Inactive Backdoor.tidserv blocking access to task manager and Internet connection

Aspinxtreem
Hi there,

Yesterday I clicked on a link from a Google search result page and my computer was infected with a virus. After turning off system restore and running Symantec, several trojans and backdoor tidserv were located. I was able to temporarily access the Internet in safe mode and downloaded the Symantec FixTDSS. I ran it and my computer restarted successfully but I am not able to view/access any report. I've tried running it in both safe and normal modes to no avail.

I am unable to access the Internet (I'm using a smart phone to post), task manager or regedit. I was able to open Msconfig and chose diagnostic startup and unchecked all of the suspicious files in the startup menu, most ending in "tssd". While that helped on reboot (my screen wasn't filled with phony symantec messages) I am still unable to get online to download the suggested programs listed in other similar posts.

Does anyone have suggestions for next steps?

Thank you in advance for your help.
 
Start with this:
  • Click on Start> type devmgmt.msc click OK
  • Choose > View> click on Show hidden devices
  • Browse to Non-Plug and Play Drivers and click the + sign to the left; you should see something like TDSSserv.sys in that list.
  • Highlight that driver, right click on it and select DISABLE - NOT uninstall.
  • Reboot your computer.

See if you can get online to download Malwarebytes. If you can't, download the program to a flash drive and install it on the problem computer:


Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please paste this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
It's very important that you do the check in red above. Hopefully it will remove enough so that you can run the preliminary malware scans.

Let me know- we'll go from there.
 
Thanks for the reply.

I tried running Device Manager in both safe and normal modes and while the manager opens, none of the devices are listed. I selected show hidden devices but nothing came up.

Also, I can't access the Internet anymore so I will have to download that program from a friend's computer. Are there any additional programs I should download at the same time?

Thanks again!
 
Malwarebytes Report:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/5/2010 9:45:33 PM
mbam-log-2010-10-05 (21-45-33).txt

Scan type: Quick scan
Objects scanned: 125743
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihsjfxrt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlevmydi (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5fe717eb-6cd2-4b60-809a-fe7fb3375e36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5fe717eb-6cd2-4b60-809a-fe7fb3375e36}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{67732a68-10d7-4955-aea9-9fbd11478d23}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.130,93.188.160.210 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Please let me know what I should do next. Thank you so much!!
 
Sorry for the duplicate replies, but I just wanted to give you an update. I was able to turn my device manager back on by running services.msc in safe mode and changing device mgr to automatic (it was disabled, as was plug and play). I don't see TDSSserv.sys anywhere in the list. I am attaching a screenshot of the non plug and play list.

Thanks!
 

Attachment: Devmgmt.JPG
I see an entry in the Device Manager Fix TDSS. What is this? You have a DNS Changer malware infection. Please do the following; you might want to print it out for reference:
DNS Changer
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
Let me know if you can get back online after and we'll go from there.
 
Thanks Bobbye!

Before I posted to this site, I went through the steps Symantec suggested, including downloading this Backdoor.Tidserv Removal Tool (found here http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99). The tool is supposed to run, restart your system, and give you a status of the removal upon reboot. Because the phony Windows security alert pops up and blocks everything else as soon as my system reboots, I was never able to view the status report from the FixTDSS tool. Should I remove this tool?

I will take the steps you suggest and post my results shortly.

Thanks again for your help!
 
Bobbye,

I tried to do the DNS flush but received an error message. Once I entered "ipconfig /flushdns" and hit enter, I received an error message that said "Windows IP Configuration - Could not flush the DNS resolver cache: function failed during execution"

Any suggestions?
 
"Windows IP Configuration - Could not flush the DNS resolver cache: function failed during execution"

The solution to fix this error message is to enable the DNS Client service again in the Services configuration menu:
Start> Run> type in services.msc> double click on DNS Client> set Startup Type to Automatic> Start the Service> then Exit Services.

Try the flush again. If you get same message, reboot, then try.
 
I had a lot of trouble getting online, but was able to access the internet after:

- following your flush/reset instructions
- using Microsoft help's page to change most of the settings in my service manager because the virus had disabled everything
- creating a new user account because every time I tried to access IE from my user account, the virus phony Windows security window opened (even though my second MBAM scan came back clean)
- downloading and reinstalling my network and chipset drivers

After all that, I'm back online. Thank you.

Please let me know what steps I should take next.
 
One note - I am able to access webpages if I type in the exact web address. I am unable to use search engines to locate a webpage. I tried searching using Google, Yahoo, and Bing and each time I clicked on a result, I was redirected to a bogus page.
 
FixTDSS tool. Should I remove this tool?
Yes, please.

You did a good job! The system is likely in better shape now due to your hard work.
Since we jump started, I'd like to back up and have you run the following:
  • Download DDS by sUBs and save it to your desktop.

    After downloading the tool, disconnect from the internet and disable all antivirus protection.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • When done, DDS will open two (2) logs: Please paste both in your next reply.
    [o] DDS.txt
    [o] Attach.txt
  • Close the program window, and delete the program from your desktop.
  • Enable your Antivirus protection and reconnect to the internet.
Please note: You may have to disable any script protection running if the scan fails to run.
========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
==========================================
When you have finished, paste the logs for review in your next reply . OK to use multiple posts if needed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry. Pleas
 
Thank you again for your help.

Here is the DDS.txt log


DDS (Ver_10-10-10.03) - NTFSx86
Run by Admin at 22:06:08.64 on Sat 10/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.641 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxp://connect.ontrackinview.com/msrdp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\d1gk3n47.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-17 64160]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101001.002\naveng.sys [2010-10-1 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101001.002\navex15.sys [2010-10-1 1371184]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-3-18 73368]
S0 FixTDSS;FixTDSS; [x]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S4 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2009-3-18 139264]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-11 24652]

=============== Created Last 30 ================

2010-10-10 01:23:03 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-10-10 01:20:35 -------- d-sh--w- c:\documents and settings\admin\IECompatCache
2010-10-10 00:36:27 -------- d-----w- c:\program files\ESET
2010-10-10 00:23:29 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\Symantec
2010-10-09 17:57:30 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\Mozilla
2010-10-09 17:38:42 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2010-10-09 17:35:13 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-09 17:35:12 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-09 17:35:09 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-06 01:29:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 01:29:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 01:29:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 01:29:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-05 02:20:22 0 ----a-w- c:\windows\Mxaqup.bin
2010-10-05 02:17:36 843264 ----a-w- c:\windows\system32\drivers\irrvpg.sys
2010-10-05 02:17:27 194560 ----a-w- c:\windows\Jzigia.exe
2010-10-05 02:17:20 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
2010-10-05 02:16:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-05 02:16:34 41984 ----a-w- c:\windows\system32\wupdate.exe

==================== Find3M ====================


============= FINISH: 22:07:02.98 ===============
 
Here is the attach.txt log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/17/2009 1:50:05 AM
System Uptime: 10/9/2010 9:32:24 PM (1 hours ago)

Motherboard: Dell Inc. | |
Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1664/166mhz
Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | Microprocessor | 1664/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 24.545 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&10575340&0&0102
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 9.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Boingo Wi-Fi
Bonjour
Broadcom Gigabit Integrated Controller
Citrix Access Gateway Plugin
Citrix Web Client
Dell ResourceCD
DJ_SF_03_D2500_Software_Min
DW WLAN Card Utility
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
HP Deskjet D2500 Printer Driver Software 11.0 Rel .3
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 13
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007 Trial
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Mobile Broadband Generic Drivers
Modem Helper
Mozilla Firefox (3.6.3)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NVIDIA Drivers
OZ776 SCR CardBus Windows Driver
Photosmart 140,240,7200,7600,7700,7900 Series
Picasa 3
PowerDVD 5.7
PS140
QuickTime
Remote Desktop Web Connection
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
SigmaTel Audio
Skyhook Wireless Wi-Fi Service
Sonic Update Manager
Symantec AntiVirus
SyncBack
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Wireless USB760 Firmware Updates
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VZAccess Manager
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB839210
WM Converter 2.0
XLS Viewer Components v3.2
Zinio Reader

==== Event Viewer Messages From Past Week ========

10/9/2010 1:37:38 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
10/9/2010 1:36:51 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
10/5/2010 11:54:57 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/5/2010 11:31:02 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\rasacd.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
10/5/2010 11:30:30 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\rasacd.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
10/5/2010 11:21:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/5/2010 11:17:28 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm OMCI SAVRT SAVRTPEL SPBBCDrv SYMTDI
10/5/2010 11:17:03 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
10/5/2010 11:17:03 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
10/5/2010 11:12:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/5/2010 11:11:39 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/5/2010 10:43:41 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:43:41 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 10:19:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: RasAcd
10/4/2010 10:18:29 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
10/3/2010 11:01:24 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

==== End Of File ===========================
 
and finally, here is the Eset log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=db17033a6b76944ca3c3c50d79b3cf8f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-10 01:16:18
# local_time=2010-10-09 09:16:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42153
# found=4
# cleaned=0
# scan_time=1996
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EB trojan 00000000000000000000000000000000 I
C:\WINDOWS\Jzigia.exe a variant of Win32/Kryptik.HEG trojan 00000000000000000000000000000000 I
C:\WINDOWS\WMSvasri.dll a variant of Win32/Kryptik.HDE trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll Win32/Olmarik.ACK trojan 00000000000000000000000000000000 I
 
The following 2 IPs in the Hosts file are listed as:
Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com

But the 2 IPs are for:
netname: SERVER-NETWORK
descr: root SA
country: LU > Luxemburg.
I notice you have the Corporate and Enterprise versions of some programs and also run Remote Desktop Web Connection.
Is this network related to your work? If not, it's why you're having the redirect: the searches are being routed through Luxemburg for Yahoo and Google.

There are also several infections in the Eset log, so you are still getting active infections:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    :Files 
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat 
    C:\WINDOWS\Jzigia.exe 
    C:\WINDOWS\WMSvasri.dll 
    C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
After removing the above entries:
Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.

Leave both the OTMoveIt log and TDSSKiller log in next reply.
See if you can now run Combofix:


Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
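The hosts-file redirect described above (search-engine names pinned to addresses in a foreign hosting network) is easy to check for programmatically. This is an added example, not code from the thread or from any tool named in it; the sample hosts text is constructed around the two entries quoted above, and the watched-domain list is an illustrative assumption.

```python
"""Flag hosts-file entries that silently redirect well-known domains.

Added example, not code from the thread or from any tool named in it. The
sample hosts text is constructed around the two entries quoted in the thread;
the watched-domain list is an illustrative assumption.
"""
import ipaddress

# Constructed sample: the two hijacked entries from the thread plus benign ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
212.117.178.25  www.google.com
212.117.163.43  search.yahoo.com
0.0.0.0         ads.example.net   # ad-blocking entry, harmless
"""

# Assumed list: domains a home user never legitimately pins in a hosts file.
# Search engines and security vendors are the classic redirect targets.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com", "microsoft.com",
                   "symantec.com", "malwarebytes.org")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every well-formed hosts line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip the line
        yield line_no, fields[0], fields[1:]


def is_benign_target(ip):
    """Loopback, unspecified and private targets are the normal hosts-file uses
    (ad blocking, local dev names); anything else sends traffic somewhere real."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_private


def is_watched(hostname):
    """True when hostname is one of the watched domains or a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return [(line_no, ip, hostname)] for watched names sent to foreign IPs."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if is_benign_target(ip):
            continue
        hits.extend((line_no, ip, n) for n in names if is_watched(n))
    return hits


def neutralise_hijacks(text):
    """Return the hosts text with every hijacking line commented out, so the
    system falls back to DNS for those names; the original lines stay visible."""
    bad_lines = {line_no for line_no, _, _ in find_hijacks(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        out.append("# REMOVED (redirect): " + raw if line_no in bad_lines else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} (hardcoded, bypasses DNS)")
    print(neutralise_hijacks(SAMPLE_HOSTS))
```

On the real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; the script only reads text, so point it at a copy before writing anything back.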
 
The following 2 IPs in the Hosts file are listed as:
Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com

But the 2 IPs are for:
netname: SERVER-NETWORK
descr: root SA
country: LU > Luxemburg.
I notice you have the Corporate and Enterprise versions of some programs and also run Remote Desktop Web Connection.
Is this network related to your work? If not, it's why you're having the redirect: the searches are being routed through Luxemburg for Yahoo and Google.

The remote desktop web connection (I believe this is related to Citrix?) is how I access my work server from my personal computer.

As far as the corp/enterprise editions, I'm not sure exactly which programs they are but I can think of two things:
- Symantec: A few years ago, when I was in school, I was able to download Symantec for free from the school's IT site. Maybe that was a corporate/enterprise version.
- MS Office: I received a discount on MS Office by purchasing the disc through my husband's work. I don't have the disc handy, but maybe that is also a corp/ent edition?


Also, I was able to successfully run OTMoveIt. I was required to reboot to complete the process, and the log is below:

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\All Users\Documents\Server\hlp.dat moved successfully.
C:\WINDOWS\Jzigia.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\WMSvasri.dll
C:\WINDOWS\WMSvasri.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 52899898 bytes
->Temporary Internet Files folder emptied: 661506 bytes
->FireFox cache emptied: 29412580 bytes
->Flash cache emptied: 742 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Emily

User: Guest
->Temp folder emptied: 222 bytes
->Temporary Internet Files folder emptied: 145634 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 134 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 831488 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 519843 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 81.00 mb

OTM by OldTimer - Version 3.1.16.1 log created on 10102010_114759

Files moved on Reboot...
File C:\WINDOWS\bcm52.tmp not found!

Registry entries deleted on Reboot...


When I extracted TDSSKiller.exe to the desktop and typed
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
in the Run box, I received an error (image of the error message attached).

When I opened the .exe file, there is a button labeled "log" on the bottom. I didn't run anything, I just wanted to let you know everything I saw.

Thank you!!
 

Attachments: error.JPG (23 KB)
Okay, for TDSSServ, omit the Command and pick it up here after the extraction:
  • Double click on the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over.
  • When the scan is over, the utility outputs a list of detected objects with description.
    [o]The utility automatically selects an action (Cure or Delete) for malicious objects.
    [o]The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
  • After clicking Next, the utility applies selected actions and outputs the result.
  • It is necessary to reboot the PC after the disinfection is over.
The default quarantine folder is in the system disk root folder, e.g. C:\TDSSKiller_Quarantine\
A log file named report.txt should have been created and saved to the root directory.

See if that works better for you.
 
I was able to run both programs. I hope this isn't a huge problem but I think I accidentally selected delete instead of quarantine on the TDSS Killer option menu. Sorry!!

TDSS Killer and ComboFix logs are below (in multiple replies):

TDSS Killer (Part I)

2010/10/10 12:06:32.0812 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/10 12:06:32.0812 ================================================================================
2010/10/10 12:06:32.0812 SystemInfo:
2010/10/10 12:06:32.0812
2010/10/10 12:06:32.0812 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/10 12:06:32.0812 Product type: Workstation
2010/10/10 12:06:32.0812 ComputerName: E-BB33648EF8934
2010/10/10 12:06:32.0812 UserName: Admin
2010/10/10 12:06:32.0812 Windows directory: C:\WINDOWS
2010/10/10 12:06:32.0812 System windows directory: C:\WINDOWS
2010/10/10 12:06:32.0812 Processor architecture: Intel x86
2010/10/10 12:06:32.0812 Number of processors: 2
2010/10/10 12:06:32.0812 Page size: 0x1000
2010/10/10 12:06:32.0812 Boot type: Normal boot
2010/10/10 12:06:32.0812 ================================================================================
2010/10/10 12:06:32.0984 Initialize success
2010/10/10 12:06:37.0187 ================================================================================
2010/10/10 12:06:37.0187 Scan started
2010/10/10 12:06:37.0187 Mode: Manual;
2010/10/10 12:06:37.0187 ================================================================================
2010/10/10 12:06:38.0734 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/10 12:06:38.0781 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/10 12:06:38.0890 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/10/10 12:06:38.0968 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/10/10 12:06:39.0421 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/10 12:06:39.0468 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/10 12:06:39.0531 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/10 12:06:39.0593 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/10 12:06:39.0671 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/10/10 12:06:39.0812 BCM43XX (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/10/10 12:06:40.0046 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/10 12:06:40.0109 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/10 12:06:40.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/10 12:06:40.0265 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/10 12:06:40.0328 Cdrom (882b4257e5a5adfb6b5c03e8a02d4bf1) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/10 12:06:40.0421 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/10/10 12:06:40.0531 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/10 12:06:40.0812 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/10 12:06:40.0937 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/10/10 12:06:41.0015 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/10 12:06:41.0093 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/10/10 12:06:41.0109 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/10/10 12:06:41.0140 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/10/10 12:06:41.0156 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/10/10 12:06:41.0375 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/10/10 12:06:41.0390 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/10/10 12:06:41.0437 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/10/10 12:06:41.0453 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/10/10 12:06:41.0546 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/10/10 12:06:41.0625 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/10 12:06:41.0843 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/10 12:06:41.0937 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/10 12:06:42.0000 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/10 12:06:42.0046 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/10 12:06:42.0125 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/10/10 12:06:42.0156 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/10/10 12:06:42.0359 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/10/10 12:06:42.0406 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/10/10 12:06:42.0718 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/10 12:06:42.0750 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/10 12:06:42.0781 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/10 12:06:42.0812 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/10 12:06:42.0890 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/10 12:06:42.0921 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/10 12:06:42.0937 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/10 12:06:43.0000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/10/10 12:06:43.0250 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/10 12:06:43.0328 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/10 12:06:43.0421 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/10/10 12:06:43.0453 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/10/10 12:06:43.0531 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/10/10 12:06:43.0625 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/10 12:06:43.0937 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/10 12:06:44.0000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/10 12:06:44.0078 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/10 12:06:44.0125 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/10 12:06:44.0203 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/10 12:06:44.0234 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/10 12:06:44.0250 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/10 12:06:44.0484 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/10 12:06:44.0562 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/10 12:06:44.0562 Suspicious service (NoAccess): irrvpg
2010/10/10 12:06:44.0625 irrvpg (f7cabb38fd9350f065e974ac1fea2ae9) C:\WINDOWS\system32\drivers\irrvpg.sys
2010/10/10 12:06:44.0625 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\irrvpg.sys. md5: f7cabb38fd9350f065e974ac1fea2ae9
2010/10/10 12:06:44.0640 irrvpg - detected Locked service (1)
2010/10/10 12:06:44.0671 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/10 12:06:44.0734 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/10 12:06:44.0812 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/10 12:06:45.0093 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/10 12:06:45.0156 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/10/10 12:06:45.0312 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/10 12:06:45.0390 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/10 12:06:45.0546 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/10 12:06:45.0703 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/10 12:06:45.0750 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/10 12:06:45.0828 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/10 12:06:45.0953 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/10 12:06:46.0156 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/10 12:06:46.0171 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/10 12:06:46.0203 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/10 12:06:46.0281 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/10 12:06:46.0312 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/10 12:06:46.0515 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101001.002\naveng.sys
2010/10/10 12:06:46.0593 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101001.002\navex15.sys
2010/10/10 12:06:46.0890 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/10 12:06:46.0906 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/10 12:06:46.0937 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/10 12:06:46.0968 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/10 12:06:46.0984 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/10 12:06:47.0031 Net6IM (aa6443f0dd9f554db9889f17f7dddb7c) C:\WINDOWS\system32\DRIVERS\net6im51.sys
2010/10/10 12:06:47.0093 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/10 12:06:47.0328 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/10 12:06:47.0375 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/10 12:06:47.0484 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/10 12:06:47.0734 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/10 12:06:48.0140 nv (5796a04ccc99542fdfb43f2accd803df) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/10 12:06:48.0250 NWADI (fc2a8aaa0f3321f41231ede0af1968ae) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
2010/10/10 12:06:48.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/10 12:06:48.0656 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/10 12:06:48.0687 NWUSBCDFIL (224131778c92aee8c13afac5fbff19ca) C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys
2010/10/10 12:06:48.0765 NWUSBModem (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
2010/10/10 12:06:48.0859 NWUSBPort (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
2010/10/10 12:06:48.0921 NWUSBPort2 (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwusbser2.sys
2010/10/10 12:06:49.0015 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/10/10 12:06:49.0203 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/10 12:06:49.0234 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/10 12:06:49.0312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/10 12:06:49.0375 PCASp50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\WINDOWS\system32\Drivers\PCASp50.sys
2010/10/10 12:06:49.0500 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/10 12:06:49.0546 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/10 12:06:49.0718 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/10 12:06:49.0937 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/10 12:06:49.0953 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/10 12:06:49.0984 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/10 12:06:50.0062 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/10 12:06:50.0281 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/10 12:06:50.0421 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/10 12:06:50.0437 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/10 12:06:50.0468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/10 12:06:50.0500 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/10 12:06:50.0515 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/10 12:06:50.0609 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/10 12:06:50.0656 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/10 12:06:50.0687 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/10 12:06:50.0921 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/10/10 12:06:50.0953 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2010/10/10 12:06:51.0234 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/10 12:06:51.0296 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/10 12:06:51.0343 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/10 12:06:51.0390 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/10 12:06:51.0609 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
2010/10/10 12:06:51.0984 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/10/10 12:06:52.0078 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/10 12:06:52.0171 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/10 12:06:52.0390 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/10 12:06:52.0468 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/10 12:06:52.0562 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/10 12:06:52.0640 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/10 12:06:52.0828 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
2010/10/10 12:06:53.0046 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/10/10 12:06:53.0140 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/10/10 12:06:53.0296 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/10 12:06:53.0406 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/10 12:06:53.0687 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/10 12:06:53.0765 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/10 12:06:53.0843 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/10 12:06:53.0937 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/10 12:06:54.0000 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/10 12:06:54.0078 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/10 12:06:54.0312 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/10 12:06:54.0406 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
2010/10/10 12:06:54.0468 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/10 12:06:54.0500 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/10 12:06:54.0546 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/10 12:06:54.0781 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/10 12:06:54.0875 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/10 12:06:54.0937 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
 
TDSS Killer (Part II)

2010/10/10 12:06:54.0984 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/10 12:06:55.0031 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/10 12:06:55.0078 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/10 12:06:55.0265 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/10 12:06:55.0406 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/10 12:06:55.0500 Wpsnuio (904571ee28f8f7d98b3ef1635a77c6d4) C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
2010/10/10 12:06:55.0812 ================================================================================
2010/10/10 12:06:55.0812 Scan finished
2010/10/10 12:06:55.0812 ================================================================================
2010/10/10 12:06:55.0828 Detected object count: 1
2010/10/11 19:31:51.0546 HKLM\SYSTEM\ControlSet001\services\irrvpg - will be deleted after reboot
2010/10/11 19:31:51.0546 HKLM\SYSTEM\ControlSet002\services\irrvpg - will be deleted after reboot
2010/10/11 19:31:51.0546 C:\WINDOWS\system32\drivers\irrvpg.sys - will be deleted after reboot
2010/10/11 19:31:51.0546 Locked service(irrvpg) - User select action: Delete
2010/10/11 19:32:29.0625 Deinitialize success
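The report above is mostly a driver enumeration; the lines that matter are the "Suspicious service (NoAccess)", "Locked service", "will be deleted after reboot" and "User select action" entries. The triage helper below is an added example, not Kaspersky's or the forum's code: it parses those line formats as they appear in the thread, ties the flagged service to its driver path and hash, and cross-checks the hash reported on the "Suspicious file" line against the one in the enumeration (my own consistency check; the sample excerpt is constructed from the quoted lines).

```python
"""Summarise a TDSSKiller report: which services it could not open, where
their driver files live, and what action was selected for them.

Added example, not Kaspersky's code. The sample log is a constructed excerpt
of the report quoted in the thread; the line formats are taken from it.
"""
import re

SAMPLE_REPORT = r"""
2010/10/10 12:06:44.0562 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/10 12:06:44.0562 Suspicious service (NoAccess): irrvpg
2010/10/10 12:06:44.0625 irrvpg (f7cabb38fd9350f065e974ac1fea2ae9) C:\WINDOWS\system32\drivers\irrvpg.sys
2010/10/10 12:06:44.0625 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\irrvpg.sys. md5: f7cabb38fd9350f065e974ac1fea2ae9
2010/10/10 12:06:44.0640 irrvpg - detected Locked service (1)
2010/10/10 12:06:55.0828 Detected object count: 1
2010/10/11 19:31:51.0546 HKLM\SYSTEM\ControlSet001\services\irrvpg - will be deleted after reboot
2010/10/11 19:31:51.0546 C:\WINDOWS\system32\drivers\irrvpg.sys - will be deleted after reboot
2010/10/11 19:31:51.0546 Locked service(irrvpg) - User select action: Delete
"""

# Every report line starts with a timestamp; the patterns below match the body.
TS = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ (.*)$")
DRIVER = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
SUSP_SVC = re.compile(r"^Suspicious service \((\w+)\): (\S+)$")
SUSP_FILE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
LOCKED = re.compile(r"^(\S+) - detected Locked service")
PENDING = re.compile(r"^(.+?) - will be deleted after reboot$")
ACTION = re.compile(r"^Locked service\((\S+)\) - User select action: (\w+)$")
COUNT = re.compile(r"^Detected object count: (\d+)$")


def parse_report(text):
    """Return a dict keyed by service name with everything the log said about
    it, plus the detected-object count and the list of pending deletions."""
    services, pending, count = {}, [], None
    by_path = {}   # driver path -> service name, ties 'Suspicious file' lines back
    for raw in text.splitlines():
        m = TS.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        if (d := DRIVER.match(body)):
            name, md5, path = d.groups()
            services.setdefault(name, {}).update(md5=md5, path=path)
            by_path[path.lower()] = name
        elif (s := SUSP_SVC.match(body)):
            services.setdefault(s.group(2), {})["reason"] = s.group(1)
        elif (f := SUSP_FILE.match(body)):
            reason, path, md5 = f.groups()
            name = by_path.get(path.lower(), path)
            services.setdefault(name, {}).update(file_md5=md5, file_reason=reason)
        elif (k := LOCKED.match(body)):
            services.setdefault(k.group(1), {})["locked"] = True
        elif (p := PENDING.match(body)):
            pending.append(p.group(1))
        elif (a := ACTION.match(body)):
            services.setdefault(a.group(1), {})["action"] = a.group(2)
        elif (c := COUNT.match(body)):
            count = int(c.group(1))
    return {"services": services, "pending": pending, "count": count}


def findings(report):
    """One record per flagged service; hash_consistent is False when the hash
    on the 'Suspicious file' line differs from the enumeration hash."""
    out = []
    for name, info in report["services"].items():
        if not (info.get("locked") or "reason" in info):
            continue   # plain enumeration entry, nothing was flagged
        out.append({
            "service": name,
            "path": info.get("path"),
            "reason": info.get("reason"),
            "action": info.get("action", "none"),
            "hash_consistent": info.get("md5") == info.get("file_md5"),
            "deletion_pending": any(name.lower() in p.lower() for p in report["pending"]),
        })
    return out


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"detected objects: {rep['count']}, pending deletions: {len(rep['pending'])}")
    for f in findings(rep):
        print(f)
```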


ComboFix

ComboFix 10-10-09.06 - Admin 10/11/2010 22:10:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.408 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}
c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome.manifest
c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome\content\_cfg.js
c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\chrome\content\overlay.xul
c:\documents and settings\Guest\Local Settings\Application Data\{C7BC5C65-8987-4C37-8014-930AC3E94F64}\install.rdf
c:\windows\system32\bidisp.dll
c:\windows\system32\wupdate.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-10 16:00 . 2010-10-10 16:00 -------- dc----w- C:\TDSSKiller_Quarantine
2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-09 16:35 . 2010-10-10 02:33 -------- d-----w- c:\documents and settings\Admin
2010-10-06 01:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 01:29 . 2010-10-10 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 01:29 . 2010-10-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-06 01:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 17:48 . 2010-10-05 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2010-10-05 15:17 . 2010-10-05 15:17 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-05 02:20 . 2010-10-05 13:17 0 ----a-w- c:\windows\Mxaqup.bin
2010-10-05 02:17 . 2010-10-05 02:17 67072 --sha-r- c:\windows\system32\nlsfuncg.dll
2010-10-05 02:16 . 2010-10-05 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PlugPlay"=2 (0x2)
"Netman"=3 (0x3)
"CryptSvc"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"ADVService"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"ACDaemon"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=2 (0x2)
"WmdmPmSN"=2 (0x2)
"wltrysvc"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RemoteAccess"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"odserv"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=2 (0x2)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"helpsvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"DefWatch"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"Alerter"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 3:13 AM 64160]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 8:06 PM 102448]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 12:19 PM 73368]
S0 FixTDSS;FixTDSS; [x]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 12:19 PM 139264]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 3:33 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmd25
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\d1gk3n47.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-Csaperiwedok - c:\windows\WMSvasri.dll
MSConfigStartUp-KOO9RV9K4Z - c:\docume~1\Emily\LOCALS~1\Temp\Jhp.exe
MSConfigStartUp-Nzafucegaqabih - c:\windows\amekuhup.dll
MSConfigStartUp-SMH2B46TDP - c:\docume~1\Emily\LOCALS~1\Temp\Jhm.exe
MSConfigStartUp-wupdate - c:\windows\system32\wupdate.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
AddRemove-Skyhook Wireless Wi-Fi Service - c:\program files\Skyhook Wireless\Wi-Fi Service\svcsetup.exe
AddRemove-{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E} - c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzscr01.exe
AddRemove-{89998BCF-F415-468a-8282-CB042765A26F} - c:\program files\Hewlett-Packard\Digital Imaging\{89998BCF-F415-468a-8282-CB042765A26F}\setup\hpzscr01.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-10-11 22:17:06
ComboFix-quarantined-files.txt 2010-10-12 02:17

Pre-Run: 26,041,073,664 bytes free
Post-Run: 26,016,153,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6E1F2C477CDE27958F561BB051600433
 
Questions:
1. using Microsoft help's page to change most of the settings in my service manager because the virus had disabled everything
I'm not sure what you did for this, but the Services shouldn't be listed under msconfig in the Registry. There is a way to set Services directly from within the MMC Services module> There are 89 Services being started from the registry.
2. Did you put everything in the system on Startup in msconfig? You are going to have to get the system pared back down to only starting up what is needed and you don't have everything running in the background.
3. Is there any change in the system at this point? What?
4. How is startup and shutdown speed? Slow?

I'd like you to update and run a new scan with Malwarebytes: You do check for removal in this, but I will see what is found:

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
 
Additional comments:
  1. Look here for the list: C:\TDSSKiller_Quarantine
  2. Do you need to have Boingo Wi-Fi start on boot and run in the background?
  3. Why do you have the ZinioReader starting on boot and running in the background? It's used to read magazines in digital rather than paper format
  4. The Hosts I asked you about in Luxembourg> are they involved in your work connections?
    Hosts: 212.117.178.25 www.google.com
    Hosts: 212.117.163.43 search.yahoo.com
    But the 2 IPs are for:
    netname: SERVER-NETWORK
    descr: root SA
    country: LU > Luxembourg.
  5. Please submit these files to VirScan for identification. If you get a message that they have already been identified, request a repeat:
Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  • [1]. Copy and paste the following file paths into the Suspicious files to scan box on the top of the page. Do one at a time and wait for each scan:

    c:\windows\Mxaqup.bin
    c:\windows\system32\nlsfuncg.dll
    C:\WINDOWS\Jzigia.exe
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
===================================
Java(TM) 6 Update 13 is very old. Please update to the current version, v6u21:
Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

I think a big problem for you may be lack of maintenance, not uninstalling programs you no longer use, Services set incorrectly and excess processes starting on boot and running in the background.
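A defender's check for the hosts-file redirects called out in item 4 above, added here as an example and not code from this thread or from any of the tools it names. It uses only the Python standard library; the sample hosts content is constructed (the two entries quoted above are included for contrast with benign lines), and the watch list of domains is an illustrative assumption.

```python
import ipaddress
from typing import NamedTuple

# Domains that a clean hosts file has no business pinning to a remote address.
# Illustrative watch list (an assumption); extend it for your own environment.
WATCHED_DOMAINS = {
    "www.google.com", "google.com",
    "search.yahoo.com", "www.yahoo.com",
    "www.bing.com", "update.microsoft.com",
    "www.malwarebytes.org", "www.symantec.com",
}

# Constructed sample hosts content. Lines 5 and 6 are the two entries
# quoted in the thread; the rest are benign entries for contrast.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # ad-block style entry, not a hijack
212.117.178.25  www.google.com
212.117.163.43  search.yahoo.com
10.0.0.5        intranet.example.corp
"""


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostnames: tuple
    raw: str


def parse_hosts(text):
    """Parse hosts-file text into entries, skipping blank and comment lines.
    Inline comments are stripped; a line whose first field is not a valid
    IPv4/IPv6 address is skipped rather than guessed at."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = tuple(h.lower() for h in fields[1:])
        entries.append(HostsEntry(n, fields[0], names, raw))
    return entries


def is_local(ip):
    """Loopback (127.x, ::1) and unspecified (0.0.0.0) targets only
    block or self-resolve a name; they cannot redirect it elsewhere."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return hosts entries that send a watched domain to a routable
    address. That is the pattern seen in the thread: www.google.com and
    search.yahoo.com pinned to two addresses in a Luxembourg netblock."""
    return [e for e in parse_hosts(text)
            if not is_local(e.ip) and any(h in WATCHED_DOMAINS for h in e.hostnames)]


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.ip} -> {', '.join(hit.hostnames)}  [{hit.raw.strip()}]")
```

On a live Windows XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; the ad-block style 0.0.0.0 and 127.0.0.1 entries are deliberately not flagged.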
 
Questions:
1. I'm not sure what you did for this, but the Services shouldn't be listed under msconfig in the Registry. There is a way to set Services directly from within the MMC Services module> There are 89 Services being started from the registry.
2. Did you put everything in the system on Startup in msconfig? You are going to have to get the system pared back down to only starting up what is needed and you don't have everything running in the background.
3. Is there any change in the system at this point? What?
4. How is startup and shutdown speed? Slow?

When I went to services.msc, all of the services were disabled. I went to the Windows help site, which lists the default setting for Microsoft services and I changed them accordingly. When I would restart the computer, all of the services would default to disabled again. That isn't happening anymore.

I am still running the selective startup on msconfig. I am only running what is necessary for startup.

The system is running much better and more quickly. I am still receiving some errors, but things are looking much better!

Startup and shut down are much quicker.
 
I'd like you to update and run a new scan with Malwarebytes: You do check for removal in this, but I will see what is found:

Hi Bobeye,

Here is my latest MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4826

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/15/2010 9:00:21 AM
mbam-log-2010-10-15 (09-00-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 210001
Time elapsed: 1 hour(s), 31 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Emily\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wupdate.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D93BFF2F-54EE-4543-8B33-39D9E81A57B4}\RP1\A0000021.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\10.10.2010_11.58.47\susp0000\svc0000\tsk0000.dta (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\Jzigia.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\WMSvasri.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\10102010_114759\C_WINDOWS\system32\spool\prtprocs\w32x86\w31y93o79.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


Thank you!!
 
There is one new infection plus the TDSS Quarantine: The 'new' entry is actually another file from the Trojan.FakeAlert which was removed in the first Mbam scan. So we still haven't found the source. Unfortunately there is no date to go by.

The entries for System Volume are for restore points and not active in the system. I will have you drop the old restore points and set a new, clean one when we're through. The Qoobox files are where the quarantined files found in Combofix are sent. They also aren't active and will be removed.

Please reboot the computer, then run the Eset scan again: You also need to submit the files I left to VirScan.

The file above, hotfix.exe, is from Trojan.FakeAlert.

When we're finished, I'm going to refer you to a site for the Services. There are too many on Automatic. Microsoft tends to throw everything on startup at boot and it isn't necessary. Only a few need to be on Automatic startup; the rest can be set to Manual and some can even be set to Disabled.
 