
Thread: Click.GiftLoad infection

  1. #1
    Junior Member
    Join Date
    May 2011
    Posts
    20

    Click.GiftLoad infection

    Hello, and thank you very much in advance for your help.
    A few days ago my PC spontaneously restarted, and after the reboot Windows notified me that it had recovered from a serious error. Then I tried to install the latest Windows update, but the installation failed; soon I couldn't even access the Windows Update page. I ran Spybot-S&D and it found Click.GiftLoad. Now I'm working in safe mode (as I can do nothing in normal mode, everything is going too slowly). Since then I've only connected the computer to the internet in order to download ERUNT, DDS, etc. and to read the forum. I have also run ATF Cleaner, GooredFix and TDSSKiller as suggested by a friend, but it didn't work.
    Thank you very much again.

    .
    DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
    Run by andres1 at 18:59:26,95 on 08/05/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.3082.18.1023.765 [GMT 2:00]
    .
    AV: Panda Antivirus Pro 2010 *Enabled/Updated* {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
    FW: Panda Personal Firewall 2010 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\andres1\Escritorio\shazam\spybot\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.es/
    uInternet Connection Wizard,ShellNext = hxxp://www.pandasoftware.com/redirector/?prod=104&app=KeysSupport&lang=spa
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\andres1\config~1\temp\bldjad.exe
    BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [SoundMAXPnP] c:\archivos de programa\analog devices\core\smax4pnp.exe
    mRun: [XboxStat] "c:\archivos de programa\microsoft xbox 360 accessories\XboxStat.exe" silentrun
    mRun: [APVXDWIN] "c:\archivos de programa\panda security\panda antivirus pro 2010\APVXDWIN.EXE" /s
    mRun: [SCANINICIO] "c:\archivos de programa\panda security\panda antivirus pro 2010\Inicio.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
    mRun: [QuickTime Task] "c:\archivos de programa\quicktime\qttask.exe" -atboottime
    mRun: [CERTUI] c:\archivos de programa\acotec\certui\CerTUI.exe
    mRun: [RegistrarUsrDNIeCertStoreDLL] "c:\archivos de programa\dnie\udcs.exe"
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\andres1\menini~1\progra~1\inicio\certui.lnk - c:\archivos de programa\acotec\certui\CerTui.exe
    StartupFolder: c:\docume~1\andres1\menini~1\progra~1\inicio\uninst~1.lnk - c:\windows\certui\uninstall.exe
    StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\logite~1.lnk - c:\archivos de programa\logitech\setpoint\SetPoint.exe
    mPolicies-system: EnableUA = 0 (0x0)
    IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: fnmt.es\www.cert
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFB} - hxxps://www.juntadeandalucia.es/economiayhacienda/apl/surnet/firma/instalacion/SignV2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} - hxxps://www.cert.fnmt.es/content/pages_std/ficheros_apps_usuarios/capicom.cab
    DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www1.aeat.es/imagenes/comun/cactivex.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avldr - avldr.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\archiv~1\markany\conten~1\MACSMA~1.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mrjmptwa.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\andres1\datosd~1\mozilla\firefox\profiles\d7wjsik5.default\
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Acotec PKCS#11: acotec@acotec.es - c:\archivos de programa\mozilla firefox\extensions\acotec@acotec.es
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-6-19 159112]
    R2 aawservice;Ad-Aware 2007 Service;c:\archivos de programa\lavasoft\ad-aware 2007\aawservice.exe [2007-6-5 607576]
    R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2010-6-19 199432]
    S0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2010-6-19 28552]
    S1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2010-6-19 75016]
    S1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2010-6-19 53128]
    S1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2010-6-19 22072]
    S1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2010-6-19 193800]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2010-6-19 41144]
    S1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2010-6-19 46728]
    S2 ckfhatpqubgol;ckfhatpqubgol;"c:\docume~1\andres1\config~1\temp\dat1aed.tmp.exe" --service --> c:\docume~1\andres1\config~1\temp\DAT1AED.tmp.exe [?]
    S2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
    S2 Panda Software Controller;Panda Software Controller;c:\archivos de programa\panda security\panda antivirus pro 2010\PsCtrlS.exe [2010-6-19 173312]
    S2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2010-6-19 84024]
    S2 PAVFNSVR;Panda Function Service;c:\archivos de programa\panda security\panda antivirus pro 2010\PavFnSvr.exe [2010-6-19 169216]
    S2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2010-6-19 163336]
    S2 PavPrSrv;Panda Process Protection Service;c:\archivos de programa\archivos comunes\panda security\pavshld\PavPrSrv.exe [2010-6-19 62768]
    S2 PAVSRV;Panda On-Access Anti-Malware Service;c:\archivos de programa\panda security\panda antivirus pro 2010\PAVSRV51.EXE [2010-6-19 291584]
    S2 PskSvcRetail;Panda PSK service;c:\archivos de programa\panda security\panda antivirus pro 2010\psksvc.exe [2010-6-19 28928]
    S2 srvA50;srvA50;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
    S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
    S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
    S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [2011-4-30 16648]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\rkpavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\rkpavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]
    S3 RkPavproc4;RkPavproc4;\??\c:\windows\system32\drivers\rkpavproc4.sys --> c:\windows\system32\drivers\RkPavproc4.sys [?]
    S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-14 50048]
    .
    =============== File Associations ===============
    .
    JSEFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
    VBEFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
    VBSFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-05-05 16:12:06 -------- d-----w- C:\PANDA
    2011-04-30 16:39:03 16648 ----a-w- c:\windows\system32\drivers\RkPavproc1.sys
    2011-04-29 23:32:51 0 ----a-w- c:\windows\system32\tmp.tmp
    2011-04-29 20:42:09 37888 ----a-w- c:\windows\system32\mrjmptwa.dll
    2011-04-29 20:40:28 11968 ----a-w- c:\archivos de programa\mozilla firefox\null0.8191773321168803.exe
    2011-04-13 18:19:48 196608 ----a-w- C:\aeat.dll
    2011-04-12 20:24:21 -------- d-----w- c:\archivos de programa\DNIe
    2011-04-12 18:32:01 -------- d-----w- c:\windows\CerTUI
    2011-04-12 18:32:01 -------- d-----w- c:\archivos de programa\ACOTEC
    .
    ==================== Find3M ====================
    .
    2011-03-21 18:13:18 295042 ----a-w- c:\windows\system32\shimg.dll
    2011-03-07 05:33:36 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 08:43:22 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:53:03 1858048 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 18:55:28 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 18:55:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-17 18:55:27 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-02-17 18:55:27 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-02-17 12:54:06 5632 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53:27 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:27 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:28 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6V320F0 rev.VA111900 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E45730]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e4ba10]; MOV EAX, [0x86e4ba8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F36AB8]
    3 CLASSPNP[0xF762FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86EFDAE8]
    \Driver\atapi[0x86ED0D28] -> IRP_MJ_CREATE -> 0x86E45730
    error: Read Uno de los dispositivos vinculados al sistema no funciona.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86E4557B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 19:01:15,96 ===============

    Click.GiftLoad: [SBI $89783858] Configuración del usuario (Valor del registro, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2007-06-29 unins000.exe (51.41.0.0)
    2009-04-02 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-03-22 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-03-29 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-04-05 Includes\Malware.sbi (*)
    2011-05-03 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-05-03 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-05-03 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-05-02 Includes\TrojansC-02.sbi (*)
    2011-05-03 Includes\TrojansC-03.sbi (*)
    2011-05-03 Includes\TrojansC-04.sbi (*)
    2011-05-04 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208





    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


    Besides Click.Giftload, you're infected with a nasty Rootkit.




    REGEDIT4

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
    "svchost.exe"=-

    Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

    If you saved the file correctly it should look like this:




    Download aswMBR.exe (511 KB) to your desktop.

    Double-click aswMBR.exe to run it.

    Click the "Scan" button to start the scan.


    On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
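The entries the expert is reading off the DDS log in the first post (the extra executable appended to Winlogon's Userinit value, the unknown DLL at the end of the SecurityProviders line, and a service whose image path points into a temp directory) are the kind of thing that can be picked out mechanically during triage. The script below is an added example written for this page; it is not part of DDS, Spybot, aswMBR or anything posted in the thread. It assumes a stock Windows XP Userinit value and a fixed set of SecurityProviders DLLs shipped with XP (both labelled as assumptions in the code), and its sample input is a handful of lines copied from the DDS report above plus one clean line.

```python
"""Triage helper for the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines of a DDS log.

Added example for this thread (not DDS, Spybot or forum code). It flags three
persistence patterns that appear in the posted report:
  - a Winlogon Userinit value with more than the default userinit.exe,
  - a SecurityProviders DLL outside the set shipped with Windows XP,
  - a service whose image path lives under a temp directory.
"""
import re

# Assumption: a stock XP install has exactly this Userinit entry (DDS prints paths lower-case).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Assumption: SecurityProviders DLLs present on a stock XP SP3 box; anything else gets a look.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# A "\temp\" path component anywhere in a service image path (DDS shortens
# "Configuración local" / "Local Settings" to config~1, so match only on the temp part).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# DDS service/driver lines look like: "<state> <name>;<description>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def triage_line(line):
    """Return a list of (kind, detail) findings for one DDS line; [] when nothing is flagged."""
    findings = []
    line = line.strip()
    if line.startswith("mWinlogon: Userinit="):
        # Value is a comma-separated list of executables run at logon; only the default belongs.
        entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
        for entry in entries:
            if entry != DEFAULT_USERINIT:
                findings.append(("userinit-extra", entry))
    elif line.startswith("SecurityProviders:"):
        # These DLLs are loaded into lsass.exe; an unknown name is a classic hiding place.
        for dll in line.split(":", 1)[1].split(","):
            dll = dll.strip().lower()
            if dll and dll not in KNOWN_SECURITY_PROVIDERS:
                findings.append(("securityprovider-unknown", dll))
    else:
        match = SERVICE_RE.match(line)
        if match:
            _state, name, _desc, image = match.groups()
            if TEMP_DIR_RE.search(image):
                findings.append(("service-in-temp", name.strip()))
    return findings


def triage_log(text):
    """Run triage_line over every line of a DDS report and collect all findings in order."""
    findings = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


# Constructed sample: four lines copied from the DDS report in the first post, plus one
# ordinary Run entry that must not be flagged.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\andres1\config~1\temp\bldjad.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mrjmptwa.dll
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-6-19 159112]
S2 ckfhatpqubgol;ckfhatpqubgol;"c:\docume~1\andres1\config~1\temp\dat1aed.tmp.exe" --service --> c:\docume~1\andres1\config~1\temp\DAT1AED.tmp.exe [?]
"""

if __name__ == "__main__":
    for kind, detail in triage_log(SAMPLE_DDS):
        print(f"{kind}: {detail}")
```

Running it against the sample prints one line per finding: the bldjad.exe appended to Userinit, mrjmptwa.dll on the SecurityProviders line, and the ckfhatpqubgol service started from the temp folder. The Panda, ctfmon and NETFLTDI lines produce nothing, which is the point of keeping the heuristics narrow: the script is a first pass to direct a reader's attention, not a verdict.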

  3. #3
    Junior Member
    Join Date
    May 2011
    Posts
    20


    Hi Ken, thank you very much for your support.
    ---

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-11 09:47:44
    -----------------------------
    09:47:44.484 OS Version: Windows 5.1.2600 Service Pack 3
    09:47:44.484 Number of processors: 2 586 0x604
    09:47:44.484 ComputerName: ANDRES-15E02CCC UserName: andres1
    09:47:45.546 Initialize success
    09:48:00.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
    09:48:00.906 Disk 0 Vendor: Maxtor_6V320F0 VA111900 Size: 305245MB BusType: 3
    09:48:00.921 Device \Driver\atapi -> DriverStartIo 86e4f57b
    09:48:00.937 Disk 0 MBR read error 0
    09:48:00.953 Disk 0 MBR scan
    09:48:00.968 Disk 0 unknown MBR code
    09:48:01.000 MBR BIOS signature not found 0
    09:48:01.015 Disk 0 scanning sectors +625121280
    09:48:01.031 Disk 0 scanning C:\WINDOWS\system32\drivers
    09:48:07.328 Service scanning
    09:48:11.750 Disk 0 trace - called modules:
    09:48:11.765 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86e4f730]<<
    09:48:11.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86eedab8]
    09:48:11.812 3 CLASSPNP.SYS[f762ffd7] -> nt!IofCallDriver -> [0x86f16b48]
    09:48:11.843 \Driver\atapi[0x86f1eca8] -> IRP_MJ_CREATE -> 0x86e4f730
    09:48:11.953 Scan finished successfully
    09:48:38.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\andres1\Escritorio\shazam\spybot\MBR.dat"
    09:48:38.734 The log file has been saved successfully to "C:\Documents and Settings\andres1\Escritorio\shazam\spybot\aswMBR.txt"

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Good Morning

    Re-run aswMBR.

    Click Scan

    On completion of the scan

    Click Fix





    Save the log as before and post it in your next reply.

  5. #5
    Junior Member
    Join Date
    May 2011
    Posts
    20


    After re-scanning, the "Fix" button is disabled; I can only push the "FixMBR" button. Should I?

    Also, I must mention before your first reply I was provided by Panda with a "SafeCD" for scanning the computer, and it disinfected 3 files (nothing changed, though):

    File checked : /mnt/sda1/WINDOWS/system32/mrjmptwa.dll
    Found virus :Generic Malware Virus disinfected
    File checked : /mnt/sda1/WINDOWS/Temp/srv1E4.tmp
    Found virus :Generic Trojan Virus disinfected
    File checked : /mnt/sda1/WINDOWS/Temp/srvA50.tmp
    Found virus :Generic Trojan Virus disinfected

    Of course, now that you are assisting me I will stick to your instructions, but I wanted you to know this so that you have all the info. Sorry for not mentioning it before.

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    No, don't use FIXMBR.

    See if this program will run.


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

  7. #7
    Junior Member
    Join Date
    May 2011
    Posts
    20


    It ran now!

    2011/05/11 10:51:14.0828 1824 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/11 10:51:14.0859 1824 ================================================================================
    2011/05/11 10:51:14.0859 1824 SystemInfo:
    2011/05/11 10:51:14.0859 1824
    2011/05/11 10:51:14.0859 1824 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/11 10:51:14.0859 1824 Product type: Workstation
    2011/05/11 10:51:14.0859 1824 ComputerName: ANDRES-15E02CCC
    2011/05/11 10:51:14.0859 1824 UserName: andres1
    2011/05/11 10:51:14.0859 1824 Windows directory: C:\WINDOWS
    2011/05/11 10:51:14.0859 1824 System windows directory: C:\WINDOWS
    2011/05/11 10:51:14.0859 1824 Processor architecture: Intel x86
    2011/05/11 10:51:14.0859 1824 Number of processors: 2
    2011/05/11 10:51:14.0859 1824 Page size: 0x1000
    2011/05/11 10:51:14.0859 1824 Boot type: Safe boot with network
    2011/05/11 10:51:14.0859 1824 ================================================================================
    2011/05/11 10:51:15.0187 1824 Initialize success
    2011/05/11 10:51:27.0578 1976 ================================================================================
    2011/05/11 10:51:27.0578 1976 Scan started
    2011/05/11 10:51:27.0578 1976 Mode: Manual;
    2011/05/11 10:51:27.0578 1976 ================================================================================
    2011/05/11 10:51:29.0078 1976 ACPI (cf2a07e1751a2d612d7e13aa431ab057) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/11 10:51:29.0171 1976 ACPIEC (1c905333c0b9f3d7c68ddf25e54b00f9) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/11 10:51:29.0234 1976 ADIHdAudAddService (0f0186521e3f45a2a3bf7cd3ee3fb8ca) C:\WINDOWS\system32\drivers\ADIHdAud.sys
    2011/05/11 10:51:29.0359 1976 AEAudioService (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\AEAudio.sys
    2011/05/11 10:51:29.0421 1976 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/11 10:51:29.0484 1976 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/11 10:51:29.0843 1976 APPFLT (2fc5d743822771fb40a053ac38b10012) C:\WINDOWS\system32\Drivers\APPFLT.SYS
    2011/05/11 10:51:30.0156 1976 AsIO (c959989e2ce8da9bde8cafddba84badf) C:\WINDOWS\system32\drivers\AsIO.sys
    2011/05/11 10:51:30.0281 1976 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/11 10:51:30.0343 1976 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/11 10:51:30.0546 1976 ati2mtag (86a7a22f3670465ef575614e001159c0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/11 10:51:30.0656 1976 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/11 10:51:30.0781 1976 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/11 10:51:30.0875 1976 AVerBDA (126bbd8a8755ff7e3fdbe2ff3a1909c8) C:\WINDOWS\system32\DRIVERS\AVerBDA3x.sys
    2011/05/11 10:51:31.0031 1976 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/11 10:51:31.0156 1976 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/11 10:51:31.0234 1976 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/05/11 10:51:31.0343 1976 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/11 10:51:31.0406 1976 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/11 10:51:31.0468 1976 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/11 10:51:32.0187 1976 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
    2011/05/11 10:51:32.0265 1976 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/11 10:51:32.0406 1976 dmboot (c252a99c0a78b39faa2e2d1d048b1050) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/11 10:51:32.0484 1976 dmio (33b4d4039cd2cb25351a7bf13b2988d9) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/11 10:51:32.0562 1976 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/11 10:51:32.0687 1976 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/11 10:51:32.0843 1976 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/11 10:51:32.0921 1976 DSAFLT (c64c790e8a752b001a6b08ac194e5e5b) C:\WINDOWS\system32\Drivers\DSAFLT.SYS
    2011/05/11 10:51:33.0093 1976 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/11 10:51:33.0171 1976 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/11 10:51:33.0218 1976 Fips (e5e61f2c07344e91dbfb7eafde549ab4) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/11 10:51:33.0312 1976 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/11 10:51:33.0406 1976 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/11 10:51:33.0468 1976 FNETMON (72a4e942508abe5803ded728a2799d0f) C:\WINDOWS\system32\Drivers\fnetmon.SYS
    2011/05/11 10:51:33.0578 1976 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/11 10:51:33.0640 1976 Ftdisk (cc5f3af5711a1c7c8fa1d43bb16b401a) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/11 10:51:33.0703 1976 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/05/11 10:51:33.0843 1976 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/11 10:51:33.0937 1976 HdAudAddService (f58d2900c66a1e773e3375098e0e9337) C:\WINDOWS\system32\drivers\HdAudio.sys
    2011/05/11 10:51:34.0046 1976 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/05/11 10:51:34.0171 1976 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/11 10:51:34.0359 1976 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/11 10:51:34.0578 1976 i8042prt (4a2490a66e8271901e89dd5fb79748ae) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/11 10:51:34.0703 1976 IDSFLT (c4cfc85c311a9e1a8a50baeb080343e1) C:\WINDOWS\system32\Drivers\IDSFLT.SYS
    2011/05/11 10:51:34.0765 1976 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/11 10:51:35.0046 1976 intelppm (49a060498c09db18c3ea9939789005ab) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/11 10:51:35.0140 1976 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/11 10:51:35.0234 1976 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/11 10:51:35.0343 1976 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/11 10:51:35.0406 1976 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/11 10:51:35.0546 1976 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/11 10:51:35.0593 1976 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/11 10:51:35.0703 1976 isapnp (0f3d281b0410fe5d482aada37d20524b) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/11 10:51:35.0765 1976 Kbdclass (188ddd286bc0daea6984858c6a4d7bbf) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/11 10:51:35.0859 1976 kbdhid (72efebecf76eb1dccc5ba9ea746d90e8) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/05/11 10:51:35.0968 1976 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/11 10:51:36.0062 1976 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/11 10:51:36.0156 1976 L8042Kbd (5a11400ea1f0a106fe7edb28c270f7b8) C:\WINDOWS\system32\Drivers\L8042Kbd.sys
    2011/05/11 10:51:36.0250 1976 L8042mou (20c919b52897b72ebcb2ad2fc29d8ef0) C:\WINDOWS\system32\Drivers\L8042mou.sys
    2011/05/11 10:51:36.0421 1976 LHidKe (31b582394da3290dff300f10952e9a4d) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
    2011/05/11 10:51:36.0500 1976 LMouKE (90a794d0a0bf3531c4ba1c0510449629) C:\WINDOWS\system32\Drivers\LMouKE.sys
    2011/05/11 10:51:36.0609 1976 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/11 10:51:36.0687 1976 Modem (9024556e739b8469d2b8f5f0e4c9bc9f) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/11 10:51:36.0734 1976 Mouclass (6fd36b4994a2363659a65c9f970cfdb7) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/11 10:51:36.0828 1976 mouhid (8ee532e516b2d23d686cfc1cc0a15c25) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/11 10:51:36.0937 1976 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/11 10:51:37.0015 1976 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
    2011/05/11 10:51:37.0140 1976 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/11 10:51:37.0234 1976 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/11 10:51:37.0328 1976 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/11 10:51:37.0406 1976 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/11 10:51:37.0500 1976 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/11 10:51:37.0562 1976 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/11 10:51:37.0625 1976 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/11 10:51:37.0734 1976 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/05/11 10:51:37.0828 1976 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2011/05/11 10:51:37.0890 1976 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/11 10:51:38.0000 1976 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/05/11 10:51:38.0093 1976 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/11 10:51:38.0156 1976 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/05/11 10:51:38.0218 1976 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/11 10:51:38.0281 1976 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/11 10:51:38.0343 1976 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/11 10:51:38.0406 1976 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/11 10:51:38.0484 1976 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/11 10:51:38.0562 1976 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/11 10:51:38.0718 1976 NETFLTDI (c530477bb0e1c7b978cbc2a45f300887) C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
    2011/05/11 10:51:38.0812 1976 NETIMFLT01060039 (1aeacdf5a0b9d43b9b942d2d738d1ffb) C:\WINDOWS\system32\DRIVERS\neti1639.sys
    2011/05/11 10:51:38.0953 1976 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/11 10:51:39.0000 1976 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/11 10:51:39.0093 1976 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/11 10:51:39.0203 1976 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/11 10:51:39.0265 1976 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/11 10:51:39.0359 1976 Parport (e7855cbd8bd1fda085a3f92cff7906e2) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/11 10:51:39.0421 1976 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/11 10:51:39.0500 1976 ParVdm (fad44d704ecd7d39ad01415b8bb34204) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/11 10:51:39.0578 1976 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\Drivers\pavboot.sys
    2011/05/11 10:51:39.0656 1976 PAVDRV (831acdb182529bd9d153b141f28b1cb0) C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
    2011/05/11 10:51:39.0765 1976 PavProc (ce249bd36ef6130deaddb90ec542a784) C:\WINDOWS\system32\DRIVERS\PavProc.sys
    2011/05/11 10:51:40.0031 1976 PCI (f11bc84ae6c7b003b5e0c8eeb4a1f444) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/11 10:51:40.0156 1976 PCIIde (33d63f0a9021acb4d75d83b646b93a30) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/11 10:51:40.0218 1976 Pcmcia (f50c27cca56dc97b3a45e7f0059bd2ba) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/11 10:51:40.0671 1976 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/11 10:51:40.0781 1976 PRISM_A02 (586a0f9139d14729217dfff1259ffdbd) C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
    2011/05/11 10:51:40.0875 1976 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/11 10:51:41.0031 1976 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/11 10:51:41.0109 1976 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/11 10:51:41.0390 1976 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/11 10:51:41.0468 1976 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/11 10:51:41.0531 1976 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/11 10:51:41.0593 1976 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/11 10:51:41.0671 1976 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/11 10:51:41.0718 1976 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/11 10:51:41.0828 1976 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/11 10:51:41.0906 1976 redbook (20950948970a0ea329b4254052bcf093) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/11 10:51:42.0031 1976 RkPavproc1 (ad291c360a62ff1309174e777476d21e) C:\WINDOWS\system32\drivers\RkPavproc1.sys
    2011/05/11 10:51:42.0328 1976 RTL8023xp (df4930b33a5d32f46c71e6cd5df68650) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/05/11 10:51:42.0484 1976 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/11 10:51:42.0609 1976 SenFiltService (eca77beeb2be8d573cf1b265e44fbfbd) C:\WINDOWS\system32\drivers\Senfilt.sys
    2011/05/11 10:51:42.0703 1976 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/11 10:51:42.0750 1976 Serial (f41b42b92ae9c1191858c3f80cc24a9c) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/11 10:51:42.0843 1976 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/11 10:51:43.0015 1976 ShldDrv (25d7d8fd7e150cfbda160ebb38171334) C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
    2011/05/11 10:51:43.0140 1976 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/11 10:51:43.0328 1976 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/11 10:51:43.0484 1976 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/05/11 10:51:43.0484 1976 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2011/05/11 10:51:43.0500 1976 sptd - detected LockedFile.Multi.Generic (1)
    2011/05/11 10:51:43.0546 1976 sr (ccb3065c3ee63a4515fe84af9e78d1dd) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/11 10:51:43.0687 1976 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/11 10:51:43.0906 1976 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/11 10:51:44.0031 1976 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/11 10:51:44.0250 1976 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/11 10:51:44.0562 1976 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/11 10:51:44.0718 1976 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/11 10:51:44.0812 1976 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/11 10:51:44.0875 1976 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/11 10:51:44.0937 1976 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/11 10:51:45.0125 1976 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/11 10:51:45.0265 1976 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/11 10:51:45.0406 1976 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/05/11 10:51:45.0500 1976 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
    2011/05/11 10:51:45.0578 1976 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/11 10:51:45.0703 1976 USBCCID (2825e0e294686a26506690059e1f437a) C:\WINDOWS\system32\DRIVERS\usbccid.sys
    2011/05/11 10:51:45.0796 1976 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
    2011/05/11 10:51:45.0906 1976 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/11 10:51:46.0046 1976 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/11 10:51:46.0156 1976 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
    2011/05/11 10:51:46.0234 1976 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/11 10:51:46.0296 1976 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/11 10:51:46.0375 1976 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/11 10:51:46.0468 1976 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/11 10:51:46.0531 1976 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
    2011/05/11 10:51:46.0578 1976 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/11 10:51:46.0703 1976 VolSnap (c41ffdc191e6c832e2e53c967eae0a16) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/11 10:51:46.0859 1976 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/11 10:51:47.0140 1976 Wdf01000 (060e8cb99cc0a6751db5810c042b0d45) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/05/11 10:51:47.0265 1976 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/11 10:51:47.0546 1976 WNMFLT (5229193dac40312f1b9fad5fa0f57774) C:\WINDOWS\system32\Drivers\WNMFLT.SYS
    2011/05/11 10:51:47.0609 1976 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/05/11 10:51:47.0703 1976 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/05/11 10:51:47.0781 1976 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/11 10:51:47.0859 1976 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/11 10:51:47.0937 1976 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/11 10:51:48.0093 1976 xusb20 (c1c30732240de36551f438d5412959be) C:\WINDOWS\system32\DRIVERS\xusb20.sys
    2011/05/11 10:51:48.0187 1976 xusb21 (ee9144207ee0211eb5656ba6808ac4a0) C:\WINDOWS\system32\DRIVERS\xusb21.sys
    2011/05/11 10:51:48.0296 1976 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/11 10:51:48.0312 1976 ================================================================================
    2011/05/11 10:51:48.0312 1976 Scan finished
    2011/05/11 10:51:48.0312 1976 ================================================================================
    2011/05/11 10:51:48.0359 1912 Detected object count: 2
    2011/05/11 10:53:21.0234 1912 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/05/11 10:53:21.0281 1912 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/11 10:53:21.0281 1912 \HardDisk0 - ok
    2011/05/11 10:53:21.0281 1912 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/05/11 10:53:39.0656 1924 Deinitialize success
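A small triage script for the TDSSKiller log above, added here as an example (it is not the forum's or Kaspersky's code): it pulls the driver inventory, the "Suspicious file" and "detected" lines and the chosen user action out of the log, then lists what still needs follow-up (objects that were skipped, and cures that only take effect after a reboot). The line formats are assumed from the log as pasted, and the sample lines are copied from it.

```python
import re

# Line shapes assumed from the TDSSKiller log above: "timestamp pid message".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")  # name (md5) path
SUSP_RE = re.compile(r"^Suspicious file \(([^)]+)\): (.+?)\. md5: ([0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")  # object - detected verdict (n)
REBOOT_RE = re.compile(r"^(\S+) \(([^)]+)\) - will be cured after reboot$")
ACTION_RE = re.compile(r"^([^(]+)\(([^)]+)\) - User select action: (\w+)$")

# Sample input: lines copied from the log in this thread (two drivers plus every finding line).
SAMPLE_LOG = r"""
2011/05/11 10:51:43.0484 1976 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/11 10:51:43.0484 1976 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/05/11 10:51:43.0500 1976 sptd - detected LockedFile.Multi.Generic (1)
2011/05/11 10:51:44.0718 1976 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/11 10:51:48.0296 1976 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/11 10:51:48.0312 1976 Scan finished
2011/05/11 10:53:21.0234 1912 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/05/11 10:53:21.0281 1912 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/11 10:53:21.0281 1912 \HardDisk0 - ok
2011/05/11 10:53:21.0281 1912 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

def triage(log_text):
    """Parse a TDSSKiller log into drivers seen, suspicious files, detections and actions."""
    res = {"drivers": {}, "suspicious": [], "detections": {}, "reboot": set(), "actions": {}}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or banner lines carry no finding
        msg = m.group(3)
        if (d := DRIVER_RE.match(msg)):
            res["drivers"][d.group(1)] = {"md5": d.group(2), "path": d.group(3)}
        elif (s := SUSP_RE.match(msg)):
            res["suspicious"].append({"reason": s.group(1), "path": s.group(2), "md5": s.group(3)})
        elif (t := DETECT_RE.match(msg)):
            res["detections"][t.group(1)] = t.group(2)  # object -> verdict
        elif (r := REBOOT_RE.match(msg)):
            res["reboot"].add(r.group(1))
        elif (a := ACTION_RE.match(msg)):
            res["actions"][a.group(2)] = a.group(3)  # object -> Skip / Cure / ...
    return res

def follow_up(res):
    """Findings that still need attention: not cured, or cured only after a reboot."""
    todo = []
    for obj, verdict in res["detections"].items():
        action = res["actions"].get(obj, "none")
        if action != "Cure":
            todo.append((obj, verdict, f"action was {action}; verify manually"))
        elif obj in res["reboot"]:
            todo.append((obj, verdict, "cure pending; reboot and re-scan to confirm"))
    return todo
```

Run against the log above, `follow_up` reports the skipped sptd lock (a legitimate locked driver is the usual cause, but it should be checked) and the TDL4 cure that is waiting on a reboot, which is exactly the point the next reply makes.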

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Make sure you rebooted after running TDSSKiller to have it take effect

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #9
    Junior Member
    Join Date
    May 2011
    Posts
    20

    Default

    Now this is what has happened: ComboFix has started after telling me my Panda AV was still active (it had no "Exit" option, so I pressed the upper-right corner "X", but it went ahead). Now it's on the "Install MS Windows Recovery Console" screen. Should I continue anyway, or stop it and disable Panda beforehand? And in the latter case, how do I stop it? (Again no "Exit" button, just "Yes" or "No".)

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Keep Going
