BOO/TDSS.M


BOO/TDSS.M

Post by fairydraik on Thu 05 May 2011, 6:32 am

Hello.

I sincerely apologize for my long absence (and subsequent removal) from the GPA, but that's not why I'm here.

My computer has been infected with what my mom and I believe to be the new TDSS variant. The title of the topic is the name of the infection Avira found before everything went to hell.

Currently, my mom is doing everything she can to get rid of it, but nothing seems to work. None of the TDSS rootkits we found mentioned in removal guides seem to be found in the registry. It is acting like a fake AV and when the computer is connected to the internet will pop up IE windows. It also tried to add an add-on to Firefox, but I told it no.

On a subsequent restart, it seems to have killed my mouse driver; Mom is doing everything the old-fashioned way with the keyboard. Currently, we're only using the computer in Safe Mode. We think it's reinfecting through one of my portable hard drives. We can't use Avira, and the virus is blocking MBAM. Right now, I'm on my mom's Vista, but the infected computer is the one whose specs are on my profile.

Can you help us get rid of the virus?

Thanks,
Miri

Edit: I forgot to mention, we currently have the computer disconnected from the internet to prevent the virus from spreading. Should we reconnect and run the fixes from that computer, or should we do the burn-it-to-a-CD thing from this one?

fairydraik
Rookie Surfer
Posts : 194
Joined : 2009-11-01
Operating System : Windows XP


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 10:34 am

Yeah that helps.

Can you back up any data you don't want to lose? This infection isn't nice, and fixing it is known to cause the machine to become unusable.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 10:35 am

Hmmmm. So, in other words, do not attempt without a Windows disk?

Edit: And, I don't really know how to go about backing up everything; everything I do is on that computer. I have some 1TB hard drives....

Edit2: If I had to reinstall windows, would my data still be there, except Windows? I don't really know anything about that kind of thing...


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 10:41 am

You could slave the HDD from the infected machine into another machine, or use a bootable CD with a GUI like OTLPE if you can get that working.

It's just that our tools can't always catch this, and the only other option is the Recovery Console, but that will restore a standard MBR; if you use a custom MBR (OEM with recovery) then it causes the machine to become unbootable. It's a lose-lose situation.





Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 10:46 am

Slave? What does that mean?

And how likely is it that my computer uses a custom MBR?

And I suppose I could try to use OTLPE again, JIC.

And... like I asked earlier, if my Windows becomes inoperable, is it possible for me to get my data (like files, etc.) back? (I'm sorry I'm asking so many questions. I just don't feel comfortable starting something risky without knowing about all the possible outcomes.)


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 10:53 am

Slave? What does that mean?

At the back of every HDD is a little jumper chip, it sets the drive as master or slave. Right now yours will be set as master, switching it to slave makes it secondary to the primary HDD under another machine.

It's not likely, being XP, but I can't be 100% certain.

It's possible if something bad does happen; that's why I recommend OTLPE. I've used it myself on my own machine a few months back.





Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 10:53 am

Alright. And if I had the Windows disk it would be easier, right?

Edit: Mom says to tell you that it is a Dell computer, and that that makes a difference.


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 11:02 am

Actually, since you've already got the RC, you don't really need the Windows disc; you only need that if we're gonna format.

Please reboot your machine.

As it is rebooting, you will notice an extra menu, and an extra option for the Microsoft Windows Recovery Console.

Please select that option to boot the RC, Windows will boot to a text based screen and ask you to select the installation to log into, please choose the correct one, usually option 1 and press enter.

In there, type in the following commands, one line at a time.


fixmbr
exit

After the copy command, you may be prompted with a yes/no to confirm the copy, type in "y" to confirm it.

After that, boot back to normal mode and re-run aswmbr, then post the new log.




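The two posts above turn on one question: what is in the current MBR, and will fixmbr's standard boot code be an improvement on it or break an OEM recovery setup. The check a practitioner would do before letting fixmbr overwrite the sector is to dump it, keep a copy, and look at it. The script below is an added example written for this page; it is not code from the thread or from any tool mentioned in it. It parses a 512-byte MBR, hashes the boot-code region so it can be compared against a known-good copy, and runs structural checks on the partition table (signature, active flags, entries that overlap or run past the end of the disk). The disk size, the Dell-style partition layout and the "known-good" hash are all constructed for the example; in practice the reference hash comes from a pre-infection backup or an identical clean machine.

```python
"""Dump and sanity-check a 512-byte MBR before letting fixmbr overwrite it.

Added example, not code from this thread or from any of the tools it mentions.
All disk data below (disk size, partition layout, known-good hash) is
constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8      # bytes 0x000-0x1B7: boot code
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def read_first_sector(path):
    r"""Read sector 0 from an image file or a raw device such as \\.\PhysicalDrive0 (needs admin)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Return the four primary partition entries as dicts (type 0 = unused slot)."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def check_mbr(sector, disk_sectors, known_good_bootcode_sha256=None):
    """Structural checks on an MBR. Returns (list_of_findings, sha256_of_boot_code)."""
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"], None
    findings = []
    if sector[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    bootcode_hash = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    if known_good_bootcode_sha256 and bootcode_hash != known_good_bootcode_sha256:
        findings.append("boot code differs from the known-good copy")
    parts = [p for p in parse_partitions(sector) if p["type"] != 0]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {p['index']}: extends past the end of the disk")
    # Overlap check: sort by start LBA and compare each entry with its neighbour
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings, bootcode_hash


def build_sample_mbr(bootcode, entries):
    """Constructed test data: a sector from boot-code bytes and (status, type, start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


DISK_SECTORS = 312_581_808                       # constructed: a 160 GB disk
DELL_UTILITY = (0x00, 0xDE, 63, 80_262)          # constructed OEM utility partition
WINDOWS_XP = (0x80, 0x07, 80_325, 312_496_578)   # constructed NTFS system partition
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100,
                             [DELL_UTILITY, WINDOWS_XP])
KNOWN_GOOD = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_END]).hexdigest()
# Tampered sector: different boot code plus a bogus entry that overlaps and overruns the disk
TAMPERED_MBR = build_sample_mbr(b"\xEB\x1E\x90" + b"\xCC" * 60,
                                [DELL_UTILITY, WINDOWS_XP, (0x00, 0x07, 312_500_000, 1_000_000)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings, digest = check_mbr(mbr, DISK_SECTORS, KNOWN_GOOD)
        print(f"{label}: boot code sha256={digest[:16]}... findings={findings or 'none'}")
```

Read the sector from a boot CD or from the drive slaved into a clean machine, as the thread suggests, rather than from the running infected system: a live TDSS infection sits in the disk stack and can hand a clean-looking copy of the MBR back to user-mode readers. Keep the dumped sector; if fixmbr leaves an OEM machine unbootable, writing those 512 bytes back is the quickest way to return to the previous state.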

Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 11:05 am

Okay, so I'm guessing this is where we cross our fingers and pray, right? Alright, lemme copy most of my My Documents folder onto my 1TB, just in case.


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 11:42 am

Yep, this is the fix.

Being XP I doubt anything bad will happen, but no promises.





Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 11:44 am

Right. Well, I'm copying all of my stuff onto my 1TB, and according to my comp (when it can even make up its mind about the time) it's going to take over two hours. *sigh* Luckily, I have a field trip tomorrow, which means I get to skip my first class of the day, so I can stay up late babysitting it.


Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 12:31 pm

....that's weird. When I booted Recovery Console, it said, "NTLDR is compressed
Press CTRL+ALT+DEL to restart"


Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 1:27 am

Hmm.
Do you think you can get this to run the same way you did with aswmbr?

Please download TDSSKiller from here and save it to your Desktop.

  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.





Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 5:29 am

Probably, lemme try it.

Edit: What's the exact location of the log it'll create? So I can put it on the flash.

Edit2: I don't know what happened, but ever since I was able to run aswMBR, my computer has been a lot more responsive....


Last edited by fairydraik on Thu 12 May 2011, 5:41 am; edited 1 time in total


Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 5:39 am

Note: It will also create a log in the C:\ directory.




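The report TDSSKiller writes to C:\ (the one pasted further down in this thread) is a plain-text log with one line per driver service, plus separate "Suspicious file" and "detected" lines. When a thread like this produces several of these logs, it helps to triage them mechanically rather than scroll hundreds of lines. The script below is an added example written for this page, not code from the thread or from Kaspersky's tool: it parses those three line shapes and raises a note for anything detected, anything the scanner could not open, any driver loaded from outside the system32 tree, and any one image registered under more than one service name. The LOG sample is a short excerpt of the report posted in this thread; the list of expected driver directories is an assumption made for the rule.

```python
"""Triage a TDSSKiller report: list detections and surface drivers worth a second look.

Added example, not part of the thread or of TDSSKiller. Line formats are taken
from the report pasted in this thread; EXPECTED_DIRS is an assumption for the rule.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")

# Where a kernel driver is normally loaded from on XP (assumption used by the rule below)
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")


def parse_report(text):
    """Split a TDSSKiller report into driver entries, detections and suspicious-file lines."""
    drivers, detections, suspicious = [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, separator and blank lines
        ts, _tid, msg = m.groups()
        d = DRIVER_RE.match(msg)
        if d:
            name, md5, path = d.groups()
            drivers.append({"name": name, "md5": md5, "path": path, "ts": ts})
            continue
        d = DETECT_RE.match(msg)
        if d:
            name, verdict, count = d.groups()
            detections.append({"name": name, "verdict": verdict, "count": int(count)})
            continue
        d = SUSPICIOUS_RE.match(msg)
        if d:
            reason, path, md5 = d.groups()
            suspicious.append({"reason": reason, "path": path, "md5": md5})
    return drivers, detections, suspicious


def triage(drivers, detections, suspicious):
    """Return (subject, note) pairs a human should look at."""
    notes = []
    for det in detections:
        notes.append((det["name"], f"detected as {det['verdict']}"))
    for s in suspicious:
        notes.append((s["path"], f"suspicious ({s['reason']})"))
    by_md5 = defaultdict(list)
    for d in drivers:
        by_md5[d["md5"]].append(d["name"])
        folder = d["path"].lower().rsplit("\\", 1)[0]
        if folder not in EXPECTED_DIRS:
            notes.append((d["name"], f"loaded from outside system32: {d['path']}"))
    for md5, names in by_md5.items():
        if len(names) > 1:
            notes.append(("/".join(names),
                          f"same image registered under several service names (md5 {md5[:8]}...)"))
    return notes


# Excerpt of the report posted in this thread (trimmed to a handful of lines)
LOG = r"""
2011/05/11 14:40:34.0734 3916 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:39.0125 4032 Scan started
2011/05/11 14:40:41.0015 4032 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/11 14:40:42.0140 4032 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/11 14:40:42.0828 4032 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/05/11 14:40:42.0859 4032 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
"""

if __name__ == "__main__":
    for subject, note in triage(*parse_report(LOG)):
        print(f"{subject}: {note}")
```

The notes are prompts for a human, not verdicts. A LockedFile.Multi.Generic line means the scanner could not open the file, not that it matched a signature; sptd.sys is the Daemon Tools / Alcohol SCSI pass-through driver and is routinely locked in exactly this way. Likewise avgio.sys is flagged only because it lives under Program Files, which is where Avira installs it. The md5 column is the useful pivot: the same hash under two service names (cbidf and cbidf2k here, both pointing at cbidf2k.sys) is ordinary for a stock XP install, but a hash that changes between two runs of the tool on the same driver is worth chasing.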

Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 5:42 am

It says it wants me to select actions for found objects, should I just continue with the default selections?

And oops, didn't see that -_-;;;

Edit: I just continued with the default settings; it asked me to reboot to complete the cure. The scan didn't seem to take very long... let's see what it says after restarting.


Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 5:56 am

This is the log after I chose to go with the default settings, it looks like it did skip one item, and after reboot, the virus still appeared to be active. Should I run the tool again, this time not skipping any items?

2011/05/11 14:40:34.0734 3916 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0125 3916 SystemInfo:
2011/05/11 14:40:35.0125 3916
2011/05/11 14:40:35.0125 3916 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/11 14:40:35.0125 3916 Product type: Workstation
2011/05/11 14:40:35.0125 3916 ComputerName: D94LZ971
2011/05/11 14:40:35.0125 3916 UserName: Miranda Rian
2011/05/11 14:40:35.0125 3916 Windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 System windows directory: C:\WINDOWS
2011/05/11 14:40:35.0125 3916 Processor architecture: Intel x86
2011/05/11 14:40:35.0125 3916 Number of processors: 1
2011/05/11 14:40:35.0125 3916 Page size: 0x1000
2011/05/11 14:40:35.0125 3916 Boot type: Normal boot
2011/05/11 14:40:35.0125 3916 ================================================================================
2011/05/11 14:40:35.0812 3916 Initialize success
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:39.0125 4032 Scan started
2011/05/11 14:40:39.0125 4032 Mode: Manual;
2011/05/11 14:40:39.0125 4032 ================================================================================
2011/05/11 14:40:40.0671 4032 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/05/11 14:40:41.0015 4032 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/11 14:40:41.0078 4032 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/11 14:40:41.0125 4032 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/05/11 14:40:41.0187 4032 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/11 14:40:41.0250 4032 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/11 14:40:41.0312 4032 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/11 14:40:41.0343 4032 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/05/11 14:40:41.0375 4032 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/05/11 14:40:41.0406 4032 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/05/11 14:40:41.0437 4032 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/05/11 14:40:41.0484 4032 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/05/11 14:40:41.0515 4032 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/05/11 14:40:41.0546 4032 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/05/11 14:40:41.0593 4032 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/05/11 14:40:41.0640 4032 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/05/11 14:40:41.0687 4032 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/05/11 14:40:41.0703 4032 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/05/11 14:40:41.0781 4032 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/11 14:40:41.0812 4032 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/11 14:40:41.0921 4032 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/11 14:40:42.0000 4032 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/11 14:40:42.0062 4032 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/11 14:40:42.0140 4032 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/11 14:40:42.0187 4032 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/05/11 14:40:42.0281 4032 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/05/11 14:40:42.0328 4032 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/05/11 14:40:42.0406 4032 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/11 14:40:42.0453 4032 BeTwinKeyboard (48650cdd4b2dab817fef0b39a430e955) C:\WINDOWS\system32\drivers\BeTwinKF.sys
2011/05/11 14:40:42.0531 4032 BeTwinMouse (0a680658860662cc81b7b8ed3d037d4a) C:\WINDOWS\system32\drivers\BeTwinMF.sys
2011/05/11 14:40:42.0609 4032 BeTwinSystem (d6a76e727e395933994ffdd3c85fc7f3) C:\WINDOWS\system32\Drivers\BeTwinSystem.sys
2011/05/11 14:40:42.0671 4032 BeTwinVideo (95ebb2a77b0c6bb9186b56cfc93fe060) C:\WINDOWS\system32\drivers\BeTwinVF.sys
2011/05/11 14:40:42.0828 4032 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/05/11 14:40:42.0859 4032 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/11 14:40:42.0921 4032 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/11 14:40:42.0953 4032 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/05/11 14:40:42.0984 4032 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/11 14:40:43.0031 4032 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/11 14:40:43.0078 4032 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/11 14:40:43.0156 4032 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/05/11 14:40:43.0218 4032 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/05/11 14:40:43.0312 4032 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/05/11 14:40:43.0359 4032 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/05/11 14:40:43.0406 4032 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/05/11 14:40:43.0453 4032 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/11 14:40:43.0531 4032 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/11 14:40:43.0593 4032 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/11 14:40:43.0640 4032 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/11 14:40:43.0703 4032 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/11 14:40:43.0765 4032 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/05/11 14:40:43.0812 4032 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/11 14:40:43.0890 4032 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/11 14:40:44.0000 4032 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/11 14:40:44.0046 4032 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/11 14:40:44.0078 4032 FilterService (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/05/11 14:40:44.0125 4032 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/11 14:40:44.0156 4032 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/11 14:40:44.0218 4032 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/11 14:40:44.0281 4032 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/11 14:40:44.0359 4032 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/11 14:40:44.0421 4032 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/11 14:40:44.0468 4032 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/11 14:40:44.0531 4032 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/05/11 14:40:44.0593 4032 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/11 14:40:44.0656 4032 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/05/11 14:40:44.0703 4032 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/11 14:40:44.0781 4032 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/11 14:40:44.0796 4032 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/05/11 14:40:44.0828 4032 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/11 14:40:44.0875 4032 iaStor (88b1943ecff661f765228099138cf6ab) C:\WINDOWS\system32\drivers\iaStor.sys
2011/05/11 14:40:44.0921 4032 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/11 14:40:44.0968 4032 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/05/11 14:40:45.0046 4032 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/05/11 14:40:45.0109 4032 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/05/11 14:40:45.0156 4032 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/05/11 14:40:45.0187 4032 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/11 14:40:45.0250 4032 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/11 14:40:45.0328 4032 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/11 14:40:45.0375 4032 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/11 14:40:45.0437 4032 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/11 14:40:45.0484 4032 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/11 14:40:45.0562 4032 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/11 14:40:45.0609 4032 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/11 14:40:45.0656 4032 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/11 14:40:45.0718 4032 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/11 14:40:45.0750 4032 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/11 14:40:45.0796 4032 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/11 14:40:45.0859 4032 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/11 14:40:45.0968 4032 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
2011/05/11 14:40:46.0015 4032 LVRS (b6e1ccd6572984adcae68439afd07011) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/05/11 14:40:46.0203 4032 LVUVC (6c42815dd57e397f0cd988304b5eb4b3) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/05/11 14:40:46.0328 4032 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/11 14:40:46.0359 4032 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/11 14:40:46.0390 4032 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/11 14:40:46.0437 4032 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/05/11 14:40:46.0484 4032 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/11 14:40:46.0515 4032 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/11 14:40:46.0578 4032 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/11 14:40:46.0640 4032 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/05/11 14:40:46.0671 4032 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/11 14:40:46.0734 4032 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/11 14:40:46.0796 4032 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/11 14:40:46.0843 4032 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/11 14:40:46.0906 4032 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/11 14:40:46.0937 4032 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/11 14:40:46.0984 4032 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/11 14:40:47.0031 4032 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/11 14:40:47.0109 4032 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/11 14:40:47.0156 4032 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/11 14:40:47.0218 4032 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/11 14:40:47.0312 4032 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/11 14:40:47.0359 4032 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/11 14:40:47.0421 4032 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/11 14:40:47.0484 4032 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/11 14:40:47.0531 4032 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/11 14:40:47.0593 4032 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/11 14:40:47.0640 4032 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/11 14:40:47.0750 4032 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/11 14:40:47.0859 4032 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
2011/05/11 14:40:48.0046 4032 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/11 14:40:48.0140 4032 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/11 14:40:48.0875 4032 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/11 14:40:49.0265 4032 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/11 14:40:49.0296 4032 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/11 14:40:49.0359 4032 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/05/11 14:40:49.0437 4032 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/05/11 14:40:49.0500 4032 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
2011/05/11 14:40:49.0562 4032 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/11 14:40:49.0609 4032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/11 14:40:49.0656 4032 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/11 14:40:49.0718 4032 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/11 14:40:49.0781 4032 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/11 14:40:49.0843 4032 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/11 14:40:49.0968 4032 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/05/11 14:40:50.0000 4032 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/05/11 14:40:50.0125 4032 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/11 14:40:50.0156 4032 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/11 14:40:50.0218 4032 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/11 14:40:50.0296 4032 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/11 14:40:50.0343 4032 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/05/11 14:40:50.0375 4032 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/05/11 14:40:50.0406 4032 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/05/11 14:40:50.0437 4032 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/05/11 14:40:50.0468 4032 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/05/11 14:40:50.0515 4032 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/11 14:40:50.0578 4032 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/11 14:40:50.0609 4032 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/11 14:40:50.0656 4032 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/11 14:40:50.0703 4032 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/11 14:40:50.0750 4032 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/11 14:40:50.0812 4032 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/11 14:40:50.0875 4032 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/11 14:40:50.0937 4032 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/11 14:40:51.0078 4032 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/11 14:40:51.0171 4032 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/05/11 14:40:51.0234 4032 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/11 14:40:51.0312 4032 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/11 14:40:51.0375 4032 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/11 14:40:51.0468 4032 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/05/11 14:40:51.0515 4032 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/11 14:40:51.0578 4032 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/11 14:40:51.0609 4032 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/05/11 14:40:51.0640 4032 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
2011/05/11 14:40:54.0140 4032 \HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 14:40:54.0218 4032 ================================================================================
2011/05/11 14:40:54.0218 4032 Scan finished
2011/05/11 14:40:54.0218 4032 ================================================================================
2011/05/11 14:40:54.0250 4012 Detected object count: 2
2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/05/11 14:48:00.0218 4012 \HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 14:48:00.0218 4012 \HardDisk3 - ok
2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\HardDisk3) - User select action: Cure
2011/05/11 14:48:17.0265 3856 Deinitialize success


Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 5:58 am

Hello.
No, leave TDSSKiller now. The items skipped are legit; it's just that TDSSKiller flags locked files.

That killed the MBR infection. Let's try OTL now.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

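Belahzur's reading of the TDSSKiller result (the locked-file flag on sptd is informational, the \HardDisk3 hit is the real infection and was cured) can be automated. The following is an added example, not code from the thread, from TDSSKiller or from Kaspersky: it parses the log lines posted above, keeps the two kinds of entry apart, and reports any real detection that was left unremediated.

```python
"""Triage a TDSSKiller log: keep informational "LockedFile" flags apart from
real rootkit detections and record what was done about each object.

Added example for this thread (not TDSSKiller's or Kaspersky's code). The
sample lines are copied from the log posted in the thread."""
import re
from dataclasses import dataclass

# Every TDSSKiller line is "<date> <time> <pid> <message>"; only <message> matters here.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(.*)$")
# "<object> - detected <Verdict> (<n>)"
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
# "<object> (<Verdict>) - will be cured after reboot"
REBOOT_RE = re.compile(r"^(?P<obj>.+?) \((?P<verdict>[^)]+)\) - will be cured after reboot$")
# "<Verdict>(<object>) - User select action: <Action>"
ACTION_RE = re.compile(r"^(?P<verdict>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")

# Verdicts that mean "could not read the file", not "infected". A boot-start
# driver such as sptd.sys is locked by design and gets this flag on clean machines too.
INFORMATIONAL = {"LockedFile.Multi.Generic"}
# Actions that actually remove or neutralise the object.
REMEDIATED = {"Cure", "Delete", "Quarantine"}


@dataclass
class Detection:
    obj: str
    verdict: str
    action: str = "none"
    reboot_required: bool = False

    @property
    def informational(self) -> bool:
        return self.verdict in INFORMATIONAL

    @property
    def remediated(self) -> bool:
        return self.action in REMEDIATED


def parse_tdsskiller(log: str) -> list:
    """Collect one Detection per object, merging its detect/reboot/action lines."""
    found = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if d := DETECT_RE.match(msg):
            found[d["obj"]] = Detection(d["obj"], d["verdict"])
        elif r := REBOOT_RE.match(msg):
            found.setdefault(r["obj"], Detection(r["obj"], r["verdict"])).reboot_required = True
        elif a := ACTION_RE.match(msg):
            found.setdefault(a["obj"], Detection(a["obj"], a["verdict"].strip())).action = a["action"]
    return list(found.values())


def still_open(detections: list) -> list:
    """Real (non-informational) detections that were skipped or never acted on."""
    return [d for d in detections if not d.informational and not d.remediated]


SAMPLE_LOG = """\
2011/05/11 14:40:51.0703 4032 sptd (cdddec541bc3c96f91ecb48759673505) C:\\WINDOWS\\system32\\Drivers\\sptd.sys
2011/05/11 14:40:51.0703 4032 Suspicious file (NoAccess): C:\\WINDOWS\\system32\\Drivers\\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/05/11 14:40:51.0718 4032 sptd - detected LockedFile.Multi.Generic (1)
2011/05/11 14:40:54.0140 4032 \\HardDisk3 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 14:40:54.0250 4012 Detected object count: 2
2011/05/11 14:48:00.0187 4012 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/05/11 14:48:00.0218 4012 \\HardDisk3 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 14:48:00.0218 4012 \\HardDisk3 - ok
2011/05/11 14:48:00.0218 4012 Rootkit.Win32.TDSS.tdl4(\\HardDisk3) - User select action: Cure
"""

if __name__ == "__main__":
    dets = parse_tdsskiller(SAMPLE_LOG)
    for d in dets:
        kind = "info" if d.informational else "DETECTION"
        print(f"{kind:9} {d.obj:12} {d.verdict:26} action={d.action} reboot={d.reboot_required}")
    print("still open:", [d.obj for d in still_open(dets)])
```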

Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 6:12 am

Good news! Now that some of the virus is dead, I can get on GP from my own computer, where I am right now. Those logs are coming.


Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 6:20 am

Yayyyyyyy~~~ It workeddddddd~~~~~ I just need to copy/paste the logs now. (Please excuse typos; the remaining virus is making the screen type very slowly and it's screwing up my typing accuracy.)

OTL logfile created on: 5/11/2011 3:13:44 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Miranda Rian\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.81 Gb Total Space | 13.65 Gb Free Space | 19.28% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 888.73 Gb Free Space | 95.41% Space Free | Partition Type: NTFS
Drive I: | 1.86 Gb Total Space | 1.18 Gb Free Space | 63.23% Space Free | Partition Type: FAT
Drive J: | 74.51 Gb Total Space | 3.32 Gb Free Space | 4.45% Space Free | Partition Type: FAT32

Computer Name: D94LZ971 | User Name: Miranda Rian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
PRC - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msywgahg.exe
PRC - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/22 23:56:40 | 000,687,448 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2011/03/21 17:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/11/04 02:14:38 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/04/01 05:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/21 17:59:00 | 000,143,360 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2004/09/01 03:06:18 | 000,147,456 | ---- | M] (A4Tech Co.,Ltd.) -- C:\Program Files\A4Tech\Mouse\Amoumain.exe


========== Modules (SafeList) ==========

MOD - [2011/05/11 15:02:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Miranda Rian\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\iyocusura.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (npggsvc)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\msywgahg.exe -- (Network Adapter Events)
SRV - [2011/05/02 22:30:25 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\6to4v32.dll -- (6to4)
SRV - [2011/05/02 22:30:07 | 000,215,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\itlpfw32.dll -- (itlperf)
SRV - [2011/05/02 15:36:07 | 003,274,328 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_3f211bc.dll -- (Akamai)
SRV - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/04/01 01:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/03/19 13:46:02 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/06/18 21:59:12 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/02/10 12:42:32 | 000,303,176 | ---- | M] (ThinSoft Pte Ltd.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\BeTwinServiceXP.exe -- (TermService)
SRV - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


========== Driver Services (SafeList) ==========

DRV - [2011/04/01 01:11:10 | 004,333,280 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech Webcam 500(UVC)
DRV - [2011/04/01 01:09:48 | 000,291,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvrs.sys -- (LVRS)
DRV - [2011/03/19 13:46:03 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys -- (avipbb)
DRV - [2010/11/23 22:11:00 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 16:17:40 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/05/14 18:04:20 | 000,023,904 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2010/02/10 12:42:34 | 000,025,656 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\BeTwinVF.sys -- (BeTwinVideo)
DRV - [2010/02/10 12:42:32 | 000,015,040 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BeTwinSystem.sys -- (BeTwinSystem)
DRV - [2010/02/10 12:42:26 | 000,033,336 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINMF.sys -- (BeTwinMouse)
DRV - [2010/02/10 12:42:26 | 000,033,208 | ---- | M] (ThinSoft Pte Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BETWINKF.sys -- (BeTwinKeyboard)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hamachi.sys -- (hamachi)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\winusb.sys -- (winusb)
DRV - [2005/01/04 14:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\npptNT2.sys -- (NPPTNT2)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004/08/25 14:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -- (b57w2k)
DRV - [2004/06/15 23:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004/06/09 13:16:00 | 000,840,960 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys -- (P17)
DRV - [2004/03/05 23:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 23:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 23:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2003/09/22 09:48:00 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 09:47:00 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.9
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.0.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1.2008d

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/11 18:08:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/11 18:09:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0ECA710F-47D0-4675-B53F-35385D5E8880}: C:\Documents and Settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880} [2011/05/02 20:12:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}: C:\Documents and Settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A} [2011/05/04 12:44:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:24:09 | 000,000,000 | ---D | M]

[2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions
[2010/02/26 18:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Extensions\celtx@celtx.com
[2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions
[2011/03/31 22:36:11 | 000,000,000 | ---D | M] ("Malware Search") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
[2010/06/24 13:48:48 | 000,000,000 | ---D | M] ("Athena") -- C:\Documents and Settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
[2011/05/04 19:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/04/01 21:42:24 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/04/01 21:42:23 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2009/12/21 01:47:02 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

Hosts file not found
O2 - BHO: (DivX Plus Web Player HTML5

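The OTL service list above still carries the indicators that were not cleaned by TDSSKiller: a service binary in system32 with no company name, and a vendor string with a stray trailing space. As an added example, not part of the thread or of OTL, the rules below are heuristics of my own (the no-company check borrows the idea behind OTL's "Company Name Whitelist" setting) run over SRV lines copied from the log; they pick out those entries and leave properly attributed services alone.

```python
"""Triage the SRV lines of an OTL log with three heuristics: a binary with no
company name inside the Windows directory, a vendor string padded with
whitespace, and a service entry whose binary no longer exists.

Added example for this thread (not OTL's code); the rules are my own
heuristics and the sample lines are copied from the OTL log in the thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# SRV - [<stamp> | <size> | <attrs> | M] (<company>) [<start> | <state>] -- <path> -- (<name>)
SRV_RE = re.compile(
    r"^SRV - \[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| M\] "
    r"\((?P<company>[^)]*)\) \[(?P<start>\w+) \| (?P<state>\w+)\] "
    r"-- (?P<path>.+?) -- \((?P<name>[^)]+)\)"
)
# SRV - File not found [<start> | <state>] -- -- (<name>)
MISSING_RE = re.compile(r"^SRV - File not found \[(?P<start>\w+) \| (?P<state>\w+)\] -- -- \((?P<name>[^)]+)\)")

# Everything under the Windows directory is expected to carry a vendor name.
SYSTEM_DIR = "c:\\windows\\"


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_service(line: str) -> Optional[Finding]:
    """Return a Finding if the line trips a rule, else None (clean or not an SRV line)."""
    if m := MISSING_RE.match(line):
        return Finding(m["name"], "", ["service entry points at a binary that no longer exists"])
    m = SRV_RE.match(line)
    if not m:
        return None
    company, path, name = m["company"], m["path"], m["name"]
    reasons = []
    if company.strip() == "" and path.lower().startswith(SYSTEM_DIR):
        reasons.append("no company name on a binary inside the Windows directory")
    if company != company.strip():
        reasons.append("vendor string padded with whitespace, unlike a real version resource")
    if reasons and m["start"] == "Auto" and m["state"] == "Running":
        reasons.append("auto-start and currently running")
    return Finding(name, path, reasons) if reasons else None


def triage_otl_services(log: str) -> list:
    """All findings for the SRV lines of an OTL log, in log order."""
    return [f for line in log.splitlines() if (f := triage_service(line.strip()))]


# Lines copied from the OTL log posted in the thread.
SAMPLE_OTL = r"""
SRV - File not found [On_Demand | Stopped] -- -- (npggsvc)
SRV - [2011/05/07 10:28:49 | 000,042,016 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\msywgahg.exe -- (Network Adapter Events)
SRV - [2011/05/02 22:30:25 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\6to4v32.dll -- (6to4)
SRV - [2011/05/02 22:30:07 | 000,215,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\SYSTEM32\itlpfw32.dll -- (itlperf)
SRV - [2011/05/02 15:36:07 | 003,274,328 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_3f211bc.dll -- (Akamai)
SRV - [2011/04/29 16:19:59 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/02/10 12:42:32 | 000,303,176 | ---- | M] (ThinSoft Pte Ltd.) [Auto | Stopped] -- C:\WINDOWS\SYSTEM32\BeTwinServiceXP.exe -- (TermService)
SRV - [2006/02/21 17:58:34 | 000,081,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
"""

if __name__ == "__main__":
    for f in triage_otl_services(SAMPLE_OTL):
        print(f"{f.name}: {f.path or '<missing>'}")
        for r in f.reasons:
            print("   -", r)
```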

Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 6:22 am

The Extras log doesn't appear to have generated. That's just an uninstall list, right?


Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 7:12 am

Hello.

  • Download combofix from here
    Link 1

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 7:59 am

Here's the ComboFix log. Things seem to be working better now; Firefox recognized the fact that I had no default browser set and allowed me to do something about it. It did pop up with some errors about missing DLL files, but they all had the junk names, so I think they were bad files that CF deleted and the virus was looking for them. After checking the list of running processes, it looks like several virus processes have been killed for good but others have not. Advice on the next step?

ComboFix 11-05-11.01 - Miranda Rian 05/11/2011 16:28:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -4:00]
Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Miranda Rian\Application Data\avdrn.dat
c:\documents and settings\Miranda Rian\Application Data\Sun\ixokfmgyl68.dll
c:\documents and settings\Miranda Rian\Application Data\Sun\mxd1.txt
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome.manifest
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\_cfg.js
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\chrome\content\overlay.xul
c:\documents and settings\Miranda Rian\Local Settings\Application Data\{0ECA710F-47D0-4675-B53F-35385D5E8880}\install.rdf
c:\documents and settings\Miranda Rian\Start Menu\Programs\Startup\rarliw32.exe
c:\documents and settings\Miranda Rian\WINDOWS
c:\documents and settings\Richard Rian\WINDOWS
C:\Recycle.Bin
c:\recycle.bin\config.bin
c:\recycle.bin\Recycle.Bin.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Glivua.exe
c:\windows\Glivub.exe
c:\windows\iyocusura.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\itlnfw32.dll
c:\windows\system32\itlpfw32.dll
c:\windows\system32\RGSS104E.dll
c:\windows\system32\RGSS104J.dll
c:\windows\TDPLAP.dll
F:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-07 15:05 . 2011-05-07 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-05-07 14:36 . 2010-02-10 16:42 303176 ----a-w- c:\windows\system32\BeTwinServiceXP.exe
2011-05-07 14:36 . 2010-02-10 16:42 33208 ----a-w- c:\windows\system32\drivers\BETWINKF.sys
2011-05-07 14:36 . 2010-02-10 16:42 81984 ----a-w- c:\windows\system32\BeTwinAudio.dll
2011-05-07 14:36 . 2006-03-17 03:35 249856 ----a-w- c:\windows\system32\SlsApi.dll
2011-05-07 14:36 . 2010-02-10 16:42 15040 ----a-w- c:\windows\system32\drivers\BeTwinSystem.sys
2011-05-07 14:36 . 2010-02-10 16:42 33336 ----a-w- c:\windows\system32\drivers\BETWINMF.sys
2011-05-07 14:36 . 2010-02-10 16:42 25656 ----a-w- c:\windows\system32\drivers\BETWINVF.sys
2011-05-07 14:36 . 2003-06-27 06:08 8704 ----a-w- c:\windows\system32\xtgina.dll
2011-05-07 14:28 . 2011-05-07 14:28 42016 ----a-w- c:\windows\system32\msywgahg.exe
2011-05-04 17:27 . 2011-05-04 17:28 -------- d-----w- c:\documents and settings\Administrator
2011-05-04 16:44 . 2011-05-04 16:44 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\{3BACD646-8F03-493E-AE54-2FD3A84F1F4A}
2011-05-03 00:12 . 2011-05-11 18:40 0 ----a-w- c:\windows\Ffavunoli.bin
2011-04-30 08:51 . 2011-04-30 08:51 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----w- c:\program files\Matroska Pack
2011-04-19 00:35 . 2011-04-19 00:35 -------- d-----w- c:\program files\iPod
2011-04-19 00:34 . 2011-04-19 00:35 -------- d-----w- c:\program files\iTunes
2011-04-19 00:30 . 2011-04-19 00:30 -------- d-----w- c:\program files\Bonjour
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe1_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-17 23:51 . 2011-04-17 23:51 45056 ----a-r- c:\documents and settings\Miranda Rian\Application Data\Microsoft\Installer\{1DED5EFD-410A-48DB-909A-2B2022BB50D2}\Nethergate.exe_1DED5EFD410A48DB909A2B2022BB50D2.exe
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39 . 2011-04-14 07:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-13 23:53 . 2011-04-13 23:54 -------- d-----w- c:\program files\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 05:11 . 2009-12-28 16:52 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-04-01 05:10 . 2009-12-28 16:52 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-04-01 05:10 . 2009-12-28 16:52 543328 ----a-w- c:\windows\system32\LVUI2.dll
2011-04-01 05:09 . 2009-12-28 16:52 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-04-01 05:08 . 2011-04-01 05:08 195168 ----a-w- c:\windows\system32\lvci13251014.dll
2011-04-01 05:08 . 2009-12-28 16:52 301664 ----a-w- c:\windows\system32\lvcodec2.dll
2011-04-01 05:07 . 2010-05-14 21:56 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
2011-04-01 05:07 . 2010-05-14 21:56 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-04-01 05:06 . 2010-05-14 21:55 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-04-01 04:56 . 2009-12-28 16:52 39318 ----a-w- c:\windows\system32\Repository.reg
2011-03-23 03:58 . 2011-03-23 03:58 14168 ----a-w- c:\windows\system32\drivers\iKeyLFT2.dll
2011-03-19 17:46 . 2010-04-10 19:29 137656 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-09 16:11 . 2010-03-09 15:58 939139876 ----a-w- c:\program files\FEZsetup_2010-02-26.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"WheelMouse"="c:\progra~1\A4Tech\Mouse\Amoumain.exe" [2004-09-01 147456]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"12933:TCP"= 12933:TCP:BitComet 12933 TCP
"12933:UDP"= 12933:UDP:BitComet 12933 UDP
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [6/5/2009 9:04 PM 691696]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2010 3:29 PM 136360]
R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 BeTwinVideo;BeTwinVideo;c:\windows\SYSTEM32\DRIVERS\BETWINVF.sys [5/7/2011 10:36 AM 25656]
S1 BeTwinSystem;BeTwinSystem;c:\windows\SYSTEM32\DRIVERS\BeTwinSystem.sys [5/7/2011 10:36 AM 15040]
S3 BeTwinKeyboard;BeTwinKeyboard;c:\windows\SYSTEM32\DRIVERS\BETWINKF.sys [5/7/2011 10:36 AM 33208]
S3 BeTwinMouse;BeTwinMouse;c:\windows\SYSTEM32\DRIVERS\BETWINMF.sys [5/7/2011 10:36 AM 33336]
S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Athena: {405e2f6c-b9b8-4515-a69c-e375d7156c86} - %profile%\extensions\{405e2f6c-b9b8-4515-a69c-e375d7156c86}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Steam - i:\steam\Steam.exe
HKCU-Run-Dloqa - c:\windows\TDPLAP.dll
HKCU-Run-4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI - c:\recycle.bin\Recycle.Bin.exe
HKLM-Run-QuickTime Task - i:\quicktime\QTTask.exe
HKLM-Run-Ywokaqe - c:\windows\iyocusura.dll
Notify-itlntfy - itlnfw32.dll
AddRemove-Champions Online - f:\cryptic studios\Uninstall Champions Online.exe
AddRemove-Guild Wars - i:\guild wars\Gw.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Shin Megami Tensei: Imagine Online - f:\aeriagames\MegaTen\Uninst.exe
AddRemove-Steam App 7650 - i:\steam\steam.exe
AddRemove-Steam App 7660 - i:\steam\steam.exe
AddRemove-Steam App 7730 - i:\steam\steam.exe
AddRemove-Steam App 7760 - i:\steam\steam.exe
AddRemove-Steam App 7770 - i:\steam\steam.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - i:\ea games\The Sims 2 Deluxe\EAUninstall.exe
AddRemove-The Twilight Zone - i:\the twilight zone\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-11 16:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\xtgina.dll
c:\windows\system32\WINSCARD.DLL
.
- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-05-11 16:51:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 20:51
ComboFix2.txt 2010-08-06 23:36
.
Pre-Run: 14,587,121,664 bytes free
Post-Run: 16,250,331,136 bytes free
.
- - End Of File - - 602E313A295602BB876EC9FBEA0F1416

fairydraik

Rookie Surfer

Posts : 194
Joined : 2009-11-01
Operating System : Windows XP

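Several lines in the ComboFix log above are the ones a responder reads as confirmation of the infection rather than as noise: the `exefile=` association routes every .exe launch through `hok.exe` first (which is why the later exeHelper run reports "Resetting filetype association for .exe"), `AntiVirusOverride` and `FirewallOverride` are set so Security Center stays quiet, the XP firewall is switched off, and an orphaned Run entry points into `c:\recycle.bin`. As an added example that is not the thread's own tooling and not part of ComboFix or exeHelper, here is a small Python scanner that pulls those indicators out of a ComboFix-style log. The sample input is constructed from lines quoted in the post, and the indicator names (`exefile_hijack`, `security_center_override`, `firewall_disabled`, `suspicious_path`) are my own labels.

```python
"""Flag high-signal indicators in a ComboFix-style log.

Added example for this thread; not part of ComboFix or exeHelper. The checks
are written from the log lines quoted in the post, and SAMPLE_LOG is a
constructed excerpt of those lines.
"""
import re

# Default Windows .exe association: the program is simply run with its arguments.
DEFAULT_EXEFILE = '"%1" %*'

# Directories where a legitimate service or autostart image rarely lives.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\local settings\\(application data|temp)\\|\\recycle\.bin\\|\\recycler\\",
    re.IGNORECASE,
)
# Service line as ComboFix prints it: "R2 name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]+;(?P<path>.+?) \[")
# Orphaned autostart entry: "HKCU-Run-Name - path"
RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-\S+ - (?P<path>.+)$")
# Security Center told to ignore missing AV / firewall
SECURITY_CENTER_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
# XP firewall disabled in the standard profile
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
EXEFILE_RE = re.compile(r"^exefile=(?P<value>.*)$")

# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R2 Network Adapter Events;Network Adapter Events;c:\windows\SYSTEM32\msywgahg.exe [5/7/2011 10:28 AM 42016]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
.
------- File Associations -------
.
exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\hok.exe" -a "%1" %*
.
HKCU-Run-4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI - c:\recycle.bin\Recycle.Bin.exe
HKCU-Run-Steam - i:\steam\Steam.exe
"""


def find_indicators(log_text):
    """Return a list of {'kind', 'line'} dicts for flagged lines, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = EXEFILE_RE.match(line)
        if m:
            # Anything other than the stock value means .exe launches are proxied.
            if m.group("value").strip() != DEFAULT_EXEFILE:
                findings.append({"kind": "exefile_hijack", "line": line})
            continue
        if SECURITY_CENTER_RE.match(line):
            findings.append({"kind": "security_center_override", "line": line})
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append({"kind": "firewall_disabled", "line": line})
            continue
        path = None
        for pat in (SERVICE_RE, RUN_RE):
            m = pat.match(line)
            if m:
                path = m.group("path")
                break
        if path and SUSPICIOUS_PATH_RE.search(path):
            findings.append({"kind": "suspicious_path", "line": line})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['kind']:25} {f['line']}")
```

The path check deliberately stays with locations that are almost never legitimate for a service or autostart image; a random-looking name in `system32` such as `msywgahg.exe` is not flagged by this script, which is exactly why the helper still had to read the service list by hand and name that file in the CFScript.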

Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 8:28 am

Hello.
2 things to do here.

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\windows\system32\msywgahg.exe
    c:\windows\Ffavunoli.bin

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "itlsvc"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: BOO/TDSS.M

Post by fairydraik on Thu 12 May 2011, 9:15 am

The exeHelper log:

exeHelper by Raktor
Build 20100414
Run at 18:14:21 on 05/11/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

fairydraik

Rookie Surfer

Posts : 194
Joined : 2009-11-01
Operating System : Windows XP


Re: BOO/TDSS.M

Post by Belahzur on Thu 12 May 2011, 9:34 am

Standing by for Combofix log.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

