also @ TechSpot: Google, Samsung unveil Chromebook, Chromebox with Chrome OS 19

TechSpot

TechSpot News Products Downloads Forums

Collaborate in the cloud with Office, Exchange, SharePoint, and Lync.
Microsoft Office 365. Pay-as-you-go starting at $8/user/month. Begin your free trial now.

[Solved] System Check virus removal?

Discussion in 'Virus and Malware Removal' started by joss09, Jan 6, 2012.

Page 1 of 3

joss09 Newcomer, in training

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.06

Windows XP Service Pack 1 x86 NTFS
Internet Explorer 6.0.2800.1106
Administrator :: SUN-6H5NHFR7L5C [administrator]

2012-1-6 21:18:44
mbam-log-2012-01-06 (21-18-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 154185
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Detected: 2
C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> 1724 -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF.exe (Trojan.FakeAlert) -> 1688 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Documents and Settings\All Users\Application Data\FiqVFmUcesohLm.exe (Rogue.FakeHDD) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\oiu0.6198862887578649.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\DqtotSVpshKYpw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\wera0.3784665752635392.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-06 21:33:48
Windows 5.1.2600 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0 ST316002 rev.8.01
Running: utoh4zsi.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtyqpow.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

joss09, Jan 6, 2012

#1
joss09 Newcomer, in training

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 21:51:03 on 2012-01-06
Microsoft Windows XP Professional 5.1.2600.1.936.86.1033.18.510.130 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/webhp?client=aff-ime
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [<NO NAME>]
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\65m8sdqv.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2012-01-07 02:16:55 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-01-07 02:16:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-07 02:16:47 18800 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 02:16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-04 20:25:51 3396152 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-31 00:49:09 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-31 00:49:09 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-31 00:49:09 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-31 00:49:09 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-11-14 00:32:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-12 15:29:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 15:29:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST316002 rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xB2F76FF0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804ED850] -> \Device\Harddisk0\DR0[0x81F5C7F0]
3 CLASSPNP[0xF8599022] -> nt!IofCallDriver[0x804ED850] -> [0x81DE9030]
\Driver\00001666[0x81DEB4D8] -> IRP_MJ_CREATE -> 0xB2F76FF0
kernel: MBR read successfully
_asm { NOP ; JMP 0x181; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 21:51:24.40 ===============

joss09, Jan 6, 2012

#2
joss09 Newcomer, in training

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2011-9-30 21:19:20
System Uptime: 2012-1-6 16:23:42 (5 hours ago)
.
Motherboard: Intel Corporation | | D845GVSR
Processor: Intel(R) Celeron(R) CPU 2.40GHz | X1 | 2399/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 84 GiB total, 77.171 GiB free.
D: is FIXED (NTFS) - 65 GiB total, 61.275 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&2AF9ED5&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&2AF9ED5&0&00F0
Service:
.
==== System Restore Points ===================
.
RP10: 2011-10-6 17:50:30 - System Checkpoint
RP11: 2011-10-8 13:42:26 - System Checkpoint
RP12: 2011-10-9 14:13:42 - System Checkpoint
RP13: 2011-10-10 15:45:28 - System Checkpoint
RP14: 2011-10-11 17:23:14 - System Checkpoint
RP15: 2011-10-12 11:28:58 - Installed Java(TM) 6 Update 26
RP16: 2011-10-13 14:37:58 - System Checkpoint
RP17: 2011-10-14 15:06:37 - System Checkpoint
RP18: 2011-10-15 16:12:31 - System Checkpoint
RP19: 2011-10-17 0:56:15 - System Checkpoint
RP20: 2011-10-18 5:15:06 - System Checkpoint
RP21: 2011-10-21 1:16:27 - System Checkpoint
RP22: 2011-10-22 1:31:20 - System Checkpoint
RP23: 2011-10-24 12:15:53 - System Checkpoint
RP24: 2011-10-25 12:36:23 - System Checkpoint
RP25: 2011-10-26 12:40:59 - System Checkpoint
RP26: 2011-10-27 15:28:28 - System Checkpoint
RP27: 2011-10-28 17:59:35 - System Checkpoint
RP28: 2011-10-29 20:20:21 - System Checkpoint
RP29: 2011-10-31 13:15:23 - System Checkpoint
RP30: 2011-11-1 14:04:54 - System Checkpoint
RP31: 2011-11-2 14:17:32 - System Checkpoint
RP32: 2011-11-4 13:05:21 - System Checkpoint
RP33: 2011-11-6 11:51:54 - System Checkpoint
RP34: 2011-11-7 12:16:12 - System Checkpoint
RP35: 2011-11-8 16:01:16 - System Checkpoint
RP36: 2011-11-9 20:36:46 - System Checkpoint
RP37: 2011-11-10 22:12:38 - System Checkpoint
RP38: 2011-11-12 13:51:49 - System Checkpoint
RP39: 2011-11-13 15:33:30 - System Checkpoint
RP40: 2011-11-16 10:52:54 - System Checkpoint
RP41: 2011-11-17 11:14:02 - System Checkpoint
RP42: 2011-11-18 13:29:10 - System Checkpoint
RP43: 2011-11-19 14:22:32 - System Checkpoint
RP44: 2011-11-20 15:45:13 - System Checkpoint
RP45: 2011-11-21 16:57:54 - System Checkpoint
RP46: 2011-11-22 21:15:57 - System Checkpoint
RP47: 2011-11-25 13:51:00 - System Checkpoint
RP48: 2011-11-26 15:44:34 - System Checkpoint
RP49: 2011-11-27 15:53:03 - System Checkpoint
RP50: 2011-11-28 22:37:32 - System Checkpoint
RP51: 2011-11-30 11:49:22 - System Checkpoint
RP52: 2011-12-1 13:16:33 - System Checkpoint
RP53: 2011-12-5 9:20:41 - System Checkpoint
RP54: 2011-12-6 10:15:58 - System Checkpoint
RP55: 2011-12-7 12:01:34 - System Checkpoint
RP56: 2011-12-8 15:09:19 - System Checkpoint
RP57: 2011-12-10 21:36:00 - System Checkpoint
RP58: 2011-12-12 12:29:47 - System Checkpoint
RP59: 2011-12-15 11:55:10 - System Checkpoint
RP60: 2011-12-16 15:47:21 - System Checkpoint
RP61: 2011-12-17 16:40:15 - System Checkpoint
RP62: 2011-12-19 9:21:51 - System Checkpoint
RP63: 2011-12-20 12:11:08 - System Checkpoint
RP64: 2011-12-21 19:22:45 - System Checkpoint
RP65: 2011-12-23 8:27:43 - System Checkpoint
RP66: 2011-12-24 12:09:35 - System Checkpoint
RP67: 2011-12-26 12:28:51 - System Checkpoint
RP68: 2011-12-27 14:08:40 - System Checkpoint
RP69: 2011-12-29 13:50:39 - System Checkpoint
RP70: 2011-12-30 20:42:40 - System Checkpoint
RP71: 2012-1-2 15:11:19 - System Checkpoint
RP72: 2012-1-3 15:25:56 - System Checkpoint
.
==== Installed Programs ======================
.
ABBYY FineReader 5.0 Sprint Plus
Adobe Acrobat 6.0 Standard
Adobe Flash Player 11 Plugin
Compatibility Pack for the 2007 Office system
Intel Application Accelerator
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Java Auto Updater
Java(TM) 6 Update 26
Lexmark 5200 Series
Lexmark Fax Solutions
Malwarebytes Anti-Malware version 1.60.0.1800
McAfee Security Scan Plus
Microsoft Office Professional Edition 2003
Mozilla Firefox 9.0.1 (x86 en-US)
Realtek AC'97 Audio
WebFldrs XP
Windows Installer 3.0 (KB884016)
谷歌拼音输入法 2.7
.
==== Event Viewer Messages From Past Week ========
.
2012-1-6 16:25:43, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi IntelIde PCIIde
2012-1-6 14:18:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
2012-1-6 14:18:42, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
2012-1-6 14:18:42, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2012-1-6 14:18:42, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2012-1-6 14:18:42, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2012-1-6 14:15:00, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2012-1-4 11:25:37, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
.
==== End Of File ===========================

joss09, Jan 6, 2012

#3
joss09 Newcomer, in training

note to whoever helps me:
i'm okay with a delay, and i won't be free for most of tomorrow and i don't want to keep you waiting, so the best time for me would be after 5. thank you for the help!

joss09, Jan 6, 2012

#4
Broni Malware Annihilator
Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

Download TDSSKiller and save it to your desktop.

Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
Broni, Jan 7, 2012

#5
joss09 Newcomer, in training

18:58:21.0109 1772 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
18:58:23.0109 1772 ============================================================
18:58:23.0109 1772 Current date / time: 2012/01/07 18:58:23.0109
18:58:23.0109 1772 SystemInfo:
18:58:23.0109 1772
18:58:23.0109 1772 OS Version: 5.1.2600 ServicePack: 1.0
18:58:23.0109 1772 Product type: Workstation
18:58:23.0109 1772 ComputerName: SUN-6H5NHFR7L5C
18:58:23.0281 1772 UserName: Administrator
18:58:23.0281 1772 Windows directory: C:\WINDOWS
18:58:23.0296 1772 System windows directory: C:\WINDOWS
18:58:23.0296 1772 Processor architecture: Intel x86
18:58:23.0296 1772 Number of processors: 1
18:58:23.0296 1772 Page size: 0x1000
18:58:23.0296 1772 Boot type: Normal boot
18:58:23.0296 1772 ============================================================
18:58:23.0531 1772 Initialize success
18:58:32.0906 1056 ============================================================
18:58:32.0906 1056 Scan started
18:58:32.0906 1056 Mode: Manual;
18:58:32.0906 1056 ============================================================
18:58:32.0921 1056 Abiosdsk - ok
18:58:32.0937 1056 abp480n5 - ok
18:58:32.0968 1056 ACPI - ok
18:58:32.0984 1056 ACPIEC - ok
18:58:33.0000 1056 adpu160m - ok
18:58:33.0031 1056 aec - ok
18:58:33.0046 1056 AFD - ok
18:58:33.0062 1056 Aha154x - ok
18:58:33.0093 1056 aic78u2 - ok
18:58:33.0109 1056 aic78xx - ok
18:58:33.0140 1056 ALCXWDM - ok
18:58:33.0187 1056 AliIde - ok
18:58:33.0203 1056 amsint - ok
18:58:33.0234 1056 asc - ok
18:58:33.0265 1056 asc3350p - ok
18:58:33.0281 1056 asc3550 - ok
18:58:33.0296 1056 AsyncMac - ok
18:58:33.0328 1056 atapi - ok
18:58:33.0359 1056 Atdisk - ok
18:58:33.0375 1056 Atmarpc - ok
18:58:33.0453 1056 audstub - ok
18:58:33.0484 1056 Beep - ok
18:58:33.0515 1056 cbidf2k - ok
18:58:33.0531 1056 cd20xrnt - ok
18:58:33.0562 1056 Cdaudio - ok
18:58:33.0578 1056 Cdfs - ok
18:58:33.0593 1056 Cdrom - ok
18:58:33.0625 1056 Changer - ok
18:58:33.0656 1056 CmdIde - ok
18:58:33.0703 1056 Cpqarray - ok
18:58:33.0734 1056 dac2w2k - ok
18:58:33.0750 1056 dac960nt - ok
18:58:33.0781 1056 Disk - ok
18:58:33.0812 1056 dmboot - ok
18:58:33.0828 1056 dmio - ok
18:58:33.0843 1056 dmload - ok
18:58:33.0875 1056 DMusic - ok
18:58:33.0906 1056 dpti2o - ok
18:58:33.0921 1056 drmkaud - ok
18:58:33.0953 1056 E100B - ok
18:58:33.0984 1056 Fastfat - ok
18:58:34.0015 1056 Fdc - ok
18:58:34.0046 1056 Fips - ok
18:58:34.0062 1056 Flpydisk - ok
18:58:34.0078 1056 FsVga - ok
18:58:34.0093 1056 Fs_Rec - ok
18:58:34.0125 1056 Ftdisk - ok
18:58:34.0140 1056 Gpc - ok
18:58:34.0171 1056 HidUsb - ok
18:58:34.0203 1056 hpn - ok
18:58:34.0203 1056 i2omgmt - ok
18:58:34.0234 1056 i2omp - ok
18:58:34.0250 1056 i8042prt - ok
18:58:34.0265 1056 ialm - ok
18:58:34.0296 1056 IdeBusDr - ok
18:58:34.0312 1056 IdeChnDr - ok
18:58:34.0328 1056 Imapi - ok
18:58:34.0375 1056 ini910u - ok
18:58:34.0406 1056 IntelIde - ok
18:58:34.0421 1056 IpFilterDriver - ok
18:58:34.0453 1056 IpInIp - ok
18:58:34.0453 1056 IpNat - ok
18:58:34.0484 1056 IPSec - ok
18:58:34.0500 1056 IRENUM - ok
18:58:34.0531 1056 isapnp - ok
18:58:34.0562 1056 Kbdclass - ok
18:58:34.0578 1056 kmixer - ok
18:58:34.0593 1056 KSecDD - ok
18:58:34.0640 1056 lbrtfdc - ok
18:58:34.0718 1056 mnmdd - ok
18:58:34.0750 1056 Modem - ok
18:58:34.0765 1056 Mouclass - ok
18:58:34.0781 1056 MountMgr - ok
18:58:34.0812 1056 mraid35x - ok
18:58:34.0828 1056 MRxDAV - ok
18:58:34.0843 1056 MRxSmb - ok
18:58:34.0875 1056 Msfs - ok
18:58:34.0906 1056 MSKSSRV - ok
18:58:34.0921 1056 MSPCLOCK - ok
18:58:34.0953 1056 MSPQM - ok
18:58:34.0953 1056 Mup - ok
18:58:34.0968 1056 NAL - ok
18:58:35.0000 1056 NDIS - ok
18:58:35.0015 1056 NdisTapi - ok
18:58:35.0031 1056 Ndisuio - ok
18:58:35.0062 1056 NdisWan - ok
18:58:35.0078 1056 NDProxy - ok
18:58:35.0093 1056 NetBIOS - ok
18:58:35.0125 1056 NetBT - ok
18:58:35.0203 1056 Npfs - ok
18:58:35.0218 1056 Ntfs - ok
18:58:35.0250 1056 Null - ok
18:58:35.0265 1056 NwlnkFlt - ok
18:58:35.0281 1056 NwlnkFwd - ok
18:58:35.0328 1056 Parport - ok
18:58:35.0343 1056 PartMgr - ok
18:58:35.0375 1056 ParVdm - ok
18:58:35.0390 1056 PCI - ok
18:58:35.0421 1056 PCIDump - ok
18:58:35.0437 1056 PCIIde - ok
18:58:35.0453 1056 Pcmcia - ok
18:58:35.0468 1056 PDCOMP - ok
18:58:35.0484 1056 PDFRAME - ok
18:58:35.0500 1056 PDRELI - ok
18:58:35.0531 1056 PDRFRAME - ok
18:58:35.0546 1056 perc2 - ok
18:58:35.0578 1056 perc2hib - ok
18:58:35.0656 1056 PptpMiniport - ok
18:58:35.0671 1056 Processor - ok
18:58:35.0703 1056 PSched - ok
18:58:35.0718 1056 Ptilink - ok
18:58:35.0734 1056 ql1080 - ok
18:58:35.0750 1056 Ql10wnt - ok
18:58:35.0781 1056 ql12160 - ok
18:58:35.0796 1056 ql1240 - ok
18:58:35.0812 1056 ql1280 - ok
18:58:35.0828 1056 RasAcd - ok
18:58:35.0875 1056 Rasl2tp - ok
18:58:35.0890 1056 RasPppoe - ok
18:58:35.0921 1056 Raspti - ok
18:58:35.0937 1056 Rdbss - ok
18:58:35.0953 1056 RDPCDD - ok
18:58:35.0984 1056 rdpdr - ok
18:58:36.0000 1056 RDPWD - ok
18:58:36.0031 1056 redbook - ok
18:58:36.0156 1056 Secdrv - ok
18:58:36.0187 1056 serenum - ok
18:58:36.0203 1056 Serial - ok
18:58:36.0218 1056 Sfloppy - ok
18:58:36.0265 1056 Simbad - ok
18:58:36.0281 1056 Sparrow - ok
18:58:36.0296 1056 splitter - ok
18:58:36.0328 1056 sr - ok
18:58:36.0359 1056 Srv - ok
18:58:36.0406 1056 swenum - ok
18:58:36.0421 1056 swmidi - ok
18:58:36.0453 1056 symc810 - ok
18:58:36.0468 1056 symc8xx - ok
18:58:36.0484 1056 sym_hi - ok
18:58:36.0500 1056 sym_u3 - ok
18:58:36.0515 1056 sysaudio - ok
18:58:36.0562 1056 Tcpip - ok
18:58:36.0578 1056 TDPIPE - ok
18:58:36.0593 1056 TDTCP - ok
18:58:36.0625 1056 TermDD - ok
18:58:36.0671 1056 TosIde - ok
18:58:36.0703 1056 Udfs - ok
18:58:36.0718 1056 ultra - ok
18:58:36.0750 1056 Update - ok
18:58:36.0796 1056 usbccgp - ok
18:58:36.0812 1056 usbehci - ok
18:58:36.0828 1056 usbhub - ok
18:58:36.0859 1056 usbprint - ok
18:58:36.0875 1056 usbscan - ok
18:58:36.0906 1056 USBSTOR - ok
18:58:36.0921 1056 usbuhci - ok
18:58:36.0937 1056 VgaSave - ok
18:58:36.0968 1056 ViaIde - ok
18:58:36.0984 1056 VolSnap - ok
18:58:37.0031 1056 Wanarp - ok
18:58:37.0046 1056 WDICA - ok
18:58:37.0062 1056 wdmaud - ok
18:58:37.0218 1056 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0
18:58:37.0812 1056 \Device\Harddisk0\DR0 - ok
18:58:37.0828 1056 ============================================================
18:58:37.0828 1056 Scan finished
18:58:37.0828 1056 ============================================================
18:58:37.0875 1132 Detected object count: 0
18:58:37.0875 1132 Actual detected object count: 0

joss09, Jan 7, 2012

#6
Broni Malware Annihilator

This is very old TDSSKiller version.
Delete your file, download fresh one and post new log.

Broni, Jan 7, 2012

#7
joss09 Newcomer, in training

11:17:12.0359 1248 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
11:17:14.0359 1248 ============================================================
11:17:14.0359 1248 Current date / time: 2012/01/08 11:17:14.0359
11:17:14.0359 1248 SystemInfo:
11:17:14.0359 1248
11:17:14.0359 1248 OS Version: 5.1.2600 ServicePack: 1.0
11:17:14.0359 1248 Product type: Workstation
11:17:14.0359 1248 ComputerName: SUN-6H5NHFR7L5C
11:17:14.0359 1248 UserName: Administrator
11:17:14.0359 1248 Windows directory: C:\WINDOWS
11:17:14.0359 1248 System windows directory: C:\WINDOWS
11:17:14.0359 1248 Processor architecture: Intel x86
11:17:14.0359 1248 Number of processors: 1
11:17:14.0359 1248 Page size: 0x1000
11:17:14.0359 1248 Boot type: Normal boot
11:17:14.0359 1248 ============================================================
11:17:14.0625 1248 Initialize success
11:18:54.0906 1144 ============================================================
11:18:54.0906 1144 Scan started
11:18:54.0906 1144 Mode: Manual;
11:18:54.0906 1144 ============================================================
11:18:54.0906 1144 Abiosdsk - ok
11:18:54.0937 1144 abp480n5 - ok
11:18:54.0953 1144 ACPI - ok
11:18:54.0984 1144 ACPIEC - ok
11:18:55.0000 1144 adpu160m - ok
11:18:55.0015 1144 aec - ok
11:18:55.0046 1144 AFD - ok
11:18:55.0062 1144 Aha154x - ok
11:18:55.0093 1144 aic78u2 - ok
11:18:55.0109 1144 aic78xx - ok
11:18:55.0140 1144 ALCXWDM - ok
11:18:55.0187 1144 AliIde - ok
11:18:55.0203 1144 amsint - ok
11:18:55.0234 1144 asc - ok
11:18:55.0265 1144 asc3350p - ok
11:18:55.0281 1144 asc3550 - ok
11:18:55.0312 1144 AsyncMac - ok
11:18:55.0328 1144 atapi - ok
11:18:55.0343 1144 Atdisk - ok
11:18:55.0375 1144 Atmarpc - ok
11:18:55.0406 1144 audstub - ok
11:18:55.0437 1144 Beep - ok
11:18:55.0484 1144 cbidf2k - ok
11:18:55.0515 1144 cd20xrnt - ok
11:18:55.0531 1144 Cdaudio - ok
11:18:55.0546 1144 Cdfs - ok
11:18:55.0578 1144 Cdrom - ok
11:18:55.0593 1144 Changer - ok
11:18:55.0625 1144 CmdIde - ok
11:18:55.0671 1144 Cpqarray - ok
11:18:55.0703 1144 dac2w2k - ok
11:18:55.0718 1144 dac960nt - ok
11:18:55.0750 1144 Disk - ok
11:18:55.0781 1144 dmboot - ok
11:18:55.0796 1144 dmio - ok
11:18:55.0828 1144 dmload - ok
11:18:55.0859 1144 DMusic - ok
11:18:55.0875 1144 dpti2o - ok
11:18:55.0906 1144 drmkaud - ok
11:18:55.0921 1144 E100B - ok
11:18:55.0968 1144 Fastfat - ok
11:18:55.0984 1144 Fdc - ok
11:18:56.0015 1144 Fips - ok
11:18:56.0031 1144 Flpydisk - ok
11:18:56.0046 1144 FsVga - ok
11:18:56.0078 1144 Fs_Rec - ok
11:18:56.0093 1144 Ftdisk - ok
11:18:56.0109 1144 Gpc - ok
11:18:56.0156 1144 HidUsb - ok
11:18:56.0171 1144 hpn - ok
11:18:56.0187 1144 i2omgmt - ok
11:18:56.0203 1144 i2omp - ok
11:18:56.0218 1144 i8042prt - ok
11:18:56.0234 1144 ialm - ok
11:18:56.0265 1144 IdeBusDr - ok
11:18:56.0281 1144 IdeChnDr - ok
11:18:56.0312 1144 Imapi - ok
11:18:56.0359 1144 ini910u - ok
11:18:56.0390 1144 IntelIde - ok
11:18:56.0406 1144 IpFilterDriver - ok
11:18:56.0421 1144 IpInIp - ok
11:18:56.0437 1144 IpNat - ok
11:18:56.0453 1144 IPSec - ok
11:18:56.0468 1144 IRENUM - ok
11:18:56.0500 1144 isapnp - ok
11:18:56.0531 1144 Kbdclass - ok
11:18:56.0546 1144 kmixer - ok
11:18:56.0578 1144 KSecDD - ok
11:18:56.0609 1144 lbrtfdc - ok
11:18:56.0687 1144 mnmdd - ok
11:18:56.0718 1144 Modem - ok
11:18:56.0750 1144 Mouclass - ok
11:18:56.0765 1144 MountMgr - ok
11:18:56.0781 1144 mraid35x - ok
11:18:56.0796 1144 MRxDAV - ok
11:18:56.0828 1144 MRxSmb - ok
11:18:56.0859 1144 Msfs - ok
11:18:56.0890 1144 MSKSSRV - ok
11:18:56.0906 1144 MSPCLOCK - ok
11:18:56.0921 1144 MSPQM - ok
11:18:56.0937 1144 Mup - ok
11:18:56.0953 1144 NAL - ok
11:18:56.0984 1144 NDIS - ok
11:18:57.0000 1144 NdisTapi - ok
11:18:57.0015 1144 Ndisuio - ok
11:18:57.0031 1144 NdisWan - ok
11:18:57.0062 1144 NDProxy - ok
11:18:57.0078 1144 NetBIOS - ok
11:18:57.0093 1144 NetBT - ok
11:18:57.0171 1144 Npfs - ok
11:18:57.0203 1144 Ntfs - ok
11:18:57.0234 1144 Null - ok
11:18:57.0250 1144 NwlnkFlt - ok
11:18:57.0265 1144 NwlnkFwd - ok
11:18:57.0312 1144 Parport - ok
11:18:57.0328 1144 PartMgr - ok
11:18:57.0359 1144 ParVdm - ok
11:18:57.0375 1144 PCI - ok
11:18:57.0390 1144 PCIDump - ok
11:18:57.0406 1144 PCIIde - ok
11:18:57.0437 1144 Pcmcia - ok
11:18:57.0453 1144 PDCOMP - ok
11:18:57.0468 1144 PDFRAME - ok
11:18:57.0484 1144 PDRELI - ok
11:18:57.0500 1144 PDRFRAME - ok
11:18:57.0531 1144 perc2 - ok
11:18:57.0546 1144 perc2hib - ok
11:18:57.0625 1144 PptpMiniport - ok
11:18:57.0656 1144 Processor - ok
11:18:57.0671 1144 PSched - ok
11:18:57.0703 1144 Ptilink - ok
11:18:57.0718 1144 ql1080 - ok
11:18:57.0734 1144 Ql10wnt - ok
11:18:57.0750 1144 ql12160 - ok
11:18:57.0765 1144 ql1240 - ok
11:18:57.0796 1144 ql1280 - ok
11:18:57.0812 1144 RasAcd - ok
11:18:57.0843 1144 Rasl2tp - ok
11:18:57.0875 1144 RasPppoe - ok
11:18:57.0890 1144 Raspti - ok
11:18:57.0921 1144 Rdbss - ok
11:18:57.0937 1144 RDPCDD - ok
11:18:57.0968 1144 rdpdr - ok
11:18:57.0984 1144 RDPWD - ok
11:18:58.0015 1144 redbook - ok
11:18:58.0125 1144 Secdrv - ok
11:18:58.0171 1144 serenum - ok
11:18:58.0187 1144 Serial - ok
11:18:58.0203 1144 Sfloppy - ok
11:18:58.0234 1144 Simbad - ok
11:18:58.0265 1144 Sparrow - ok
11:18:58.0281 1144 splitter - ok
11:18:58.0312 1144 sr - ok
11:18:58.0328 1144 Srv - ok
11:18:58.0375 1144 swenum - ok
11:18:58.0390 1144 swmidi - ok
11:18:58.0421 1144 symc810 - ok
11:18:58.0453 1144 symc8xx - ok
11:18:58.0468 1144 sym_hi - ok
11:18:58.0484 1144 sym_u3 - ok
11:18:58.0500 1144 sysaudio - ok
11:18:58.0531 1144 Tcpip - ok
11:18:58.0546 1144 TDPIPE - ok
11:18:58.0546 1144 TDTCP - ok
11:18:58.0562 1144 TermDD - ok
11:18:58.0609 1144 TosIde - ok
11:18:58.0656 1144 Udfs - ok
11:18:58.0671 1144 ultra - ok
11:18:58.0687 1144 Update - ok
11:18:58.0734 1144 usbccgp - ok
11:18:58.0750 1144 usbehci - ok
11:18:58.0765 1144 usbhub - ok
11:18:58.0781 1144 usbprint - ok
11:18:58.0796 1144 usbscan - ok
11:18:58.0828 1144 USBSTOR - ok
11:18:58.0843 1144 usbuhci - ok
11:18:58.0859 1144 VgaSave - ok
11:18:58.0890 1144 ViaIde - ok
11:18:58.0906 1144 VolSnap - ok
11:18:58.0953 1144 Wanarp - ok
11:18:58.0984 1144 WDICA - ok
11:18:59.0000 1144 wdmaud - ok
11:18:59.0140 1144 MBR (0x1B8) (7490e13dc489e4e704d2115976665d5e) \Device\Harddisk0\DR0
11:18:59.0750 1144 \Device\Harddisk0\DR0 - ok
11:18:59.0765 1144 ============================================================
11:18:59.0765 1144 Scan finished
11:18:59.0765 1144 ============================================================
11:18:59.0812 1028 Detected object count: 0
11:18:59.0812 1028 Actual detected object count: 0

joss09, Jan 8, 2012

#8
joss09 Newcomer, in training

it looks the same.
i downloaded this from the kaspersky website.

joss09, Jan 8, 2012

#9
Broni Malware Annihilator
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

============================================================

Download Bootkit Remover to your Desktop.

Unzip downloaded file to your Desktop.

Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).

It will show a Black screen with some data on it.

Right click on the screen and click Select All.

Press CTRL+C

Open a Notepad and press CTRL+V

Post the output back here.
Broni, Jan 8, 2012

#10
joss09 Newcomer, in training

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 13:47:49
-----------------------------
13:47:49.921 OS Version: Windows 5.1.2600 Service Pack 1
13:47:49.921 Number of processors: 1 586 0x209
13:47:49.937 ComputerName: SUN-6H5NHFR7L5C UserName: Administrator
13:47:50.421 Initialize success
13:56:57.000 AVAST engine defs: 12010800
14:00:20.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
14:00:20.218 Disk 0 Vendor: ST316002 8.01 Size: 152627MB BusType: 3
14:00:20.234 Disk 0 MBR read successfully
14:00:20.250 Disk 0 MBR scan
14:00:20.296 Disk 0 Windows XP default MBR code found via API
14:00:20.296 Disk 0 unknown MBR code
14:00:20.296 Disk 0 MBR hidden
14:00:20.312 Disk 0 Partition 1 80 (A) 54 OnTrack DM6 ONTRACK 8024 MB offset 9
14:00:20.343 Disk 0 scanning sectors +312576705
14:00:20.390 Disk 0 scanning C:\WINDOWS\System32\drivers
14:00:20.406 Service scanning
14:00:22.046 Modules scanning
14:00:23.390 Disk 0 trace - called modules:
14:00:23.812 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb2f76ff0]<<
14:00:23.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81fd2a28]
14:00:23.843 3 CLASSPNP.SYS[f8589022] -> nt!IofCallDriver -> [0x81c40ab8]
14:00:23.843 \Driver\00000675[0x81c42698] -> IRP_MJ_CREATE -> 0xb2f76ff0
14:00:24.406 AVAST engine scan C:\WINDOWS
14:00:24.453 AVAST engine scan C:\WINDOWS\system32
14:00:24.484 AVAST engine scan C:\WINDOWS\system32\drivers
14:00:24.500 AVAST engine scan C:\Documents and Settings\Administrator
14:00:24.515 AVAST engine scan C:\Documents and Settings\All Users
14:00:24.531 Scan finished successfully
14:04:56.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
14:04:56.156 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

joss09, Jan 8, 2012

#11
joss09 Newcomer, in training

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...

joss09, Jan 8, 2012

#12
Broni Malware Annihilator
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Double click on downloaded file to run it.

