View Full Version : Unknown Problem and it's bad
FlaCajun
2010-12-14, 01:33
I am not sure about doing anything, because I don't know if my computer will be able to boot back up.
The Problem(s)
About 10 days ago my primary desktop (up to date McAfee, Malwarebytes & Spybot) was in the process of re-booting itself (I didn't reboot it).
However, during the boot-up the process stopped,
and the screen to choose the last known 'good' config or safe mode appeared.
The computer would not boot-up, even in safe mode.
Didn't fix the primary computer because I was going to using a newer back-up computer but doesn't have all the programs as the primary.
A couple of days ago, the back-up computer started doing the exact same thing and stopped the same place in the boot process and couldn't be booted up in normal mode. However, the back-up computer could be booted up in safe mode without networking.
Malware found 1 virus. After the fix and after multiple attempts, the computer finally booted up in normal mode.
But. it booted up with a modified Browser window that I had never seen before and icons on the desktop, "Launch White Smoke translator" and "Buy White Smoke translator" that I had never installed nor seen before.
With computer able to connect to the internet, I updated Malwarebytes and re-ran it. Over 800 viruses/Malware were found with most being White Smoke intrusions.
However, 2 are Trojan.Agent "6to4v32.dll" and "certstore.dat".
I haven't removed the infections because I presume that a re-boot will be necessary, and I am not sure if the computer will be boot up again.
Also, didn't know if some type of boot up disc needs to be made.
I would guess whatever has infected the back-up computer is also the cause of the primary computer's issues as well.
Please advise.
Thanks for your help.
FlaCajun
:snwelcome:
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Just so you know we only work on one computer at a time or it gets very confusing. We can work on your primary computer and when where done this thread will be closed and then you can post for the second one. If both computers are experiencing the same thing I would suggest that your router is infected. What I would do is to unplug your back up computer from the internet and turn the computer off. Then reset your router, there generally is a little pin hole on the back that a paper clip can slip in , hold it in for about 10 seconds or so, then you will have to setup your router.
After you do that run this program and post the log
Download DDS from one of the links below to your desktop
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)
FlaCajun
2010-12-19, 02:05
I am going to work on the secondary computer first, unless otherwise instructed. It has booted up in regular mode, but cannot connect to the internet.
The primary computer doesn't boot up even in safe mode.
(note: I purchased a Spybot start-up disc this past week).
The files on the secondary computer have been backed up.
I will be using a laptop to down load the files suggested
and transfer the results via flash drive.
The laptop security programs are updated (McAfee, Malwarebytes, Spybot)
and the flash drive will be scanned prior to any activity.
Also, Malwarebytes has found over 800 virus files, most of them White Smoke
with 2 trojans. But, the removal of the programs has not been executed awaiting your instructions.
I will get you the DDS files.
Thanks.
If you already ran Malwarebytes, open it and go into the Reports tab and copy and paste the report for me to see.
Then go ahead and run DDS and post the log
FlaCajun
2010-12-19, 06:44
Here is the Malwarebytes log.
DDS log to follow.
It was too long so I zipped the file.
I uploaded the file using the paper clip attachment.
It has been scanned for viruses.
Don't know if it worked.
FlaCajun
2010-12-19, 06:55
DDS Log and Attach.txt
DDS (Ver_10-12-12.02) - NTFSx86
Run by Raymond Green at 23:47:15.04 on Sat 12/18/2010
Internet Explorer: 7.0.5730.11
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Raymond Green\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.kitco.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166462899750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R? eLock2BurnerLockDriver;eLock2BurnerLockDriver
R? eLock2FSCTLDriver;eLock2FSCTLDriver
R? mferkdk;McAfee Inc. mferkdk
R? PortRW;PortRW
S? McProxy;McAfee Proxy Service
S? McShield;McAfee Real-time Scanner
S? McSysmon;McAfee SystemGuards
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfehidk;McAfee Inc. mfehidk
S? mfesmfk;McAfee Inc. mfesmfk
=============== Created Last 30 ================
2010-12-13 11:09:18 -------- d-----w- c:\docume~1\raymon~1\applic~1\whitesmoketoolbar
2010-12-13 06:47:46 -------- d-----w- c:\program files\whitesmoketoolbar
2010-12-13 06:47:33 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-12-13 06:47:17 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 06:47:04 53248 ----a-w- c:\windows\system32\6to4v32.dll
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5E6735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5ec990]; MOV EAX, [0x8a5eca0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x8A649AB8]
3 CLASSPNP[0xBA8E905B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\0000006a[0x8A630598]
5 ACPI[0xBA77F620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> [0x8A66A940]
\Driver\atapi[0x8A657A08] -> IRP_MJ_CREATE -> 0x8A5E6735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5E657B
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 23:49:20.75 ===============
==== Installed Programs ======================
Acer eDataSecurity Management
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVIVO Codecs
Comcast Toolbar
ERUNT 1.1j
eSignal
Fibonacci Trader 4
Fibonacci/Galactic Trader 4
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
HP Officejet Pro K550 Series
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Misc
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PartitionMagic
PowerDVD
PowerQuest PartitionMagic 8.0
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Sentinel System Driver
Spybot - Search & Destroy
Toolbox
Trading Rooms Technologies, Inc TradingRooms Application
UGuide
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
WebFldrs XP
Whitesmoke Translator
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
==== End Of File ===========================
Hi,
Before we proceed, you had Malwarebytes set to TAKE NO ACTION, rerun Malwarebytes and this time make sure you select FIX CHECKED. Then post the new Malwarebytes log. You can attach it, thats fine.
