TechSpot

System Check virus removal?

Solved
By joss09
Jan 6, 2012
  1. Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.06.06

    Windows XP Service Pack 1 x86 NTFS
    Internet Explorer 6.0.2800.1106
    Administrator :: SUN-6H5NHFR7L5C [administrator]

    2012-1-6 21:18:44
    mbam-log-2012-01-06 (21-18-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 154185
    Time elapsed: 3 minute(s), 36 second(s)

    Memory Processes Detected: 2
    C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> 1724 -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF.exe (Trojan.FakeAlert) -> 1688 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 9
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\Documents and Settings\Administrator\Local Settings\Temp\oiu0.6198862887578649.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\DqtotSVpshKYpw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\wera0.3784665752635392.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)




    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-06 21:33:48
    Windows 5.1.2600 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0 ST316002 rev.8.01
    Running: utoh4zsi.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtyqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     
  2. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 21:51:03 on 2012-01-06
    Microsoft Windows XP Professional 5.1.2600.1.936.86.1033.18.510.130 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\System32\conime.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/webhp?client=aff-ime
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
    mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
    mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
    mRun: [<NO NAME>]
    mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    Notify: igfxcui - igfxsrvc.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\65m8sdqv.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    .
    =============== Created Last 30 ================
    .
    2012-01-07 02:16:55 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-01-07 02:16:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-07 02:16:47 18800 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-07 02:16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-04 20:25:51 3396152 ----a-w- c:\windows\system32\GooglePinyin2.ime
    2011-12-31 00:49:09 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2011-12-31 00:49:09 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2011-12-31 00:49:09 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2011-12-31 00:49:09 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    .
    ==================== Find3M ====================
    .
    2011-11-14 00:32:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-12 15:29:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 15:29:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST316002 rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xB2F76FF0]<<
    _asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
    1 nt!IofCallDriver[0x804ED850] -> \Device\Harddisk0\DR0[0x81F5C7F0]
    3 CLASSPNP[0xF8599022] -> nt!IofCallDriver[0x804ED850] -> [0x81DE9030]
    \Driver\00001666[0x81DEB4D8] -> IRP_MJ_CREATE -> 0xB2F76FF0
    kernel: MBR read successfully
    _asm { NOP ; JMP 0x181; }
    user != kernel MBR !!!
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 21:51:24.40 ===============
     
  3. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2011-9-30 21:19:20
    System Uptime: 2012-1-6 16:23:42 (5 hours ago)
    .
    Motherboard: Intel Corporation | | D845GVSR
    Processor: Intel(R) Celeron(R) CPU 2.40GHz | X1 | 2399/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 84 GiB total, 77.171 GiB free.
    D: is FIXED (NTFS) - 65 GiB total, 61.275 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&2AF9ED5&0&00F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&2AF9ED5&0&00F0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP10: 2011-10-6 17:50:30 - System Checkpoint
    RP11: 2011-10-8 13:42:26 - System Checkpoint
    RP12: 2011-10-9 14:13:42 - System Checkpoint
    RP13: 2011-10-10 15:45:28 - System Checkpoint
    RP14: 2011-10-11 17:23:14 - System Checkpoint
    RP15: 2011-10-12 11:28:58 - Installed Java(TM) 6 Update 26
    RP16: 2011-10-13 14:37:58 - System Checkpoint
    RP17: 2011-10-14 15:06:37 - System Checkpoint
    RP18: 2011-10-15 16:12:31 - System Checkpoint
    RP19: 2011-10-17 0:56:15 - System Checkpoint
    RP20: 2011-10-18 5:15:06 - System Checkpoint
    RP21: 2011-10-21 1:16:27 - System Checkpoint
    RP22: 2011-10-22 1:31:20 - System Checkpoint
    RP23: 2011-10-24 12:15:53 - System Checkpoint
    RP24: 2011-10-25 12:36:23 - System Checkpoint
    RP25: 2011-10-26 12:40:59 - System Checkpoint
    RP26: 2011-10-27 15:28:28 - System Checkpoint
    RP27: 2011-10-28 17:59:35 - System Checkpoint
    RP28: 2011-10-29 20:20:21 - System Checkpoint
    RP29: 2011-10-31 13:15:23 - System Checkpoint
    RP30: 2011-11-1 14:04:54 - System Checkpoint
    RP31: 2011-11-2 14:17:32 - System Checkpoint
    RP32: 2011-11-4 13:05:21 - System Checkpoint
    RP33: 2011-11-6 11:51:54 - System Checkpoint
    RP34: 2011-11-7 12:16:12 - System Checkpoint
    RP35: 2011-11-8 16:01:16 - System Checkpoint
    RP36: 2011-11-9 20:36:46 - System Checkpoint
    RP37: 2011-11-10 22:12:38 - System Checkpoint
    RP38: 2011-11-12 13:51:49 - System Checkpoint
    RP39: 2011-11-13 15:33:30 - System Checkpoint
    RP40: 2011-11-16 10:52:54 - System Checkpoint
    RP41: 2011-11-17 11:14:02 - System Checkpoint
    RP42: 2011-11-18 13:29:10 - System Checkpoint
    RP43: 2011-11-19 14:22:32 - System Checkpoint
    RP44: 2011-11-20 15:45:13 - System Checkpoint
    RP45: 2011-11-21 16:57:54 - System Checkpoint
    RP46: 2011-11-22 21:15:57 - System Checkpoint
    RP47: 2011-11-25 13:51:00 - System Checkpoint
    RP48: 2011-11-26 15:44:34 - System Checkpoint
    RP49: 2011-11-27 15:53:03 - System Checkpoint
    RP50: 2011-11-28 22:37:32 - System Checkpoint
    RP51: 2011-11-30 11:49:22 - System Checkpoint
    RP52: 2011-12-1 13:16:33 - System Checkpoint
    RP53: 2011-12-5 9:20:41 - System Checkpoint
    RP54: 2011-12-6 10:15:58 - System Checkpoint
    RP55: 2011-12-7 12:01:34 - System Checkpoint
    RP56: 2011-12-8 15:09:19 - System Checkpoint
    RP57: 2011-12-10 21:36:00 - System Checkpoint
    RP58: 2011-12-12 12:29:47 - System Checkpoint
    RP59: 2011-12-15 11:55:10 - System Checkpoint
    RP60: 2011-12-16 15:47:21 - System Checkpoint
    RP61: 2011-12-17 16:40:15 - System Checkpoint
    RP62: 2011-12-19 9:21:51 - System Checkpoint
    RP63: 2011-12-20 12:11:08 - System Checkpoint
    RP64: 2011-12-21 19:22:45 - System Checkpoint
    RP65: 2011-12-23 8:27:43 - System Checkpoint
    RP66: 2011-12-24 12:09:35 - System Checkpoint
    RP67: 2011-12-26 12:28:51 - System Checkpoint
    RP68: 2011-12-27 14:08:40 - System Checkpoint
    RP69: 2011-12-29 13:50:39 - System Checkpoint
    RP70: 2011-12-30 20:42:40 - System Checkpoint
    RP71: 2012-1-2 15:11:19 - System Checkpoint
    RP72: 2012-1-3 15:25:56 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    ABBYY FineReader 5.0 Sprint Plus
    Adobe Acrobat 6.0 Standard
    Adobe Flash Player 11 Plugin
    Compatibility Pack for the 2007 Office system
    Intel Application Accelerator
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Java Auto Updater
    Java(TM) 6 Update 26
    Lexmark 5200 Series
    Lexmark Fax Solutions
    Malwarebytes Anti-Malware version 1.60.0.1800
    McAfee Security Scan Plus
    Microsoft Office Professional Edition 2003
    Mozilla Firefox 9.0.1 (x86 en-US)
    Realtek AC'97 Audio
    WebFldrs XP
    Windows Installer 3.0 (KB884016)
    谷歌拼音输入法 2.7
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2012-1-6 16:25:43, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi IntelIde PCIIde
    2012-1-6 14:18:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    2012-1-6 14:18:42, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-1-6 14:18:42, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-1-6 14:18:42, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-1-6 14:18:42, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2012-1-6 14:15:00, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2012-1-4 11:25:37, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    .
    ==== End Of File ===========================
     
