BOO/TDSS.M

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

BOO/TDSS.M

Post by fairydraik on Wed May 04, 2011 7:32 pm

Hello.

I sincerely apologize for my long absence (and subsequent removal) from the GPA, but that's not why I'm here.

My computer has been infected wtih what my mom and I believe to be the new TDSS variant. The title of the topic is the name of the infection Avira found before everythng went to hell.

Currently, my mom is doing everything she can to get rid of it, but nothing seems to work. None of the TDSS rootkits we found mentioned in removal guides seem to be found in the registry. It is acting like a fake AV and when the computer is connected to the internet will pop up IE windows. It also tried to add an add-on to Firefox, but I told it no.

On a subsequent restart, it seems to have killed my mouse driver; Mom is doing everthing the old-fashioned way with the keyboard. Currently, we're only using the computer in Safe Mode. We think it's reinfecting through one of my portable hard drives. We can't use Avira, and the virus is blocking MBAM. Right now, I'm on my mom's Vista, but the infected computer is the one whose specs are on my profile.

Can you help us get rid of the virus?

Thanks,
Miri

Edit: I forgot to mention, we currently have the computer disconnected from the internet to prevent the virus from spreading. SHould we reconnect and run the fixes from that computer, or should we do the burn-it-to-a-CD thing from this one?

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by Belahzur on Wed May 04, 2011 10:17 pm

Hello.
Reconnect it to the net, we may need internet access.

Please download aswMBR from [You must be registered and logged in to see this link.]

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are [You must be registered and logged in to see this link.]

  • Once the scan finishes click Save log to save the log to your Desktop


  • Copy and paste the contents of aswMBR.txt back here for review


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by fairydraik on Wed May 04, 2011 11:05 pm

My computer appears to be taking forever to start up; I replugged the mouse into a diferent USB, mom says that on XP that resets the driver. CHecking to see if it works... Nope. Mouse doesn't work still. It'll take a little bit to tab around and stuff, so please be patient with me~ I'm not used to doing things with just the keyboard.

Edit: Now that I'm actually in my computer, it took a few minutes but my mouse appears to be working. However, my computer came up with no UI, just two windows, the fake ativirus and a "Personalised Settings: Setting up personalized settings for: Google Search Provider." It was after opening task manager and attempting to end the XP Anti-Virus program that my mouse moves but it doesn't seem to have ended. Attempting to end.... YES~ It ended and Windows' UI is coming up normally, the settings window went away with the XP anti-virus warning, most likely it was trying to simulate the virus attack it was telling me was happening. Awww, poor thing, it WAS the virus. I'm wise to your little games you hacker. Was trying to play keep-up with the infected processes in Task Manager to no avail, booting firefox (attempting) so I can access your fixes.

Crap. Virus gave me a message saying Firefox was infected. And its still running. GRAHHHH. Avira popped up with a message saying that it's in my recycle bin now?!?! Okay, trying IE. It seems to have made IE my default browser, too.

Huh. Trying to open IE and somehow Mozilla is now actually running, IE came up too. Seeing if I can get past the, "Mozilla is running in safe mode" and actually into the net with Mozilla, as IE doesn't appear to be doing any..... IE just went away, the virus told me it was infected. Okay, lets see if it'll let Mozilla run.... Hm. IE popped back up, with a fake alert ssaying that Yahoo was infected. *eyeroll* anyway, Mozilla appears to be working. I apologize for the running commentary; being on two comps at once offers a unique pportunity to describe things as they happen; I hope it's useful to you.

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by fairydraik on Wed May 04, 2011 11:24 pm

Okay, it's not letting me download the tool. It'll come up with the "Save/Run" window, I click Save File, but nothing happens. It appears to be working for a while, then stops.T he name of the website still appears down at the bottom in the bar where it shows loading progres but nothing else. If I roll over a link, that little thing goes away, replaced by the ubiquitous "Done". Any suggestions?

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by Belahzur on Fri May 06, 2011 8:40 pm

Can you download it via another machine and transfer it via USB? if not, we'll go to boot disc.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by fairydraik on Sat May 07, 2011 2:10 pm

Hmmm.... I'd have to find my USB drive. Would the virus be transferrable via that USB, though, if I needed to use it again? I don't want to infect my mom's computer.

Also, I"m sorry I didn't get this message when you posted it, I was up all last night with the stomach crud... blech.

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by Belahzur on Sat May 07, 2011 2:28 pm

No worries.

Normally TDL doesn't spread via autorun worms, very rarely see it use that method.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by fairydraik on Sat May 07, 2011 2:30 pm

Okay. Let me go search for it, but first, I want to try downloading one more time, my computer seems to be in better shape than last time I booted it up (Mouse works from the getgo, virus letting IE run, etc.)

Edit: No, virus won't even let me go to GeekPolice website. It'll start to load, then redirect me to "About:Blank" which says that the webpage is infected. Hunting down a flash drive now; if I can't find it, we may have to burn a CD.

Edit2: Found the flashdrive, about to transfer to the other computer.