When the tool opens click Yes to disclaimer.

Press Scan button.

It will produce a log (FRST.txt) on your desktop.

Please copy and paste it to your reply.
Broni, Jan 8, 2012

#13
joss09 Newcomer, in training

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
Ran by Administrator at 2012-01-08 14:17:43
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]

================================ Services (Whitelisted) ==================

========================== Drivers (Whitelisted) =============

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-08 14:17 - 2012-01-08 14:17 - 0000000 ____D C:\FRST
2012-01-08 14:04 - 2012-01-08 14:04 - 0001983 ____A C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
2012-01-08 14:04 - 2012-01-08 14:04 - 0000512 ____A C:\Documents and Settings\Administrator\Desktop\MBR.dat
2012-01-08 11:20 - 2012-01-08 11:20 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.44_log.txt
2012-01-08 11:20 - 2012-01-08 11:20 - 0001846 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.27_log.txt
2012-01-08 11:17 - 2012-01-08 11:19 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.17.12_log.txt
2012-01-06 21:34 - 2012-01-06 21:34 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Videos
2012-01-06 21:33 - 2012-01-06 21:33 - 0000395 ____A C:\Documents and Settings\Administrator\Desktop\gmer.log
2012-01-06 21:23 - 2012-01-06 21:23 - 0006872 ____A C:\Documents and Settings\Administrator\Desktop\mbam-log-2012-01-06 (21-18-44).txt
2012-01-06 21:16 - 2012-01-06 21:16 - 0000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-06 21:16 - 2011-12-10 15:24 - 0018800 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-01-06 20:36 - 2012-01-06 20:40 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\patent 3
2012-01-06 20:33 - 2012-01-06 20:38 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\resume 2
2012-01-06 20:22 - 2011-10-04 16:31 - 0001619 ____A C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
2012-01-06 20:22 - 2011-10-04 16:31 - 0001611 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
2012-01-06 20:22 - 2011-10-01 11:52 - 0000724 ____A C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2012-01-06 20:22 - 2011-10-01 11:11 - 0001824 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
2012-01-06 20:22 - 2011-10-01 11:11 - 0001758 ____A C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 6.0 Standard.lnk
2012-01-06 20:22 - 2011-10-01 11:02 - 0000763 ____A C:\Documents and Settings\All Users\Desktop\Lexmark 5200 Series All-In-One Center.lnk
2012-01-06 20:22 - 2011-10-01 00:13 - 0000084 __ASH C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2012-01-06 19:14 - 2012-01-06 21:23 - 0000000 ____D C:\Windows\CSC
2012-01-06 19:14 - 2012-01-06 19:35 - 0188700 ____A C:\Windows\ntbtlog.txt
2012-01-04 16:31 - 2012-01-04 16:31 - 0000000 ____D C:\Documents and Settings\LocalService\Application Data\Google
2012-01-04 16:25 - 2012-01-04 16:25 - 0074840 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-01-04 16:25 - 2012-01-04 16:25 - 0000835 ____A C:\Documents and Settings\Administrator\Desktop\System Check.lnk
2012-01-04 16:25 - 2012-01-04 16:25 - 0000336 ____A C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF
2012-01-04 16:25 - 2012-01-04 16:25 - 0000272 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVF
2012-01-04 16:25 - 2012-01-04 16:25 - 0000160 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVFr

============ 3 Months Modified Files and Folders ===============

2012-01-08 14:17 - 2012-01-08 14:17 - 0000000 ____D C:\FRST
2012-01-08 14:04 - 2012-01-08 14:04 - 0001983 ____A C:\Documents and Settings\Administrator\Desktop\aswMBR.txt
2012-01-08 14:04 - 2012-01-08 14:04 - 0000512 ____A C:\Documents and Settings\Administrator\Desktop\MBR.dat
2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-01-08 13:44 - 2011-10-01 00:20 - 0000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2012-01-08 13:44 - 2011-10-01 00:13 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-08 13:44 - 2011-09-30 18:00 - 0000159 ____A C:\Windows\wiadebug.log
2012-01-08 13:44 - 2011-09-30 18:00 - 0000048 ____A C:\Windows\wiaservc.log
2012-01-08 13:44 - 2003-03-31 07:00 - 0013646 ____A C:\Windows\System32\wpa.dbl
2012-01-08 11:26 - 2011-10-01 00:20 - 0032648 ____A C:\Windows\SchedLgU.Txt
2012-01-08 11:26 - 2011-10-01 00:20 - 0000280 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2012-01-08 11:20 - 2012-01-08 11:20 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.44_log.txt
2012-01-08 11:20 - 2012-01-08 11:20 - 0001846 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.20.27_log.txt
2012-01-08 11:19 - 2012-01-08 11:17 - 0013606 ____A C:\TDSSKiller.2.6.25.0_08.01.2012_11.17.12_log.txt
2012-01-08 10:59 - 2011-09-30 17:58 - 0375635 ____A C:\Windows\setupapi.log
2012-01-08 10:55 - 2011-10-01 15:31 - 0000000 ____D C:\Program Files\Google
2012-01-08 10:55 - 2011-10-01 15:31 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Google
2012-01-06 21:34 - 2012-01-06 21:34 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Videos
2012-01-06 21:34 - 2011-10-01 00:20 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents
2012-01-06 21:33 - 2012-01-06 21:33 - 0000395 ____A C:\Documents and Settings\Administrator\Desktop\gmer.log
2012-01-06 21:23 - 2012-01-06 21:23 - 0006872 ____A C:\Documents and Settings\Administrator\Desktop\mbam-log-2012-01-06 (21-18-44).txt
2012-01-06 21:23 - 2012-01-06 19:14 - 0000000 ____D C:\Windows\CSC
2012-01-06 21:16 - 2012-01-06 21:16 - 0000784 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-01-06 21:16 - 2012-01-06 21:16 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2012-01-06 20:52 - 2011-10-01 00:20 - 0000000 ___RD C:\Documents and Settings\Administrator\My Documents\My Pictures
2012-01-06 20:40 - 2012-01-06 20:36 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\patent 3
2012-01-06 20:38 - 2012-01-06 20:33 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\resume 2
2012-01-06 20:22 - 2011-09-30 17:58 - 0000000 ___RD C:\Documents and Settings\All Users\Start Menu
2012-01-06 19:35 - 2012-01-06 19:14 - 0188700 ____A C:\Windows\ntbtlog.txt
2012-01-04 16:31 - 2012-01-04 16:31 - 0000000 ____D C:\Documents and Settings\LocalService\Application Data\Google
2012-01-04 16:25 - 2012-01-04 16:25 - 0074840 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-01-04 16:25 - 2012-01-04 16:25 - 0000835 ____A C:\Documents and Settings\Administrator\Desktop\System Check.lnk
2012-01-04 16:25 - 2012-01-04 16:25 - 0000336 ____A C:\Documents and Settings\All Users\Application Data\SggGd86F9xBnVF
2012-01-04 16:25 - 2012-01-04 16:25 - 0000272 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVF
2012-01-04 16:25 - 2012-01-04 16:25 - 0000160 ____A C:\Documents and Settings\All Users\Application Data\~SggGd86F9xBnVFr
2012-01-04 16:23 - 2011-09-30 17:58 - 0265416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-04 16:22 - 2011-10-01 00:13 - 0017712 ____A C:\Windows\Windows Update.log
2012-01-04 16:22 - 2003-03-31 07:00 - 0000231 ____A C:\Windows\system.ini
2012-01-04 15:01 - 2011-09-30 17:58 - 0002318 ____A C:\Windows\regopt.log
2011-12-30 19:49 - 2011-10-01 11:52 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-12-29 20:44 - 2011-10-01 11:00 - 0000000 ____D C:\Program Files\Lx_cats
2011-12-10 15:24 - 2012-01-06 21:16 - 0018800 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-09 10:57 - 2011-10-01 00:12 - 0000000 ___SD C:\Windows\Downloaded Program Files
2011-12-01 12:25 - 2011-11-28 11:11 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\color
2011-11-28 13:37 - 2011-11-22 08:09 - 0027648 ____A C:\Documents and Settings\Administrator\My Documents\Formulation Chemist in our Wyandotte BASF.doc
2011-11-28 11:18 - 2011-11-11 21:45 - 0000000 ____D C:\Documents and Settings\Administrator\My Documents\basf
2011-11-25 17:17 - 2011-10-01 11:06 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\FaxCtr
2011-11-24 12:56 - 2011-11-24 12:56 - 0107259 ____A C:\Documents and Settings\Administrator\My Documents\registrar eku.pdf
2011-11-21 19:25 - 2011-11-21 19:25 - 1150499 ____A C:\Documents and Settings\Administrator\My Documents\us5719202 Pual Share.pdf
2011-11-21 19:23 - 2011-11-21 19:23 - 0945345 ____A C:\Documents and Settings\Administrator\My Documents\us 7479326 Paul Share.pdf
2011-11-20 10:17 - 2011-11-20 10:17 - 0047616 ____A C:\Documents and Settings\Administrator\My Documents\GretagMacbeth Spectrolino.doc
2011-11-18 09:48 - 2011-10-01 00:20 - 0000180 ___SH C:\Documents and Settings\LocalService\ntuser.ini
2011-11-18 09:46 - 2011-10-01 00:20 - 0000180 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
2011-11-16 21:44 - 2011-11-16 21:44 - 0044544 ____A C:\Documents and Settings\Administrator\My Documents\Math Tables.doc
2011-11-13 19:32 - 2011-10-01 14:56 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-11-11 22:31 - 2011-11-11 22:21 - 0037376 ____A C:\Documents and Settings\Administrator\My Documents\Paul Share BASF.doc
2011-11-10 20:25 - 2011-11-10 20:23 - 0099098 ____A C:\Documents and Settings\Administrator\My Documents\Mark Sun expense report.pdf
2011-11-10 20:23 - 2011-10-01 11:11 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Adobe
2011-11-10 18:04 - 2011-11-10 18:04 - 0028672 ____A C:\Documents and Settings\Administrator\My Documents\Product Development Scientist BASF.doc
2011-11-10 14:37 - 2011-11-10 14:37 - 0029184 ____A C:\Documents and Settings\Administrator\My Documents\Research Chemist job for BASF.doc
2011-11-09 14:51 - 2011-11-09 14:51 - 2217251 ____A C:\Documents and Settings\Administrator\My Documents\us 20090111934 china.pdf
2011-11-08 10:19 - 2011-11-07 15:26 - 0026112 ____A C:\Documents and Settings\Administrator\My Documents\AkzoNoble polymer chemist.doc
2011-11-02 10:11 - 2011-11-02 10:11 - 0024576 ____A C:\Documents and Settings\Administrator\My Documents\interview plan for siegwerk.doc
2011-10-31 12:37 - 2011-09-30 17:59 - 0360124 ____A C:\Windows\System32\PerfStringBackup.INI
2011-10-27 00:32 - 2011-10-12 15:09 - 0033792 ____A C:\Documents and Settings\Administrator\My Documents\Ink Formulations Chemist for Fujifilm.doc
2011-10-21 22:31 - 2011-10-14 22:04 - 2926080 ____A C:\Documents and Settings\Administrator\My Documents\Background for Mark Sun.ppt
2011-10-21 03:21 - 2011-10-21 03:21 - 0033280 ____A C:\Documents and Settings\Administrator\My Documents\chemtrend formulation chemist.doc
2011-10-21 02:59 - 2011-10-01 00:20 - 0000000 ___SD C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
2011-10-14 00:24 - 2011-10-14 00:24 - 0024064 ____A C:\Documents and Settings\Administrator\My Documents\Sun Chemical.doc
2011-10-12 16:00 - 2011-10-12 16:00 - 0030208 ____A C:\Documents and Settings\Administrator\My Documents\Sun Chemical seeking a Senior Chemist for Cincinnati.doc
2011-10-12 10:29 - 2011-10-12 10:29 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2011-10-12 10:29 - 2011-10-12 10:29 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2011-10-12 10:29 - 2011-10-12 10:29 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2011-10-12 10:29 - 2011-10-12 10:29 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2011-10-12 10:29 - 2011-10-12 10:29 - 0073728 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javacpl.cpl
2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Windows\Sun
2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Program Files\Java
2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Program Files\Common Files\Java
2011-10-12 10:29 - 2011-10-12 10:29 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Sun
2011-10-12 10:27 - 2011-10-12 10:27 - 0000000 ____D C:\Documents and Settings\Administrator\Application Data\Sun