  4. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    note to whoever helps me:
    i'm okay with a delay, and i won't be free for most of tomorrow and i don't want to keep you waiting, so the best time for me would be after 5. thank you for the help!
     
  5. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  6. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    18:58:21.0109 1772 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    18:58:23.0109 1772 ============================================================
    18:58:23.0109 1772 Current date / time: 2012/01/07 18:58:23.0109
    18:58:23.0109 1772 SystemInfo:
    18:58:23.0109 1772
    18:58:23.0109 1772 OS Version: 5.1.2600 ServicePack: 1.0
    18:58:23.0109 1772 Product type: Workstation
    18:58:23.0109 1772 ComputerName: SUN-6H5NHFR7L5C
    18:58:23.0281 1772 UserName: Administrator
    18:58:23.0281 1772 Windows directory: C:\WINDOWS
    18:58:23.0296 1772 System windows directory: C:\WINDOWS
    18:58:23.0296 1772 Processor architecture: Intel x86
    18:58:23.0296 1772 Number of processors: 1
    18:58:23.0296 1772 Page size: 0x1000
    18:58:23.0296 1772 Boot type: Normal boot
    18:58:23.0296 1772 ============================================================
    18:58:23.0531 1772 Initialize success
    18:58:32.0906 1056 ============================================================
    18:58:32.0906 1056 Scan started
    18:58:32.0906 1056 Mode: Manual;
    18:58:32.0906 1056 ============================================================
    18:58:32.0921 1056 Abiosdsk - ok
    18:58:32.0937 1056 abp480n5 - ok
    18:58:32.0968 1056 ACPI - ok
    18:58:32.0984 1056 ACPIEC - ok
    18:58:33.0000 1056 adpu160m - ok
    18:58:33.0031 1056 aec - ok
    18:58:33.0046 1056 AFD - ok
    18:58:33.0062 1056 Aha154x - ok
    18:58:33.0093 1056 aic78u2 - ok
    18:58:33.0109 1056 aic78xx - ok
    18:58:33.0140 1056 ALCXWDM - ok
    18:58:33.0187 1056 AliIde - ok
    18:58:33.0203 1056 amsint - ok
    18:58:33.0234 1056 asc - ok
    18:58:33.0265 1056 asc3350p - ok
    18:58:33.0281 1056 asc3550 - ok
    18:58:33.0296 1056 AsyncMac - ok
    18:58:33.0328 1056 atapi - ok
    18:58:33.0359 1056 Atdisk - ok
    18:58:33.0375 1056 Atmarpc - ok
    18:58:33.0453 1056 audstub - ok
    18:58:33.0484 1056 Beep - ok
    18:58:33.0515 1056 cbidf2k - ok
    18:58:33.0531 1056 cd20xrnt - ok
    18:58:33.0562 1056 Cdaudio - ok
    18:58:33.0578 1056 Cdfs - ok
    18:58:33.0593 1056 Cdrom - ok
    18:58:33.0625 1056 Changer - ok
    18:58:33.0656 1056 CmdIde - ok
    18:58:33.0703 1056 Cpqarray - ok
    18:58:33.0734 1056 dac2w2k - ok
    18:58:33.0750 1056 dac960nt - ok
    18:58:33.0781 1056 Disk - ok
    18:58:33.0812 1056 dmboot - ok
    18:58:33.0828 1056 dmio - ok
    18:58:33.0843 1056 dmload - ok
    18:58:33.0875 1056 DMusic - ok
    18:58:33.0906 1056 dpti2o - ok
    18:58:33.0921 1056 drmkaud - ok
    18:58:33.0953 1056 E100B - ok
    18:58:33.0984 1056 Fastfat - ok
    18:58:34.0015 1056 Fdc - ok
    18:58:34.0046 1056 Fips - ok
    18:58:34.0062 1056 Flpydisk - ok
    18:58:34.0078 1056 FsVga - ok
    18:58:34.0093 1056 Fs_Rec - ok
    18:58:34.0125 1056 Ftdisk - ok
    18:58:34.0140 1056 Gpc - ok
    18:58:34.0171 1056 HidUsb - ok
    18:58:34.0203 1056 hpn - ok
    18:58:34.0203 1056 i2omgmt - ok
    18:58:34.0234 1056 i2omp - ok
    18:58:34.0250 1056 i8042prt - ok
    18:58:34.0265 1056 ialm - ok
    18:58:34.0296 1056 IdeBusDr - ok
    18:58:34.0312 1056 IdeChnDr - ok
    18:58:34.0328 1056 Imapi - ok
    18:58:34.0375 1056 ini910u - ok
    18:58:34.0406 1056 IntelIde - ok
    18:58:34.0421 1056 IpFilterDriver - ok
    18:58:34.0453 1056 IpInIp - ok
    18:58:34.0453 1056 IpNat - ok
    18:58:34.0484 1056 IPSec - ok
    18:58:34.0500 1056 IRENUM - ok
    18:58:34.0531 1056 isapnp - ok
    18:58:34.0562 1056 Kbdclass - ok
    18:58:34.0578 1056 kmixer - ok
    18:58:34.0593 1056 KSecDD - ok