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by fairydraik on Sat May 07, 2011 2:46 pm

Aaaaalright. Everytime I try to open it, it says, "Windows cannot access device, path, or file. You may not have appropriate permissions to access this file." I am running as administrator. WHen I moved the program to the desktop, it still told me the same thing. I ended all of the active virus processes via task manager (whicch didnt' come up normaly, it went to a selection screen like my old school laptop, I clicked 'task manager', had to do that twice, and the username was bizarre, "logged on as (random numbers/letters)/Miranda (my last name)") and tried again, still got the same essage, but as I ended the processes, Avira was able to get through and told me about all kinds of infected files that it was finding, even a garbage .dll file in the system folder.

I hope that helps you somewhat.

fairydraik
Intermediate
Intermediate

Status :
Online
Offline

Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

View user profile

Back to top Go down

Re: BOO/TDSS.M

Post by Belahzur on Sat May 07, 2011 2:47 pm

Ah ok, try this instead, I wanna see if it runs.


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


  • [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 2:52 pm

    Nope, still getting the same error. Could it have something to do with me using a non-admin account on Vista to download it?

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Sat May 07, 2011 2:54 pm

    Possibly, but I know of an infection that throws up that error.

    We are going to be using a Windows Recovery Environment to help disinfect the system.

    Download the OTLPE Standard REATOGO Windows Recovery Environment.

    • Place a blank CD-R disc in to your CD burning drive.
    • Download [You must be registered and logged in to see this link.] and double-click on it to burn to a CD using ISO Burner.
    • Reboot your system using the boot CD you just created.

      Note : If you do not know how to set your computer to boot from CD follow the steps [You must be registered and logged in to see this link.]
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start. Change the following settings

    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 3:01 pm

    .....wow. Vista says it's gonna take half an hour to download that file.

    I'm a little worried about this... I've never done anything like booting a computer from CD before.

    Edit: ALright, it's downloaded. Time to burn the CD and get this to work....


    Last edited by fairydraik on Sat May 07, 2011 3:14 pm; edited 1 time in total

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Sat May 07, 2011 3:07 pm

    It's not a hard thing to do, it's just gonna be easier for both of us this way. Rather than fight through whatever blocks the malware has placed, bypass the whole system and boot a CD, that way the malware can't boot as it doesn't need the HDD.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 3:22 pm

    Alright, makes sense. How long should it take for the CD to burn? OTLPEStd is at "0% extracting" right now, doesn't seem to be doing anything.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Sat May 07, 2011 3:24 pm

    It can depend on the hardrive the machine has your using to burn it.

    I burnt OTLPE for me a few weeks back, took me about 1hr total I'd say, but I'm using a 2.5ghz processor so it's quicker than most.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 3:25 pm

    Mmkay. So it's normal if it doesn't seem to be doing anything at all?

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Sat May 07, 2011 3:27 pm

    Yes, give it a while, it may take some time to extract and burn if your on a somewhat middle ground machine.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 4:29 pm

    It's been around an hour and hasn't even made it to 1%. SHould I be worried?

    (Sorr if I sound a bit paranoid, I'm just... well... paranoid. Maybe it's 'cause I'm still sick...)

    Edit: Avira was evidently running a scan, so I turned it off; it was probably interfering with the process....

    Edit2: When checking to see if it was still respondin, according to the Task Manager, I found that Windows Defender was running in the background. I ended that as well.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Sat May 07, 2011 6:26 pm

    After about three hours, it was still at 0%, so I turned it off. WHen I did so, Windows told me something about it not installing correctly, but I didn't want to mess with it. What now?

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Mon May 09, 2011 7:51 pm

    Fair enough then, lets see if we can cut through the malware.

    Please download Ice Sword from [You must be registered and logged in to see this link.]

    1. Download the zip to your desktop and extract it.
    2. Open the Ice Sword folder and then launch IceSword.exe.
    3. Now, on the left hand side tool, hit the Process button at the top of the list.
    4. Just above the list, there is a log button, press that and save the log to your Desktop.
    5. Next, hit the Startup on the left side list.
    6. Press the log button again.
    7. Post the two logs in your next reply.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 9:03 pm

    oooookay. I got a BSoD when I tried to turn my computer on, I think we need to try the boot disk again.

    Edit: No, it's going to let me get in this time. Let's try the IceSword..... if it doesn't work, I can try re-downloading OTLPE

    Edit2: On a hunch, I started aswMBR before the computer fully loaded up, and it's RUNNING. I clicked Scan and it's currently working Big Grin

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 10:28 pm

    Here's the text from the scan. I noticed that one of the items ("IRP_MJ_CREATE") is the same or similar to the one that caused my comp to BSoD.

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-10 18:06:27
    -----------------------------
    18:06:27.468 OS Version: Windows 5.1.2600 Service Pack 3
    18:06:27.468 Number of processors: 1 586 0x403
    18:06:27.546 ComputerName: D94LZ971 UserName:
    18:06:50.703 Initialize success
    18:07:06.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:07:06.859 Disk 0 Vendor: ST380013 8.12 Size: 76293MB BusType: 3
    18:07:06.859 Disk 0 MBR read error 0
    18:07:06.859 Disk 0 MBR scan
    18:07:06.875 Disk 0 unknown MBR code
    18:07:06.875 MBR BIOS signature not found 0
    18:07:06.875 Disk 0 scanning sectors +156232125
    18:07:06.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    18:09:10.156 Service scanning
    18:09:22.546 Disk 0 trace - called modules:
    18:09:22.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89d52730]<<
    18:09:22.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a724ab8]
    18:09:22.578 3 CLASSPNP.SYS[b8168fd7] -> nt!IofCallDriver -> [0x89cd8de0]
    18:09:22.578 \Driver\iaStor[0x89d93d78] -> IRP_MJ_CREATE -> 0x89d52730
    18:09:23.093 Scan finished successfully
    18:11:16.265 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
    18:11:16.343 The log file has been saved successfully to "I:\aswMBR.txt"

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Tue May 10, 2011 11:22 pm

    Yep, TDL4.

