Geeks to Go

False Security Center Warnings


  • This topic is locked

#16 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
That happens sometimes. Maybe it's nothing. Test it for some time and get back to me with results :)
  • 0

#17 Bob_C (Topic Starter, Member, 79 posts)
So here we are. I got back home and installed Avast. I tried shutting down: it was slow but did shut down nicely. Since I don't trust anything at the moment, here are the things that are "acting up":
- Spyware Guard is warning me of 2 things: 1) IE Search page has been changed (asks for restore old value or keep new value) and 2) BHO has been added
- Windows has the yellow shield asking for updates (normal looking)
- Avast is freaking out with hidden rootkit warnings and malicious url detections

So I assume we're getting close but no cigar yet?
  • 0

#18 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi Bob_C,

Let's see what's left.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click the Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 4

Please don't forget to include these items in your reply:

  • GMER log
  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post.
  • 0

#19 Bob_C (Topic Starter, Member, 79 posts)
I'll get to this soon. I so appreciate your help. The one part of the instructions that confuses me a bit is in Step 1. 1) I don't really know what a root folder means, so I'm unsure how to save to one; and 2) the link to Bleeping Computer has a large number of possible applications for me to turn off/disable. Will there be anything for me to turn off besides Spybot, Spyware Guard and Avast? Those are all I use besides the "security center" things that come with all Windows products. Do I turn those off too? I don't think Malwarebytes is a running application, so I wouldn't need to disable it? Thanks. Bob
  • 0

#20 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi Bob_C,

1) I don't really know what a root folder means, so I'm unsure how to save to one

Save the application on the C:\ drive; that is the root folder. You can also save it to your Desktop and run it.

2) the link to Bleeping Computer has a large number of possible applications for me to turn off/disable. Will there be anything for me to turn off besides Spybot, Spyware Guard and Avast.

You only need to find the applications you have and disable them. This link is a universal link for everyone :)

One more thing. Please uninstall Spybot. You really don't need it. It hasn't been updated for some time and there is little help from it.
  • 0

#21 Bob_C (Topic Starter, Member, 79 posts)
Greetings. Sorry for the delay. GMER prompted me early about rootkit activity. So I selected "no" as you suggested and the log is below.
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-18 08:35:27
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3160815AS rev.4.AAB
Running: wce9374d.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\kwqcifoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA5B21BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA5B21A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA5B79902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8230231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8230231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8230231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8230231B
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
  • 0

#22 Bob_C (Topic Starter, Member, 79 posts)
HFD to you and/or yours!
I assume I should wait for you to respond to my last posted log (the gmer rootkit one) before I continue with your sequence of steps last posted by you? Thanks.
  • 0

#23 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi Bob_C,

Thank you :). To you too!

Great! We found a problem. Please do Steps 2 and 3 (TDSSKiller and aswMBR) and post their logs. Then test your system.
  • 0

#24 Bob_C (Topic Starter, Member, 79 posts)
2011/06/19 14:15:33.0703 3132 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/19 14:15:34.0296 3132 ================================================================================
2011/06/19 14:15:34.0296 3132 SystemInfo:
2011/06/19 14:15:34.0296 3132
2011/06/19 14:15:34.0296 3132 OS Version: 5.1.2600 ServicePack: 2.0
2011/06/19 14:15:34.0296 3132 Product type: Workstation
2011/06/19 14:15:34.0296 3132 ComputerName: BOB-3CDE5CE5327
2011/06/19 14:15:34.0296 3132 UserName: Bob
2011/06/19 14:15:34.0296 3132 Windows directory: C:\WINDOWS
2011/06/19 14:15:34.0296 3132 System windows directory: C:\WINDOWS
2011/06/19 14:15:34.0296 3132 Processor architecture: Intel x86
2011/06/19 14:15:34.0296 3132 Number of processors: 1
2011/06/19 14:15:34.0296 3132 Page size: 0x1000
2011/06/19 14:15:34.0296 3132 Boot type: Normal boot
2011/06/19 14:15:34.0296 3132 ================================================================================
2011/06/19 14:15:35.0640 3132 Initialize success
2011/06/19 14:15:44.0937 3148 ================================================================================
2011/06/19 14:15:44.0937 3148 Scan started
2011/06/19 14:15:44.0937 3148 Mode: Manual;
2011/06/19 14:15:44.0937 3148 ================================================================================
2011/06/19 14:15:45.0187 3148 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/06/19 14:15:45.0281 3148 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/19 14:15:45.0359 3148 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/06/19 14:15:45.0468 3148 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/06/19 14:15:45.0531 3148 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/06/19 14:15:45.0625 3148 AgereSoftModem (35c391e40471a0b479328fc7b1b5f40f) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/06/19 14:15:45.0953 3148 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/06/19 14:15:46.0093 3148 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/06/19 14:15:46.0125 3148 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/06/19 14:15:46.0171 3148 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/06/19 14:15:46.0234 3148 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/06/19 14:15:46.0296 3148 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/06/19 14:15:46.0390 3148 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/06/19 14:15:46.0453 3148 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/19 14:15:46.0515 3148 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/19 14:15:46.0593 3148 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/19 14:15:46.0718 3148 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/19 14:15:46.0796 3148 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/19 14:15:46.0890 3148 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/19 14:15:46.0921 3148 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/06/19 14:15:47.0031 3148 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/19 14:15:47.0093 3148 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/19 14:15:47.0156 3148 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/19 14:15:47.0203 3148 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/06/19 14:15:47.0453 3148 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/19 14:15:47.0546 3148 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/19 14:15:47.0593 3148 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/19 14:15:47.0640 3148 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/19 14:15:47.0703 3148 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/19 14:15:47.0781 3148 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/19 14:15:47.0859 3148 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/06/19 14:15:47.0937 3148 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/19 14:15:48.0015 3148 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/06/19 14:15:48.0062 3148 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/06/19 14:15:48.0109 3148 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/19 14:15:48.0140 3148 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/06/19 14:15:48.0203 3148 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/06/19 14:15:48.0234 3148 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/19 14:15:48.0265 3148 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/19 14:15:48.0328 3148 GcKernel (97983db98129efe4e2d215ce350a7546) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
2011/06/19 14:15:48.0375 3148 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/19 14:15:48.0421 3148 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2011/06/19 14:15:48.0453 3148 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/06/19 14:15:48.0515 3148 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
2011/06/19 14:15:48.0562 3148 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/19 14:15:48.0687 3148 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/19 14:15:48.0812 3148 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/19 14:15:49.0015 3148 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/06/19 14:15:49.0218 3148 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/19 14:15:49.0328 3148 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/19 14:15:49.0359 3148 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/19 14:15:49.0406 3148 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/06/19 14:15:49.0453 3148 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/19 14:15:49.0484 3148 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/19 14:15:49.0546 3148 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/19 14:15:49.0609 3148 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/19 14:15:49.0671 3148 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/19 14:15:49.0734 3148 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/19 14:15:49.0765 3148 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/19 14:15:49.0796 3148 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/19 14:15:49.0875 3148 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/19 14:15:49.0921 3148 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/19 14:15:50.0109 3148 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/06/19 14:15:50.0187 3148 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/06/19 14:15:50.0281 3148 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/06/19 14:15:50.0359 3148 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/06/19 14:15:50.0437 3148 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/06/19 14:15:50.0484 3148 lvselsus (e6ba3db1e07745a79e67fa5afe34bdfb) C:\WINDOWS\system32\DRIVERS\lvselsus.sys
2011/06/19 14:15:50.0734 3148 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/06/19 14:15:50.0937 3148 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/19 14:15:51.0000 3148 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/19 14:15:51.0062 3148 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/19 14:15:51.0109 3148 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/19 14:15:51.0156 3148 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/19 14:15:51.0234 3148 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/19 14:15:51.0296 3148 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/19 14:15:51.0328 3148 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/19 14:15:51.0390 3148 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/19 14:15:51.0421 3148 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/19 14:15:51.0468 3148 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/19 14:15:51.0531 3148 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/19 14:15:51.0578 3148 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/06/19 14:15:51.0640 3148 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/19 14:15:51.0703 3148 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/06/19 14:15:51.0750 3148 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/19 14:15:51.0812 3148 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/06/19 14:15:51.0859 3148 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/19 14:15:51.0921 3148 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/19 14:15:51.0953 3148 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/19 14:15:51.0984 3148 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/19 14:15:52.0078 3148 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/19 14:15:52.0140 3148 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/19 14:15:52.0234 3148 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/06/19 14:15:52.0296 3148 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/19 14:15:52.0359 3148 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/19 14:15:52.0484 3148 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/19 14:15:52.0546 3148 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/19 14:15:52.0562 3148 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/19 14:15:52.0625 3148 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/06/19 14:15:52.0750 3148 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/19 14:15:52.0765 3148 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/19 14:15:52.0859 3148 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/19 14:15:52.0921 3148 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/19 14:15:52.0968 3148 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/19 14:15:53.0046 3148 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/19 14:15:53.0296 3148 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/19 14:15:53.0328 3148 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/19 14:15:53.0359 3148 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/19 14:15:53.0500 3148 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/19 14:15:53.0593 3148 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/19 14:15:53.0625 3148 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/19 14:15:53.0671 3148 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/19 14:15:53.0734 3148 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/19 14:15:53.0765 3148 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/19 14:15:53.0828 3148 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/19 14:15:53.0890 3148 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/19 14:15:54.0000 3148 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/19 14:15:54.0062 3148 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/06/19 14:15:54.0203 3148 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/19 14:15:54.0281 3148 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/06/19 14:15:54.0359 3148 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/19 14:15:54.0437 3148 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/19 14:15:54.0515 3148 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/19 14:15:54.0609 3148 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/06/19 14:15:54.0734 3148 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/19 14:15:54.0796 3148 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/19 14:15:55.0015 3148 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/19 14:15:55.0125 3148 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/19 14:15:55.0171 3148 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/19 14:15:55.0218 3148 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/19 14:15:55.0281 3148 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/19 14:15:55.0390 3148 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/19 14:15:55.0515 3148 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/19 14:15:55.0609 3148 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/06/19 14:15:55.0671 3148 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/19 14:15:55.0750 3148 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/19 14:15:55.0812 3148 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/19 14:15:55.0875 3148 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/19 14:15:55.0921 3148 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/19 14:15:55.0984 3148 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/06/19 14:15:56.0031 3148 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/06/19 14:15:56.0125 3148 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/19 14:15:56.0187 3148 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/19 14:15:56.0281 3148 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/19 14:15:56.0437 3148 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/06/19 14:15:56.0500 3148 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/19 14:15:56.0515 3148 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/19 14:15:56.0515 3148 ================================================================================
2011/06/19 14:15:56.0515 3148 Scan finished
2011/06/19 14:15:56.0515 3148 ================================================================================
2011/06/19 14:15:56.0546 2096 Detected object count: 1
2011/06/19 14:15:56.0546 2096 Actual detected object count: 1
2011/06/19 14:16:27.0078 2096 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Skip
  • 0

#25 Bob_C (Topic Starter, Member, 79 posts)
aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-19 14:24:19
-----------------------------
14:24:19.296 OS Version: Windows 5.1.2600 Service Pack 2
14:24:19.296 Number of processors: 1 586 0x401
14:24:19.296 ComputerName: BOB-3CDE5CE5327 UserName: Bob
14:24:20.421 AVAST engine 6.0.1125 defs: 11061901
14:24:20.421 Initialize success
14:24:27.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
14:24:27.156 Disk 0 Vendor: ST3160815AS 4.AAB Size: 152627MB BusType: 3
14:24:27.156 Device \Driver\atapi -> DriverStartIo 8230231b
14:24:29.171 Disk 0 MBR read successfully
14:24:29.171 Disk 0 MBR scan
14:24:29.171 Disk 0 MBR:Alureon-G [Rtk]
14:24:29.171 Disk 0 TDL4@MBR code has been found
14:24:29.171 Disk 0 Windows XP default MBR code found via API
14:24:29.171 Disk 0 MBR hidden
14:24:29.171 Disk 0 MBR [TDL4] **ROOTKIT**
14:24:29.171 Disk 0 trace - called modules:
14:24:29.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823024d0]<<
14:24:29.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8236c8a0]
14:24:29.703 3 CLASSPNP.SYS[f84d405b] -> nt!IofCallDriver -> [0x822da0d8]
14:24:29.703 \Driver\atapi[0x82378b60] -> IRP_MJ_CREATE -> 0x823024d0
14:24:29.703 AVAST engine scan C:\WINDOWS\system32
14:26:17.859 Scan finished successfully
14:27:19.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob\Desktop\MBR.dat"
14:27:19.140 The log file has been saved successfully to "C:\Documents and Settings\Bob\Desktop\aswMBR.txt"
  • 0

#26 Bob_C (Topic Starter, Member, 79 posts)
Those are the next two logs, which I posted just before this one. I did not re-scan with GMER. Also, I still have not downloaded the updates from Windows (yellow shield), which may or may not be infected. Since I am running Spyware Guard, it is still alerting me about the IE registry value being changed and asking if I want to restore the old one or keep the new one. I've just been closing that alert w/o responding. Questions: 1) Should I accept the updates from Windows, and 2) should I "accept" the new value for IE? You've suggested to "test my system". At the moment Avast! is pretty active with URL blocks. I did delete Spybot S&D. So, I'm just running Avast, Windows Security Center's firewall and Spyware Guard (even though I use Firefox. Maybe I shouldn't bother w/ Spyware Guard?) Thanks for the continued attention.
  • 0

#27 Bob_C (Topic Starter, Member, 79 posts)
Hello. Not to be annoying, but do I respond to Avast yet? It now says a "suspicious hidden item (a rootkit) is found and to remove immediately". So far, I have not. Avast now also says it has found a suspicious file using a heuristic method, whatever that is, and asks for files to be submitted to the virus lab for analysis. And finally, it requests me to run the Avast scan prior to booting Windows... which it would do automatically if I said OK. Should I do any of these things? I'm still not trusting anything until I begin to get a green light after our work together. I'm not excited about submitting things to the lab, for some reason. Thanks again.
BTW, I realize that when I get popup messages about Avast blocking a malicious URL, that's probably a good thing. I see where I could likely turn off the announcing of each blocked URL.
  • 0

#28 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
You must rescan with TDSSKiller. You chose the Skip option instead of Cure.

Please scan one more time and make sure you choose Cure this time.
  • 0
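The TDSSKiller log posted in #24 ends with "User select action: Skip", which is exactly why a rescan is needed: the rootkit was detected but left in place. The script below is an added example, not part of this thread and not Kaspersky's code. It parses a TDSSKiller log of the format shown in #24 (timestamp, thread id, message), pulls out the MBR hash, each detection and the action the user chose, and reports whether a rescan is needed because a detection was not cured. The sample log is constructed from lines of the posted log; the set of action names treated as "resolving" (Cure, Delete, Quarantine) is an assumption about TDSSKiller's wording.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every TDSSKiller log line is "YYYY/MM/DD HH:MM:SS.ffff <thread id> <message>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# "<object> - detected <threat name> (n)"
DETECTED_RE = re.compile(r"^(?P<object>\S+) - detected (?P<threat>\S+?)(?: \(\d+\))?$")
# "<threat name>(<object>) - User select action: <Cure|Skip|...>"
ACTION_RE = re.compile(
    r"^(?P<threat>[^(\s]+)\((?P<object>[^)]+)\) - User select action: (?P<action>\w+)$"
)
# "MBR (0x1B8) (<md5 of the boot code>) <device>"
MBR_RE = re.compile(r"^MBR \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<device>\S+)$")

# Assumption: these are the TDSSKiller actions that actually remove or repair
# the object; "Skip" leaves it in place, which is what happened in the thread.
RESOLVING_ACTIONS = {"cure", "delete", "quarantine"}


@dataclass
class Finding:
    object_path: str
    threat: str
    action: str = "none"  # action the user selected, "none" if not logged


@dataclass
class TdssReport:
    findings: List[Finding] = field(default_factory=list)
    mbr_md5: Dict[str, str] = field(default_factory=dict)  # device -> MD5 of MBR code
    detected_count: Optional[int] = None

    def unresolved(self) -> List[Finding]:
        """Findings whose selected action left the object on disk."""
        return [f for f in self.findings if f.action.lower() not in RESOLVING_ACTIONS]


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Extract detections, the MBR hash and the user's chosen action from a log."""
    report = TdssReport()
    by_object: Dict[str, Finding] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, separator and blank lines carry no findings
        msg = m.group(3).strip()
        mm = MBR_RE.match(msg)
        if mm:
            report.mbr_md5[mm.group("device")] = mm.group("md5")
            continue
        dm = DETECTED_RE.match(msg)
        if dm:
            finding = Finding(dm.group("object"), dm.group("threat"))
            report.findings.append(finding)
            by_object[finding.object_path] = finding
            continue
        am = ACTION_RE.match(msg)
        if am:
            finding = by_object.get(am.group("object"))
            if finding is None:  # action logged without a matching "detected" line
                finding = Finding(am.group("object"), am.group("threat"))
                report.findings.append(finding)
                by_object[finding.object_path] = finding
            finding.action = am.group("action")
            continue
        if msg.startswith("Detected object count:"):
            report.detected_count = int(msg.split(":", 1)[1])
    return report


def needs_rescan(report: TdssReport) -> bool:
    """True when something was detected but the user did not let the tool cure it."""
    return bool(report.unresolved())


# Constructed sample: the detection, MBR and action lines copy the format of the
# log posted in the thread; the driver line is one entry from that log.
SAMPLE_SKIP = r"""
2011/06/19 14:15:44.0937 3148 Scan started
2011/06/19 14:15:44.0937 3148 Mode: Manual;
2011/06/19 14:15:45.0187 3148 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/06/19 14:15:56.0500 3148 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/19 14:15:56.0515 3148 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/19 14:15:56.0515 3148 Scan finished
2011/06/19 14:15:56.0546 2096 Detected object count: 1
2011/06/19 14:15:56.0546 2096 Actual detected object count: 1
2011/06/19 14:16:27.0078 2096 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Skip
"""
# Same scan with the Cure action chosen (constructed; the action wording is assumed).
SAMPLE_CURE = SAMPLE_SKIP.replace("User select action: Skip", "User select action: Cure")

if __name__ == "__main__":
    for name, log in (("skip", SAMPLE_SKIP), ("cure", SAMPLE_CURE)):
        rep = parse_tdsskiller_log(log)
        for f in rep.findings:
            print(f"[{name}] {f.threat} at {f.object_path}: action={f.action}")
        print(f"[{name}] rescan needed: {needs_rescan(rep)}")
```

Run against a saved TDSSKiller log, the same check (a detection line with no resolving action after it) is what a helper reads off the pasted log by eye; keeping the MBR MD5 alongside lets you compare the boot code hash before and after the cure.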

#29 Bob_C (Topic Starter, Member, 79 posts)
Done. Scanned to the "cure" prompt, but chose "skip". Then scanned again and chose "cure". Rebooted. So far, Avast is pretty quiet :>)
- Windows updates? Accept or not?
- Turned off SpywareGuard since I don't use IE; but I know it will ask me to "accept new" or "restore old" IE settings if I turn it on
- Still have SpywareBlaster running

Looks like we're getting close!! Are we?
Thanks
  • 0

#30 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi Bob_C,

Yes. We did it. Just to make sure the infection won't come back, please do one more scan with aswMBR and post the log here for me.

In the meantime I'll prepare the final cleanup for you.
  • 0