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2003-03-31 07:00] - [2003-03-31 07:00] - 1004032 ____A (Microsoft Corporation) a82b28bfc2e4455fe43022a498c0ef0a

C:\Windows\System32\winlogon.exe
[2003-03-31 07:00] - [2003-03-31 07:00] - 0516608 ____A (Microsoft Corporation) 2246d8d8f4714a2cedb21ab9b1849abb

C:\Windows\System32\Drivers\volsnap.sys
[2003-03-31 07:00] - [2003-03-31 07:00] - 0049152 ____A (Microsoft Corporation) 6fdc9523ef81617cf5028f47fcaf0fbe

==================== Restore Points (XP) =====================

========================= Memory info ======================

Percentage of memory in use: 60%
Total physical RAM: 509.8 MB
Available physical RAM: 200.68 MB
Total Pagefile: 1248.77 MB
Available Pagefile: 973.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.14 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:83.87 GB) (Free:77.3 GB) NTFS ==>[Drive with boot components]
3 Drive d: () (Fixed) (Total:65.18 GB) (Free:61.28 GB) NTFS

Microsoft DiskPart version 1.0
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Microsoft DiskPart version 1.0
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 84 GB 32 KB
Partition 2 Extended 65 GB 84 GB
Partition 3 Logical 65 GB 84 GB

Disk: 0
Microsoft DiskPart version 1.0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 84 GB Healthy System

Disk: 0
Microsoft DiskPart version 1.0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 65 GB Healthy

joss09, Jan 8, 2012

#14
Broni Malware Annihilator

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

Broni, Jan 8, 2012

#15
joss09 Newcomer, in training

a window popped up saying "backdoor.tidserv has not been found on your computer"

joss09, Jan 8, 2012

#16
Broni Malware Annihilator

Post new Bootkit Remover log.

Broni, Jan 8, 2012

#17
joss09 Newcomer, in training

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 1 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...

joss09, Jan 8, 2012

#18
Broni Malware Annihilator
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Jan 8, 2012

#19
joss09 Newcomer, in training

i'm not sure why it is in chinese.
ComboFix 12-01-07.04 - Administrator 8/2012 Sun 20:29:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.936.86.1033.18.510.350 [GMT -5:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\All Users\Application Data\~SggGd86F9xBnVF
c:\documents and settings\All Users\Application Data\~SggGd86F9xBnVFr
c:\documents and settings\All Users\Application Data\SggGd86F9xBnVF
c:\windows\$NtUninstallKB45136$
c:\windows\$NtUninstallKB45136$\3106834216
c:\windows\$NtUninstallKB45136$\3136621221\@
c:\windows\$NtUninstallKB45136$\3136621221\cfg.ini
c:\windows\$NtUninstallKB45136$\3136621221\Desktop.ini
c:\windows\$NtUninstallKB45136$\3136621221\L\koiiiltl
c:\windows\$NtUninstallKB45136$\3136621221\U\00000001.@
c:\windows\$NtUninstallKB45136$\3136621221\U\00000002.@
c:\windows\$NtUninstallKB45136$\3136621221\U\00000004.@
c:\windows\$NtUninstallKB45136$\3136621221\U\80000000.@
c:\windows\$NtUninstallKB45136$\3136621221\U\80000004.@
c:\windows\$NtUninstallKB45136$\3136621221\U\80000032.@
c:\windows\system32\c_10001.nls
c:\windows\system32\c_10003.nls
c:\windows\system32\c_10007.nls
c:\windows\system32\c_10010.nls
c:\windows\system32\c_10017.nls
c:\windows\system32\c_10029.nls
c:\windows\system32\c_10079.nls
c:\windows\system32\c_10081.nls
c:\windows\system32\c_10082.nls
c:\windows\system32\c_20905.nls
c:\windows\system32\c_28593.nls
c:\windows\system32\c_28598.nls
.
发现受感染 c:\windows\system32\drivers\netbt.sys 并且成功解毒
从 - The cat found it 恢复原来档案
c:\windows\system32\qmgr.dll . . . 受感染！！
.
找不到。。。 "c:\windows\system32\drivers\intelppm.sys"！！
.
.
((((((((((((((((((((((((( 2011-12-09 至 2012-01-09 的新的档案 )))))))))))))))))))))))))))))))
.
.
2012-01-08 19:17 . 2012-01-08 19:18 -------- d-----w- C:\FRST
2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-07 02:16 . 2012-01-07 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 02:16 . 2011-12-10 20:24 18800 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 00:49 . 2011-12-31 00:49 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-31 00:49 . 2011-12-31 00:49 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-31 00:49 . 2011-12-31 00:49 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-31 00:49 . 2011-12-31 00:49 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 00:32 . 2011-10-01 19:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-12 15:29 . 2011-10-12 15:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-12 15:29 . 2011-10-12 15:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-31 00:49 . 2011-10-01 16:52 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-03-23 294912]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2003-03-31 208953]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com/webhp?client=aff-ime
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\65m8sdqv.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-08 20:35
Windows 5.1.2600 Service Pack 1 NTFS
.
扫描被隐藏的进程。。。
.
扫描被隐藏的启动组。。。
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
扫描被隐藏的文件。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST316002 rev.8.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime
.
- - - - - - - > 'lsass.exe'(716)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\System32\msctfime.ime
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\System32\Msi.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\System32\conime.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark 5200 series\lxbtbmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
完成时间: 2012-01-08 20:37:08 - 电脑已重新启动
ComboFix-quarantined-files.txt 2012-01-09 01:37
.
Pre-Run: 84,895,215,616 bytes free
Post-Run: 85,454,356,480 bytes free
.
winxpsp1_cn_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 1A5D8A438EA48781CC67F3E4109A51A6

joss09, Jan 8, 2012

#20

(You must log in or sign up to reply here.)

Page 1 of 3

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved