BOO/TDSS.M


Re: BOO/TDSS.M

Post by Belahzur on Tue May 10, 2011 11:34 pm

Yeah that helps.

Can you back up any data you don't want to lose? This infection isn't nice, and fixing it is known to cause the machine to become unusable.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: BOO/TDSS.M

Post by fairydraik on Tue May 10, 2011 11:35 pm

Hmmmm. So, in other words, do not attempt without a Windows disk?

Edit: And, I don't really know how to go about backing up everything; everything I do is on that computer. I have some 1TB hard drives....

Edit2: If I had to reinstall Windows, would my data still be there, except Windows? I don't really know anything about that kind of thing...

fairydraik
Intermediate
Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

Re: BOO/TDSS.M

Post by Belahzur on Tue May 10, 2011 11:41 pm

You could slave the HDD from the infected machine into another machine, or use a bootable CD with GUI like OTLPE if you can get that working.

It's just that our tools can't always catch this, and the only other option is the Recovery Console, but that will restore the standard MBR; if you use a custom MBR (OEM with recovery) then it causes the machine to become unbootable. It's a lose-lose situation.



Re: BOO/TDSS.M

Post by fairydraik on Tue May 10, 2011 11:46 pm

Slave? What does that mean?

And how likely is it that my computer uses a custom MBR?

And I suppose I could try to use OTLPE again, JIC.

And... like I asked earlier, if my Windows becomes inoperable, is it possible for me to get my data (like files, etc.) back? (I'm sorry I'm asking so many questions. I just don't feel comfortable starting something risky without knowing about all the possible outcomes.)


Re: BOO/TDSS.M

Post by Belahzur on Tue May 10, 2011 11:53 pm

Slave? What does that mean?

At the back of every HDD is a little jumper; it sets the drive as master or slave. Right now yours will be set as master; switching it to slave makes it secondary to the primary HDD in another machine.

It's not likely, being XP, but I can't be 100% certain.

It's possible if something bad does happen; that's why I recommend OTLPE. I've used it myself for my own machine a few months back.



Re: BOO/TDSS.M

Post by fairydraik on Tue May 10, 2011 11:53 pm

Alright. And if I had the Windows disk it would be easier, right?

Edit: Mom says to tell you that it is a Dell computer, and that that makes a difference.


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 12:02 am

Actually, since you've already got the RC, you don't need the Windows disc really; you only need that if we're gonna format.

Please reboot your machine.

As it is rebooting, you will notice an extra menu, and an extra option for the Microsoft Windows Recovery Console.

Please select that option to boot the RC. Windows will boot to a text-based screen and ask you to select the installation to log into; please choose the correct one, usually option 1, and press Enter.

In there, type in the following commands, one line at a time.


fixmbr
exit

After the copy command, you may be prompted with a yes/no to confirm the copy, type in "y" to confirm it.

After that, boot back to normal mode and re-run aswmbr, then post the new log.


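The two posts above describe what fixmbr does (rewrite the boot code to the standard one while leaving the partition table alone) and why that can break an OEM machine that ships its own MBR. The following Python is an added example, not code from the thread, from aswMBR or from the Recovery Console: it parses a 512-byte MBR, flags boot code whose hash differs from a baseline (the style of check an anti-rootkit tool uses to spot a TDL4-style MBR infection), and shows the effect of a fixmbr-style rewrite. The STANDARD_BOOT_CODE bytes, the sample disks and the partition type ids are constructed for the demo; they are not the real Windows XP boot code.

```python
"""Parse an MBR sector, flag non-stock boot code, and show what a fixmbr-style
rewrite does. Added example; not code from the thread, aswMBR or the Recovery Console."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Constructed stand-in for the stock boot code (NOT the real Windows XP bytes).
# The check compares hashes, so any fixed reference works for the demo.
STANDARD_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
STANDARD_HASH = hashlib.sha256(STANDARD_BOOT_CODE).hexdigest()


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    if len(boot_code) != BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("bad boot code length or too many partitions")
    table = b"".join(
        # status, CHS start (left zero), type, CHS end (left zero), LBA start, sector count
        struct.pack("<B3xB3xII", 0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
        for p in partitions
    )
    return boot_code + table.ljust(64, b"\x00") + SIGNATURE


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Read the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if type_id:
            parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str = STANDARD_HASH) -> dict:
    """Report whether the sector is well formed and whether its boot code differs
    from the baseline. A mismatch means 'not the stock loader', which covers both a
    bootkit and a legitimate OEM recovery MBR, so it is a lead, not a verdict."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        return {"valid": False, "boot_code_modified": None, "active_count": 0, "partitions": []}
    parts = parse_partitions(mbr)
    return {
        "valid": True,
        "boot_code_modified": boot_code_hash(mbr) != baseline_hash,
        "active_count": sum(1 for p in parts if p.bootable),
        "partitions": parts,
    }


def fixmbr(mbr: bytes, standard_code: bytes = STANDARD_BOOT_CODE) -> bytes:
    """What a fixmbr-style repair does: overwrite the boot code only and keep the
    partition table and signature. Whatever loader was there, OEM or bootkit, is gone."""
    return standard_code + mbr[PART_TABLE_OFF:MBR_SIZE]


if __name__ == "__main__":
    # Constructed sample disks for the demo.
    clean = build_mbr(STANDARD_BOOT_CODE, [Partition(True, 0x07, 63, 2_000_000)])
    # A bootkit swaps in its own loader but leaves the table alone, so Windows still boots.
    infected = b"\xEB\x20" + b"\xCC" * (BOOT_CODE_LEN - 2) + clean[PART_TABLE_OFF:]
    # An OEM machine: custom boot code plus a hidden utility partition (type id chosen for illustration).
    oem = build_mbr(b"\xFA" * BOOT_CODE_LEN, [Partition(False, 0xDE, 63, 100_000),
                                              Partition(True, 0x07, 100_063, 2_000_000)])
    for name, disk in [("clean", clean), ("infected", infected), ("oem", oem)]:
        print(f"{name:9s} boot code modified: {check_mbr(disk)['boot_code_modified']}")
    print(f"repaired  boot code modified: {check_mbr(fixmbr(infected))['boot_code_modified']}")
```

The OEM disk trips the same "modified" flag as the infected one: a hash mismatch tells you the loader is not the stock one, not which non-stock loader it is, which is exactly why Belahzur cannot promise fixmbr is safe on a Dell with a recovery MBR. On a real machine the 512 bytes should be read from the raw device (\\.\PhysicalDrive0 on Windows) from a clean boot environment such as OTLPE, since TDL4 is known to hook the disk driver and return a clean-looking MBR to reads made on the infected system.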

Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 12:05 am

Okay, so I'm guessing this is where we cross our fingers and pray, right? Alright, lemme copy most of my My Documents folder onto my 1TB, just in case.


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 12:42 am

Yep, this is the fix.

Being XP I doubt anything bad will happen, but no promises.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 12:44 am

Right. Well, I'm copying all of my stuff onto my 1TB, and according to my comp (when it can even make up its mind about the time) it's going to take over two hours. *sigh* Luckily, I have a field trip tomorrow, which means I get to skip my first class of the day, so I can stay up late babysitting it.


Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 1:31 am

....that's weird. When I booted Recovery Console, it said, "NTLDR is compressed
Press CTRL+ALT+DEL to restart"


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 2:27 pm

Hmm.
Do you think you can get this to run the same way you did with aswmbr?

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.

  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 6:29 pm

Probably, lemme try it.

Edit: What's the exact location of the log it'll create? So I can put it on the flash.

Edit2: I don't know what happened, but ever since I was able to run aswMBR, my computer has been a lot more responsive....


Last edited by fairydraik on Wed May 11, 2011 6:41 pm; edited 1 time in total


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 6:39 pm

Note: It will also create a log in the C:\ directory.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 6:42 pm

It says it wants me to select actions for found objects, should I just continue with the default selections?

And oops, didn't see that -_-;;;

Edit: I just continued with the default settings, and it asked me to reboot to complete the cure. The scan didn't seem to take very long... let's see what it says after restarting.


Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 6:56 pm

This is the log after I chose to go with the default settings, it looks like it did skip one item, and after reboot, the virus still appeared to be active. Should I run the tool again, this time not skipping any items?

2011/05/11 14:40:34.0734 3916 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0125 3916 SystemInfo:
2011/05/11 14:40:35.0125 3916
2011/05/11 14:40:35.0125 3916 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/11 14:40:35.0125 3916 Product type: Workstation
2011/05/11 14:40:35.0125 3916 ComputerName: D94LZ971
2011/05/11 14:40:35.0125 3916 UserName: Miranda Rian
2011/05/11 14:40:35.0125 3916 Windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 System windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 Processor architecture: Intel x86
2011/05/11 14:40:35.0125 3916 Number of processors: 1
2011/05/11 14:40:35.0125 3916 Page size: 0x1000
2011/05/11 14:40:35.0125 3916 Boot type: Normal boot
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0812 3916 Initialize success
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:39.0125 4032 Scan started
2011/05/11 14:40:39.0125 4032 Mode: Manual;
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:40.0671 4032 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/05/11 14:40:41.0015 4032 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/11 14:40:41.0078 4032 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/11 14:40:41.0125 4032 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/05/11 14:40:41.0187 4032 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/11 14:40:41.0250 4032 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/11 14:40:41.0312 4032 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/11 14:40:41.0343 4032 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/05/11 14:40:41.0375 4032 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/05/11 14:40:41.0406 4032 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/05/11 14:40:41.0437 4032 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/05/11 14:40:41.0484 4032 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/05/11 14:40:41.0515 4032 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/05/11 14:40:41.0546 4032 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/05/11 14:40:41.0593 4032 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/05/11 14:40:41.0640 4032 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/05/11 14:40:41.0687 4032 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/05/11 14:40:41.0703 4032 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/05/11 14:40:41.0781 4032 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/11 14:40:41.0812 4032 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/11 14:40:41.0921 4032 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/11 14:40:42.0000 4032 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/11 14:40:42.0062 4032 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/11 14:40:42.0140 4032 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/11 14:40:42.0187 4032 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/05/11 14:40:42.0281 4032 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/05/11 14:40:42.0328 4032 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/05/11 14:40:42.0406 4032 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/11 14:40:42.0453 4032 BeTwinKeyboard (48650cdd4b2dab817fef0b39a430e955) C:\WINDOWS\system32\drivers\BeTwinKF.sys
2011/05/11 14:40:42.0531 4032 BeTwinMouse (0a680658860662cc81b7b8ed3d037d4a) C:\WINDOWS\system32\drivers\BeTwinMF.sys
2011/05/11 14:40:42.0609 4032 BeTwinSystem (d6a76e727e395933994ffdd3c85fc7f3) C:\WINDOWS\system32\Drivers\BeTwinSystem.sys
2011/05/11 14:40:42.0671 4032 BeTwinVideo (95ebb2a77b0c6bb9186b56cfc93fe060) C:\WINDOWS\system32\drivers\BeTwinVF.sys
2011/05/11 14:40:42.0828 4032 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/05/11 14:40:42.0859 4032 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/11 14:40:42.0921 4032 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/11 14:40:42.0953 4032 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/05/11 14:40:42.0984 4032 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/11 14:40:43.0031 4032 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/11 14:40:43.0078 4032 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/11 14:40:43.0156 4032 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/05/11 14:40:43.0218 4032 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/05/11 14:40:43.0312 4032 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/05/11 14:40:43.0359 4032 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/05/11 14:40:43.0406 4032 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/05/11 14:40:43.0453 4032 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/11 14:40:43.0531 4032 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/11 14:40:43.0593 4032 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/11 14:40:43.0640 4032 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/11 14:40:43.0703 4032 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/11 14:40:43.0765 4032 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/05/11 14:40:43.0812 4032 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/11 14:40:43.0890 4032 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/11 14:40:44.0000 4032 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/11 14:40:44.0046 4032 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/11 14:40:44.0078 4032 FilterService (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/05/11 14:40:44.0125 4032 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/11 14:40:44.0156 4032 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/11 14:40:44.0218 4032 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/11 14:40:44.0281 4032 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/11 14:40:44.0359 4032 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/11 14:40:44.0421 4032 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/11 14:40:44.0468 4032 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/11 14:40:44.0531 4032 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/05/11 14:40:44.0593 4032 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/11 14:40:44.0656 4032 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/05/11 14:40:44.0703 4032 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/11 14:40:44.0781 4032 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/11 14:40:44.0796 4032 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/05/11 14:40:44.0828 4032 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/11 14:40:44.0875 4032 iaStor (88b1943ecff661f765228099138cf6ab) C:\WINDOWS\system32\drivers\iaStor.sys
2011/05/11 14:40:44.0921 4032 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/11 14:40:44.0968 4032 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/05/11 14:40:45.0046 4032 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/05/11 14:40:45.0109 4032 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/05/11 14:40:45.0156 4032 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/05/11 14:40:45.0187 4032 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/11 14:40:45.0250 4032 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/11 14:40:45.0328 4032 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/11 14:40:45.0375 4032 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/11 14:40:45.0437 4032 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/11 14:40:45.0484 4032 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/11 14:40:45.0562 4032 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/11 14:40:45.0609 4032 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/11 14:40:45.0656 4032 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/11 14:40:45.0718 4032 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/11 14:40:45.0750 4032 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/11 14:40:45.0796 4032 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/11 14:40:45.0859 4032 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/11 14:40:45.0968 4032 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
2011/05/11 14:40:46.0015 4032 LVRS (b6e1ccd6572984adcae68439afd07011) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/05/11 14:40:46.0203 4032 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/05/11 14:40:46.0328 4032 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/11 14:40:46.0359 4032 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/11 14:40:46.0390 4032 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/11 14:40:46.0437 4032 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/05/11 14:40:46.0484 4032 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/11 14:40:46.0515 4032 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/11 14:40:46.0578 4032 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/11 14:40:46.0640 4032 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/05/11 14:40:46.0671 4032 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/11 14:40:46.0734 4032 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/11 14:40:46.0796 4032 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/11 14:40:46.0843 4032 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/11 14:40:46.0906 4032 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/11 14:40:46.0937 4032 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/11 14:40:46.0984 4032 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/11 14:40:47.0031 4032 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/11 14:40:47.0109 4032 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/11 14:40:47.0156 4032 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/11 14:40:47.0218 4032 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/11 14:40:47.0312 4032 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/11 14:40:47.0359 4032 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/11 14:40:47.0421 4032 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/11 14:40:47.0484 4032 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/11 14:40:47.0531 4032 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/11 14:40:47.0593 4032 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/11 14:40:47.0640 4032 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/11 14:40:47.0750 4032 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/11 14:40:47.0859 4032 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
2011/05/11 14:40:48.0046 4032 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/11 14:40:48.0140 4032 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/11 14:40:48.0875 4032 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/11 14:40:49.0265 4032 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/11 14:40:49.0296 4032 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/11 14:40:49.0359 4032 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/05/11 14:40:49.0437 4032 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/05/11 14:40:49.0500 4032 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
2011/05/11 14:40:49.0562 4032 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/11 14:40:49.0609 4032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/11 14:40:49.0656 4032 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/11 14:40:49.0718 4032 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/11 14:40:49.0781 4032 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/11 14:40:49.0843 4032 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/11 14:40:49.0968 4032 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/05/11 14:40:50.0000 4032 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/05/11 14:40:50.0125 4032 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/11 14:40:50.0156 4032 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/11 14:40:50.0218 4032 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/11 14:40:50.0296 4032 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/11 14:40:50.0343 4032 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/05/11 14:40:50.0375 4032 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/05/11 14:40:50.0406 4032 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/05/11 14:40:50.0437 4032 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/05/11 14:40:50.0468 4032 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/05/11 14:40:50.0515 4032 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/11 14:40:50.0578 4032 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/11 14:40:50.0609 4032 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/11 14:40:50.0656 4032 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/11 14:40:50.0703 4032 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/11 14:40:50.0750 4032 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/11 14:40:50.0812 4032 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/11 14:40:50.0875 4032 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/11 14:40:50.0937 4032 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/11 14:40:51.0078 4032 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/11 14:40:51.0171 4032 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/05/11 14:40:51.0234 4032 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/11 14:40:51.0312 4032 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/11 14:40:51.0375 4032 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/11 14:40:51.0468 4032 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/05/11 14:40:51.0515 4032 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/11 14:40:51.0578 4032 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/11 14:40:51.0609 4032 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/05/11 14:40:51.0640 4032 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
2011/05/11 14:40:51.0750 4032 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/11 14:40:51.0812 4032 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/11 14:40:51.0859 4032 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/05/11 14:40:51.0937 4032 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/11 14:40:51.0984 4032 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/11 14:40:52.0015 4032 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/11 14:40:54.0140 4032 \HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 14:40:54.0218 4032 ================================================================================
2011/05/11 14:40:54.0218 4032 Scan finished
2011/05/11 14:40:54.0218 4032 ================================================================================
2011/05/11 14:40:54.0250 4012 Detected object count: 2
2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/05/11 14:48:00.0218 4012 \HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 14:48:00.0218 4012 \HardDisk3 - ok
2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\HardDisk3) - User select action: Cure
2011/05/11 14:48:17.0265 3856 Deinitialize success


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 6:58 pm

Hello.
No, leave TDSSKiller now. The items skipped are legit; it's just that TDSSKiller flags locked files.

That killed the MBR infection. Let's try OTL now.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 7:12 pm

Good news! Now that some of the virus is dead, I can get on GP from my own computer, where I am right now. Those logs are coming.


Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 7:20 pm

Yayyyyyyy~~~ It workeddddddd~~~~~ I just need to copy/paste the logs now. (Please excuse typos, the remaining virus is making the screen type very slow and it's screwing up my typing accuracy.)

OTL logfile created on: 5/11/2011 3:13:44 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Miranda Rian\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.81 Gb Total Space | 13.65 Gb Free Space | 19.28% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 888.73 Gb Free Space | 95.41% Space Free | Partition Type: NTFS
Drive I: | 1.86 Gb Total Space | 1.18 Gb Free Space | 63.23% Space Free | Partition Type: FAT
Drive J: | 74.51 Gb Total Space | 3.32 Gb Free Space | 4.45% Space Free | Partition Type: FAT32

Computer Name: D94LZ971 | User Name: Miranda Rian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
PRC - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msywgahg.exe
PRC - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/22 23:56:40 | 000,687,448 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2011/03/21 17:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/11/04 02:14:38 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/04/01 05:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/21 17:59:00 | 000,143,360 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2004/09/01 03:06:18 | 000,147,456 | ---- | M] (A4Tech Co.,Ltd.) -- C:\Program Files\A4Tech\Mouse\Amoumain.exe


========== Modules (SafeList) ==========

MOD - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\iyocusura.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (npggsvc)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\msywgahg.exe -- (Network Adapter Events)
SRV - [2011/05/02 22:30:25 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\6to4v32.dll -- (6to4)
SRV - [2011/05/02 22:30:07 | 000,215,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\itlpfw32.dll -- (itlperf)
SRV - [2011/05/02 15:36:07 | 003,274,328 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_3f211bc.dll -- (Akamai)
SRV - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/04/01 01:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/06/18 21:59:12 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/02/10 12:42:32 | 000,303,176 | ---- | M] (ThinSoft Pte Ltd.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\BeTwinServiceXP.exe -- (TermService)
SRV - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


========== Driver Services (SafeList) ==========

DRV - [2011/04/01 01:11:10 | 004,333,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech Webcam 500(UVC)
DRV - [2011/04/01 01:09:48 | 000,291,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvrs.sys -- (LVRS)
DRV - [2011/03/19 13:46:03 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
DRV - [2010/11/23 22:11:00 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 16:17:40 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/05/14 18:04:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2010/02/10 12:42:34 | 000,025,656 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\BeTwinVF.sys -- (BeTwinVideo)
DRV - [2010/02/10 12:42:32 | 000,015,040 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BeTwinSystem.sys -- (BeTwinSystem)
DRV - [2010/02/10 12:42:26 | 000,033,336 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINMF.sys -- (BeTwinMouse)
DRV - [2010/02/10 12:42:26 | 000,033,208 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINKF.sys -- (BeTwinKeyboard)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hamachi.sys -- (hamachi)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\winusb.sys -- (winusb)
DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\npptNT2.sys -- (NPPTNT2)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004/08/25 14:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -- (b57w2k)
DRV - [2004/06/15 23:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004/06/09 13:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys -- (P17)
DRV - [2004/03/05 23:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 23:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 23:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2003/09/22 09:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 09:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.9
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.0.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1.2008d

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/11 18:08:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/11 18:09:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0ECA710F-47D0-4675-B53F-35385D5E8880}: C:\Documents and Settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880} [2011/05/02 20:12:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}: C:\Documents and Settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A} [2011/05/04 12:44:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:24:09 | 000,000,000 | ---D | M]

[2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions
[2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions\celtx@celtx.com
[2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions
[2011/03/31 22:36:11 | 000,000,000 | ---D | M] ("Malware Search") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
[2010/06/24 13:48:48 | 000,000,000 | ---D | M] ("Athena") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
[2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2009/12/21 01:47:02 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

Hosts file not found
O2 - BHO: (DivX Plus Web Player HTML5


Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 7:22 pm

The Extras log doesn't appear to have generated. That's just an uninstall list, right?


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 8:12 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 8:59 pm

Here's the ComboFix log. Things seem to be working better now: Firefox recognized the fact that I had no default browser set and allowed me to do something about it. It did pop up with some errors about missing DLL files, but they all had the junk names, so I think they were bad files that CF deleted and the virus was looking for them. After checking the list of running processes, it looks like several virus processes have been killed for good but others have not. Advice on the next step?

ComboFix 11-05-11.01 - Miranda Rian 05/11/2011 16:28:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -4:00]
Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Miranda Rian\Application Data\avdrn.dat
c:\documents and settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll
c:\documents and settings\Miranda Rian\Application Data\Sun\mxd1.txt
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome.manifest
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\_cfg.js
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\overlay.xul
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\install.rdf
c:\documents and settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe
c:\documents and settings\Miranda Rian\WINDOWS
c:\documents and settings\Richard Rian\WINDOWS
C:\Recycle.Bin
c:\recycle.bin\config.bin
c:\recycle.bin\Recycle.Bin.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Glivua.exe
c:\windows\Glivub.exe
c:\windows\iyocusura.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
c:\windows\system32\RGSS104E.dll
c:\windows\system32\RGSS104J.dll
c:\windows\TDPLAP.dll
F:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-07 15:05 . 2011-05-07 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-05-07 14:36 . 2010-02-10 16:42 303176 ----a-w- c:\windows\system32\BeTwinServiceXP.exe
2011-05-07 14:36 . 2010-02-10 16:42 33208 ----a-w- c:\windows\system32\drivers\BETWINKF.sys
2011-05-07 14:36 . 2010-02-10 16:42 81984 ----a-w- c:\windows\system32\BeTwinAudio.dll
2011-05-07 14:36 . 2006-03-17 03:35 249856 ----a-w- c:\windows\system32\SlsApi.dll
2011-05-07 14:36 . 2010-02-10 16:42 15040 ----a-w- c:\windows\system32\drivers\BeTwinSystem.sys
2011-05-07 14:36 . 2010-02-10 16:42 33336 ----a-w- c:\windows\system32\drivers\BETWINMF.sys
2011-05-07 14:36 . 2010-02-10 16:42 25656 ----a-w- c:\windows\system32\drivers\BETWINVF.sys
2011-05-07 14:36 . 2003-06-27 06:08 8704 ----a-w- c:\windows\system32\xtgina.dll
2011-05-07 14:28 . 2011-05-07 14:28 42016 ----a-w- c:\windows\system32\msywgahg.exe
2011-05-04 17:27 . 2011-05-04 17:28 -------- d-----w- c:\documents and settings\Administrator
2011-05-04 16:44 . 2011-05-04 16:44 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}
2011-05-03 00:12 . 2011-05-11 18:40 0 ----a-w- c:\windows\Ffavunoli.bin
2011-04-30 08:51 . 2011-04-30 08:51 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----w- c:\program files\Matroska Pack
2011-04-19 00:35 . 2011-04-19 00:35 -------- d-----w- c:\program files\iPod
2011-04-19 00:34 . 2011-04-19 00:35 -------- d-----w- c:\program files\iTunes
2011-04-19 00:30 . 2011-04-19 00:30 -------- d-----w- c:\program files\Bonjour
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe1_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-13 23:53 . 2011-04-13 23:54 -------- d-----w- c:\program files\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 05:11 . 2009-12-28 16:52 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-04-01 05:10 . 2009-12-28 16:52 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-04-01 05:10 . 2009-12-28 16:52 543328 ----a-w- c:\windows\system32\LVUI2.dll
2011-04-01 05:09 . 2009-12-28 16:52 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-04-01 05:08 . 2011-04-01 05:08 195168 ----a-w- c:\windows\system32\lvci13251014.dll
2011-04-01 05:08 . 2009-12-28 16:52 301664 ----a-w- c:\windows\system32\lvcodec2.dll
2011-04-01 05:07 . 2010-05-14 21:56 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
2011-04-01 05:07 . 2010-05-14 21:56 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-04-01 05:06 . 2010-05-14 21:55 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-04-01 04:56 . 2009-12-28 16:52 39318 ----a-w- c:\windows\system32\Repository.reg
2011-03-23 03:58 . 2011-03-23 03:58 14168 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
2011-03-19 17:46 . 2010-04-10 19:29 137656 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-09 16:11 . 2010-03-09 15:58 939139876 ----a-w- c:\program files\FEZsetup_2010-02-26.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-09-01 147456]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"12933:TCP"= 12933:TCP:BitComet 12933 TCP
"12933:UDP"= 12933:UDP:BitComet 12933 UDP
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
S1 BeTwinSystem;BeTwinSystem;c:\windows\SYSTEM32\DRIVERS\BeTwinSystem.sys [5/7/2011 10:36 AM 15040]
S3 BeTwinKeyboard;BeTwinKeyboard;c:\windows\SYSTEM32\DRIVERS\BETWINKF.sys [5/7/2011 10:36 AM 33208]
S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Athena: {405e2f6c-b9b8-4515-a69c-e375d7156c86} - %profile%\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Steam - i:\steam\Steam.exe
HKCU-Run-Dloqa - c:\windows\TDPLAP.dll
HKCU-Run-4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI - c:\recycle.bin\Recycle.Bin.exe
HKLM-Run-QuickTime Task - i:\quicktime\QTTask.exe
HKLM-Run-Ywokaqe - c:\windows\iyocusura.dll
Notify-itlntfy - itlnfw32.dll
AddRemove-Champions Online - f:\cryptic studios\Uninstall Champions Online.exe
AddRemove-Guild Wars - i:\guild wars\Gw.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Shin Megami Tensei: Imagine Online - f:\aeriagames\MegaTen\Uninst.exe
AddRemove-Steam App 7650 - i:\steam\steam.exe
AddRemove-Steam App 7660 - i:\steam\steam.exe
AddRemove-Steam App 7730 - i:\steam\steam.exe
AddRemove-Steam App 7760 - i:\steam\steam.exe
AddRemove-Steam App 7770 - i:\steam\steam.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - i:\ea games\The Sims 2 Deluxe\EAUninstall.exe
AddRemove-The Twilight Zone - i:\the twilight zone\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-11 16:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\xtgina.dll
c:\windows\system32\WINSCARD.DLL
.
- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-05-11 16:51:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 20:51
ComboFix2.txt 2010-08-06 23:36
.
Pre-Run: 14,587,121,664 bytes free
Post-Run: 16,250,331,136 bytes free
.
- - End Of File - - 602E313A295602BB876EC9FBEA0F1416

fairydraik
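The ComboFix log above is read by eye for a handful of indicators: the Security Center override values, the XP firewall profile, the svchost service groups that ComboFix chose to show (it hides the default ones), the .exe file association, and services whose image file was created inside the infection window. The script below is an added example in Python, not a tool from this thread or from ComboFix, that performs those same checks over a constructed excerpt of the log. The 14-day window and the stock exefile command (`"%1" %*`) are assumptions; the service and registry lines are copied from the log on this page.

```python
"""Triage indicators from a ComboFix-style log.

Added example; not a tool from the thread. It re-implements, as code, the
checks the helper performs by eye on the log above: Security Center override
flags, the XP firewall profile, the svchost service groups, the .exe file
association, and services whose image is newer than the infection window.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
itlsvc REG_MULTI_SZ itlperf
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
.
"""

SCAN_DATE = datetime(2011, 5, 11)   # "Rootkit scan 2011-05-11" in the log
DEFAULT_EXEFILE = '"%1" %*'         # assumed stock XP exefile\shell\open\command

# "<start> <name>;<display>;<image> [<m/d/yyyy h:mm AM/PM> <size>]" or "... [?]"
SERVICE_RE = re.compile(
    r'^([RS][0-4]) ([^;]+);([^;]*);(.+?)'
    r'(?: \[(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (\d+)\]| \[\?\])$'
)


def _sections(log):
    """Yield (current [registry key] in lower case or None, stripped line)."""
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            continue
        yield key, line


def security_center_overrides(log):
    """Override values set to 1 silence the 'no antivirus / no firewall' warning."""
    hits = []
    for key, line in _sections(log):
        if key and key.endswith(r"\security center]"):
            m = re.match(r'"(\w+Override)"=dword:0*1$', line)
            if m:
                hits.append(m.group(1))
    return hits


def firewall_disabled(log):
    """True when the standard profile has EnableFirewall = 0."""
    for key, line in _sections(log):
        if key and key.endswith(r"\firewallpolicy\standardprofile]"):
            if re.match(r'"EnableFirewall"=\s*0\b', line):
                return True
    return False


def svchost_groups(log):
    """svchost groups listed by ComboFix; defaults are hidden, so review all of them."""
    groups = {}
    for key, line in _sections(log):
        if key and key.endswith(r"\currentversion\svchost]"):
            m = re.match(r"^(\S+) REG_MULTI_SZ (.+)$", line)
            if m:
                groups[m.group(1)] = m.group(2).split()
    return groups


def exefile_hijack(log):
    """Return the non-default exefile command, or None if it is the stock one."""
    for _, line in _sections(log):
        if line.startswith("exefile="):
            value = line[len("exefile="):]
            return None if value == DEFAULT_EXEFILE else value
    return None


def services(log):
    """Parse the R*/S* service lines into dicts (created is None for '[?]' entries)."""
    out = []
    for _, line in _sections(log):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, display, image, stamp, size = m.groups()
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M %p") if stamp else None
        out.append({"start": start, "name": name, "display": display,
                    "image": image, "created": when,
                    "size": int(size) if size else None})
    return out


def recent_services(log, scan_date=SCAN_DATE, days=14):
    """Names of services whose image is newer than `days` before the scan."""
    cutoff = scan_date - timedelta(days=days)
    return [s["name"] for s in services(log)
            if s["created"] is not None and s["created"] >= cutoff]


def triage(log, scan_date=SCAN_DATE):
    """Collect (category, detail) findings in the order a reviewer would read them."""
    findings = []
    for flag in security_center_overrides(log):
        findings.append(("security-center", f"{flag}=1 suppresses the Security Center warning"))
    if firewall_disabled(log):
        findings.append(("firewall", "EnableFirewall=0 in the standard profile"))
    hijack = exefile_hijack(log)
    if hijack:
        findings.append(("exefile", f"every .exe launches through {hijack}"))
    for group, svcs in svchost_groups(log).items():
        findings.append(("svchost-group", f"{group} -> {' '.join(svcs)}"))
    for name in recent_services(log, scan_date):
        findings.append(("recent-service", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

The recent-service check deliberately reports every service created in the window, so the BeTwin drivers installed on 5/7 show up next to the "Network Adapter Events" entry; the point is to shorten the list a reviewer has to look at, not to decide for them. The exefile finding is the one that explains the behaviour seen earlier in the thread, since a hijacked association runs the listed file before any .exe the user launches.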

Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 9:28 pm

Hello.
2 things to do here.

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\windows\system32\msywgahg.exe
    c:\windows\Ffavunoli.bin

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "itlsvc"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 10:15 pm

The exeHelper log:

exeHelper by Raktor
Build 20100414
Run at 18:14:21 on 05/11/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 10:34 pm

Standing by for Combofix log.



Re: BOO/TDSS.M

Post by fairydraik on Wed May 11, 2011 10:48 pm

Looks like things went well! The process that kept popping back that was also named in the CFscript is gone for good, now, as well as some of the others. Firefox still doesn't detect itself as my default browser, and some of the weird virus processes were still running. Additionally, I'm still getting the weird popup whenever I go into task manager like an older version of XP (I get the same thing on the comps at my school) and the shutdown menu is still the old shutdown menu. It's also now re-detecting the Windows Updates.

Edit: AND Avira is no longer popping up with a billion virus notifications, even though it came on when CF rebooted the computer.

ComboFix 11-05-11.01 - Miranda Rian 05/11/2011 18:22:25.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1571 [GMT -4]
Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Miranda Rian\Desktop\CFscript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\Ffavunoli.bin"
"c:\windows\system32\msywgahg.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}
c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}\chrome.manifest
c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}\chrome\content\_cfg.js
c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}\chrome\content\overlay.xul
c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}\install.rdf
c:\windows\Ffavunoli.bin
c:\windows\system32\msywgahg.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Network_Adapter_Events
-------\Service_Network Adapter Events
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-07 15:05 . 2011-05-07 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-05-07 14:36 . 2010-02-10 16:42 303176 ----a-w- c:\windows\system32\BeTwinServiceXP.exe
2011-05-07 14:36 . 2010-02-10 16:42 33208 ----a-w- c:\windows\system32\drivers\BETWINKF.sys
2011-05-07 14:36 . 2010-02-10 16:42 81984 ----a-w- c:\windows\system32\BeTwinAudio.dll
2011-05-07 14:36 . 2006-03-17 03:35 249856 ----a-w- c:\windows\system32\SlsApi.dll
2011-05-07 14:36 . 2010-02-10 16:42 15040 ----a-w- c:\windows\system32\drivers\BeTwinSystem.sys
2011-05-07 14:36 . 2010-02-10 16:42 33336 ----a-w- c:\windows\system32\drivers\BETWINMF.sys
2011-05-07 14:36 . 2010-02-10 16:42 25656 ----a-w- c:\windows\system32\drivers\BETWINVF.sys
2011-05-07 14:36 . 2003-06-27 06:08 8704 ----a-w- c:\windows\system32\xtgina.dll
2011-05-04 17:27 . 2011-05-04 17:28 -------- d-----w- c:\documents and settings\Administrator
2011-04-30 08:51 . 2011-04-30 08:51 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----w- c:\program files\Matroska Pack
2011-04-19 00:35 . 2011-04-19 00:35 -------- d-----w- c:\program files\iPod
2011-04-19 00:34 . 2011-04-19 00:35 -------- d-----w- c:\program files\iTunes
2011-04-19 00:30 . 2011-04-19 00:30 -------- d-----w- c:\program files\Bonjour
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe1_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-13 23:53 . 2011-04-13 23:54 -------- d-----w- c:\program files\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 05:11 . 2009-12-28 16:52 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-04-01 05:10 . 2009-12-28 16:52 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-04-01 05:10 . 2009-12-28 16:52 543328 ----a-w- c:\windows\system32\LVUI2.dll
2011-04-01 05:09 . 2009-12-28 16:52 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-04-01 05:08 . 2011-04-01 05:08 195168 ----a-w- c:\windows\system32\lvci13251014.dll
2011-04-01 05:08 . 2009-12-28 16:52 301664 ----a-w- c:\windows\system32\lvcodec2.dll
2011-04-01 05:07 . 2010-05-14 21:56 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
2011-04-01 05:07 . 2010-05-14 21:56 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-04-01 05:06 . 2010-05-14 21:55 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-04-01 04:56 . 2009-12-28 16:52 39318 ----a-w- c:\windows\system32\Repository.reg
2011-03-23 03:58 . 2011-03-23 03:58 14168 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
2011-03-19 17:46 . 2010-04-10 19:29 137656 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-09 16:11 . 2010-03-09 15:58 939139876 ----a-w- c:\program files\FEZsetup_2010-02-26.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-09-01 147456]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"12933:TCP"= 12933:TCP:BitComet 12933 TCP
"12933:UDP"= 12933:UDP:BitComet 12933 UDP
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
S1 BeTwinSystem;BeTwinSystem;c:\windows\SYSTEM32\DRIVERS\BeTwinSystem.sys [5/7/2011 10:36 AM 15040]
S3 BeTwinKeyboard;BeTwinKeyboard;c:\windows\SYSTEM32\DRIVERS\BETWINKF.sys [5/7/2011 10:36 AM 33208]
S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Athena: {405e2f6c-b9b8-4515-a69c-e375d7156c86} - %profile%\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-11 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\xtgina.dll
c:\windows\system32\WINSCARD.DLL
.
- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-05-11 18:41:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 22:41
ComboFix2.txt 2011-05-11 20:51
ComboFix3.txt 2010-08-06 23:36
.
Pre-Run: 16,238,682,112 bytes free
Post-Run: 16,246,935,552 bytes free
.
- - End Of File - - B2DB1E34A92746580085EA38888686AA


Re: BOO/TDSS.M

Post by Belahzur on Wed May 11, 2011 10:56 pm

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: BOO/TDSS.M

Post by fairydraik on Thu May 12, 2011 12:19 am

The ESET is still scanning, but I was looking at one of my 1TB drives and I found two folders that weren't there before, and that for some reason all the hidden files and folders were viewable. I hid them again, but the folders I hadn't seen before were still there; "Autorun" with a hidden file that looked like it was from the maker of my drive, and RECYCLER which had a recycle bin and a lot of folders with long names, all hidden. Just in the main thing, there was a hidden folder called "System Volume Information". Are any of these significant?


Re: BOO/TDSS.M

Post by fairydraik on Thu May 12, 2011 1:08 am

Alright. There was an option to delete quarantined files, but I didn't know if you wanted me to do that or not. Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4e4f00c2723e7e478cda74894cc30a30
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-12 01:05:55
# local_time=2011-05-11 09:05:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 93 0 41563877 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=139255
# found=5
# cleaned=5
# scan_time=5580
C:\Qoobox\Quarantine\C\WINDOWS\iyocusura.dll.vir a variant of Win32/Kryptik.NKL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\TDPLAP.dll.vir a variant of Win32/Kryptik.NIA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005245.dll a variant of Win32/Kryptik.NKL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005251.dll a variant of Win32/Kryptik.NIA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\SYSTEM32\xtgina.dll Win32/RDPdoor.AA trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

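Of the five ESET detections above, two are files ComboFix had already moved into its quarantine folder (C:\Qoobox), two are copies inside System Restore points, and only one, xtgina.dll in system32, was still on the live system; that is the file the helper says ESET caught and ComboFix did not. The parser below is an added example in Python, not part of this thread or of ESET's tooling, that reads the `# key=value` header and the detection lines and sorts hits by where they live. The sample is constructed from the log posted above; the location rules (Qoobox, `_restore` folders) are assumptions based on the paths in that log.

```python
"""Parse an ESET Online Scanner log and sort its detections by location.

Added example, not part of the thread or of ESET's tooling. Detection lines
look like:  <path> <detection name> (<action>) <hash> <flag>
The path and the detection name both contain spaces, so the path is taken to
end at the first "<name>.<ext> " boundary, and the action is matched greedily
because it may itself contain parentheses ("(after the next restart)").
"""
import re

# Constructed from the ESET log posted above; a few header lines were kept.
SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# antistealth_checked=true
# scanned=139255
# found=5
# cleaned=5
# scan_time=5580
C:\Qoobox\Quarantine\C\WINDOWS\iyocusura.dll.vir a variant of Win32/Kryptik.NKL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\TDPLAP.dll.vir a variant of Win32/Kryptik.NIA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005245.dll a variant of Win32/Kryptik.NKL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005251.dll a variant of Win32/Kryptik.NIA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\SYSTEM32\xtgina.dll Win32/RDPdoor.AA trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
"""

DETECTION_RE = re.compile(
    r"^(?P<path>.*?\.\w+) (?P<name>.+?) \((?P<action>.+)\) "
    r"(?P<hash>[0-9A-Fa-f]+) (?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Return (meta dict from '# k=v' lines, list of detection dicts)."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            k, _, v = line[2:].partition("=")
            meta[k] = v
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            # ESET defers deletion of in-use files until the next boot.
            d["needs_restart"] = "after the next restart" in d["action"]
            detections.append(d)
    return meta, detections


def location(path):
    """Classify a detection path (rules assumed from the paths in this log)."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix-quarantine"
    if r"\system volume information\_restore" in p:
        return "restore-point"
    return "live"


def summarize(text):
    """Counts by location plus the paths that were live or still await a reboot."""
    meta, detections = parse_eset_log(text)
    by_loc = {}
    for d in detections:
        by_loc.setdefault(location(d["path"]), []).append(d)
    return {
        "found": int(meta.get("found", 0)),
        "cleaned": int(meta.get("cleaned", 0)),
        "parsed": len(detections),
        "counts": {k: len(v) for k, v in by_loc.items()},
        "live": [d["path"] for d in by_loc.get("live", [])],
        "pending_restart": [d["path"] for d in detections if d["needs_restart"]],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ESET_LOG)
    print(f"found={s['found']} cleaned={s['cleaned']} parsed={s['parsed']}")
    print("by location:", s["counts"])
    print("live-system hits:", s["live"])
    print("deleted at next restart:", s["pending_restart"])
```

The `parsed` count is compared with the `found`/`cleaned` header values so a truncated paste shows up immediately, and the `pending_restart` list is the reason a reboot belongs at the end of this step: until then xtgina.dll is still on disk, and it was loaded in winlogon.exe in both ComboFix logs.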

Re: BOO/TDSS.M

Post by Belahzur on Thu May 12, 2011 9:10 am

Hmm, things should be running a little better now, ESET found a file I didn't catch.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Re: BOO/TDSS.M

Post by fairydraik on Fri May 13, 2011 12:32 am

Hey there. I did want to warn you beforehand that I do have uTorrent.

I know you discourage the use of uTorrent and other P2P software; I've seen the warning and I know the risks, so, yeah. I might remove it after this, or I might not. I don't know.

However, if there's any other recommendations you have for streamlining these programs, or if there's any potential spyware or whatever on here, please let me know.

Also, all my symptoms seem to be pretty much gone, but I don't know if the virus is completely gone. Is there anything to make sure it's not lurking on one of my drives waiting to take back over?

Also, because Mom asked, Akamai is part of one of my MMOs.

µTorrent
7-Zip 4.65
A4Tech iWheelWorks 7.64
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
Akamai NetSession Interface
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Best Buy Digital Music Store
Blaine's Custom Blends (Translucency and Compositing)
Blaine's Custom Speed Effects
Blender (remove only)
Bonjour
CameraHelperMsi
Celtx (2.9)
Chuzzle Deluxe
Clouded Horizons Character Creation Utility
Combined Community Codec Pack 2010-10-10
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
Diamond Mine Deluxe 1.81y
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DJ OldGames Package: Dungeon Hack
Dungeon Siege
erLT
ESET Online Scanner v3
GIMP 2.6.11
Haali Media Splitter
Hellfire
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Matrix Storage Manager
Internet Explorer Default Page
iTunes
Java DB 10.4.2.1
Java(TM) 6 Update 17
Java(TM) SE Development Kit 6 Update 17
Jewel Quest - The Sleepless Star
Junk Mail filter update
Logitech Webcam Software
Logitech Webcam Software Driver Package
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Macromedia Flash Player
Malwarebytes' Anti-Malware
Matroska Pack
Matroska Pack - Lazy Man's MKV 0.9.9
Messenger Plus! 5
Messenger Plus! Live
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Word Viewer 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Search Enhancement Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
Microsoft XNA Framework Redistributable 2.0
Mozilla Firefox (3.6.17)
MSVCRT
MSXML 4.0
MSXML 4.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nancy Drew: Treasure in the Royal Tower
Nethergate
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Police Quest Collection
PowerDVD 5.3
Project64 1.6
Python 2.6.6
QuickTime
RadLight Ogg Media DirectShow filter (remove only)
RGSS-RTP Standard
Rhapsody
Rhapsody Player Engine
RPG Maker VX RTP
RPG Maker XP
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Sierra Utilities
Skype Toolbars
Skype™ 5.1
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live! 24-bit
Space Quest Collection
Steam
StepMania (remove only)
Tetris Worlds
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Vegas Movie Studio HD Platinum 10.0
WildTangent Games
Winamp
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger

fairydraik
Intermediate
Posts : 194
Joined : 2009-10-31
Gender : Female
OS : Windows XP

Re: BOO/TDSS.M

Post by fairydraik on Fri May 13, 2011 11:03 am

Avira popped up with a notification, a junk .dll in "System Volume Information"?

Edit: I had Avira scan while I was at school; it popped up with a shit ton of stuff that it quarantined. I deleted everything, but I wonder if my computer is really as clean as it appears to be?


Re: BOO/TDSS.M

Post by Belahzur on Fri May 13, 2011 8:40 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9.4.4
    Java(TM) 6 Update 17
    Java(TM) SE Development Kit 6 Update 17

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.]

How is the machine running now?



Re: BOO/TDSS.M

Post by fairydraik on Sat May 14, 2011 1:57 am

Gotta go and actually install the Java update, but everything seems okay. Other than that one mass find/deletion, Avira hasn't popped up with any real notices or anything; still, that one thing spooked me. Is there anything we can do to be sure that it's completely, completely gone?


Re: BOO/TDSS.M

Post by fairydraik on Sat May 14, 2011 1:58 am

If it helps, here is the log from that run.

Avira AntiVir Personal
Report file date: Friday, May 13, 2011 12:00

Scanning for 2725385 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : D94LZ971

Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/29/2011 20:19:59
AVSCAN.DLL : 10.0.3.0 46440 Bytes 5/2/2010 21:26:51
LUKE.DLL : 10.0.3.2 104296 Bytes 12/17/2010 17:35:56
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 17:35:53
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 02:42:36
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 06:29:58
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 06:29:58
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 06:29:58
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 06:29:59
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 06:29:59
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 06:29:59
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 06:29:59
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 06:29:59
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 06:29:59
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 06:29:59
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 20:48:35
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 13:24:14
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 13:24:18
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 23:05:57
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 17:56:27
VBASE018.VDF : 7.11.6.237 156160 Bytes 4/22/2011 17:56:28
VBASE019.VDF : 7.11.7.45 427520 Bytes 4/27/2011 20:19:59
VBASE020.VDF : 7.11.7.64 192000 Bytes 4/28/2011 20:19:59
VBASE021.VDF : 7.11.7.97 182272 Bytes 5/2/2011 00:45:52
VBASE022.VDF : 7.11.7.127 467968 Bytes 5/4/2011 14:30:00
VBASE023.VDF : 7.11.7.183 185856 Bytes 5/9/2011 22:08:07
VBASE024.VDF : 7.11.7.218 133120 Bytes 5/11/2011 00:19:08
VBASE025.VDF : 7.11.7.234 139776 Bytes 5/11/2011 00:19:13
VBASE026.VDF : 7.11.7.235 2048 Bytes 5/11/2011 00:19:13
VBASE027.VDF : 7.11.7.236 2048 Bytes 5/11/2011 00:19:13
VBASE028.VDF : 7.11.7.237 2048 Bytes 5/11/2011 00:19:14
VBASE029.VDF : 7.11.7.238 2048 Bytes 5/11/2011 00:19:14
VBASE030.VDF : 7.11.7.239 2048 Bytes 5/11/2011 00:19:14
VBASE031.VDF : 7.11.7.254 68608 Bytes 5/12/2011 00:19:17
Engineversion : 8.2.4.228
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/29/2010 18:18:59
AESCRIPT.DLL : 8.1.3.61 1253754 Bytes 5/7/2011 14:30:40
AESCN.DLL : 8.1.7.2 127349 Bytes 11/24/2010 02:10:37
AESBX.DLL : 8.1.3.2 254324 Bytes 11/24/2010 02:10:55
AERDL.DLL : 8.1.9.9 639347 Bytes 3/26/2011 06:05:57
AEPACK.DLL : 8.2.6.0 549237 Bytes 4/9/2011 06:30:09
AEOFFICE.DLL : 8.1.1.22 205178 Bytes 5/7/2011 14:30:34
AEHEUR.DLL : 8.1.2.113 3494263 Bytes 5/7/2011 14:30:31
AEHELP.DLL : 8.1.16.1 246134 Bytes 2/5/2011 17:20:51
AEGEN.DLL : 8.1.5.4 397684 Bytes 4/4/2011 20:14:53
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/24/2010 02:09:34
AECORE.DLL : 8.1.20.2 196982 Bytes 4/9/2011 06:30:03
AEBB.DLL : 8.1.1.0 53618 Bytes 5/2/2010 21:26:50
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.9 174120 Bytes 4/29/2011 20:20:00
AVREG.DLL : 10.0.3.2 53096 Bytes 11/4/2010 06:14:38
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/29/2011 20:19:59
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/17/2010 17:35:55
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 11/4/2010 06:14:36

Configuration settings for the scan:
Jobname.............................: Local Hard Disks
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldiscs.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:, I:, J:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, May 13, 2011 12:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'YAHOOM~1.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'COCIManager.exe' - '1' Module(s) have been scanned
Scan process 'CameraHelperShell.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'DTLite.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'DivXUpdate.exe' - '1' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned
Scan process 'LWS.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Amoumain.exe' - '1' Module(s) have been scanned
Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned
Scan process 'Iaanotif.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'Iaantmon.exe' - '1' Module(s) have been scanned
Scan process 'CTsvcCDA.EXE' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'UMVPFSrv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'I:\'
[INFO] No virus was found!
Boot sector 'J:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1824' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\7e479456-392c61ab
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.KA Java virus
--> netbeans/PHP.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.KA Java virus
--> plugin/Commander.class
[DETECTION] Contains recognition pattern of the JAVA/Pesc.K Java virus
--> plugin/Console.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.BQ Java virus
--> plugin/Syntax.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.BS Java virus
C:\Qoobox\Quarantine\C\Documents and Settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll.vir
[DETECTION] Is the TR/Drop.FrauDrop.xxux.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe.vir
[DETECTION] Is the TR/Dldr.Bredolab.AC.3 Trojan
C:\Qoobox\Quarantine\C\Recycle.Bin\Recycle.Bin.exe.vir
[DETECTION] Is the TR/Spy.SpyEyes.gzh.1 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\Glivua.exe.vir
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\Glivub.exe.vir
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\itlnfw32.dll.vir
[DETECTION] Is the TR/Sasfis.2.3 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\itlpfw32.dll.vir
[DETECTION] Is the TR/Agent.Delf.RQO.13 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msywgahg.exe.vir
[DETECTION] Is the TR/Antavmu.lfu Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005242.exe
[DETECTION] Is the TR/Spy.SpyEyes.gzh.1 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005243.exe
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005244.exe
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005246.dll
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005247.dll
[DETECTION] Is the TR/Sasfis.2.3 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005248.dll
[DETECTION] Is the TR/Agent.Delf.RQO.13 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005442.exe
[DETECTION] Is the TR/Antavmu.lfu Trojan
Begin scan in 'F:\'
Begin scan in 'I:\'
Begin scan in 'J:\'

Beginning disinfection:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005442.exe
[DETECTION] Is the TR/Antavmu.lfu Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e54259a.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005248.dll
[DETECTION] Is the TR/Agent.Delf.RQO.13 Trojan
[NOTE] The file was moved to the quarantine directory under the name '56c30a3d.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005247.dll
[DETECTION] Is the TR/Sasfis.2.3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '049c50d5.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005246.dll
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
[NOTE] The file was moved to the quarantine directory under the name '62ab1f17.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005244.exe
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
[NOTE] The file was moved to the quarantine directory under the name '272f3229.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005243.exe
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
[NOTE] The file was moved to the quarantine directory under the name '58340048.qua'.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005242.exe
[DETECTION] Is the TR/Spy.SpyEyes.gzh.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '148c2c02.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\msywgahg.exe.vir
[DETECTION] Is the TR/Antavmu.lfu Trojan
[NOTE] The file was moved to the quarantine directory under the name '6b2f6c1f.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\itlpfw32.dll.vir
[DETECTION] Is the TR/Agent.Delf.RQO.13 Trojan
[NOTE] The file was moved to the quarantine directory under the name '460a4350.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\itlnfw32.dll.vir
[DETECTION] Is the TR/Sasfis.2.3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f6278ca.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
[NOTE] The file was moved to the quarantine directory under the name '333b54fa.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\Glivub.exe.vir
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
[NOTE] The file was moved to the quarantine directory under the name '42886d67.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\Glivua.exe.vir
[DETECTION] Is the TR/Dldr.Renos.PG.100 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c925da0.qua'.
C:\Qoobox\Quarantine\C\Recycle.Bin\Recycle.Bin.exe.vir
[DETECTION] Is the TR/Spy.SpyEyes.gzh.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '09bd24fb.qua'.
C:\Qoobox\Quarantine\C\Documents and Settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe.vir
[DETECTION] Is the TR/Dldr.Bredolab.AC.3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '00b9205c.qua'.
C:\Qoobox\Quarantine\C\Documents and Settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll.vir
[DETECTION] Is the TR/Drop.FrauDrop.xxux.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '58fb392c.qua'.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\7e479456-392c61ab
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.BS Java virus
[NOTE] The file was moved to the quarantine directory under the name '743240f5.qua'.


End of the scan: Friday, May 13, 2011 15:05
Used time: 1:32:53 Hour(s)

The scan has been done completely.

22489 Scanned directories
562414 Files were scanned
20 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
17 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
562394 Files not concerned
10352 Archives were scanned
0 Warnings
17 Notes



Re: BOO/TDSS.M

Post by Belahzur on Sat May 14, 2011 3:50 pm

Avira only found ComboFix quarantine and Java cache; we'll take care of that and a few other things now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.


To clear your Java Cache:

Click Start > Control Panel.
In the Control Panel, double-click the "Java" icon. The Java Control Panel then appears.
Under the header "Temporary Internet Files", select the "Settings" button.
Don't change any of the settings, then click "Delete Files".

Next, the Delete Temporary Files dialog box appears.
Make sure both boxes are ticked, and hit the OK button.

Everything should be fine now.


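Belahzur's reading of the Avira report above (every hit sat in the ComboFix quarantine folder, a System Restore point or the Java deployment cache, so nothing was running live) is a check that can be scripted. The following is an added example, not a tool from the thread or from Avira: it parses the file-scan section of a report of the format posted above, labels each detection by where the file sits, and lists only the hits on live paths. The location prefixes and label names are my own assumption; the embedded sample report is constructed from a few paths copied from the posted log plus one made-up live-path hit with a placeholder detection name.

```python
"""Triage an Avira AntiVir scan report: separate detections that sit in inert
locations (tool quarantine, System Restore points, the Java cache) from hits
on live paths that still need attention. Added example, not an Avira tool."""
import re
from collections import Counter

# Locations holding copies of already-neutralised files; a hit there is a
# leftover to clean up, not evidence of an active infection (assumed labels).
INERT_LOCATIONS = (
    (r"\\Qoobox\\Quarantine\\", "combofix_quarantine"),
    (r"\\System Volume Information\\_restore", "system_restore"),
    (r"\\Sun\\Java\\Deployment\\cache\\", "java_cache"),
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")            # a scanned file's full path
DETECT_RE = re.compile(r"^\[DETECTION\] (.+)$")
QUAR_RE = re.compile(r"^(\d+) Files were moved to quarantine")

def classify(path):
    """Label a path with its inert location, or 'live' if it matches none."""
    for pattern, label in INERT_LOCATIONS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "live"

def parse_report(text):
    """Return (findings, quarantined_count).

    findings: one (path, location, detection_text) per [DETECTION] line in
    the file-scan section. Archive members ('--> name') are attributed to the
    enclosing archive path. The 'Beginning disinfection' section repeats the
    same paths and is skipped so nothing is counted twice."""
    findings, quarantined = [], None
    in_file_scan, current_path = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting the file scan"):
            in_file_scan = True
            continue
        if line.startswith("Beginning disinfection"):
            in_file_scan = False
        m = QUAR_RE.match(line)
        if m:
            quarantined = int(m.group(1))
        if not in_file_scan:
            continue
        if PATH_RE.match(line):
            current_path = line
            continue
        m = DETECT_RE.match(line)
        if m and current_path:
            findings.append((current_path, classify(current_path), m.group(1)))
    return findings, quarantined

def live_hits(findings):
    """Detections outside every inert location: these need a human look."""
    return [f for f in findings if f[1] == "live"]

def triage(text):
    findings, quarantined = parse_report(text)
    return {
        "total": len(findings),
        "by_location": dict(Counter(loc for _, loc, _ in findings)),
        "live": [path for path, _, _ in live_hits(findings)],
        "quarantined": quarantined,
    }

# Constructed sample: paths copied from the report posted in this thread plus
# one made-up live-path hit whose detection name is a placeholder, not a real
# Avira signature, to show that it is the one singled out.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\22\7e479456-392c61ab
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.KA Java virus
--> netbeans/PHP.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.KA Java virus
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0005246.dll
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
C:\WINDOWS\SYSTEM32\constructed_example.dll
[DETECTION] Is the TR/Constructed.Placeholder Trojan
Begin scan in 'F:\'

Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\6to4v32.dll.vir
[DETECTION] Is the TR/Wimpixo.E.72 Trojan
[NOTE] The file was moved to the quarantine directory under the name '333b54fa.qua'.

3 Files were moved to quarantine
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("detections by location:", result["by_location"])
    print("moved to quarantine per report:", result["quarantined"])
    for path in result["live"] or ["(none)"]:
        print("needs attention:", path)
```

Run against the full report posted above, the script reports only the three inert locations and an empty "live" list, which is the same conclusion Belahzur drew by eye. Note that each `--> member` inside an archive produces its own `[DETECTION]` line but only the enclosing archive is one file, which is one reason the report's "found" count can exceed its "moved to quarantine" count; the parser attributes every member hit to the archive path so the two numbers can be compared sensibly.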

Re: BOO/TDSS.M

Post by fairydraik on Sat May 14, 2011 8:27 pm

Thanks so much, Belahzur.

Um, do you know if it's okay for me to either restart or pick back up my training? As the school year draws to a close, I've found myself with a lot more free time on my hands and a little bit wiser than I was when I started.

If the answer is no, I'm perfectly okay with that.


Re: BOO/TDSS.M

Post by Belahzur on Sun May 15, 2011 3:16 pm

You can pick up where you left off if you want.



Re: BOO/TDSS.M

Post by fairydraik on Sun May 15, 2011 7:29 pm

Thank you so much.

When I finally get a job, you can be sure you'll be getting at least one donation from me. You've been nothing but a help. So, yeah, thanks ^^
