TechSpot

Iexplore.exe processes pop up, apparent rootkit infection

By DoktrMik
Jul 24, 2010
Topic Status:
Not open for further replies.
  1. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    I ran Safe Mode with Networking, but for some reason couldn't enable any of my network adapters. I'd click on enable and a dialog would say 'Enabling...', then 'Enabled'. But the adapter was still disabled. Hmmm....
  2. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    How sure would you be that a reinstall of C: would fix this issue? I'm assuming that the only thing that would survive would be: a) something on another drive/partition and b) anything in the MBR. If you believe that I'm 99% likely to be OK after a Windows reinstall, I think I'll just do that.

    I've spent so much time on this already that I need to move on with my life!
  3. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    Interesting...
    Without any connection, we can't really test the iexplore issue.
    Try to reinstall the network driver.
    Maybe another restart?
  4. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    If you format the drive, nothing should survive there, even MBR.
  5. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    I'm just going to go with the reinstall. It's been a couple of years since the machine was built, and hopefully I can be more careful this time. Do you have recommendations for antivirus software and/or antimalware software, so I can be sure this doesn't happen again?

    Many thanks.
  6. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    The fact is, there is no perfect security program.
    The very first line of defense is, and always will be, your brain and your computer habits.

    If you ask me about very good protection programs....here you go...
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

    If you want a good two-way firewall...
    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    As for antimalware, nothing is better than Malwarebytes.

    That's all you need.
  7. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Well, I did the reinstall. Felt a heck of a lot less painful after going through all those debugging steps!

    Broni, I want to thank you for your incredible dedication and quick responses to my problems. I really thought we might be able to solve this issue, but I wouldn't have even thought about trying if you hadn't been as responsive and helpful as you were. You rock!
  8. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    You're welcome :)

    "Unsolved mysteries" don't happen to me too often, but....unfortunately, this was the case...grrrrrrrrrrrrrrr
  9. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Agggghhhhh

    So, I appear to have become infected again after a reinstall. MBAM found Rootkit.TDSS.Gen inside C:\Windows\Temp\12.tmp and now I can't go to Windows Update nor even Google for anything with 'windowsupdate' in the title.

    I'm not sure if you want me to open a new thread, but since we never completely ruled out a router infection I suppose it could be related.

    I think I know how it happened, though. I was looking for some drivers and clicked on a web site that proved to be a bit fake looking. Oh, man this sucks.

    MBAM isn't finding anything, even in safe mode. But my system restore points (all 3 of them) have been corrupted.
  10. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    Oh boy.....

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  11. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Here are the DDS and GMER logs, hope they help.

    Attached Files:

     
  12. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    2010/08/24 20:11:38.0609 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
    2010/08/24 20:11:38.0609 ================================================================================
    2010/08/24 20:11:38.0609 SystemInfo:
    2010/08/24 20:11:38.0609
    2010/08/24 20:11:38.0609 OS Version: 5.1.2600 ServicePack: 3.0
    2010/08/24 20:11:38.0609 Product type: Workstation
    2010/08/24 20:11:38.0609 ComputerName: CASTLEROCK
    2010/08/24 20:11:38.0609 UserName: Mike
    2010/08/24 20:11:38.0609 Windows directory: C:\WINDOWS
    2010/08/24 20:11:38.0609 System windows directory: C:\WINDOWS
    2010/08/24 20:11:38.0609 Processor architecture: Intel x86
    2010/08/24 20:11:38.0609 Number of processors: 4
    2010/08/24 20:11:38.0609 Page size: 0x1000
    2010/08/24 20:11:38.0609 Boot type: Normal boot
    2010/08/24 20:11:38.0609 ================================================================================
    2010/08/24 20:11:40.0234 Initialize success
    2010/08/24 20:11:42.0062 ================================================================================
    2010/08/24 20:11:42.0062 Scan started
    2010/08/24 20:11:42.0062 Mode: Manual;
    2010/08/24 20:11:42.0062 ================================================================================
    2010/08/24 20:11:45.0500 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/08/24 20:11:45.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/08/24 20:11:45.0562 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/08/24 20:11:45.0609 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/08/24 20:11:45.0687 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
    2010/08/24 20:11:45.0796 ANIO (2953a157a783bfc06f42f99fefa5eb07) C:\WINDOWS\system32\ANIO.SYS
    2010/08/24 20:11:45.0828 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/08/24 20:11:45.0875 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/08/24 20:11:45.0890 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/08/24 20:11:45.0906 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/08/24 20:11:45.0921 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/08/24 20:11:45.0984 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2010/08/24 20:11:46.0000 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2010/08/24 20:11:46.0015 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2010/08/24 20:11:46.0046 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/08/24 20:11:46.0078 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/08/24 20:11:46.0093 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/08/24 20:11:46.0109 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/08/24 20:11:46.0125 Cdrom (9839006fc3112cc531ede542e67c55a5) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/08/24 20:11:46.0125 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 9839006fc3112cc531ede542e67c55a5, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
    2010/08/24 20:11:46.0125 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/08/24 20:11:46.0187 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/08/24 20:11:46.0218 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/08/24 20:11:46.0250 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/08/24 20:11:46.0281 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/08/24 20:11:46.0312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/08/24 20:11:46.0343 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/08/24 20:11:46.0359 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/08/24 20:11:46.0375 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/08/24 20:11:46.0390 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/08/24 20:11:46.0406 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/08/24 20:11:46.0406 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/08/24 20:11:46.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/08/24 20:11:46.0437 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/08/24 20:11:46.0468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/08/24 20:11:46.0484 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/08/24 20:11:46.0515 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/08/24 20:11:46.0562 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/08/24 20:11:46.0609 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    2010/08/24 20:11:46.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/08/24 20:11:46.0750 IntcAzAudAddService (a109fe3ca1ee4e92292b349de1b32f7b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/08/24 20:11:46.0812 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/08/24 20:11:46.0875 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/08/24 20:11:46.0890 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/08/24 20:11:46.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/08/24 20:11:46.0921 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/08/24 20:11:46.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/08/24 20:11:46.0968 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/08/24 20:11:46.0984 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/08/24 20:11:47.0000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/08/24 20:11:47.0015 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/08/24 20:11:47.0031 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/08/24 20:11:47.0078 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/08/24 20:11:47.0109 LBeepKE (ca63fe81705ad660e482bef210bf2c73) C:\WINDOWS\system32\Drivers\LBeepKE.sys
    2010/08/24 20:11:47.0125 LHidFilt (b68309f25c5787385da842eb5b496958) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
    2010/08/24 20:11:47.0156 LMouFilt (63d3b1d3cd267fcc186a0146b80d453b) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
    2010/08/24 20:11:47.0171 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/08/24 20:11:47.0187 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/08/24 20:11:47.0234 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
    2010/08/24 20:11:47.0296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/08/24 20:11:47.0312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/08/24 20:11:47.0328 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/08/24 20:11:47.0343 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/08/24 20:11:47.0390 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/08/24 20:11:47.0437 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/08/24 20:11:47.0453 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/08/24 20:11:47.0468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/08/24 20:11:47.0484 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/08/24 20:11:47.0515 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/08/24 20:11:47.0531 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/08/24 20:11:47.0546 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/08/24 20:11:47.0578 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/08/24 20:11:47.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/08/24 20:11:47.0609 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/08/24 20:11:47.0625 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/08/24 20:11:47.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/08/24 20:11:47.0656 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/08/24 20:11:47.0703 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/08/24 20:11:47.0718 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/08/24 20:11:47.0750 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/08/24 20:11:47.0781 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/08/24 20:11:47.0984 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/08/24 20:11:48.0203 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/08/24 20:11:48.0218 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/08/24 20:11:48.0234 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/08/24 20:11:48.0250 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/08/24 20:11:48.0265 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/08/24 20:11:48.0281 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/08/24 20:11:48.0296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/08/24 20:11:48.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/08/24 20:11:48.0343 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/08/24 20:11:48.0421 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/08/24 20:11:48.0437 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/08/24 20:11:48.0453 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/08/24 20:11:48.0515 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/08/24 20:11:48.0531 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/08/24 20:11:48.0546 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/08/24 20:11:48.0546 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/08/24 20:11:48.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/08/24 20:11:48.0593 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/08/24 20:11:48.0609 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/08/24 20:11:48.0656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/08/24 20:11:48.0671 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/08/24 20:11:48.0734 rt2870 (a6886caf9d03dade7144171e471eca6f) C:\WINDOWS\system32\DRIVERS\rt2870.sys
    2010/08/24 20:11:48.0750 RTLE8023xp (6ebfbbf24fed8285928b825a46618f8a) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2010/08/24 20:11:48.0781 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/08/24 20:11:48.0796 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/08/24 20:11:48.0796 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/08/24 20:11:48.0828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/08/24 20:11:48.0875 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/08/24 20:11:48.0890 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/08/24 20:11:48.0921 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/08/24 20:11:48.0968 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/08/24 20:11:48.0984 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/08/24 20:11:49.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/08/24 20:11:49.0062 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/08/24 20:11:49.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/08/24 20:11:49.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/08/24 20:11:49.0156 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/08/24 20:11:49.0171 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/08/24 20:11:49.0218 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/08/24 20:11:49.0250 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/08/24 20:11:49.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/08/24 20:11:49.0312 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/08/24 20:11:49.0328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/08/24 20:11:49.0343 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/08/24 20:11:49.0359 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/08/24 20:11:49.0375 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/08/24 20:11:49.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/08/24 20:11:49.0437 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2010/08/24 20:11:49.0468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/08/24 20:11:49.0531 ================================================================================
    2010/08/24 20:11:49.0531 Scan finished
    2010/08/24 20:11:49.0531 ================================================================================
    2010/08/24 20:11:49.0546 Detected object count: 1
    2010/08/24 20:11:54.0578 Cdrom (9839006fc3112cc531ede542e67c55a5) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/08/24 20:11:54.0578 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 9839006fc3112cc531ede542e67c55a5, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
    2010/08/24 20:11:54.0812 Backup copy found, using it..
    2010/08/24 20:11:54.0828 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot
    2010/08/24 20:11:54.0828 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
    2010/08/24 20:11:59.0562 Deinitialize success



    I let it do a 'cure' and after reboot can now visit windowsupdate...
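The two TDSSKiller lines worth reading in that log are the "Suspicious file (Forged)" entry and the "detected" line that follows it: the hash TDSSKiller computed for cdrom.sys ("Real md5") is not the hash the system presents for the same file ("Fake md5"), so something between the file system and the disk is rewriting reads of that driver, which is exactly what a TDSS-class rootkit hook does. The following Python is an added example, not part of the thread and not Kaspersky's code; it parses a TDSSKiller-format log into structured findings so that an analyst can triage many such logs without reading them by eye. The line layout is assumed from the log posted above, and the embedded sample is a constructed excerpt of that log.

```python
"""Pull the findings out of a TDSSKiller scan log.

The interesting lines are the ones where the hash TDSSKiller computed for a
driver ("Real md5") differs from the hash the system presented for the same
file ("Fake md5"): the normal read path is returning different bytes from
what is actually stored, which is what a disk-level rootkit hook looks like.
Line formats below are assumed from one posted log, not from a Kaspersky spec.
"""
import re
from dataclasses import dataclass

# "YYYY/MM/DD HH:MM:SS.mmmm <message>": every line in the log carries this prefix
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+(?P<msg>.+)$")
# Ordinary enumeration line: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>[A-Za-z]:\\.+)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<name>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<name>[^()]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    service: str
    path: str
    real_md5: str = ""    # hash TDSSKiller computed itself
    fake_md5: str = ""    # hash the system's normal read path presents
    detection: str = ""   # e.g. Rootkit.Win32.TDSS.tdl3
    action: str = ""      # Cure / Skip / Delete as chosen by the user

    @property
    def hash_mismatch(self):
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller_log(text):
    """Return drivers seen, findings, and the tool's own detected-object count."""
    drivers = {}       # service -> (md5, path)
    path_to_svc = {}
    findings = {}      # path -> Finding
    detected_count = None

    def finding_for(svc=None, path=None):
        if path is None:
            path = drivers[svc][1]
        if svc is None:
            svc = path_to_svc.get(path, "")
        return findings.setdefault(path, Finding(service=svc, path=path))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if d := DRIVER_RE.match(msg):
            drivers[d["svc"]] = (d["md5"], d["path"])
            path_to_svc[d["path"]] = d["svc"]
        elif f := FORGED_RE.match(msg):
            fd = finding_for(path=f["path"])
            fd.real_md5, fd.fake_md5 = f["real"], f["fake"]
        elif (dt := DETECT_RE.match(msg)) and dt["svc"] in drivers:
            finding_for(svc=dt["svc"]).detection = dt["name"]
        elif (a := ACTION_RE.match(msg)) and a["svc"] in drivers:
            finding_for(svc=a["svc"]).action = a["action"]
        elif c := COUNT_RE.match(msg):
            detected_count = int(c["n"])
    return {"drivers": drivers, "findings": list(findings.values()),
            "detected_count": detected_count}


def report(result):
    """One line per finding, plus a warning if the parser and the tool disagree."""
    lines = []
    for f in result["findings"]:
        flag = "HASH MISMATCH" if f.hash_mismatch else "flagged"
        lines.append(f"{flag}: {f.path} [{f.service}] real={f.real_md5 or '?'} "
                     f"fake={f.fake_md5 or '?'} detection={f.detection or '-'} "
                     f"action={f.action or '-'}")
    n = result["detected_count"]
    if n is not None and n != len(result["findings"]):
        lines.append(f"note: tool reported {n} objects, parser found {len(result['findings'])}")
    return lines


# Constructed excerpt of the log posted in the thread (most driver lines dropped).
SAMPLE_LOG = r"""
2010/08/24 20:11:38.0609 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/24 20:11:42.0062 Scan started
2010/08/24 20:11:46.0109 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/24 20:11:46.0125 Cdrom (9839006fc3112cc531ede542e67c55a5) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/24 20:11:46.0125 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 9839006fc3112cc531ede542e67c55a5, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
2010/08/24 20:11:46.0125 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/24 20:11:46.0187 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/24 20:11:49.0531 Scan finished
2010/08/24 20:11:49.0546 Detected object count: 1
2010/08/24 20:11:54.0812 Backup copy found, using it..
2010/08/24 20:11:54.0828 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
"""

if __name__ == "__main__":
    print("\n".join(report(parse_tdsskiller_log(SAMPLE_LOG))))
```

The parser keys findings on the file path rather than the service name because the forged-file line names only the path while the detection and action lines name only the service, and the enumeration line is what ties the two together. The mismatch check is deliberately direction-agnostic: which of the two hashes is the clean driver does not matter for triage, the fact that the same file hashes two ways does.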
  13. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    Yeah, the infected file has been cured.

    No zipping of logs, please.

    Update MBAM, re-run it. Post the log.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  14. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Sorry about the zip file - the txt file wasn't uploading, the page would not load. Perhaps it was being redirected? Will get those logs shortly...thx.
  15. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    No problem :)
  16. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4473

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/24/2010 8:36:48 PM
    mbam-log-2010-08-24 (20-36-48).txt

    Scan type: Quick scan
    Objects scanned: 129650
    Time elapsed: 1 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  17. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x020107bc

    Kernel Drivers (total 120):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB80A8000 klmdb.sys
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80B8000 isapnp.sys
    0xB80C8000 ohci1394.sys
    0xB80D8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB80E8000 MountMgr.sys
    0xB7F49000 ftdisk.sys
    0xB85AC000 dmload.sys
    0xB7F23000 dmio.sys
    0xB8330000 PartMgr.sys
    0xB80F8000 VolSnap.sys
    0xB7F0B000 atapi.sys
    0xB8108000 disk.sys
    0xB8118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB7EEB000 fltMgr.sys
    0xB7ED9000 sr.sys
    0xB7EC2000 KSecDD.sys
    0xB7E35000 Ntfs.sys
    0xB7E08000 NDIS.sys
    0xB7DEE000 Mup.sys
    0xB81C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB6F16000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB6F02000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB83C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB6EDE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB83C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB6EB6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB81D8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB8564000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB6EA2000 \SystemRoot\system32\DRIVERS\parport.sys
    0xB81E8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB8208000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB8218000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB6E7F000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB86F2000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB8228000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB856C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB6E68000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB8238000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB8248000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB83D0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB6E40000 \SystemRoot\system32\DRIVERS\psched.sys
    0xB8258000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB83D8000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB83E0000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB6C90000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xB8268000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB83E8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB83F0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB85BC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB6C32000 \SystemRoot\system32\DRIVERS\update.sys
    0xB8588000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB8278000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB85BE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB8288000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB4431000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB440D000 \SystemRoot\system32\drivers\portcls.sys
    0xB82A8000 \SystemRoot\system32\drivers\drmk.sys
    0xB85D8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB8736000 \SystemRoot\System32\Drivers\Null.SYS
    0xB85DA000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB8408000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB8410000 \SystemRoot\System32\drivers\vga.sys
    0xB85DC000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB85DE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8418000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8420000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB6B76000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB438A000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB4331000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB4309000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB42E3000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB82D8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB42C1000 \SystemRoot\System32\drivers\afd.sys
    0xB82E8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB8428000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB4296000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB4226000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB82F8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB4204000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xB85E2000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xB8430000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB412D000 \SystemRoot\system32\DRIVERS\rt2870.sys
    0xB4405000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xB8318000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xB8450000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
    0xB8148000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB40BC000 \SystemRoot\System32\Drivers\wdf01000.sys
    0xB43ED000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB43E9000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB8458000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
    0xB8158000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB40A4000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xB85E6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB6B86000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB8468000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB8704000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xB3D4F000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB3D3B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB3A2A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB864A000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB84A8000 \??\C:\WINDOWS\system32\ANIO.SYS
    0xB87C0000 \SystemRoot\System32\Drivers\LBeepKE.sys
    0xB38BB000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB355E000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB381B000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB2769000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB25B4000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 34):
    0 System Idle Process
    4 System
    464 C:\WINDOWS\system32\smss.exe
    684 csrss.exe
    708 C:\WINDOWS\system32\winlogon.exe
    752 C:\WINDOWS\system32\services.exe
    764 C:\WINDOWS\system32\lsass.exe
    968 C:\WINDOWS\system32\nvsvc32.exe
    992 C:\WINDOWS\system32\svchost.exe
    1076 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1208 svchost.exe
    1260 svchost.exe
    1516 C:\WINDOWS\system32\spoolsv.exe
    1560 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1600 svchost.exe
    1664 C:\WINDOWS\system32\ANIWConnService.exe
    1696 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1716 C:\Program Files\Bonjour\mDNSResponder.exe
    1964 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1436 alg.exe
    1176 C:\WINDOWS\explorer.exe
    168 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    172 C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
    2016 C:\WINDOWS\system32\rundll32.exe
    2060 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2072 C:\Program Files\Logitech\SetPointP\SetPoint.exe
    2084 C:\WINDOWS\RTHDCPL.EXE
    2136 C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
    2184 C:\WINDOWS\system32\ctfmon.exe
    2660 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
    2248 C:\WINDOWS\system32\svchost.exe
    3412 C:\Program Files\Mozilla Firefox\firefox.exe
    1284 C:\Documents and Settings\Mike\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive2 at offset 0x0000003d`093bfc00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\H: --> \\.\PhysicalDrive0 at offset 0x0000001e`84dcfe00 (NTFS)
    \\.\I: --> \\.\PhysicalDrive0 at offset 0x00000043`2432e400 (NTFS)
    \\.\J: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\K: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
    \\.\Q: --> \\.\PhysicalDrive0 at offset 0x0000005b`8e958000 (NTFS)

    PhysicalDrive2 Model Number: WDCWD5000AAKS-00A7B0, Rev: 01.03B01
    PhysicalDrive0 Model Number: WDCWD5000AAKS-00A7B0, Rev: 01.03B01
    PhysicalDrive1 Model Number: SAMSUNGSP1213C, Rev: SV100-30
    PhysicalDrive3 Model Number: ST3250823AS, Rev: 3.03

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: 2B90DDCC668E70D6A429D4E56313F2A2532D922A
    111 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: 2B90DDCC668E70D6A429D4E56313F2A2532D922A
    232 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    SHA1: 2B90DDCC668E70D6A429D4E56313F2A2532D922A


    Done!
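MBRCheck's output above gives, for each physical drive, the byte offset of every partition and a SHA1 of the MBR code. As an added example (not part of the thread and not MBRCheck's own code), the following Python builds constructed MBR sectors, parses them the way such a tool has to (partition table, 0x55AA signature, boot-code hash) and compares the boot code across several drives. It hashes the 440-byte boot-code area so that partition-table and disk-signature differences do not perturb the hash; the thread does not say exactly which bytes MBRCheck hashes, so the values here will not match the ones above. The boot-code stubs and the partition layout are constructed; the first partition starting at LBA 63 reproduces the 0x7e00 offset shown in the output.

```python
"""Parse a 512-byte MBR, hash its boot-code area, and compare several
disks' boot code the way an MBRCheck-style tool does.

Everything below is constructed for demonstration: the boot-code stubs are
not real Windows boot code and the partition layout is invented.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: executable boot code
DISK_SIG_OFF = 440           # 4-byte NT disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def partition_entry(status, ptype, lba_start, sectors):
    """One partition-table entry; CHS fields are zeroed, loaders key on the LBA fields."""
    return struct.pack(PART_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code, entries, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR sector: boot code, disk signature, table, 0x55AA."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x90")[:BOOT_CODE_LEN]   # pad with NOPs
    table = b"".join(entries).ljust(64, b"\0")
    sector = boot + struct.pack("<I", disk_signature) + b"\0\0" + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector):
    """Decode a raw MBR sector into signature check, disk signature, boot-code hash, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "byte_offset": lba * SECTOR_SIZE})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def group_by_boot_code(mbrs):
    """Map boot-code SHA1 -> sorted drive names carrying that code."""
    groups = {}
    for name, sector in mbrs.items():
        groups.setdefault(parse_mbr(sector)["boot_code_sha1"], []).append(name)
    return {h: sorted(v) for h, v in groups.items()}


def outliers(mbrs):
    """Drives whose boot code is not the most common one in the set."""
    groups = group_by_boot_code(mbrs)
    if len(groups) <= 1:
        return []
    biggest = max(groups.values(), key=len)
    return sorted(n for v in groups.values() if v is not biggest for n in v)


# Constructed x86 stubs standing in for two different MBR loaders.
STUB_A = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
STUB_B = bytes.fromhex("fa33c08ed0bc007cfb")
NTFS = 0x07
TOTAL_SECTORS = 976773168     # a 500 GB (465 GiB) disk at 512-byte sectors
SECOND_LBA = 0x1E849DFE       # 0x3D093BFC00 / 512, the E: offset in the posted output

SYSTEM_DISK = build_mbr(STUB_A, [
    partition_entry(0x80, NTFS, 63, SECOND_LBA - 63),
    partition_entry(0x00, NTFS, SECOND_LBA, TOTAL_SECTORS - SECOND_LBA),
])
DATA_DISK = build_mbr(STUB_B, [partition_entry(0x00, NTFS, 63, TOTAL_SECTORS - 63)])
SAMPLE_DRIVES = {"PhysicalDrive0": DATA_DISK, "PhysicalDrive1": DATA_DISK,
                 "PhysicalDrive2": SYSTEM_DISK, "PhysicalDrive3": DATA_DISK}

if __name__ == "__main__":
    for name, sector in SAMPLE_DRIVES.items():
        info = parse_mbr(sector)
        print(name, info["boot_code_sha1"], [hex(p["byte_offset"]) for p in info["partitions"]])
    print("outliers:", outliers(SAMPLE_DRIVES))
```

An outlier hash is a prompt to look, not a verdict: in the output above the system disk (PhysicalDrive2) carries a different MBR from the three data disks, and Broni still called the result clean, which is what you would expect after a fresh install on one drive. The check that actually settles it is a comparison against a known-good hash for that Windows version, or reading the sector from a clean boot medium and comparing it with what the running system returns, since a rootkit that hooks disk reads can make the latter lie.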
  18. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    ComboFix log.

    Attached Files:

  19. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    All looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    For good measure, run TFC and Kaspersky online scan and you should be good to go :)
  20. DoktrMik

    DoktrMik TS Rookie Topic Starter Posts: 68

    Awesome, looks like I'm OK. Let's hope this was just me being stupid rather than evidence of a lingering infection. Once again, thank you!! :D
  21. Broni

    Broni Malware Annihilator Posts: 46,736   +254

    You're welcome again :)