07:53:03.0658 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/12/01 07:53:03.0721 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2010/12/01 07:53:03.0783 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2010/12/01 07:53:03.0861 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2010/12/01 07:53:03.0955 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
2010/12/01 07:53:04.0033 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
2010/12/01 07:53:04.0095 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/12/01 07:53:04.0189 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2010/12/01 07:53:04.0267 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2010/12/01 07:53:04.0329 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/12/01 07:53:04.0407 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
2010/12/01 07:53:04.0469 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
2010/12/01 07:53:04.0547 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2010/12/01 07:53:04.0594 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/01 07:53:04.0625 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/01 07:53:04.0766 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2010/12/01 07:53:04.0828 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/01 07:53:04.0984 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/12/01 07:53:05.0078 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2010/12/01 07:53:05.0187 winachsf (e096ffb754f1e45ae1bddac1275ae2c5) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2010/12/01 07:53:05.0374 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\Windows\system32\DRIVERS\WinUsb.sys
2010/12/01 07:53:05.0421 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/01 07:53:05.0577 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/01 07:53:05.0686 WSDPrintDevice (553f6ccd7c58eb98d4a8fbdaf283d7a9) C:\Windows\system32\DRIVERS\WSDPrint.sys
2010/12/01 07:53:05.0795 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2010/12/01 07:53:05.0889 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/01 07:53:05.0998 XAudio (19e7c173b6242ad7521e537ae54768bf) C:\Windows\system32\DRIVERS\xaudio.sys
2010/12/01 07:53:06.0139 ================================================================================
2010/12/01 07:53:06.0139 Scan finished
2010/12/01 07:53:06.0139 ================================================================================
2010/12/01 07:53:06.0185 Detected object count: 1
2010/12/01 07:53:17.0324 C:\Windows\system32\drivers\ndis.sys - processing error
2010/12/01 07:53:17.0324 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure
2010/12/01 07:53:25.0358 Deinitialize success
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » December 1st, 2010, 12:39 pm

Otis,
------------------------------------------------------
Warning - Compromised Data
Because the TDL3 rootkit infection has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine.
That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well.
Don't use the infected machine to make the changes.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
    ndis.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVAST
    Right click on the avast! icon in system tray (looks like this: Image) and choose (Stop On-Access Protection)
    Avast On-Access Protection is now disabled.
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

So we are Looking for the results from SystemLook.txt and the log from Combofix (zzz.exe)
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » December 1st, 2010, 8:06 pm

SystemLook 04.09.10 by jpshortstuff
Log created at 18:16 on 01/12/2010 by MichelleC
Administrator - Elevation successful

========== filefind ==========

Searching for "ndis.sys"
C:\Windows\ERDNT\cache\ndis.sys --a---- 710720 bytes [19:15 26/11/2010] [01:20 14/07/2009] 23759D175A0A9BAAF04D05047BC135A8
C:\Windows\System32\drivers\ndis.sys --a---- 710720 bytes [23:12 13/07/2009] [01:20 14/07/2009] 23759D175A0A9BAAF04D05047BC135A8
C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_a79d81ea7d62a289\ndis.sys --a---- 710720 bytes [23:12 13/07/2009] [01:20 14/07/2009] 23759D175A0A9BAAF04D05047BC135A8

-= EOF =-


ComboFix 10-11-30.09 - MichelleC 12/01/2010 18:27:54.3.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.968 [GMT -5:00]
Running from: c:\users\MichelleC\Documents\zzz.exe
.

((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.