    18:58:34.0640 1056 lbrtfdc - ok
    18:58:34.0718 1056 mnmdd - ok
    18:58:34.0750 1056 Modem - ok
    18:58:34.0765 1056 Mouclass - ok
    18:58:34.0781 1056 MountMgr - ok
    18:58:34.0812 1056 mraid35x - ok
    18:58:34.0828 1056 MRxDAV - ok
    18:58:34.0843 1056 MRxSmb - ok
    18:58:34.0875 1056 Msfs - ok
    18:58:34.0906 1056 MSKSSRV - ok
    18:58:34.0921 1056 MSPCLOCK - ok
    18:58:34.0953 1056 MSPQM - ok
    18:58:34.0953 1056 Mup - ok
    18:58:34.0968 1056 NAL - ok
    18:58:35.0000 1056 NDIS - ok
    18:58:35.0015 1056 NdisTapi - ok
    18:58:35.0031 1056 Ndisuio - ok
    18:58:35.0062 1056 NdisWan - ok
    18:58:35.0078 1056 NDProxy - ok
    18:58:35.0093 1056 NetBIOS - ok
    18:58:35.0125 1056 NetBT - ok
    18:58:35.0203 1056 Npfs - ok
    18:58:35.0218 1056 Ntfs - ok
    18:58:35.0250 1056 Null - ok
    18:58:35.0265 1056 NwlnkFlt - ok
    18:58:35.0281 1056 NwlnkFwd - ok
    18:58:35.0328 1056 Parport - ok
    18:58:35.0343 1056 PartMgr - ok
    18:58:35.0375 1056 ParVdm - ok
    18:58:35.0390 1056 PCI - ok
    18:58:35.0421 1056 PCIDump - ok
    18:58:35.0437 1056 PCIIde - ok
    18:58:35.0453 1056 Pcmcia - ok
    18:58:35.0468 1056 PDCOMP - ok
    18:58:35.0484 1056 PDFRAME - ok
    18:58:35.0500 1056 PDRELI - ok
    18:58:35.0531 1056 PDRFRAME - ok
    18:58:35.0546 1056 perc2 - ok
    18:58:35.0578 1056 perc2hib - ok
    18:58:35.0656 1056 PptpMiniport - ok
    18:58:35.0671 1056 Processor - ok
    18:58:35.0703 1056 PSched - ok
    18:58:35.0718 1056 Ptilink - ok
    18:58:35.0734 1056 ql1080 - ok
    18:58:35.0750 1056 Ql10wnt - ok
    18:58:35.0781 1056 ql12160 - ok
    18:58:35.0796 1056 ql1240 - ok
    18:58:35.0812 1056 ql1280 - ok
    18:58:35.0828 1056 RasAcd - ok
    18:58:35.0875 1056 Rasl2tp - ok
    18:58:35.0890 1056 RasPppoe - ok
    18:58:35.0921 1056 Raspti - ok
    18:58:35.0937 1056 Rdbss - ok
    18:58:35.0953 1056 RDPCDD - ok
    18:58:35.0984 1056 rdpdr - ok
    18:58:36.0000 1056 RDPWD - ok
    18:58:36.0031 1056 redbook - ok
    18:58:36.0156 1056 Secdrv - ok
    18:58:36.0187 1056 serenum - ok
    18:58:36.0203 1056 Serial - ok
    18:58:36.0218 1056 Sfloppy - ok
    18:58:36.0265 1056 Simbad - ok
    18:58:36.0281 1056 Sparrow - ok
    18:58:36.0296 1056 splitter - ok
    18:58:36.0328 1056 sr - ok
    18:58:36.0359 1056 Srv - ok
    18:58:36.0406 1056 swenum - ok
    18:58:36.0421 1056 swmidi - ok
    18:58:36.0453 1056 symc810 - ok
    18:58:36.0468 1056 symc8xx - ok
    18:58:36.0484 1056 sym_hi - ok
    18:58:36.0500 1056 sym_u3 - ok
    18:58:36.0515 1056 sysaudio - ok
    18:58:36.0562 1056 Tcpip - ok
    18:58:36.0578 1056 TDPIPE - ok
    18:58:36.0593 1056 TDTCP - ok
    18:58:36.0625 1056 TermDD - ok
    18:58:36.0671 1056 TosIde - ok
    18:58:36.0703 1056 Udfs - ok
    18:58:36.0718 1056 ultra - ok
    18:58:36.0750 1056 Update - ok
    18:58:36.0796 1056 usbccgp - ok
    18:58:36.0812 1056 usbehci - ok
    18:58:36.0828 1056 usbhub - ok
    18:58:36.0859 1056 usbprint - ok
    18:58:36.0875 1056 usbscan - ok
    18:58:36.0906 1056 USBSTOR - ok
    18:58:36.0921 1056 usbuhci - ok
    18:58:36.0937 1056 VgaSave - ok
    18:58:36.0968 1056 ViaIde - ok
    18:58:36.0984 1056 VolSnap - ok
    18:58:37.0031 1056 Wanarp - ok
    18:58:37.0046 1056 WDICA - ok
    18:58:37.0062 1056 wdmaud - ok
    18:58:37.0218 1056 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0
    18:58:37.0812 1056 \Device\Harddisk0\DR0 - ok
    18:58:37.0828 1056 ============================================================
    18:58:37.0828 1056 Scan finished
    18:58:37.0828 1056 ============================================================
    18:58:37.0875 1132 Detected object count: 0
    18:58:37.0875 1132 Actual detected object count: 0
     
  7. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    This is very old TDSSKiller version.
    Delete your file, download fresh one and post new log.
     
  8. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    11:17:12.0359 1248 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    11:17:14.0359 1248 ============================================================
    11:17:14.0359 1248 Current date / time: 2012/01/08 11:17:14.0359
    11:17:14.0359 1248 SystemInfo:
    11:17:14.0359 1248
    11:17:14.0359 1248 OS Version: 5.1.2600 ServicePack: 1.0
    11:17:14.0359 1248 Product type: Workstation
    11:17:14.0359 1248 ComputerName: SUN-6H5NHFR7L5C
    11:17:14.0359 1248 UserName: Administrator
    11:17:14.0359 1248 Windows directory: C:\WINDOWS
    11:17:14.0359 1248 System windows directory: C:\WINDOWS
    11:17:14.0359 1248 Processor architecture: Intel x86
    11:17:14.0359 1248 Number of processors: 1
    11:17:14.0359 1248 Page size: 0x1000
    11:17:14.0359 1248 Boot type: Normal boot
    11:17:14.0359 1248 ============================================================
    11:17:14.0625 1248 Initialize success
    11:18:54.0906 1144 ============================================================
    11:18:54.0906 1144 Scan started
    11:18:54.0906 1144 Mode: Manual;
    11:18:54.0906 1144 ============================================================
    11:18:54.0906 1144 Abiosdsk - ok
    11:18:54.0937 1144 abp480n5 - ok
    11:18:54.0953 1144 ACPI - ok
    11:18:54.0984 1144 ACPIEC - ok
    11:18:55.0000 1144 adpu160m - ok
    11:18:55.0015 1144 aec - ok
    11:18:55.0046 1144 AFD - ok
    11:18:55.0062 1144 Aha154x - ok
    11:18:55.0093 1144 aic78u2 - ok
    11:18:55.0109 1144 aic78xx - ok
    11:18:55.0140 1144 ALCXWDM - ok
    11:18:55.0187 1144 AliIde - ok
    11:18:55.0203 1144 amsint - ok
    11:18:55.0234 1144 asc - ok
    11:18:55.0265 1144 asc3350p - ok
    11:18:55.0281 1144 asc3550 - ok
    11:18:55.0312 1144 AsyncMac - ok
    11:18:55.0328 1144 atapi - ok
    11:18:55.0343 1144 Atdisk - ok
    11:18:55.0375 1144 Atmarpc - ok
    11:18:55.0406 1144 audstub - ok
    11:18:55.0437 1144 Beep - ok
    11:18:55.0484 1144 cbidf2k - ok
    11:18:55.0515 1144 cd20xrnt - ok
    11:18:55.0531 1144 Cdaudio - ok
    11:18:55.0546 1144 Cdfs - ok
    11:18:55.0578 1144 Cdrom - ok
    11:18:55.0593 1144 Changer - ok
    11:18:55.0625 1144 CmdIde - ok
    11:18:55.0671 1144 Cpqarray - ok
    11:18:55.0703 1144 dac2w2k - ok
    11:18:55.0718 1144 dac960nt - ok
    11:18:55.0750 1144 Disk - ok
    11:18:55.0781 1144 dmboot - ok
    11:18:55.0796 1144 dmio - ok
    11:18:55.0828 1144 dmload - ok
    11:18:55.0859 1144 DMusic - ok
    11:18:55.0875 1144 dpti2o - ok
    11:18:55.0906 1144 drmkaud - ok
    11:18:55.0921 1144 E100B - ok
    11:18:55.0968 1144 Fastfat - ok
    11:18:55.0984 1144 Fdc - ok
    11:18:56.0015 1144 Fips - ok
    11:18:56.0031 1144 Flpydisk - ok
    11:18:56.0046 1144 FsVga - ok
    11:18:56.0078 1144 Fs_Rec - ok
    11:18:56.0093 1144 Ftdisk - ok
    11:18:56.0109 1144 Gpc - ok
    11:18:56.0156 1144 HidUsb - ok
    11:18:56.0171 1144 hpn - ok
    11:18:56.0187 1144 i2omgmt - ok
    11:18:56.0203 1144 i2omp - ok
    11:18:56.0218 1144 i8042prt - ok
    11:18:56.0234 1144 ialm - ok
    11:18:56.0265 1144 IdeBusDr - ok
    11:18:56.0281 1144 IdeChnDr - ok
    11:18:56.0312 1144 Imapi - ok
    11:18:56.0359 1144 ini910u - ok
    11:18:56.0390 1144 IntelIde - ok
    11:18:56.0406 1144 IpFilterDriver - ok
    11:18:56.0421 1144 IpInIp - ok
    11:18:56.0437 1144 IpNat - ok
    11:18:56.0453 1144 IPSec - ok
    11:18:56.0468 1144 IRENUM - ok
    11:18:56.0500 1144 isapnp - ok
    11:18:56.0531 1144 Kbdclass - ok
    11:18:56.0546 1144 kmixer - ok
    11:18:56.0578 1144 KSecDD - ok
    11:18:56.0609 1144 lbrtfdc - ok
    11:18:56.0687 1144 mnmdd - ok
    11:18:56.0718 1144 Modem - ok
    11:18:56.0750 1144 Mouclass - ok
    11:18:56.0765 1144 MountMgr - ok
    11:18:56.0781 1144 mraid35x - ok
    11:18:56.0796 1144 MRxDAV - ok
    11:18:56.0828 1144 MRxSmb - ok
    11:18:56.0859 1144 Msfs - ok
    11:18:56.0890 1144 MSKSSRV - ok
    11:18:56.0906 1144 MSPCLOCK - ok
    11:18:56.0921 1144 MSPQM - ok
    11:18:56.0937 1144 Mup - ok
    11:18:56.0953 1144 NAL - ok
    11:18:56.0984 1144 NDIS - ok
    11:18:57.0000 1144 NdisTapi - ok
    11:18:57.0015 1144 Ndisuio - ok
    11:18:57.0031 1144 NdisWan - ok
    11:18:57.0062 1144 NDProxy - ok
    11:18:57.0078 1144 NetBIOS - ok
    11:18:57.0093 1144 NetBT - ok
    11:18:57.0171 1144 Npfs - ok
    11:18:57.0203 1144 Ntfs - ok
    11:18:57.0234 1144 Null - ok
    11:18:57.0250 1144 NwlnkFlt - ok
    11:18:57.0265 1144 NwlnkFwd - ok
    11:18:57.0312 1144 Parport - ok
    11:18:57.0328 1144 PartMgr - ok
    11:18:57.0359 1144 ParVdm - ok
    11:18:57.0375 1144 PCI - ok
    11:18:57.0390 1144 PCIDump - ok
    11:18:57.0406 1144 PCIIde - ok
    11:18:57.0437 1144 Pcmcia - ok
    11:18:57.0453 1144 PDCOMP - ok
    11:18:57.0468 1144 PDFRAME - ok
    11:18:57.0484 1144 PDRELI - ok
    11:18:57.0500 1144 PDRFRAME - ok
    11:18:57.0531 1144 perc2 - ok
    11:18:57.0546 1144 perc2hib - ok
    11:18:57.0625 1144 PptpMiniport - ok
    11:18:57.0656 1144 Processor - ok
    11:18:57.0671 1144 PSched - ok
    11:18:57.0703 1144 Ptilink - ok
    11:18:57.0718 1144 ql1080 - ok
    11:18:57.0734 1144 Ql10wnt - ok
    11:18:57.0750 1144 ql12160 - ok
    11:18:57.0765 1144 ql1240 - ok
    11:18:57.0796 1144 ql1280 - ok
    11:18:57.0812 1144 RasAcd - ok
    11:18:57.0843 1144 Rasl2tp - ok
    11:18:57.0875 1144 RasPppoe - ok
    11:18:57.0890 1144 Raspti - ok
    11:18:57.0921 1144 Rdbss - ok
    11:18:57.0937 1144 RDPCDD - ok
    11:18:57.0968 1144 rdpdr - ok
    11:18:57.0984 1144 RDPWD - ok
    11:18:58.0015 1144 redbook - ok
    11:18:58.0125 1144 Secdrv - ok
    11:18:58.0171 1144 serenum - ok
    11:18:58.0187 1144 Serial - ok
    11:18:58.0203 1144 Sfloppy - ok
    11:18:58.0234 1144 Simbad - ok
    11:18:58.0265 1144 Sparrow - ok
    11:18:58.0281 1144 splitter - ok
    11:18:58.0312 1144 sr - ok
    11:18:58.0328 1144 Srv - ok
    11:18:58.0375 1144 swenum - ok
    11:18:58.0390 1144 swmidi - ok
    11:18:58.0421 1144 symc810 - ok
    11:18:58.0453 1144 symc8xx - ok
    11:18:58.0468 1144 sym_hi - ok
    11:18:58.0484 1144 sym_u3 - ok
    11:18:58.0500 1144 sysaudio - ok
    11:18:58.0531 1144 Tcpip - ok
    11:18:58.0546 1144 TDPIPE - ok
    11:18:58.0546 1144 TDTCP - ok
    11:18:58.0562 1144 TermDD - ok
    11:18:58.0609 1144 TosIde - ok
    11:18:58.0656 1144 Udfs - ok
    11:18:58.0671 1144 ultra - ok
    11:18:58.0687 1144 Update - ok
    11:18:58.0734 1144 usbccgp - ok
    11:18:58.0750 1144 usbehci - ok
    11:18:58.0765 1144 usbhub - ok
    11:18:58.0781 1144 usbprint - ok
    11:18:58.0796 1144 usbscan - ok
    11:18:58.0828 1144 USBSTOR - ok
    11:18:58.0843 1144 usbuhci - ok
    11:18:58.0859 1144 VgaSave - ok
    11:18:58.0890 1144 ViaIde - ok
    11:18:58.0906 1144 VolSnap - ok
    11:18:58.0953 1144 Wanarp - ok
    11:18:58.0984 1144 WDICA - ok
    11:18:59.0000 1144 wdmaud - ok
    11:18:59.0140 1144 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0
    11:18:59.0750 1144 \Device\Harddisk0\DR0 - ok
    11:18:59.0765 1144 ============================================================
    11:18:59.0765 1144 Scan finished
    11:18:59.0765 1144 ============================================================
    11:18:59.0812 1028 Detected object count: 0
    11:18:59.0812 1028 Actual detected object count: 0
     
  9. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    it looks the same.
    i downloaded this from the kaspersky website.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  11. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-08 13:47:49
    -----------------------------
    13:47:49.921 OS Version: Windows 5.1.2600 Service Pack 1
    13:47:49.921 Number of processors: 1 586 0x209
    13:47:49.937 ComputerName: SUN-6H5NHFR7L5C UserName: Administrator
    13:47:50.421 Initialize success
    13:56:57.000 AVAST engine defs: 12010800
    14:00:20.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
    14:00:20.218 Disk 0 Vendor: ST316002 8.01 Size: 152627MB BusType: 3
    14:00:20.234 Disk 0 MBR read successfully
    14:00:20.250 Disk 0 MBR scan
    14:00:20.296 Disk 0 Windows XP default MBR code found via API
    14:00:20.296 Disk 0 unknown MBR code
    14:00:20.296 Disk 0 MBR hidden
    14:00:20.312 Disk 0 Partition 1 80 (A) 54 OnTrack DM6 ONTRACK 8024 MB offset 9
    14:00:20.343 Disk 0 scanning sectors +312576705
    14:00:20.390 Disk 0 scanning C:\WINDOWS\System32\drivers
    14:00:20.406 Service scanning
    14:00:22.046 Modules scanning
    14:00:23.390 Disk 0 trace - called modules:
    14:00:23.812 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb2f76ff0]<<
    14:00:23.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81fd2a28]
    14:00:23.843 3 CLASSPNP.SYS[f8589022] -> nt!IofCallDriver -> [0x81c40ab8]
    14:00:23.843 \Driver\00000675[0x81c42698] -> IRP_MJ_CREATE -> 0xb2f76ff0
    14:00:24.406 AVAST engine scan C:\WINDOWS
    14:00:24.453 AVAST engine scan C:\WINDOWS\system32
    14:00:24.484 AVAST engine scan C:\WINDOWS\system32\drivers
    14:00:24.500 AVAST engine scan C:\Documents and Settings\Administrator
    14:00:24.515 AVAST engine scan C:\Documents and Settings\All Users
    14:00:24.531 Scan finished successfully
    14:04:56.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    14:04:56.156 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
     
     
  12. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  13. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

    • Double click on downloaded file to run it.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log (FRST.txt) on your desktop.
    • Please copy and paste it to your reply.
     
  14. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
    Ran by Administrator at 2012-01-08 14:17:43
    Running from C:\Documents and Settings\Administrator\My Documents\Downloads
    Service Pack 1 (X86) OS Language: English(US)
    Attention: Could not load system hive.
    Error: The process cannot access the file because it is being used by another process.
    ========================== Registry (Whitelisted) =============

    HKLM\...\Winlogon: [Userinit] [x]
    HKLM\...\Winlogon: [Shell]

    ================================ Services (Whitelisted) ==================


    ========================== Drivers (Whitelisted) =============


    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-01-08 14:17 - 2012-01-08 14:17 - 0000000 ____D C:\FRST
    2012-01-08 14:04 - 2012-01-08 14:04 - 0001983 ____A C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
    2012-01-08 14:04 - 2012-01-08 14:04 - 0000512 ____A C:\Documents and Settings\Administrator\Desktop\MBR.dat
    2012-01-08 11:20 - 2012-01-08 11:20 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.44_log.txt
    2012-01-08 11:20 - 2012-01-08 11:20 - 0001846 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.27_log.txt
    2012-01-08 11:17 - 2012-01-08 11:19 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.17.12_log.txt
    2012-01-06 21:34 - 2012-01-06 21:34 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Videos
    2012-01-06 21:33 - 2012-01-06 21:33 - 0000395 ____A C:\Documents and Settings\Administrator\Desktop\gmer.log
    2012-01-06 21:23 - 2012-01-06 21:23 - 0006872 ____A C:\Documents and Settings\Administrator\Desktop\mbam-log-2012-01-06 (21-18-44).txt
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2012-01-06 21:16 - 2011-12-10 15:24 - 0018800 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-01-06 20:36 - 2012-01-06 20:40 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\patent 3
    2012-01-06 20:33 - 2012-01-06 20:38 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\resume 2
    2012-01-06 20:22 - 2011-10-04 16:31 - 0001619 ____A C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
    2012-01-06 20:22 - 2011-10-04 16:31 - 0001611 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    2012-01-06 20:22 - 2011-10-01 11:52 - 0000724 ____A C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    2012-01-06 20:22 - 2011-10-01 11:11 - 0001824 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    2012-01-06 20:22 - 2011-10-01 11:11 - 0001758 ____A C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 6.0 Standard.lnk
    2012-01-06 20:22 - 2011-10-01 11:02 - 0000763 ____A C:\Documents and Settings\All Users\Desktop\Lexmark 5200 Series All-In-One Center.lnk
    2012-01-06 20:22 - 2011-10-01 00:13 - 0000084 __ASH C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    2012-01-06 19:14 - 2012-01-06 21:23 - 0000000 ____D C:\Windows\CSC
    2012-01-06 19:14 - 2012-01-06 19:35 - 0188700 ____A C:\Windows\ntbtlog.txt
    2012-01-04 16:31 - 2012-01-04 16:31 - 0000000 ____D C:\Documents and Settings\LocalService\Application Data\Google
    2012-01-04 16:25 - 2012-01-04 16:25 - 0074840 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000835 ____A C:\Documents and Settings\Administrator\Desktop\System Check.lnk
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000336 ____A C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000272 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVF
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000160 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVFr

    ============ 3 Months Modified Files and Folders ===============

    2012-01-08 14:17 - 2012-01-08 14:17 - 0000000 ____D C:\FRST
    2012-01-08 14:04 - 2012-01-08 14:04 - 0001983 ____A C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
    2012-01-08 14:04 - 2012-01-08 14:04 - 0000512 ____A C:\Documents and Settings\Administrator\Desktop\MBR.dat
    2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
    2012-01-08 13:44 - 2011-10-01 00:13 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-01-08 13:44 - 2011-09-30 18:00 - 0000159 ____A C:\Windows\wiadebug.log
    2012-01-08 13:44 - 2011-09-30 18:00 - 0000048 ____A C:\Windows\wiaservc.log
    2012-01-08 13:44 - 2003-03-31 07:00 - 0013646 ____A C:\Windows\System32\wpa.dbl
    2012-01-08 11:26 - 2011-10-01 00:20 - 0032648 ____A C:\Windows\SchedLgU.Txt
    2012-01-08 11:26 - 2011-10-01 00:20 - 0000280 ___SH C:\Documents and Settings\Administrator\ntuser.ini
    2012-01-08 11:20 - 2012-01-08 11:20 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.44_log.txt
    2012-01-08 11:20 - 2012-01-08 11:20 - 0001846 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.27_log.txt
    2012-01-08 11:19 - 2012-01-08 11:17 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.17.12_log.txt
    2012-01-08 10:59 - 2011-09-30 17:58 - 0375635 ____A C:\Windows\setupapi.log
    2012-01-08 10:55 - 2011-10-01 15:31 - 0000000 ____D C:\Program Files\Google
    2012-01-08 10:55 - 2011-10-01 15:31 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Google
    2012-01-06 21:34 - 2012-01-06 21:34 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Videos
    2012-01-06 21:34 - 2011-10-01 00:20 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents
    2012-01-06 21:33 - 2012-01-06 21:33 - 0000395 ____A C:\Documents and Settings\Administrator\Desktop\gmer.log
    2012-01-06 21:23 - 2012-01-06 21:23 - 0006872 ____A C:\Documents and Settings\Administrator\Desktop\mbam-log-2012-01-06 (21-18-44).txt
    2012-01-06 21:23 - 2012-01-06 19:14 - 0000000 ____D C:\Windows\CSC
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2012-01-06 20:52 - 2011-10-01 00:20 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Pictures
    2012-01-06 20:40 - 2012-01-06 20:36 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\patent 3
    2012-01-06 20:38 - 2012-01-06 20:33 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\resume 2
    2012-01-06 20:22 - 2011-09-30 17:58 - 0000000 ___RD C:\Documents and Settings\All Users\Start Menu
    2012-01-06 19:35 - 2012-01-06 19:14 - 0188700 ____A C:\Windows\ntbtlog.txt
    2012-01-04 16:31 - 2012-01-04 16:31 - 0000000 ____D C:\Documents and Settings\LocalService\Application Data\Google
    2012-01-04 16:25 - 2012-01-04 16:25 - 0074840 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000835 ____A C:\Documents and Settings\Administrator\Desktop\System Check.lnk
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000336 ____A C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000272 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVF
    2012-01-04 16:25 - 2012-01-04 16:25 - 0000160 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVFr
    2012-01-04 16:23 - 2011-09-30 17:58 - 0265416 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-01-04 16:22 - 2011-10-01 00:13 - 0017712 ____A C:\Windows\Windows Update.log
    2012-01-04 16:22 - 2003-03-31 07:00 - 0000231 ____A C:\Windows\system.ini
    2012-01-04 15:01 - 2011-09-30 17:58 - 0002318 ____A C:\Windows\regopt.log
    2011-12-30 19:49 - 2011-10-01 11:52 - 0000000 ____D C:\Program Files\Mozilla Firefox
    2011-12-29 20:44 - 2011-10-01 11:00 - 0000000 ____D C:\Program Files\Lx_cats
    2011-12-10 15:24 - 2012-01-06 21:16 - 0018800 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2011-12-09 10:57 - 2011-10-01 00:12 - 0000000 ___SD C:\Windows\Downloaded Program Files
    2011-12-01 12:25 - 2011-11-28 11:11 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\color
    2011-11-28 13:37 - 2011-11-22 08:09 - 0027648 ____A C:\Documents and Settings\Administrator\My Documents\Formulation Chemist in our Wyandotte BASF.doc
    2011-11-28 11:18 - 2011-11-11 21:45 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\basf
    2011-11-25 17:17 - 2011-10-01 11:06 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\FaxCtr
    2011-11-24 12:56 - 2011-11-24 12:56 - 0107259 ____A C:\Documents and Settings\Administrator\My Documents\registrar eku.pdf
    2011-11-21 19:25 - 2011-11-21 19:25 - 1150499 ____A C:\Documents and Settings\Administrator\My Documents\us5719202 Pual Share.pdf
    2011-11-21 19:23 - 2011-11-21 19:23 - 0945345 ____A C:\Documents and Settings\Administrator\My Documents\us 7479326 Paul Share.pdf
    2011-11-20 10:17 - 2011-11-20 10:17 - 0047616 ____A C:\Documents and Settings\Administrator\My Documents\GretagMacbeth Spectrolino.doc
    2011-11-18 09:48 - 2011-10-01 00:20 - 0000180 ___SH C:\Documents and Settings\LocalService\ntuser.ini
    2011-11-18 09:46 - 2011-10-01 00:20 - 0000180 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
    2011-11-16 21:44 - 2011-11-16 21:44 - 0044544 ____A C:\Documents and Settings\Administrator\My Documents\Math Tables.doc
    2011-11-13 19:32 - 2011-10-01 14:56 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2011-11-11 22:31 - 2011-11-11 22:21 - 0037376 ____A C:\Documents and Settings\Administrator\My Documents\Paul Share BASF.doc
    2011-11-10 20:25 - 2011-11-10 20:23 - 0099098 ____A C:\Documents and Settings\Administrator\My Documents\Mark Sun expense report.pdf
    2011-11-10 20:23 - 2011-10-01 11:11 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
    2011-11-10 18:04 - 2011-11-10 18:04 - 0028672 ____A C:\Documents and Settings\Administrator\My Documents\Product Development Scientist BASF.doc
    2011-11-10 14:37 - 2011-11-10 14:37 - 0029184 ____A C:\Documents and Settings\Administrator\My Documents\Research Chemist job for BASF.doc
    2011-11-09 14:51 - 2011-11-09 14:51 - 2217251 ____A C:\Documents and Settings\Administrator\My Documents\us 20090111934 china.pdf
    2011-11-08 10:19 - 2011-11-07 15:26 - 0026112 ____A C:\Documents and Settings\Administrator\My Documents\AkzoNoble polymer chemist.doc
    2011-11-02 10:11 - 2011-11-02 10:11 - 0024576 ____A C:\Documents and Settings\Administrator\My Documents\interview plan for siegwerk.doc
    2011-10-31 12:37 - 2011-09-30 17:59 - 0360124 ____A C:\Windows\System32\PerfStringBackup.INI
    2011-10-27 00:32 - 2011-10-12 15:09 - 0033792 ____A C:\Documents and Settings\Administrator\My Documents\Ink Formulations Chemist for Fujifilm.doc
    2011-10-21 22:31 - 2011-10-14 22:04 - 2926080 ____A C:\Documents and Settings\Administrator\My Documents\Background for Mark Sun.ppt
    2011-10-21 03:21 - 2011-10-21 03:21 - 0033280 ____A C:\Documents and Settings\Administrator\My Documents\chemtrend formulation chemist.doc
    2011-10-21 02:59 - 2011-10-01 00:20 - 0000000 ___SD C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    2011-10-14 00:24 - 2011-10-14 00:24 - 0024064 ____A C:\Documents and Settings\Administrator\My Documents\Sun Chemical.doc
    2011-10-12 16:00 - 2011-10-12 16:00 - 0030208 ____A C:\Documents and Settings\Administrator\My Documents\Sun Chemical seeking a Senior Chemist for Cincinnati.doc
    2011-10-12 10:29 - 2011-10-12 10:29 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2011-10-12 10:29 - 2011-10-12 10:29 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2011-10-12 10:29 - 2011-10-12 10:29 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2011-10-12 10:29 - 2011-10-12 10:29 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2011-10-12 10:29 - 2011-10-12 10:29 - 0073728 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javacpl.cpl
    2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Windows\Sun
    2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Program Files\Java
    2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Program Files\Common Files\Java
    2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Sun
    2011-10-12 10:27 - 2011-10-12 10:27 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Sun


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe
    [2003-03-31 07:00] - [2003-03-31 07:00] - 1004032 ____A (Microsoft Corporation) a82b28bfc2e4455fe43022a498c0ef0a

    C:\Windows\System32\winlogon.exe
    [2003-03-31 07:00] - [2003-03-31 07:00] - 0516608 ____A (Microsoft Corporation) 2246d8d8f4714a2cedb21ab9b1849abb

    C:\Windows\System32\Drivers\volsnap.sys
    [2003-03-31 07:00] - [2003-03-31 07:00] - 0049152 ____A (Microsoft Corporation) 6fdc9523ef81617cf5028f47fcaf0fbe


    ==================== Restore Points (XP) =====================


    ========================= Memory info ======================

    Percentage of memory in use: 60%
    Total physical RAM: 509.8 MB
    Available physical RAM: 200.68 MB
    Total Pagefile: 1248.77 MB
    Available Pagefile: 973.54 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.14 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:83.87 GB) (Free:77.3 GB) NTFS ==>[Drive with boot components]
    3 Drive d: () (Fixed) (Total:65.18 GB) (Free:61.28 GB) NTFS

    Microsoft DiskPart version 1.0
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B

    Partitions of Disk 0:
    ===============

    Microsoft DiskPart version 1.0
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 84 GB 32 KB
    Partition 2 Extended 65 GB 84 GB
    Partition 3 Logical 65 GB 84 GB

    Disk: 0
    Microsoft DiskPart version 1.0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 84 GB Healthy System

    Disk: 0
    Microsoft DiskPart version 1.0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D NTFS Partition 65 GB Healthy
     
  15. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
     
  16. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    a window popped up saying "backdoor.tidserv has not been found on your computer"
     
  17. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Post new Bootkit Remover log.
     
  18. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  19. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    i'm not sure why it is in chinese.
    ComboFix 12-01-07.04 - Administrator 8/2012 Sun 20:29:25.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.936.86.1033.18.510.350 [GMT -5:00]
    执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    Error: Cfiles.dat
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\documents and settings\All Users\Application Data\~SggGd86F9xBnVF
    c:\documents and settings\All Users\Application Data\~SggGd86F9xBnVFr
    c:\documents and settings\All Users\Application Data\SggGd86F9xBnVF
    c:\windows\$NtUninstallKB45136$
    c:\windows\$NtUninstallKB45136$\3106834216
    c:\windows\$NtUninstallKB45136$\3136621221\@
    c:\windows\$NtUninstallKB45136$\3136621221\cfg.ini
    c:\windows\$NtUninstallKB45136$\3136621221\Desktop.ini
    c:\windows\$NtUninstallKB45136$\3136621221\L\koiiiltl
    c:\windows\$NtUninstallKB45136$\3136621221\U\00000001.@
    c:\windows\$NtUninstallKB45136$\3136621221\U\00000002.@
    c:\windows\$NtUninstallKB45136$\3136621221\U\00000004.@
    c:\windows\$NtUninstallKB45136$\3136621221\U\80000000.@
    c:\windows\$NtUninstallKB45136$\3136621221\U\80000004.@
    c:\windows\$NtUninstallKB45136$\3136621221\U\80000032.@
    c:\windows\system32\c_10001.nls
    c:\windows\system32\c_10003.nls
    c:\windows\system32\c_10007.nls
    c:\windows\system32\c_10010.nls
    c:\windows\system32\c_10017.nls
    c:\windows\system32\c_10029.nls
    c:\windows\system32\c_10079.nls
    c:\windows\system32\c_10081.nls
    c:\windows\system32\c_10082.nls
    c:\windows\system32\c_20905.nls
    c:\windows\system32\c_28593.nls
    c:\windows\system32\c_28598.nls
    .
    发现受感染 c:\windows\system32\drivers\netbt.sys 并且成功解毒
    从 - The cat found it :) 恢复原来档案
    c:\windows\system32\qmgr.dll . . . 受感染!!
    .
    找不到 。。。 "c:\windows\system32\drivers\intelppm.sys"!!
    .
    .
    ((((((((((((((((((((((((( 2011-12-09 至 2012-01-09 的新的档案 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-08 19:17 . 2012-01-08 19:18 -------- d-----w- C:\FRST
    2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-07 02:16 . 2011-12-10 20:24 18800 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-31 00:49 . 2011-12-31 00:49 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2011-12-31 00:49 . 2011-12-31 00:49 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2011-12-31 00:49 . 2011-12-31 00:49 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2011-12-31 00:49 . 2011-12-31 00:49 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-14 00:32 . 2011-10-01 19:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-12 15:29 . 2011-10-12 15:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-12 15:29 . 2011-10-12 15:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-31 00:49 . 2011-10-01 16:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
    "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 86016]
    "SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
    "Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
    "LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-03-23 294912]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2003-03-31 208953]
    "MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
    "PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
    "PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ALG
    *NewlyCreated* - IPNAT
    .
    .
    ------- 而外的扫描 -------
    .
    uStart Page = hxxp://www.google.com/webhp?client=aff-ime
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    TCP: DhcpNameServer = 192.168.254.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\65m8sdqv.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-08 20:35
    Windows 5.1.2600 Service Pack 1 NTFS
    .
    扫描被隐藏的进程 。。。
    .
    扫描被隐藏的启动组 。。。
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    扫描被隐藏的文件 。。。
    .
    扫描完成
    被隐藏的档案: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST316002 rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
    .
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    --------------------- 运行进程下的动态链接库 ---------------------
    .
    - - - - - - - > 'winlogon.exe'(652)
    c:\windows\System32\ODBC32.dll
    c:\windows\System32\msctfime.ime
    .
    - - - - - - - > 'lsass.exe'(716)
    c:\windows\System32\dssenh.dll
    .
    - - - - - - - > 'explorer.exe'(1352)
    c:\windows\System32\msctfime.ime
    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    c:\windows\System32\Msi.dll
    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    .
    ------------------------ 其他运行进程 ------------------------
    .
    c:\windows\System32\conime.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Lexmark 5200 series\lxbtbmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\System32\wbem\wmiapsrv.exe
    .
    **************************************************************************
    .
    完成时间: 2012-01-08 20:37:08 - 电脑已重新启动
    ComboFix-quarantined-files.txt 2012-01-09 01:37
    .
    Pre-Run: 84,895,215,616 bytes free
    Post-Run: 85,454,356,480 bytes free
    .
    winxpsp1_cn_pro_bf.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    .
    - - End Of File - - 1A5D8A438EA48781CC67F3E4109A51A6
     
  21. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Post new Bootkit Remover log.

    Also....

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      intelppm.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  22. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...

    SystemLook 30.07.11 by jpshortstuff
    Log created at 22:35 on 08/01/2012 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "intelppm.sys"
    No files found.

    -= EOF =-
     
  23. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    We have to reset your MBR.

    Restart computer
    When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
    You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
    If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

    You should get a black screen with a C:\> prompt. Type with an Enter after each line:

    fixmbr

    fixboot

    exit

    Reboot computer.

    Post fresh Bootkit Remover log.
     
  24. joss09

    joss09 TS Rookie Topic Starter Posts: 29

    when entering fixboot, it says fixboot cannot find system drive, or the drive specified is not valid
     
  25. Broni

    Broni Malware Annihilator Posts: 47,567   +267

    Skip that command.
    Run just "fixmbr".
    Did it say, it was successful?

    Restart computer and post new Bootkit Remover log.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.