Your computer is also infected with a rootkit
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract the file and run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
Please post the content of the TDSSKiller log
FlaCajun
2010-12-19, 15:04
The Malwarebyte fixes were run on 800+ problems.
White Smoke icons are still on the desktop.
That could be because I didn't reboot the computer as Malware asked.
I am concerned about whether the computer will boot back up in normal mode. Although it may bootup in Safe Mode, I don't know what the ability is to troubleshoot from Safe Mode.
I re-ran Malwarebytes and no problems were found (attached log).
However, since the desktop will not connect to the internet, update of the database wasn't possible. Last update was Dec 13, 2010
If you want me to reboot, let me know.
I understand the risk.
Tddsskiller is being run and a log will be posted shortly.
Here is the Malwarebytes log
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5305
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11
12/19/2010 7:51:37 AM
mbam-log-2010-12-19 (07-51-37).txt
Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 298240
Time elapsed: 45 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
FlaCajun
2010-12-19, 15:25
TDSSKiller found 1 problem and it was corrected.
The computer hasn't been rebooted yet to clean up everything.
I will await for you call on that one.
Also, the desktop is stil unable to connect to the internet (awaiting a reboot?), even thought Network Connections list the Local Area Connection and Internet Connection as 'Connected'.
Here is the TDSSkiller log.
2010/12/19 08:18:48.0671 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/19 08:18:48.0671 ================================================================================
2010/12/19 08:18:48.0671 SystemInfo:
2010/12/19 08:18:48.0671
2010/12/19 08:18:48.0671 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/19 08:18:48.0671 Product type: Workstation
2010/12/19 08:18:48.0671 ComputerName: RAYMOND-DESKTOP
2010/12/19 08:18:48.0671 UserName: Raymond Green
2010/12/19 08:18:48.0671 Windows directory: C:\WINDOWS
2010/12/19 08:18:48.0671 System windows directory: C:\WINDOWS
2010/12/19 08:18:48.0671 Processor architecture: Intel x86
2010/12/19 08:18:48.0671 Number of processors: 2
2010/12/19 08:18:48.0671 Page size: 0x1000
2010/12/19 08:18:48.0671 Boot type: Normal boot
2010/12/19 08:18:48.0671 ================================================================================
2010/12/19 08:18:53.0531 Initialize success
2010/12/19 08:18:58.0375 ================================================================================
2010/12/19 08:18:58.0375 Scan started
2010/12/19 08:18:58.0375 Mode: Manual;
2010/12/19 08:18:58.0375 ================================================================================
2010/12/19 08:18:59.0093 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/19 08:18:59.0125 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/19 08:18:59.0234 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/12/19 08:18:59.0265 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/19 08:18:59.0500 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/19 08:18:59.0531 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/19 08:18:59.0656 ati2mtag (86a7a22f3670465ef575614e001159c0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/19 08:18:59.0796 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/19 08:18:59.0828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/19 08:18:59.0859 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/19 08:18:59.0890 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/19 08:18:59.0953 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/19 08:18:59.0984 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/19 08:19:00.0031 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/19 08:19:00.0281 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/19 08:19:00.0359 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/19 08:19:00.0406 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/19 08:19:00.0453 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/19 08:19:00.0500 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/19 08:19:00.0578 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/19 08:19:00.0656 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/19 08:19:00.0734 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/19 08:19:00.0750 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/19 08:19:00.0796 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/19 08:19:00.0875 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/19 08:19:01.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/19 08:19:01.0031 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/19 08:19:01.0046 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/19 08:19:01.0125 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/12/19 08:19:01.0171 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/19 08:19:01.0218 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/19 08:19:01.0312 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/19 08:19:01.0500 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/19 08:19:01.0578 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/19 08:19:01.0640 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/19 08:19:01.0796 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
2010/12/19 08:19:02.0031 IntcAzAudAddService (284bcb80391783d328a8d8163e97fd58) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/19 08:19:02.0390 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/19 08:19:02.0421 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/19 08:19:02.0437 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/19 08:19:02.0468 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/19 08:19:02.0515 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/19 08:19:02.0546 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/19 08:19:02.0625 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/19 08:19:02.0671 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/19 08:19:02.0718 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/19 08:19:02.0750 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/19 08:19:02.0796 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/19 08:19:02.0828 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/19 08:19:02.0953 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/12/19 08:19:03.0015 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/12/19 08:19:03.0171 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/12/19 08:19:03.0265 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2010/12/19 08:19:03.0312 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2010/12/19 08:19:03.0437 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/19 08:19:03.0500 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/19 08:19:03.0546 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/19 08:19:03.0640 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/19 08:19:03.0687 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/19 08:19:03.0734 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/19 08:19:03.0765 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
2010/12/19 08:19:03.0812 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/19 08:19:03.0859 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/19 08:19:03.0906 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/19 08:19:03.0953 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/19 08:19:04.0000 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/19 08:19:04.0031 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/19 08:19:04.0046 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/19 08:19:04.0078 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/19 08:19:04.0109 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/19 08:19:04.0187 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/19 08:19:04.0218 Ndisuio (8d3ce6b579cde8d37acc690b67dc2106) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/19 08:19:04.0250 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/19 08:19:04.0296 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/19 08:19:04.0328 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/19 08:19:04.0375 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/19 08:19:04.0437 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/19 08:19:04.0500 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/19 08:19:04.0531 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2010/12/19 08:19:04.0625 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/19 08:19:04.0656 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/19 08:19:04.0687 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/19 08:19:04.0734 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/19 08:19:04.0781 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/19 08:19:04.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/19 08:19:04.0859 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/19 08:19:04.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/19 08:19:04.0953 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/19 08:19:05.0203 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/12/19 08:19:05.0250 PortRW (a7e67865db59e54801122077df8ade36) C:\WINDOWS\system32\Drivers\PortRW.sys
2010/12/19 08:19:05.0343 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/19 08:19:05.0390 PQNTDrv (b26019a686d36e22f954e67c8fec4297) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2010/12/19 08:19:05.0500 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/19 08:19:05.0578 psdfilter (00b670d8a36c7134cfc66b446a18cc92) C:\WINDOWS\system32\Drivers\psdfilter.sys
2010/12/19 08:19:05.0593 psdvdisk (e9a60343cb7c39090638b1dd574f26eb) C:\WINDOWS\system32\Drivers\psdvdisk.sys
2010/12/19 08:19:05.0625 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/19 08:19:05.0812 qsnpyk (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\lcxse.sys
2010/12/19 08:19:05.0859 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/19 08:19:05.0906 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/19 08:19:05.0921 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/19 08:19:05.0953 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/19 08:19:06.0000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/19 08:19:06.0046 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/19 08:19:06.0093 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/19 08:19:06.0156 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/19 08:19:06.0218 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/19 08:19:06.0343 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/19 08:19:06.0421 Sentinel (8627c992b8a80504fc477b2e8ff8ec4f) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2010/12/19 08:19:06.0468 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/19 08:19:06.0500 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/19 08:19:06.0531 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/19 08:19:06.0609 SNTNLUSB (87f799c486302aceff098e067d481d9c) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
2010/12/19 08:19:06.0781 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/19 08:19:06.0812 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/19 08:19:06.0875 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/19 08:19:06.0953 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/19 08:19:07.0000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/19 08:19:07.0156 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/19 08:19:07.0218 Tcpip (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/19 08:19:07.0265 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/19 08:19:07.0312 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/19 08:19:07.0359 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/19 08:19:07.0468 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
2010/12/19 08:19:07.0546 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/19 08:19:07.0625 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/19 08:19:07.0718 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/19 08:19:07.0765 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/19 08:19:07.0796 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/19 08:19:07.0828 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/19 08:19:07.0875 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/19 08:19:07.0890 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/19 08:19:07.0921 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/19 08:19:07.0968 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/19 08:19:08.0078 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/19 08:19:08.0156 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/19 08:19:08.0328 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/19 08:19:08.0390 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/19 08:19:08.0453 yukonwxp (ba6d2b32372a879aa817829c7cd2cb15) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2010/12/19 08:19:08.0703 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/19 08:19:08.0734 ================================================================================
2010/12/19 08:19:08.0734 Scan finished
2010/12/19 08:19:08.0734 ================================================================================
2010/12/19 08:19:08.0750 Detected object count: 1
2010/12/19 08:19:35.0203 \HardDisk1 - will be cured after reboot
2010/12/19 08:19:35.0203 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
You will need to reboot for the TDSSkiller fix to take. What this rootkit has done was infected your Master Boot Record, thats most likely why you could not boot up
After you reboot than run this program.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
FlaCajun
2010-12-19, 17:41
Computer booted up fine.