2010-12-01 23:43 . 2010-12-01 23:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-01 23:43 . 2010-12-01 23:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-30 21:21 . 2010-11-30 21:21 -------- d-----w- c:\program files\ESET
2010-11-29 12:22 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BF8DE9E-5DF2-4C56-8C05-84FB5ED6D857}\mpengine.dll
2010-11-26 23:27 . 2010-11-26 23:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-26 23:19 . 2010-11-26 23:19 -------- d-----w- c:\program files\CCleaner
2010-11-26 23:14 . 2010-11-26 23:14 -------- d-----w- C:\!KillBox
2010-11-26 20:24 . 2010-11-26 23:50 -------- d-----w- c:\program files\Sophos
2010-11-26 18:45 . 2010-11-26 18:45 35 ----a-w- c:\users\MichelleC\AppData\Roaming\SetValue.bat
2010-11-26 18:45 . 2010-11-26 18:45 691 ----a-w- c:\users\MichelleC\AppData\Roaming\GetValue.vbs
2010-11-26 17:27 . 2010-09-22 06:05 110752 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2010-11-26 17:26 . 2010-11-26 17:27 -------- d-----w- c:\program files\Intel
2010-11-26 17:02 . 2010-11-26 17:02 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-26 16:54 . 2010-11-26 19:25 -------- d-----w- c:\windows\system32\catroot2
2010-11-26 14:54 . 2010-11-26 14:54 -------- d-----w- c:\program files\Common Files\Java
2010-11-26 14:53 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-26 13:16 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-11-26 13:16 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-11-26 13:16 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-11-26 13:16 . 2010-08-16 06:15 804864 ----a-w- c:\windows\system32\FntCache.dll
2010-11-26 13:16 . 2010-08-16 06:14 1076224 ----a-w- c:\windows\system32\DWrite.dll
2010-11-26 13:16 . 2010-08-16 06:14 737280 ----a-w- c:\windows\system32\d2d1.dll
2010-11-26 13:16 . 2010-08-16 06:14 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-11-26 13:16 . 2010-08-16 06:14 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2010-11-26 13:15 . 2010-05-09 09:15 279552 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-11-26 13:15 . 2010-05-09 09:15 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-11-26 13:15 . 2010-06-26 05:14 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2010-11-26 13:14 . 2010-11-26 13:14 -------- d-----w- c:\program files\Feedback Tool
2010-11-23 20:42 . 2010-11-23 20:42 -------- d-----w- c:\program files\iPod
2010-11-23 20:37 . 2010-11-23 20:37 -------- d-----w- c:\program files\Apple Software Update
2010-11-23 20:36 . 2010-11-23 20:36 -------- d-----w- c:\program files\Bonjour
2010-11-09 16:46 . 2010-11-09 16:46 -------- d-----w- C:\my dvd
2010-11-09 16:42 . 2010-11-09 16:50 -------- d-----w- c:\program files\Easy DVD Creator
2010-11-06 16:37 . 2010-11-06 16:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 17:43 . 2010-10-12 17:43 183808 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-10-11 21:19 . 2010-10-11 21:19 642680 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-10-11 21:19 . 2010-10-11 21:19 509560 ----a-w- c:\windows\system32\accesor.dll
2010-10-11 20:53 . 2010-10-11 20:53 134776 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-10-11 20:34 . 2010-10-11 20:34 1843832 ----a-w- c:\windows\system32\ncscolib.dll
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-10-01 09:39 . 2010-09-29 10:57 0 ----a-w- c:\users\MichelleC\AppData\Local\Axequh.bin
2010-09-28 20:44 . 2010-09-28 20:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-28 20:44 . 2010-09-28 20:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-20 09:32 . 2010-09-20 09:32 136416 ----a-w- c:\windows\system32\drivers\iANSW60.sys
2010-09-17 09:02 . 2010-09-17 09:02 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2010-09-09 11:03 . 2010-09-09 11:03 239768 ----a-w- c:\windows\system32\PRONtObj.dll
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-07-15 22:05 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-07-15 22:05 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-07-15 22:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-07-15 22:06 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-07-15 22:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-07-15 22:06 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2010-07-15 22:06 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-01 39408]
"Google Update"="c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

c:\users\MichelleC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\microsoft office\Office14\ONENOTEM.EXE [2010-3-29 227712]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-4-16 604008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOBCA7~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 135664]
R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-11 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F392.tmp [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-09 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 239464]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2009-10-07 97128]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-26 20992]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-26 81920]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 376680]
S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2009-10-07 44776]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-01 19:18]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 21:27]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 21:27]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4249644563-712330806-2779167662-1000Core.job
- c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-27 04:38]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4249644563-712330806-2779167662-1000UA.job
- c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-27 04:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST9160411AS rev.SD13 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85DCBEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86ee2872; SUB DWORD [EBP-0x4], 0x86ee212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82C4B458] -> \Device\Harddisk0\DR0[0x85EB6A00]
3 CLASSPNP[0x88DB259E] -> ntkrnlpa!IofCallDriver[0x82C4B458] -> \IdeDeviceP1T0L0-2[0x85988908]
[0x860D2978] -> IRP_MJ_CREATE -> 0x85DCBEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskST9160411AS_____________________________SD13____#5&286c039e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F392.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-01 19:03:10
ComboFix-quarantined-files.txt 2010-12-02 00:03
ComboFix2.txt 2010-11-26 20:19
ComboFix3.txt 2010-11-26 19:17

Pre-Run: 52,070,903,808 bytes free
Post-Run: 51,897,225,216 bytes free

- - End Of File - - 35DDCD0559C8A79A0172DDCD8E80B159
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » December 2nd, 2010, 10:02 am

kcarlasc,
-----------------------------------------------
Run RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program, or in Vista, right click and choose "Run as administrator"
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select every drive showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
  • Post the contents of RootRepeal.txt in your next reply
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » December 2nd, 2010, 10:14 pm

Does not run, throws the following error:

21:13:32: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000dc)
21:13:32: DeviceIoControl Error! Error Code = 0x1e7
21:13:32: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000dc)
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » December 3rd, 2010, 7:21 am

kcarlasc
------------------------------------------------------
Warning - Compromised Data
Because the infection (TDSS Rootkit) has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine.
That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well.
Don't use the infected machine to make the changes.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools, ignore them or shutdown your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If ir does not, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • VISTA/Win7: Right click the .exe file and chose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
      Image
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: RootKit Virus I think... Help!!!

Unread postby kcarlasc » December 3rd, 2010, 8:04 pm

Rkill Log
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/03/2010 at 19:02:29.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:



Rkill completed on 12/03/2010 at 19:02:48.

GMER Log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-03 19:23:35
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9160411AS rev.SD13
Running: 8ghr0emx.exe; Driver: C:\Users\MICHEL~1\AppData\Local\Temp\uwlcyuoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E479BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E4799D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8E479B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C5F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C83F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82DBD291 7 Bytes JMP 8E479B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E24FBF 5 Bytes JMP 8E4755D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E3ECF3 5 Bytes JMP 8E477012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 82E4CD63 7 Bytes JMP 8E4799D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EF6EAC 7 Bytes JMP 8E479BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x88CA1014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[964] ntdll.dll!NtProtectVirtualMemory 779F5380 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[964] ntdll.dll!NtWriteVirtualMemory 779F5F00 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[964] ntdll.dll!KiUserExceptionDispatcher 779F6448 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[964] ole32.dll!CoCreateInstance 775C57FC 5 Bytes JMP 0063000A
.text C:\Windows\system32\svchost.exe[964] USER32.dll!GetCursorPos 778EC198 5 Bytes JMP 00DE000A
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1416] kernel32.dll!SetUnhandledExceptionFilter 772E3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Windows\Explorer.EXE[3104] ntdll.dll!NtProtectVirtualMemory 779F5380 5 Bytes JMP 01F7000A
.text C:\Windows\Explorer.EXE[3104] ntdll.dll!NtWriteVirtualMemory 779F5F00 5 Bytes JMP 01F8000A
.text C:\Windows\Explorer.EXE[3104] ntdll.dll!KiUserExceptionDispatcher 779F6448 5 Bytes JMP 01F6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!CreateWindowExW 778F0E51 5 Bytes JMP 617A8157 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!DialogBoxIndirectParamW 77914AA7 5 Bytes JMP 618CF970 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!DialogBoxParamW 7791564A 5 Bytes JMP 616C4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!DialogBoxParamA 7792CF6A 5 Bytes JMP 618CF90D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!DialogBoxIndirectParamA 7792D29C 5 Bytes JMP 618CF9D3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!MessageBoxIndirectA 7793E8C9 5 Bytes JMP 618CF8A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!MessageBoxIndirectW 7793E9C3 5 Bytes JMP 618CF837 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!MessageBoxExA 7793EA29 5 Bytes JMP 618CF7D5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4456] USER32.dll!MessageBoxExW 7793EA4D 5 Bytes JMP 618CF773 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-0 85DCEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85DCEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85DCEAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85DCEAEA

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskST9160411AS_____________________________SD13____#5&286c039e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 312581552 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\_avast5_\unp193573914.tmp (size mismatch) 59094/0 bytes executable
File C:\Windows\Temp\_avast5_\unp640768.tmp (size mismatch) 59094/0 bytes executable
File C:\Windows\system32\drivers\ndis.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
kcarlasc
Regular Member
 
Posts: 16
Joined: November 26th, 2010, 8:46 pm

Re: RootKit Virus I think... Help!!!

Unread postby askey127 » December 3rd, 2010, 9:59 pm

kcarlasc
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    TDL::
    C:\Windows\system32\drivers\ndis.sys
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 279 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware