TechSpot

Still another browser redirect infection, winupdate and webroot toast

By sascec
Jan 4, 2011
  1. I was trying to download a photo utility the day after Christmas and downloaded an unwanted payload that infected my computer. Symptoms include erratic browser redirects, failure to lauch winupdate, webroot cannot complete a Spysweeper scan.

    History of erradication: Downloaded AVG and it found a few problems and two Trojans. Still had the browser problem. Downloaded Malware product and it found a few infections. Still had the browser problem, Downloaded Spybot SD and it found a few more Trojans and infections (Java related). Still had the browser problem. Upgraded to SP3 on XP and upgraded to IE8. Still had the browser problem but now Webroot was blocking websites again. I would see a screen flicker up when I cut on networking on the system but then Webroot would start blocking the redirects. I uninstalled Webroot and reloaded it with an older version and it works better now, just isn't the new version. Webroot continues to block website, often at a very aggravating rate.

    So I still have some infection. Here are the requisite dumps. the Malware MBAM scan came back clean but I left it at home. I can attach it tonight. Here are the others. BTW, the GMER scan says the webroot file is bad so I killed that process and re-ran it; the 2nd scan came back clean, with a possible rootkit trace on drive. I ran these with the network disabled to quarantine myself off the net. Notice the possible rootkit infection mentioned in the logs. I was able to disable Webroot from running but not AVG (could not kill the processes in GMER). Let me know the next step, thanks for looking at this. I got several infections over the last five years and I usually reload the OS which is a pain. I appreciate the time spent helping others on this forum.

    GMER SCAN #1
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-03 21:29:10
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST96812AS rev.8.03
    Running: cog1irf6.exe; Driver: C:\DOCUME~1\SASCEC~2.CHU\LOCALS~1\Temp\uwriqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86F4B990 ZwAllocateVirtualMemory
    SSDT 86F670A8 ZwCreateKey
    SSDT 86F4BEB8 ZwCreateProcess
    SSDT 86F4BE40 ZwCreateProcessEx
    SSDT 86F4BC60 ZwCreateThread
    SSDT 86F8A238 ZwDeleteKey
    SSDT 86F4BF30 ZwDeleteValueKey
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA9F2A6C0]
    SSDT 86F4BA08 ZwQueueApcThread
    SSDT 86F89020 ZwReadVirtualMemory
    SSDT 86F8A1C0 ZwRenameKey
    SSDT 86F4BAF8 ZwSetContextThread
    SSDT 86F8A148 ZwSetInformationKey
    SSDT 86F4BD50 ZwSetInformationProcess
    SSDT 86F4BB70 ZwSetInformationThread
    SSDT 86F4BFA8 ZwSetValueKey
    SSDT 86F4BCD8 ZwSuspendProcess
    SSDT 86F4BA80 ZwSuspendThread
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA9F2A770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA9F2A810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA9F2A8B0]

    Code B462B339 KeFindConfigurationNextEntry

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
    .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D7000C
    .text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FA000A
    .text C:\WINDOWS\System32\svchost.exe[1272] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A
    .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
    .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \Driver\Tcpip \Device\Ip 86BC7E90
    Device \Driver\Tcpip \Device\Ip 856D92F8
    Device \Driver\Tcpip \Device\Ip 86C08A38
    Device \Driver\Tcpip \Device\Ip 86F6E188

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

    Device \Driver\Tcpip \Device\Tcp 86BC7E90
    Device \Driver\Tcpip \Device\Tcp 856D92F8
    Device \Driver\Tcpip \Device\Tcp 86C08A38
    Device \Driver\Tcpip \Device\Tcp 86F6E188

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Udp 86BC7E90
    Device \Driver\Tcpip \Device\Udp 856D92F8
    Device \Driver\Tcpip \Device\Udp 86C08A38
    Device \Driver\Tcpip \Device\Udp 86F6E188

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\RawIp 86BC7E90
    Device \Driver\Tcpip \Device\RawIp 856D92F8
    Device \Driver\Tcpip \Device\RawIp 86C08A38
    Device \Driver\Tcpip \Device\RawIp 86F6E188

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\IPMULTICAST 86BC7E90
    Device \Driver\Tcpip \Device\IPMULTICAST 856D92F8
    Device \Driver\Tcpip \Device\IPMULTICAST 86C08A38
    Device \Driver\Tcpip \Device\IPMULTICAST 86F6E188

    AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (*** hidden *** ) 1872

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

    =================================================================
    Just for grins I ran the MBR.exe and here is the dump:
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86F0539B
    user & kernel MBR OK
    ==============================================================
    ----------------------------------------------------------------------------------------------------
    DDS (Ver_10-12-12.02) - NTFSx86
    Run by sascec at 21:57:37.26 on Mon 01/03/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -5:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Webroot AntiVirus with AntiSpyware *Disabled/Updated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
    FW: Webroot Internet Security Essentials *Disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    G:\cog1irf6.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    G:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
    uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
    StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sascec~2.chu\applic~1\mozilla\firefox\profiles\mo3wkrtg.default\
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: d:\program files\videolan\vlc\npvlc.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
    R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2010-1-13 4064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
    S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-1-2 1086840]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-12-29 11520]

    =============== Created Last 30 ================

    2011-01-04 00:33:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-04 00:32:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-04 00:32:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-03 01:09:57 1553272 ----a-w- c:\windows\WRSetup.dll
    2011-01-03 01:09:57 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Webroot
    2011-01-03 01:09:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Webroot
    2010-12-31 14:37:10 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\WD_SmartWareCommon
    2010-12-30 15:35:46 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Malwarebytes
    2010-12-30 15:29:50 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
    2010-12-30 15:09:14 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IECompatCache
    2010-12-30 15:06:17 -------- d-sh--w- c:\documents and settings\sascec.chucklap\PrivacIE
    2010-12-30 15:02:09 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IETldCache
    2010-12-30 14:49:28 -------- dc-h--w- c:\windows\ie8
    2010-12-30 03:13:13 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2010-12-30 03:13:13 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
    2010-12-30 03:11:59 9216 ------w- c:\windows\system32\dot3dlg.dll
    2010-12-30 03:10:58 32866 ------w- c:\windows\slrundll.exe
    2010-12-30 03:10:51 -------- d-----w- c:\windows\system32\scripting
    2010-12-30 03:10:49 -------- d-----w- c:\windows\l2schemas
    2010-12-30 03:10:43 -------- d-----w- c:\windows\system32\en
    2010-12-30 03:10:42 -------- d-----w- c:\windows\system32\bits
    2010-12-30 02:52:10 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
    2010-12-30 02:42:59 18944 ------w- c:\windows\system32\drivers\bthusb.sys
    2010-12-29 20:02:15 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western_Digital
    2010-12-29 20:00:52 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Western Digital
    2010-12-29 20:00:39 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Western Digital
    2010-12-29 19:59:58 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
    2010-12-29 19:58:42 -------- d-----w- c:\program files\Western Digital
    2010-12-29 00:49:25 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western Digital
    2010-12-29 00:33:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-29 00:33:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Spybot - Search & Destroy
    2010-12-28 20:08:09 -------- d--h--w- C:\$AVG
    2010-12-28 19:47:15 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\AVG10
    2010-12-28 19:45:52 -------- d--h--w- c:\docume~1\alluse~2.win\applic~1\Common Files
    2010-12-28 19:43:49 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-28 19:43:49 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\AVG10
    2010-12-28 19:43:13 -------- d-----w- c:\program files\AVG
    2010-12-28 19:21:19 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\MFAData
    2010-12-08 09:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F05555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f0b7b0]; MOV EAX, [0x86f0b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F81AB8]
    3 CLASSPNP[0xF757DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86ECE680]
    \Driver\atapi[0x86F41B18] -> IRP_MJ_CREATE -> 0x86F05555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86F0539B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 22:00:12.75 ===============
    ===============================================================


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/21/2009 8:31:48 PM
    System Uptime: 1/3/2011 8:22:31 PM (2 hours ago)

    Motherboard: Dell Inc. | | 0KD882
    Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 39 GiB total, 7.859 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 2.555 GiB free.
    F: is CDROM ()
    G: is FIXED (FAT) - 0 GiB total, 0.051 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/Wireless 3945ABG Network Connection
    Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
    Manufacturer: Intel Corporation
    Name: Intel(R) PRO/Wireless 3945ABG Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
    Service: NETw4x32

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
    Service:

    ==== System Restore Points ===================

    RP1: 1/2/2011 7:27:49 PM - System Checkpoint

    ==== Installed Programs ======================

    ACD PhotoStitcher
    ACDSee 3.1 (SR-1)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Type Manager 4.0
    Apple Software Update
    AVG 2011
    Broadcom 440x 10/100 Integrated Controller
    Dell ResourceCD
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Java(TM) 6 Update 16
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Juniper Terminal Services Client
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Silverlight
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    MSXML 6 Service Pack 2 (KB973686)
    PCFriendly
    PHOTOfunSTUDIO 4.0 HD Edition
    Picasa 3
    PowerDVD
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio MyDVD DE
    Roxio Update Manager
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB982381)
    SigmaTel Audio
    SILKYPIX Developer Studio 3.0 SE
    Sonic Activation Module
    Spy Sweeper
    Spy Sweeper Core
    Spybot - Search & Destroy
    TomTom HOME 2.7.4.1962
    TomTom HOME Visual Studio Merge Modules
    Try Corel Snapfire muvee autoProducer add on
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VLC media player 1.1.4
    WD SmartWare
    WebFldrs XP
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    12/31/2010 9:31:32 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
    12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Cryptographic Services service, but this action failed with the following error: An instance of the service is already running.
    12/30/2010 7:36:15 AM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
    12/29/2010 8:06:05 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
    12/29/2010 8:06:00 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
    12/29/2010 8:04:39 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/29/2010 7:40:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
    12/29/2010 3:57:59 PM, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
    12/29/2010 2:49:32 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    12/29/2010 2:47:16 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    12/28/2010 9:59:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/28/2010 9:51:47 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/28/2010 8:40:17 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 2 time(s).
    12/28/2010 7:50:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    12/28/2010 7:09:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    12/28/2010 6:41:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr Avgldx86 Avgmfx86 Fips intelppm OMCI
    12/28/2010 6:40:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/28/2010 5:35:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/28/2010 5:35:00 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/28/2010 2:43:42 PM, information: Windows File Protection [64004] - The protected system file dbghelp.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000490 [Element not found. ].
    12/28/2010 12:34:09 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    12/28/2010 11:58:33 AM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    12/28/2010 11:27:54 AM, error: ATMhelpr [43] -
    12/28/2010 1:58:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
    12/28/2010 1:58:38 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/28/2010 1:52:39 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    12/28/2010 1:52:26 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/28/2010 1:51:55 PM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
    12/28/2010 1:51:47 PM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
    12/28/2010 1:28:03 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    12/27/2010 8:50:44 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'admparse.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    12/27/2010 3:42:02 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
    1/3/2011 9:32:00 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/3/2011 9:13:47 PM, error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
    1/3/2011 9:13:41 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    1/3/2011 7:24:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume6'. It has stopped monitoring the volume.
    1/3/2011 5:29:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/1/2011 9:38:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip
    1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================
     
  2. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.

    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


    ====

    Please also post the MBAM log.
     
  3. sascec

    sascec TS Rookie Topic Starter

    MBAM and TDSS logs

    MBAM log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5450

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/3/2011 8:05:02 PM
    mbam-log-2011-01-03 (20-05-02).txt

    Scan type: Quick scan
    Objects scanned: 288145
    Time elapsed: 25 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    TDSS log:

    2011/01/04 17:23:35.0531 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2011/01/04 17:23:35.0531 ================================================================================
    2011/01/04 17:23:35.0531 SystemInfo:
    2011/01/04 17:23:35.0531
    2011/01/04 17:23:35.0531 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/04 17:23:35.0531 Product type: Workstation
    2011/01/04 17:23:35.0531 ComputerName: CHUCKLAP
    2011/01/04 17:23:35.0531 UserName: sascec
    2011/01/04 17:23:35.0531 Windows directory: C:\WINDOWS
    2011/01/04 17:23:35.0531 System windows directory: C:\WINDOWS
    2011/01/04 17:23:35.0531 Processor architecture: Intel x86
    2011/01/04 17:23:35.0531 Number of processors: 2
    2011/01/04 17:23:35.0531 Page size: 0x1000
    2011/01/04 17:23:35.0531 Boot type: Normal boot
    2011/01/04 17:23:35.0531 ================================================================================
    2011/01/04 17:23:37.0015 Initialize success
    2011/01/04 17:23:44.0671 ================================================================================
    2011/01/04 17:23:44.0671 Scan started
    2011/01/04 17:23:44.0671 Mode: Manual;
    2011/01/04 17:23:44.0671 ================================================================================
    2011/01/04 17:24:01.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/04 17:24:03.0265 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/04 17:24:07.0484 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/04 17:24:11.0562 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/04 17:24:26.0937 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/04 17:24:34.0375 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/04 17:24:36.0531 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/04 17:24:39.0093 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/04 17:24:41.0062 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
    2011/01/04 17:24:43.0234 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/04 17:24:44.0968 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    2011/01/04 17:24:46.0937 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    2011/01/04 17:24:48.0859 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    2011/01/04 17:24:50.0375 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    2011/01/04 17:24:52.0828 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2011/01/04 17:24:55.0406 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2011/01/04 17:24:58.0671 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    2011/01/04 17:25:01.0750 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    2011/01/04 17:25:06.0281 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/04 17:25:10.0171 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/04 17:25:18.0437 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/04 17:25:23.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/04 17:25:27.0500 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
    2011/01/04 17:25:31.0703 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/04 17:25:35.0843 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
    2011/01/04 17:25:39.0281 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/01/04 17:25:42.0671 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/01/04 17:25:45.0937 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/04 17:25:46.0453 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
    2011/01/04 17:25:46.0984 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
    2011/01/04 17:25:47.0453 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    2011/01/04 17:25:48.0046 DLADResM (c950c2e7b9ed1a4fc4a2ac7ec044f1d6) C:\WINDOWS\system32\DLA\DLADResM.SYS
    2011/01/04 17:25:49.0156 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
    2011/01/04 17:25:49.0750 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
    2011/01/04 17:25:50.0515 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
    2011/01/04 17:25:51.0218 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
    2011/01/04 17:25:52.0953 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
    2011/01/04 17:25:54.0718 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
    2011/01/04 17:25:56.0484 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/04 17:25:58.0062 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/04 17:25:59.0906 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/04 17:26:01.0921 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/04 17:26:03.0984 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/04 17:26:07.0046 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    2011/01/04 17:26:08.0859 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    2011/01/04 17:26:11.0343 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/04 17:26:13.0781 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/04 17:26:15.0562 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/04 17:26:18.0109 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/04 17:26:19.0640 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/04 17:26:22.0453 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/04 17:26:35.0421 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/04 17:26:39.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/04 17:26:42.0218 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/04 17:26:48.0328 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/04 17:26:54.0203 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/04 17:26:57.0359 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2011/01/04 17:26:58.0687 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/04 17:27:02.0515 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/04 17:27:03.0859 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/04 17:27:04.0984 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/04 17:27:06.0234 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/04 17:27:07.0562 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/04 17:27:08.0953 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/04 17:27:10.0125 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/04 17:27:11.0078 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/04 17:27:11.0859 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/04 17:27:12.0859 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/04 17:27:13.0718 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/04 17:27:15.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/04 17:27:15.0718 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/04 17:27:16.0562 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/04 17:27:17.0359 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/04 17:27:18.0656 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/04 17:27:19.0484 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/04 17:27:20.0218 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/04 17:27:20.0687 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/04 17:27:21.0343 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/04 17:27:21.0875 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/04 17:27:22.0421 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/04 17:27:23.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/04 17:27:23.0953 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/04 17:27:24.0375 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/04 17:27:25.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/04 17:27:25.0828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/04 17:27:26.0406 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/04 17:27:27.0109 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/04 17:27:28.0062 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/04 17:27:29.0640 NETw4x32 (88100ebdd10309fbd445ef8e42452eae) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
    2011/01/04 17:27:30.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/04 17:27:31.0234 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/04 17:27:31.0796 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/04 17:27:32.0890 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/04 17:27:33.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/04 17:27:34.0015 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/04 17:27:34.0343 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/04 17:27:34.0687 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    2011/01/04 17:27:35.0046 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/01/04 17:27:35.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/04 17:27:36.0375 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/04 17:27:36.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/04 17:27:37.0281 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/04 17:27:37.0562 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/04 17:27:42.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/04 17:27:42.0625 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/04 17:27:43.0968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/04 17:27:46.0015 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/04 17:27:50.0484 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/04 17:27:50.0953 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/04 17:27:51.0390 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/04 17:27:52.0046 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/04 17:27:52.0687 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/04 17:27:53.0359 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/04 17:27:54.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/04 17:27:54.0640 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/04 17:27:54.0984 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/01/04 17:27:55.0359 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/04 17:27:56.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/01/04 17:27:56.0546 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
    2011/01/04 17:27:57.0703 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
    2011/01/04 17:27:58.0265 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2011/01/04 17:28:00.0093 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/04 17:28:00.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/04 17:28:01.0343 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/04 17:28:01.0859 ssfs0bbc (1097fe3528c825e54c1d52ed8c0eac0f) C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys
    2011/01/04 17:28:02.0187 sshrmd (e97911c0ac7d26d1a2a782869f264e9e) C:\WINDOWS\system32\DRIVERS\sshrmd.sys
    2011/01/04 17:28:02.0640 ssidrv (80997508996f9d2a662502238fbcb1d7) C:\WINDOWS\system32\DRIVERS\ssidrv.sys
    2011/01/04 17:28:03.0578 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
    2011/01/04 17:28:04.0328 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/04 17:28:05.0000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/04 17:28:07.0171 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/04 17:28:07.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/04 17:28:08.0453 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/04 17:28:09.0671 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/04 17:28:10.0125 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/04 17:28:11.0515 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/04 17:28:12.0218 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/04 17:28:12.0906 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/04 17:28:13.0250 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/04 17:28:14.0234 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/04 17:28:15.0093 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/04 17:28:15.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/04 17:28:16.0093 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/04 17:28:17.0937 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/04 17:28:18.0531 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/04 17:28:18.0812 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
    2011/01/04 17:28:19.0453 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/04 17:28:19.0718 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/01/04 17:28:19.0765 ================================================================================
    2011/01/04 17:28:19.0765 Scan finished
    2011/01/04 17:28:19.0765 ================================================================================
    2011/01/04 17:28:19.0781 Detected object count: 1
    2011/01/04 17:32:21.0109 \HardDisk0 - will be cured after reboot
    2011/01/04 17:32:21.0109 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/01/04 17:32:26.0750 Deinitialize success
     
  4. crunchie

    crunchie Malware Helper Posts: 728

    How are things after running TDDSKiller and rebooting?
     
  5. sascec

    sascec TS Rookie Topic Starter

    everything coming up roses

    Everything looks good thus far. I have re-enabled the network, connected to MS and then downloaded the 39 pending updates. I will be updating Webroot again and run a full scan but things look great.

    Since my three infections over the last three years seem to involve rootkit infection, I need a tool that does a good job at that type of detection as well as good AV and malware detect. Got a recommendation? Was thinking about using Comodo as a firewall. Any feedback is welcome.

    Thanks for some really prompt feedback on my problem. This really sets this forum apart. You guys rock!
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    Best thing to avoid these things are know where you are going on the web and use a secure browser such as opera or Firefox, as well as keeping M$ up-to-date.
    Comodo has an excellent firewall imo. Good AV too :).

    ==

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  7. sascec

    sascec TS Rookie Topic Starter

    where'd it come from?

    one last query: where'd I pick up my rootkit? The last two actions that I recall doing before everything went crazy was to backup my drive to my WD drive, and then I downloaded a photo utility that allows me to batch resize my photos. I am going with the last action since I never did get that darn thing downloaded.

    Thanks for the recommendations too.
     
  8. crunchie

    crunchie Malware Helper Posts: 728

    Hard to say where you may have picked it up, but quite possibly with a suspect download.
    You might also want to install Web Of Trust to your browser. It will warn you about any suspect sites.
     
  9. sascec

    sascec TS Rookie Topic Starter

    Comodo found Trojan within WR file

    I did a full scan with Comodo and it detected a Trojan payload within one of the Webroot files. Could I have gotten this payload with my recent Webroot update? Or did my infection alter the original file?
     
  10. crunchie

    crunchie Malware Helper Posts: 728

    Was it a file or in the vault? Either way, Comodo has done it's job :). If a webroot file, it was possibly hit by the infection.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...