
Thread: Trojan/virus

  1. #21
    Member
    Join Date
    Apr 2008
    Posts
    82


    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-19 18:30:56
    -----------------------------
    18:30:56.230 OS Version: Windows 5.1.2600 Service Pack 3
    18:30:56.230 Number of processors: 1 586 0x905
    18:30:56.230 ComputerName: HASSELCOMPUTER UserName: Administrator
    18:30:57.041 Initialize success
    18:31:20.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    18:31:20.635 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
    18:31:20.635 Device \Driver\atapi -> DriverStartIo 8653e2c6
    18:31:20.655 Disk 0 MBR read successfully
    18:31:20.655 Disk 0 MBR scan
    18:31:20.655 Disk 0 TDL4@MBR code has been found
    18:31:20.655 Disk 0 Windows XP default MBR code found via API
    18:31:20.665 Disk 0 MBR hidden
    18:31:20.665 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
    18:31:20.665 Disk 0 trace - called modules:
    18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
    18:31:20.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
    18:31:20.675 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
    18:31:20.995 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
    18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
    18:31:20.995 Scan finished successfully
    18:31:39.121 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    18:31:39.131 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-19 22:49:20
    -----------------------------
    22:49:20.871 OS Version: Windows 5.1.2600 Service Pack 3
    22:49:20.871 Number of processors: 1 586 0x905
    22:49:20.871 ComputerName: HASSELCOMPUTER UserName: Administrator
    22:49:24.475 Initialize success
    22:50:02.697 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    22:50:02.697 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
    22:50:02.697 Device \Driver\atapi -> DriverStartIo 8658c2c6
    22:50:02.697 Disk 0 MBR read successfully
    22:50:02.697 Disk 0 MBR scan
    22:50:02.707 Disk 0 TDL4@MBR code has been found
    22:50:02.707 Disk 0 Windows XP default MBR code found via API
    22:50:02.707 Disk 0 MBR hidden
    22:50:02.727 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    22:50:02.727 Disk 0 MBR [TDL4] **ROOTKIT**
    22:50:02.727 Disk 0 trace - called modules:
    22:50:02.727 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8658c49f]<<
    22:50:02.727 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
    22:50:02.727 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
    22:50:03.058 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
    22:50:03.058 \Driver\atapi[0x8683c430] -> IRP_MJ_CREATE -> 0x8658c49f
    22:50:03.068 Scan finished successfully
    22:50:08.033 Disk 0 MBR read successfully
    22:50:08.043 Disk 0 TDL4@MBR code has been found
    22:50:08.053 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    22:50:08.053 Disk 0 fixing MBR ...
    22:50:08.053 Disk 0 MBR restored successfully
    22:50:08.063 Verifying disinfection
    22:50:20.107 Infection fixed successfully - please reboot ASAP
    22:50:31.549 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    22:50:31.559 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

  2. #22
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Go ahead and reboot, run aswMBR, and post the NEW log please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Member
    Join Date
    Apr 2008
    Posts
    82


    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-20 06:14:00
    -----------------------------
    06:14:00.665 OS Version: Windows 5.1.2600 Service Pack 3
    06:14:00.665 Number of processors: 1 586 0x905
    06:14:00.665 ComputerName: HASSELCOMPUTER UserName: Administrator
    06:14:01.967 Initialize success
    06:14:10.119 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    06:14:10.129 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
    06:14:10.229 Disk 0 MBR read successfully
    06:14:10.229 Disk 0 MBR scan
    06:14:10.229 Disk 0 Windows XP default MBR code
    06:14:10.229 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    06:14:10.239 Disk 0 scanning sectors +78124095
    06:14:10.529 Disk 0 scanning C:\WINDOWS\system32\drivers
    06:14:27.794 Service scanning
    06:14:28.525 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
    06:14:28.555 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
    06:14:29.086 Modules scanning
    06:14:40.232 Disk 0 trace - called modules:
    06:14:40.242 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS rdbss.sys
    06:14:40.563 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86985ab8]
    06:14:40.563 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x86986f18]
    06:14:40.563 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86984940]
    06:14:40.573 Scan finished successfully
    06:14:50.136 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    06:14:50.146 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

  4. #24
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Your new log looks fine now. How is your system behaving?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
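
    The comparison behind "Your new log looks fine now", as an added example that is not part of the original thread: a small triage of aswMBR output using only the markers that appear in the infected runs above and are absent from the post-reboot run. The function name, indicator names and verdict strings are assumptions made for illustration; the sample lines are excerpts copied from the logs posted in #21 and #23.

```python
import re

# Markers aswMBR printed in the infected runs posted in this thread.
INDICATORS = {
    "bootkit_code": re.compile(r"Disk \d+ \S+@MBR code has been found"),
    "mbr_hidden": re.compile(r"Disk \d+ MBR hidden"),
    "rootkit_verdict": re.compile(r"\*\*ROOTKIT\*\*"),
    "unknown_module": re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<"),
    "dispatch_redirect": re.compile(
        r"\\Driver\\\w+\[0x[0-9a-fA-F]+\] -> IRP_MJ_\w+ -> 0x[0-9a-fA-F]+"),
}
REPAIR = re.compile(r"MBR restored successfully|Infection fixed successfully")

def triage(log_text):
    """Return (verdict, {indicator: [matching lines]}) for one aswMBR run."""
    hits, repaired = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        repaired = repaired or bool(REPAIR.search(line))
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    if not hits:
        return "clean", hits
    # A repair in the same run still needs a fresh scan after reboot.
    return ("repaired-rescan-after-reboot" if repaired else "infected"), hits

# Excerpts from the three runs posted above (first scan, fix run, after reboot).
FIRST_RUN = r"""
18:31:20.655 Disk 0 TDL4@MBR code has been found
18:31:20.665 Disk 0 MBR hidden
18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
"""
FIX_RUN = r"""
22:50:02.707 Disk 0 TDL4@MBR code has been found
22:50:02.727 Disk 0 MBR [TDL4] **ROOTKIT**
22:50:08.053 Disk 0 MBR restored successfully
22:50:20.107 Infection fixed successfully - please reboot ASAP
"""
AFTER_REBOOT = r"""
06:14:10.229 Disk 0 Windows XP default MBR code
06:14:28.525 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
06:14:40.242 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS rdbss.sys
06:14:40.573 Scan finished successfully
"""

if __name__ == "__main__":
    for name, log in [("first", FIRST_RUN), ("fix", FIX_RUN), ("reboot", AFTER_REBOOT)]:
        print(name, triage(log)[0])
```

    The `**LOCKED**` service lines in the post-reboot run are deliberately not treated as indicators, since they also appear in the log the helper accepted as fine.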

  5. #25
    Member
    Join Date
    Apr 2008
    Posts
    82


    Everything seems to be OK; I can shut down and restart normally. Do you think the system and HD drive are clean now?

  6. #26
    Member
    Join Date
    Apr 2008
    Posts
    82


    Zone alarm file seems to be corrupted; it may be my fault since I tried to do an uninstall before getting online with you. I need to clean off the rest of the files for it since I'm going to be using a different AV and firewall.

  7. #27
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Let's check this file and make sure it's OK.

    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again

    C:\WINDOWS\system32\drivers\tcpip.sys <--This file

    If the site is busy you can try this one
    http://virusscan.jotti.org/en





    Then run TDSSKiller again and make sure you post the NEW log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #28
    Member
    Join Date
    Apr 2008
    Posts
    82


    The "here" link to instruct Windows to show all files and folders takes me to bleeping computer.com???

  9. #29
    Member
    Join Date
    Apr 2008
    Posts
    82


    Disregard, I figured it out.

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Yes it does, and it's one of the better malware removal forums. The link it's taking you to will have instructions for your Operating System to show all files and folders.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