    Do you have the XP disc? incase we need it, the fix for this can be dangerous.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 11:24 pm

    Ummmm.... I don't think so, I'd have to ask my mom and dad, and I do have Recovery COnsole installed.

    Okay, Mom says I'd have to ask Dad, but like I said, I do have Recovery Console, if that helps any.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Tue May 10, 2011 11:34 pm

    Yeah that helps.

    Can you back up any data you don't want to lose, this infection isn't nice and fixing it known to cause the machine to become unusable.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 11:35 pm

    hmmmm. So, in other words, do not attempt without a WIndows disk?

    Edit: ANd, I don't really know how to go about backing up everything, everything I do is on that computer. I have some 1TB harddrives....

    Edit2: If I had to reinstall windows, would my data still be there, except Windows? I don't really know anything about that kind of thing...

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Tue May 10, 2011 11:41 pm

    You could slave the HDD from the infected machine into another machine, or use a bootable CD with GUI like OTLPE if you can get that working.

    Just our tools can't always catch this, and the only other option is the recovery console, but that will restore standard MBR, if you use a custom MBR (OEM with recovery) then it causes the machine to become unbootable, it's a lose lose situation.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 11:46 pm

    Slave? What does that mean?

    And how likely is it that my computer uses a custom MBR?

    And I suppose I could try to use OTLPE again, JIC.

    And... like I asked earlier, if my Windows becomes inoperable, is it possible for me to get my data (like files, etc.) back? (I'm sorry I'm asking so many questions. I just don't feel comfortable starting something risky without knowing about all the possible outcomes.)

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Tue May 10, 2011 11:53 pm

    Slave? What does that mean?

    At the back of every HDD is a little jumper chip, it sets the drive as master or slave. Right now yours will be set as master, switching it to slave makes it secondary to the primary HDD under another machine.

    It's not likely being XP, but I can't be 100% certain.

    It's possible if something bad does happen, that's why I recommend OTLPE, I've used it myself for my own machine a few months back.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Tue May 10, 2011 11:53 pm

    Alright. ANd if I had the Windows disk it would be easier, right?

    Edit: Mom says to tell you that it is a Dell computer, that that makes a difference.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 12:02 am

    Actually since you've already got the RC, don't need the Windows disc really, only need that if were gonna format.

    Please reboot your machine.

    As it is rebooting, you will notice an extra menu, and an extra option for the Microsoft Windows Recovery Console.

    Please select that option to boot the RC, Windows will boot to a text based screen and ask you to select the installation to log into, please choose the correct one, usually option 1 and press enter.

    In there, type in the following commands, 1 line at a time.


    fixmbr
    exit

    After the copy command, you may be prompted with a yes/no to confirm the copy, type in "y" to confirm it.

    After that, boot back to normal mode and re-run aswmbr, then post the new log.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 12:05 am

    Okay, so I'm guessing this is where we cross our fingers and pray, right? ALright, lemme copy most of my My Documents folder onto my 1TB, just in case.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 12:42 am

    Yep, this is the fix.

    Being XP I doubt anything bad will happen, but no promises.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 12:44 am

    Right. Well, I'm copying all of my stuff ontomy 1TB, and according to my comp (when it can even make up it's mind about the time) it's going to take over two hours. *sigh* luckily, I have a fild trip tmorrow which means i get to skip my first class of the day, so I can stay up late babysitting it.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 1:31 am

    ....that's wierd. When I booted Recovery COnsole, it said, "NTLDR is compressed
    Press CTRL+ALT+DEL to restart"

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 2:27 pm

    Hmm.
    Do you think you can get this to run the same way you did with aswmbr?

    Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.

    • Doubleclick TDSSKiller.exe to run the tool
    • Click the Start Scan button
    • After the scan has finished, click the Close button
    • Click the Report button and copy/paste the contents of it into your next reply
    Note:It will also create a log in the C:\ directory.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 6:29 pm

    Probably, lemme try it.

    Edit: What's the exact ocation of the log it'll create? So I can put it on the flash.

    Edit2: I don't know what happened, but ever since I was able to run aswMBR, my computer has been a lot more responsive....


    Last edited by fairydraik on Wed May 11, 2011 6:41 pm; edited 1 time in total

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 6:39 pm

    Note:It will also create a log in the C:\ directory.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 6:42 pm

    It says it wants me to select actions for found objects, should I just continue with the default selections?

    ANd oops, didn't see that -_-;;;

    edit: I just continued witht he default settings, it asked me to reboot to complete the cure. The scan didn't seem to take very long... let's see what it says after restarting.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 6:56 pm

    This is the log after I chose to go with the default settings, it looks like it did skip one item, and after reboot, the virus still appeared to be active. Should I run the tool again, this time not skipping any items?

    2011/05/11 14:40:34.0734 3916 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/11 14:40:35.0125 3916 ================================================================================
    2011/05/11 14:40:35.0125 3916 SystemInfo:
    2011/05/11 14:40:35.0125 3916
    2011/05/11 14:40:35.0125 3916 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/11 14:40:35.0125 3916 Product type: Workstation
    2011/05/11 14:40:35.0125 3916 ComputerName: D94LZ971
    2011/05/11 14:40:35.0125 3916 UserName: Miranda Rian
    2011/05/11 14:40:35.0125 3916 Windows directory: C:\WINDOWS
    2011/05/11 14:40:35.0125 3916 System windows directory: C:\WINDOWS
    2011/05/11 14:40:35.0125 3916 Processor architecture: Intel x86
    2011/05/11 14:40:35.0125 3916 Number of processors: 1
    2011/05/11 14:40:35.0125 3916 Page size: 0x1000
    2011/05/11 14:40:35.0125 3916 Boot type: Normal boot
    2011/05/11 14:40:35.0125 3916 ================================================================================
    2011/05/11 14:40:35.0812 3916 Initialize success
    2011/05/11 14:40:39.0125 4032 ================================================================================
    2011/05/11 14:40:39.0125 4032 Scan started
    2011/05/11 14:40:39.0125 4032 Mode: Manual;
    2011/05/11 14:40:39.0125 4032 ================================================================================
    2011/05/11 14:40:40.0671 4032 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/05/11 14:40:41.0015 4032 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/11 14:40:41.0078 4032 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/11 14:40:41.0125 4032 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/05/11 14:40:41.0187 4032 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/11 14:40:41.0250 4032 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/11 14:40:41.0312 4032 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/05/11 14:40:41.0343 4032 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/05/11 14:40:41.0375 4032 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/05/11 14:40:41.0406 4032 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/05/11 14:40:41.0437 4032 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/05/11 14:40:41.0484 4032 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/05/11 14:40:41.0515 4032 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/05/11 14:40:41.0546 4032 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/05/11 14:40:41.0593 4032 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/05/11 14:40:41.0640 4032 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/05/11 14:40:41.0687 4032 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/05/11 14:40:41.0703 4032 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/05/11 14:40:41.0781 4032 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/11 14:40:41.0812 4032 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/11 14:40:41.0921 4032 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/11 14:40:42.0000 4032 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/11 14:40:42.0062 4032 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/11 14:40:42.0140 4032 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/05/11 14:40:42.0187 4032 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/05/11 14:40:42.0281 4032 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/05/11 14:40:42.0328 4032 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2011/05/11 14:40:42.0406 4032 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/11 14:40:42.0453 4032 BeTwinKeyboard (48650cdd4b2dab817fef0b39a430e955) C:\WINDOWS\system32\drivers\BeTwinKF.sys
    2011/05/11 14:40:42.0531 4032 BeTwinMouse (0a680658860662cc81b7b8ed3d037d4a) C:\WINDOWS\system32\drivers\BeTwinMF.sys
    2011/05/11 14:40:42.0609 4032 BeTwinSystem (d6a76e727e395933994ffdd3c85fc7f3) C:\WINDOWS\system32\Drivers\BeTwinSystem.sys
    2011/05/11 14:40:42.0671 4032 BeTwinVideo (95ebb2a77b0c6bb9186b56cfc93fe060) C:\WINDOWS\system32\drivers\BeTwinVF.sys
    2011/05/11 14:40:42.0828 4032 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/05/11 14:40:42.0859 4032 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/11 14:40:42.0921 4032 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/05/11 14:40:42.0953 4032 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/05/11 14:40:42.0984 4032 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/11 14:40:43.0031 4032 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/11 14:40:43.0078 4032 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/11 14:40:43.0156 4032 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/05/11 14:40:43.0218 4032 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/05/11 14:40:43.0312 4032 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
    2011/05/11 14:40:43.0359 4032 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/05/11 14:40:43.0406 4032 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/05/11 14:40:43.0453 4032 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/11 14:40:43.0531 4032 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/11 14:40:43.0593 4032 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/11 14:40:43.0640 4032 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/11 14:40:43.0703 4032 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/11 14:40:43.0765 4032 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2011/05/11 14:40:43.0812 4032 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/11 14:40:43.0890 4032 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/05/11 14:40:44.0000 4032 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/11 14:40:44.0046 4032 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/11 14:40:44.0078 4032 FilterService (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
    2011/05/11 14:40:44.0125 4032 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/11 14:40:44.0156 4032 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/11 14:40:44.0218 4032 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/11 14:40:44.0281 4032 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/11 14:40:44.0359 4032 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/11 14:40:44.0421 4032 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/05/11 14:40:44.0468 4032 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/11 14:40:44.0531 4032 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
    2011/05/11 14:40:44.0593 4032 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/11 14:40:44.0656 4032 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2011/05/11 14:40:44.0703 4032 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/11 14:40:44.0781 4032 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/05/11 14:40:44.0796 4032 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/05/11 14:40:44.0828 4032 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/11 14:40:44.0875 4032 iaStor (88b1943ecff661f765228099138cf6ab) C:\WINDOWS\system32\drivers\iaStor.sys
    2011/05/11 14:40:44.0921 4032 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/11 14:40:44.0968 4032 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/05/11 14:40:45.0046 4032 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    2011/05/11 14:40:45.0109 4032 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    2011/05/11 14:40:45.0156 4032 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    2011/05/11 14:40:45.0187 4032 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/11 14:40:45.0250 4032 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/11 14:40:45.0328 4032 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/11 14:40:45.0375 4032 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/11 14:40:45.0437 4032 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/11 14:40:45.0484 4032 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/11 14:40:45.0562 4032 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/11 14:40:45.0609 4032 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/11 14:40:45.0656 4032 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/11 14:40:45.0718 4032 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/11 14:40:45.0750 4032 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/05/11 14:40:45.0796 4032 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/11 14:40:45.0859 4032 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/11 14:40:45.0968 4032 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
    2011/05/11 14:40:46.0015 4032 LVRS (b6e1ccd6572984adcae68439afd07011) C:\WINDOWS\system32\DRIVERS\lvrs.sys
    2011/05/11 14:40:46.0203 4032 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
    2011/05/11 14:40:46.0328 4032 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/11 14:40:46.0359 4032 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/11 14:40:46.0390 4032 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/05/11 14:40:46.0437 4032 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    2011/05/11 14:40:46.0484 4032 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/11 14:40:46.0515 4032 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/11 14:40:46.0578 4032 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/11 14:40:46.0640 4032 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/05/11 14:40:46.0671 4032 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/11 14:40:46.0734 4032 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/11 14:40:46.0796 4032 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/11 14:40:46.0843 4032 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/11 14:40:46.0906 4032 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/11 14:40:46.0937 4032 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/11 14:40:46.0984 4032 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/11 14:40:47.0031 4032 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/05/11 14:40:47.0109 4032 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/11 14:40:47.0156 4032 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/05/11 14:40:47.0218 4032 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/11 14:40:47.0312 4032 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/05/11 14:40:47.0359 4032 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/11 14:40:47.0421 4032 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/11 14:40:47.0484 4032 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/11 14:40:47.0531 4032 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/11 14:40:47.0593 4032 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/11 14:40:47.0640 4032 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/11 14:40:47.0750 4032 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/11 14:40:47.0859 4032 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
    2011/05/11 14:40:48.0046 4032 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/11 14:40:48.0140 4032 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/11 14:40:48.0875 4032 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/05/11 14:40:49.0265 4032 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/11 14:40:49.0296 4032 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/11 14:40:49.0359 4032 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
    2011/05/11 14:40:49.0437 4032 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
    2011/05/11 14:40:49.0500 4032 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
    2011/05/11 14:40:49.0562 4032 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/11 14:40:49.0609 4032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/11 14:40:49.0656 4032 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/11 14:40:49.0718 4032 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/11 14:40:49.0781 4032 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/11 14:40:49.0843 4032 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/11 14:40:49.0968 4032 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/05/11 14:40:50.0000 4032 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/05/11 14:40:50.0125 4032 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/11 14:40:50.0156 4032 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/11 14:40:50.0218 4032 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/11 14:40:50.0296 4032 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/11 14:40:50.0343 4032 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/05/11 14:40:50.0375 4032 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/05/11 14:40:50.0406 4032 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/05/11 14:40:50.0437 4032 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/05/11 14:40:50.0468 4032 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/05/11 14:40:50.0515 4032 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/11 14:40:50.0578 4032 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/11 14:40:50.0609 4032 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/11 14:40:50.0656 4032 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/11 14:40:50.0703 4032 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/11 14:40:50.0750 4032 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/11 14:40:50.0812 4032 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/11 14:40:50.0875 4032 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/11 14:40:50.0937 4032 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/11 14:40:51.0078 4032 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/11 14:40:51.0171 4032 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    2011/05/11 14:40:51.0234 4032 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/11 14:40:51.0312 4032 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/11 14:40:51.0375 4032 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/11 14:40:51.0468 4032 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/05/11 14:40:51.0515 4032 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/11 14:40:51.0578 4032 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/05/11 14:40:51.0609 4032 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/05/11 14:40:51.0640 4032 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
    2011/05/11 14:40:51.0750 4032 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/11 14:40:51.0812 4032 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/11 14:40:51.0859 4032 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/05/11 14:40:51.0937 4032 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/11 14:40:51.0984 4032 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/11 14:40:52.0015 4032 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/11 14:40:52.0093 4032 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/05/11 14:40:52.0125 4032 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/05/11 14:40:52.0140 4032 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/05/11 14:40:52.0171 4032 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/05/11 14:40:52.0234 4032 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/11 14:40:52.0328 4032 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/11 14:40:52.0390 4032 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/11 14:40:52.0453 4032 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/11 14:40:52.0500 4032 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/11 14:40:52.0578 4032 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/05/11 14:40:52.0640 4032 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/11 14:40:52.0671 4032 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/05/11 14:40:52.0750 4032 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/11 14:40:52.0828 4032 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/05/11 14:40:52.0875 4032 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/11 14:40:52.0921 4032 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/11 14:40:52.0984 4032 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/11 14:40:53.0031 4032 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/11 14:40:53.0078 4032 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/11 14:40:53.0109 4032 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/11 14:40:53.0171 4032 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/11 14:40:53.0250 4032 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/05/11 14:40:53.0328 4032 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/11 14:40:53.0359 4032 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/05/11 14:40:53.0390 4032 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/05/11 14:40:53.0453 4032 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/11 14:40:53.0515 4032 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/11 14:40:53.0625 4032 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/05/11 14:40:53.0718 4032 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/11 14:40:53.0828 4032 winusb (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.SYS
    2011/05/11 14:40:53.0937 4032 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/05/11 14:40:54.0031 4032 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/11 14:40:54.0140 4032 \HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/11 14:40:54.0218 4032 ================================================================================
    2011/05/11 14:40:54.0218 4032 Scan finished
    2011/05/11 14:40:54.0218 4032 ================================================================================
    2011/05/11 14:40:54.0250 4012 Detected object count: 2
    2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/05/11 14:48:00.0218 4012 \HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/11 14:48:00.0218 4012 \HardDisk3 - ok
    2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\HardDisk3) - User select action: Cure
    2011/05/11 14:48:17.0265 3856 Deinitialize success

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 6:58 pm

    Hello.
    No, leave TDSSKiller now. The items skipped is legit, it's just TDSSKiller flags locked files.

    That killed the MBR infection. Lets try OTL now.

    Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

    • Close all windows and double click OTL.exe
    • Click Run Scan and let the program run uninterrupted
    • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
    • You may need to use two posts to get it all.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 7:12 pm

    Good news! Now that soome of the virus is dead, I can get on GP from my own computer, where I am right now. Those logs are comign.

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 7:20 pm

    Yayyyyyyy~~~ It workeddddddd~~~~~ I just need to copy/paste thelogs now. (please excuse typos, the remainging virus is making the screen type very slow and its screwing up y typing accuracey.)

    OTL logfile created on: 5/11/2011 3:13:44 PM - Run 3
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Miranda Rian\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 70.81 Gb Total Space | 13.65 Gb Free Space | 19.28% Space Free | Partition Type: NTFS
    Drive F: | 931.51 Gb Total Space | 888.73 Gb Free Space | 95.41% Space Free | Partition Type: NTFS
    Drive I: | 1.86 Gb Total Space | 1.18 Gb Free Space | 63.23% Space Free | Partition Type: FAT
    Drive J: | 74.51 Gb Total Space | 3.32 Gb Free Space | 4.45% Space Free | Partition Type: FAT32

    Computer Name: D94LZ971 | User Name: Miranda Rian | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
    PRC - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msywgahg.exe
    PRC - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/03/22 23:56:40 | 000,687,448 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    PRC - [2011/03/21 17:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/11/04 02:14:38 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/04/01 05:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
    PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/02/21 17:59:00 | 000,143,360 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2004/09/01 03:06:18 | 000,147,456 | ---- | M] (A4Tech Co.,Ltd.) -- C:\Program Files\A4Tech\Mouse\Amoumain.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
    MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2008/04/13 20:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\iyocusura.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (npggsvc)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\msywgahg.exe -- (Network Adapter Events)
    SRV - [2011/05/02 22:30:25 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\6to4v32.dll -- (6to4)
    SRV - [2011/05/02 22:30:07 | 000,215,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\itlpfw32.dll -- (itlperf)
    SRV - [2011/05/02 15:36:07 | 003,274,328 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_3f211bc.dll -- (Akamai)
    SRV - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/04/01 01:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
    SRV - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/06/18 21:59:12 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2010/02/10 12:42:32 | 000,303,176 | ---- | M] (ThinSoft Pte Ltd.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\BeTwinServiceXP.exe -- (TermService)
    SRV - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/04/01 01:11:10 | 004,333,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech Webcam 500(UVC)
    DRV - [2011/04/01 01:09:48 | 000,291,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvrs.sys -- (LVRS)
    DRV - [2011/03/19 13:46:03 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
    DRV - [2010/11/23 22:11:00 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 16:17:40 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2010/05/14 18:04:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvcflt.sys -- (FilterService)
    DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2010/02/10 12:42:34 | 000,025,656 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\BeTwinVF.sys -- (BeTwinVideo)
    DRV - [2010/02/10 12:42:32 | 000,015,040 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BeTwinSystem.sys -- (BeTwinSystem)
    DRV - [2010/02/10 12:42:26 | 000,033,336 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINMF.sys -- (BeTwinMouse)
    DRV - [2010/02/10 12:42:26 | 000,033,208 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINKF.sys -- (BeTwinKeyboard)
    DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
    DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hamachi.sys -- (hamachi)
    DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\winusb.sys -- (winusb)
    DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\npptNT2.sys -- (NPPTNT2)
    DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
    DRV - [2004/08/25 14:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -- (b57w2k)
    DRV - [2004/06/15 23:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
    DRV - [2004/06/09 13:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys -- (P17)
    DRV - [2004/03/05 23:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
    DRV - [2004/03/05 23:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
    DRV - [2004/03/05 23:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
    DRV - [2003/09/22 09:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
    DRV - [2003/09/22 09:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
    DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.9
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.1
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.0.0
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1
    FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1.2008d

    FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/11 18:08:59 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/11 18:09:00 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{0ECA710F-47D0-4675-B53F-35385D5E8880}: C:\Documents and Settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880} [2011/05/02 20:12:19 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}: C:\Documents and Settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A} [2011/05/04 12:44:29 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:24:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:24:09 | 000,000,000 | ---D | M]

    [2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions
    [2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions\celtx@celtx.com
    [2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions
    [2011/03/31 22:36:11 | 000,000,000 | ---D | M] ("Malware Search") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
    [2010/06/24 13:48:48 | 000,000,000 | ---D | M] ("Athena") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
    [2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
    [2011/04/01 21:42:24 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
    [2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
    [2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    [2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    [2009/12/21 01:47:02 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    Hosts file not found
    O2 - BHO: (DivX Plus Web Player HTML5

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 7:22 pm

    The Extras log doesn't appear to have generated. That's just an uninstall list, right?

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 8:12 pm

    Hello.

    • Download combofix from here
      [You must be registered and logged in to see this link.]

      1. If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      2. During the download, rename Combofix to Combo-Fix as follows:





      3. It is important you rename Combofix during the download, but not after.
      4. Please do not rename Combofix to other names, but only to the one indicated.
      5. Close any open browsers.
      6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • We need to disable your local AV (Anti-virus) before running Combofix.
    • See [You must be registered and logged in to see this link.] for how to disable your AV.
    • Double click on ComboFix.exe.
    • Follow the prompts. NOTE:
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
      ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


    • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



    • Allow ComboFix to download the Recovery Console.
    • Accept the End-User License Agreement.
    • The Recovery Console will be installed.
    • You will then get this next prompt that asks if you want to continue the malware scan, select yes



    • Allow combofix to run
    • Post C:\combofix.txt back here.

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 8:59 pm

    Here's the ComboFix log Big Grin Things seem to be working better now, Firefox recognized the fact that I had no default browser set and allowed me to do something about it. It did pop up with some errors about missing DLL files, but they all had the junk names so I think they were bad files that CF deleted and the virus was lookign for them. After checking the list of running processes, it looks like several virus processes have been killed for good but others have not. Advice on the next step?

    ComboFix 11-05-11.01 - Miranda Rian 05/11/2011 16:28:01.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -4:00]
    Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Miranda Rian\Application Data\avdrn.dat
    c:\documents and settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll
    c:\documents and settings\Miranda Rian\Application Data\Sun\mxd1.txt
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome.manifest
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\_cfg.js
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\overlay.xul
    c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\install.rdf
    c:\documents and settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe
    c:\documents and settings\Miranda Rian\WINDOWS
    c:\documents and settings\Richard Rian\WINDOWS
    C:\Recycle.Bin
    c:\recycle.bin\config.bin
    c:\recycle.bin\Recycle.Bin.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\Glivua.exe
    c:\windows\Glivub.exe
    c:\windows\iyocusura.dll
    c:\windows\system32\6to4v32.dll
    c:\windows\system32\certstore.dat
    c:\windows\system32\itlnfw32.dll
    c:\windows\system32\itlpfw32.dll
    c:\windows\system32\RGSS104E.dll
    c:\windows\system32\RGSS104J.dll
    c:\windows\TDPLAP.dll
    F:\autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_6TO4
    -------\Legacy_ITLPERF
    -------\Service_6to4
    -------\Service_itlperf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-07 15:05 . 2011-05-07 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-05-07 14:36 . 2010-02-10 16:42 303176 ----a-w- c:\windows\system32\BeTwinServiceXP.exe
    2011-05-07 14:36 . 2010-02-10 16:42 33208 ----a-w- c:\windows\system32\drivers\BETWINKF.sys
    2011-05-07 14:36 . 2010-02-10 16:42 81984 ----a-w- c:\windows\system32\BeTwinAudio.dll
    2011-05-07 14:36 . 2006-03-17 03:35 249856 ----a-w- c:\windows\system32\SlsApi.dll
    2011-05-07 14:36 . 2010-02-10 16:42 15040 ----a-w- c:\windows\system32\drivers\BeTwinSystem.sys
    2011-05-07 14:36 . 2010-02-10 16:42 33336 ----a-w- c:\windows\system32\drivers\BETWINMF.sys
    2011-05-07 14:36 . 2010-02-10 16:42 25656 ----a-w- c:\windows\system32\drivers\BETWINVF.sys
    2011-05-07 14:36 . 2003-06-27 06:08 8704 ----a-w- c:\windows\system32\xtgina.dll
    2011-05-07 14:28 . 2011-05-07 14:28 42016 ----a-w- c:\windows\system32\msywgahg.exe
    2011-05-04 17:27 . 2011-05-04 17:28 -------- d-----w- c:\documents and settings\Administrator
    2011-05-04 16:44 . 2011-05-04 16:44 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}
    2011-05-03 00:12 . 2011-05-11 18:40 0 ----a-w- c:\windows\Ffavunoli.bin
    2011-04-30 08:51 . 2011-04-30 08:51 -------- d-----w- c:\program files\Combined Community Codec Pack
    2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----w- c:\program files\Matroska Pack
    2011-04-19 00:35 . 2011-04-19 00:35 -------- d-----w- c:\program files\iPod
    2011-04-19 00:34 . 2011-04-19 00:35 -------- d-----w- c:\program files\iTunes
    2011-04-19 00:30 . 2011-04-19 00:30 -------- d-----w- c:\program files\Bonjour
    2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe1_1DED5EFD410A48DB909A2B2022BB50D2.exe
    2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe_1DED5EFD410A48DB909A2B2022BB50D2.exe
    2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-04-13 23:53 . 2011-04-13 23:54 -------- d-----w- c:\program files\Help
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-01 05:11 . 2009-12-28 16:52 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
    2011-04-01 05:10 . 2009-12-28 16:52 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
    2011-04-01 05:10 . 2009-12-28 16:52 543328 ----a-w- c:\windows\system32\LVUI2.dll
    2011-04-01 05:09 . 2009-12-28 16:52 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
    2011-04-01 05:08 . 2011-04-01 05:08 195168 ----a-w- c:\windows\system32\lvci13251014.dll
    2011-04-01 05:08 . 2009-12-28 16:52 301664 ----a-w- c:\windows\system32\lvcodec2.dll
    2011-04-01 05:07 . 2010-05-14 21:56 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
    2011-04-01 05:07 . 2010-05-14 21:56 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
    2011-04-01 05:06 . 2010-05-14 21:55 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
    2011-04-01 04:56 . 2009-12-28 16:52 39318 ----a-w- c:\windows\system32\Repository.reg
    2011-03-23 03:58 . 2011-03-23 03:58 14168 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
    2011-03-19 17:46 . 2010-04-10 19:29 137656 -c--a-w- c:\windows\system32\drivers\avipbb.sys
    2010-03-09 16:11 . 2010-03-09 15:58 939139876 ----a-w- c:\program files\FEZsetup_2010-02-26.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
    "WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-09-01 147456]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Rhapsody\\rhapsody.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
    "6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
    "12933:TCP"= 12933:TCP:BitComet 12933 TCP
    "12933:UDP"= 12933:UDP:BitComet 12933 UDP
    "1034:TCP"= 1034:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
    R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
    S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
    S1 BeTwinSystem;BeTwinSystem;c:\windows\SYSTEM32\DRIVERS\BeTwinSystem.sys [5/7/2011 10:36 AM 15040]
    S3 BeTwinKeyboard;BeTwinKeyboard;c:\windows\SYSTEM32\DRIVERS\BETWINKF.sys [5/7/2011 10:36 AM 33208]
    S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
    S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUAUSERV
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    itlsvc REG_MULTI_SZ itlperf
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
    mSearch Bar = [You must be registered and logged in to see this link.]
    uInternet Settings,ProxyOverride = *.local
    IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
    FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Athena: {405e2f6c-b9b8-4515-a69c-e375d7156c86} - %profile%\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
    FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    user_pref(security.warn_viewing_mixed,false);
    user_pref(security.warn_viewing_mixed.show_once,false);
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    user_pref(security.warn_submit_insecure,false);
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    ------- File Associations -------
    .
    exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Steam - i:\steam\Steam.exe
    HKCU-Run-Dloqa - c:\windows\TDPLAP.dll
    HKCU-Run-4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI - c:\recycle.bin\Recycle.Bin.exe
    HKLM-Run-QuickTime Task - i:\quicktime\QTTask.exe
    HKLM-Run-Ywokaqe - c:\windows\iyocusura.dll
    Notify-itlntfy - itlnfw32.dll
    AddRemove-Champions Online - f:\cryptic studios\Uninstall Champions Online.exe
    AddRemove-Guild Wars - i:\guild wars\Gw.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    AddRemove-Shin Megami Tensei: Imagine Online - f:\aeriagames\MegaTen\Uninst.exe
    AddRemove-Steam App 7650 - i:\steam\steam.exe
    AddRemove-Steam App 7660 - i:\steam\steam.exe
    AddRemove-Steam App 7730 - i:\steam\steam.exe
    AddRemove-Steam App 7760 - i:\steam\steam.exe
    AddRemove-Steam App 7770 - i:\steam\steam.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - i:\ea games\The Sims 2 Deluxe\EAUninstall.exe
    AddRemove-The Twilight Zone - i:\the twilight zone\Uninstal.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2011-05-11 16:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(716)
    c:\windows\system32\xtgina.dll
    c:\windows\system32\WINSCARD.DLL
    .
    - - - - - - - > 'explorer.exe'(2744)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-11 16:51:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-11 20:51
    ComboFix2.txt 2010-08-06 23:36
    .
    Pre-Run: 14,587,121,664 bytes free
    Post-Run: 16,250,331,136 bytes free
    .
    - - End Of File - - 602E313A295602BB876EC9FBEA0F1416

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 9:28 pm

    Hello.
    2 things to do here.

    Please download exeHelper from one of the two links.
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    • Double-click on exeHelper.com or exeHelper.scr to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Next,

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:
      Code:

      File::
      c:\windows\system32\msywgahg.exe
      c:\windows\Ffavunoli.bin

      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      "itlsvc"=-
    4. Save this as CFScript.txt, in the same location as ComboFix.exe



    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by fairydraik on Wed May 11, 2011 10:15 pm

    The exeHelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 18:14:21 on 05/11/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    fairydraik
    Intermediate
    Intermediate

    Status :
    Online
    Offline

    Posts : 194
    Joined : 2009-10-31
    Gender : Female
    OS : Windows XP

    View user profile

    Back to top Go down

    Re: BOO/TDSS.M

    Post by Belahzur on Wed May 11, 2011 10:34 pm

    Standing by for Combofix log.


    [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


    Belahzur
    Administrator
    Administrator

    Status :
    Online
    Offline

    Posts : 34916
    Joined : 2008-08-03
    Gender : Male
    OS : XP SP3 Media Centre

    View user profile

    Back to top Go down

    Page 1 of 2 1, 2  Next

    View previous topic View next topic Back to top


     
    Permissions in this forum:
    You cannot reply to topics in this forum