Internet connection appears to be fine as well.
Whitesmoke icons are on the desktop and remains in the startup menu.
However, the executable and directory the icons point to in "C:\Program Files" doesn't exist.
ComboFix 10-12-18.02 - Raymond Green 12/19/2010 9:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1512 [GMT -5:00]
Running from: c:\documents and settings\Raymond Green\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\snetcfg.exe
G:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
.
2010-12-19 04:21 . 2010-12-19 04:22 -------- d-----w- c:\program files\ERUNT
2010-12-14 11:08 . 2010-12-14 11:08 -------- d-----w- c:\documents and settings\Raymond Green\Application Data\Leadertech
2010-12-13 06:47 . 2010-12-13 06:47 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 06:46 . 2010-12-13 06:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2009-10-28 20:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-10-28 20:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
c:\documents and settings\Raymond Green\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Seagate 2GE90A5R Product Registration.lnk - c:\documents and settings\Raymond Green\Application Data\Leadertech\PowerRegister\Seagate 2GE90A5R Product Registration.exe [2010-12-14 1731736]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-03 16:22]
2010-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-03 16:22]
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
AddRemove-tradingrooms-client-avx - c:\program files\Trading Rooms Technologies
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-19 09:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-19 09:50:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-19 14:50
Pre-Run: 222,743,883,776 bytes free
Post-Run: 222,909,427,712 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - A33D7543B44F59615E404E779CCBE6C1
FlaCajun
2010-12-19, 17:43
Forgot this, the ComboFix log was posted directly from the infected computer.
First time this could be done during this problem.
:bigthumb:
Go here
c:\documents and settings\All Users\Start Menu\Programs\Startup
and remove WhiteSmoke
Then delete this folder
c:\program files\WhiteSmoke Translator
Then reboot and let me know if there still present or if you had problems removing those
FlaCajun
2010-12-19, 18:42
Boot up was fine.
Any sign of Whitesmoke is gone.
Great.
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
FlaCajun
2010-12-19, 21:56
ESET has been run.
No threats found.
:bigthumb:
Let me tell you about viruses , years ago when windows 95 came out viruses started to appear, they where written by kids or some low life that had nothing better to do, if you caught one it was more of a nuisance than anything, but not no more, this garbage is written by cyber criminals, organized gangs of thieves out of Russia, the Ukraine, China and other parts of the world. These people have only one goal, and thats to steal anything they can from you in the form of bank account numbers and log on info, credit card numbers and passwords to the sites you frequent and the list goes on. There are some threats going around now that are uncleanable, which means you would have to reformat your drive and reinstall windows, all documents and pictures would be infected so there all lost, not nice. In your case a Rootkit was installed infecting your Master Boot Record, that a series of files that boot up your computer. All appears fine now but the reason for my ranting is that you need to sit down, have a cold beer or whatever and rethink your surfing and internet habits so you dont get hit again.
So what we can do now is close this thread and then post for the other computer. I will be online on and off the rest of the day, I will look out for it and reply when I see it.
Before I close this let me know if you feel you still have any issues ?
FlaCajun
2010-12-19, 22:32
Thanks for the update.
The problem began when I clicked on link about the Wikilinks story.
The primary computer hard drive went nuts (swap file on steriods).
When it lasted for about a minute, I pulled the internet cable.
I was unable to stop the hard drive going nuts.
Closing down applications and re-booting the computer wasn't possible.
So, I did something I never thought I would do ... I pulled the power plug.
After about 10 minutes, the power was plugged back in and the computer wouldn't boot up.
A couple of days later, the secondary computer had the same problem
without clicking on a news link abut Wikilinks.
So, I am not sure how this happened, but the computers will be fortified as well as possible.
The computer is running great now.
Thank you very much for your help.
As usual, a $75 donation will follow.
Regarding the other computer, since it won't boot,
I suppose I will need to wait for the Spybot boot CD-Rom to arrive,
unless you have a better idea.
When the CD arrives, I will start another thread.
Once again, thanks for your excellent help.
Thanks for your offer of a donation, there used for research and to help keep us online, thank you
have you tried booting to last known good
To Access Last Known Good
Go to Start> Shut off your Computer> Restart
Or if the computer is off press the power button
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
FlaCajun
2010-12-19, 22:59
Yes, that was tried as well as safe mode, without success.
Ok, thanks for the info. Do you have your windows CD or the Recovery CD that came with your system ?
FlaCajun
2010-12-20, 02:57
I should have it.
If I find it, I will post a new thread.
Thanks for your help.
Fla Cajun
What I would do if you find your disk is to post here and have them help you get up and running.
http://forums.whatthetech.com/index.php?showforum=119
So this thread will be closed, I will keep and eye open for you when you return.
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken