

Trojan.Hiloti and/or Trojan.Malcol

JediJoel 03 Jan 2011

It seems I've been infected through my parents' machines when visiting them for Christmas. I am no longer on their network so I've eliminated cross contamination. But here's what's happening:

I think it's a rootkit. Symantec quarantined some files as a Malcol infection and Anti-Malware quarantined some file as Hiloti. The malware has blocked Windows Updates and I'm receiving the error 0x80072efe. The Windows Firewall and Internet Sharing service gets turned off every 20 min or so and I cannot manually restart it (Access denied: error code 5). And on startup I receive the Windows Security balloon notification that SAV has been disabled but only briefly. I think the infection is leveraging svchost PID 1160 as the memory usage for this task is unusually high. I just can't figure out what drivers or dlls this thing is loading to stay persistent. Here are the requested logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by G$ at 11:20:18.50 on Mon 01/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.834 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated*

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\PROGRA

1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\G$\Desktop\dds.scr

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: <06849e9f-c8d7-4d59-b87d-784b7d6be0b3> - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: <53707962-6F74-2D53-2644-206D7942484F> - No File
EB: <32683183-48a0-441b-a342-7c2a440a9478> - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra

1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TrayOK] c:\program files\trayiconsok\TrayIconsOK.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume

1.lnk - c:\program files\trayiconsok\TrayIconsOK.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra

2\office11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message. - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: <92780B25-18CC-41C8-B9BE-3C9C571A8263> - - c:\progra

2\office11\REFIEBAR.DLL
DPF: <6E32070A-766D-4EE6-879C-DC1FA91D2FC3> - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293840020187
DPF: <8FFBE65D-2C9C-4669-84BD-5829DC0B603C> - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - - c:\windows\system32\skype4com.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: <091eb208-39dd-417d-a5dd-7e2c2d8fb9cb> - c:\progra

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-10-20 555496]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-10-20 119784]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-10-20 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-10-20 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-10-20 793576]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 26248]
R3 NAVENG;NAVENG;c:\progra

1\20110101.005\naveng.sys [2011-1-1 86008]
R3 NAVEX15;NAVEX15;c:\progra

1\20110101.005\navex15.sys [2011-1-1 1360760]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-10-20 386024]
S3 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-10-20 378344]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-11 27904]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

2011-01-03 05:12:29 98816 ----a-w- c:\windows\sed.exe
2011-01-03 05:12:29 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 05:12:29 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 05:12:29 161792 ----a-w- c:\windows\SWREG.exe
2011-01-03 05:11:59 -------- d-----w- C:\ComboFix
2011-01-02 01:57:18 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56:15 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32:42 -------- d-----w- c:\docume

1\Malwarebytes
2011-01-02 01:32:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32:33 -------- d-----w- c:\docume

1\Malwarebytes
2011-01-02 01:32:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:32:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:08:32 -------- d-----w- c:\program files\Sophos
2010-12-31 19:05:31 388096 ----a-r- c:\docume

1\microsoft\installer\<45a66726-69bc-466b-a7a4-12fcba4883d7>\HiJackThis.exe
2010-12-31 19:05:30 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33:36 -------- d-----w- C:\backups
2010-12-30 11:06:10 -------- d-----w- c:\docume

1\eIfHo06511
2010-12-14 09:44:39 -------- d-----w- c:\program files\JDownloader

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 20:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 20:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 20:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5A3555]
_asm < PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5a97b0]; MOV EAX, [0x8a5a982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; >
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A560AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009a[0x8A5D49E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5BCD98]
\Driver\atapi[0x8A586638] -> IRP_MJ_CREATE -> 0x8A5A3555
kernel: MBR read successfully
_asm < XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; >
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#<53f56307-b6bf-11d0-94f2-00a0c91efb8b> device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5A339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


rigacci 09 Jan 2011

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • DDS.scr
    • DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

JediJoel 09 Jan 2011

Thanks for the reply. Here are the updated logs. After posting on the forum and receiving the "possible TDL3 rootkit" notice from GMER I sought out and ran a TDL3 removal program (site: http://www.tizersecure.com/about_TDL3_rootkit_detect_remove.php ). It was a command-line program which identified an infection in atapi.sys. After removal the program restarted my machine, but I don't think removal was successful as I'm still experiencing the same symptoms. I also read that Hitman was able to identify and fix a TDL3 infection, so I ran a scan without any luck. Hitman didn't pick up the problem and so I didn't use it to "fix" anything (nothing cleaned or quarantined through Hitman). Since infection I can see an extra step in startup. Before the Windows XP splash screen a progress bar loads (similar to when a machine is loading after hibernation or loading something with ramdisk.sys). I did not see this bar when starting the machine prior to infection, although startup has slowed down, so viewing this bar could be a result of the slow startup or it could also be the infection loading during startup. Below are the logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by G$ at 15:00:02.90 on Sun 01/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.547 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated*

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\PROGRA

1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\G$\Desktop\dds.scr

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: <06849e9f-c8d7-4d59-b87d-784b7d6be0b3> - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: <53707962-6F74-2D53-2644-206D7942484F> - No File
EB: <32683183-48a0-441b-a342-7c2a440a9478> - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra

1\VPTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TrayOK] c:\program files\trayiconsok\TrayIconsOK.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume

1.lnk - c:\program files\trayiconsok\TrayIconsOK.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra

2\office11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message. - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: <92780B25-18CC-41C8-B9BE-3C9C571A8263> - - c:\progra

2\office11\REFIEBAR.DLL
DPF: <6E32070A-766D-4EE6-879C-DC1FA91D2FC3> - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293840020187
DPF: <8FFBE65D-2C9C-4669-84BD-5829DC0B603C> - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - - c:\windows\system32\skype4com.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: <091eb208-39dd-417d-a5dd-7e2c2d8fb9cb> - c:\progra

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-10-20 555496]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-10-20 119784]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-10-20 561640]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-10-20 461288]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-10-20 793576]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 30088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 26248]
R3 NAVENG;NAVENG;c:\progra

1\20110101.005\naveng.sys [2011-1-1 86008]
R3 NAVEX15;NAVEX15;c:\progra

1\20110101.005\navex15.sys [2011-1-1 1360760]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-10-20 386024]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\g$\desktop\tdl3 razor\tizerbruteforceex.sys --> c:\documents and settings\g$\desktop\tdl3 razor\TizerBruteForceEx.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-10-20 378344]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-11 27904]

2011-01-06 10:13:10 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-06 10:13:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-06 10:12:48 -------- d-----w- c:\docume

1\Hitman Pro
2011-01-06 09:52:27 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2011-01-03 05:12:29 98816 ----a-w- c:\windows\sed.exe
2011-01-03 05:12:29 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 05:12:29 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 05:12:29 161792 ----a-w- c:\windows\SWREG.exe
2011-01-03 05:11:59 -------- d-----w- C:\ComboFix
2011-01-02 01:57:18 6144 ------w- c:\windows\system32\3.tmp
2011-01-02 01:56:15 6144 ------w- c:\windows\system32\2.tmp
2011-01-02 01:32:42 -------- d-----w- c:\docume

1\Malwarebytes
2011-01-02 01:32:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-02 01:32:33 -------- d-----w- c:\docume

1\Malwarebytes
2011-01-02 01:32:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-02 01:32:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-02 01:08:32 -------- d-----w- c:\program files\Sophos
2010-12-31 19:05:31 388096 ----a-r- c:\docume

1\microsoft\installer\<45a66726-69bc-466b-a7a4-12fcba4883d7>\HiJackThis.exe
2010-12-31 19:05:30 -------- d-----w- c:\program files\Trend Micro
2010-12-31 01:33:36 -------- d-----w- C:\backups
2010-12-30 11:06:10 -------- d-----w- c:\docume

1\eIfHo06511
2010-12-14 09:44:39 -------- d-----w- c:\program files\JDownloader

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5AB555]
_asm < PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5b17b0]; MOV EAX, [0x8a5b182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; >
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A5E9AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009b[0x8A5ED9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5DA940]
\Driver\atapi[0x8A58D780] -> IRP_MJ_CREATE -> 0x8A5AB555
kernel: MBR read successfully
_asm < XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; >
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#<53f56307-b6bf-11d0-94f2-00a0c91efb8b> device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5AB39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-09 15:27:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 HTS541060G9AT00 rev.MB3OA60A
Running: gmer.exe; Driver: C:\DOCUME

SSDT 8A585C88 ZwAlertResumeThread
SSDT 8A5ED5B8 ZwAlertThread
SSDT 8A23DD98 ZwAllocateVirtualMemory
SSDT 8A2119D0 ZwConnectPort
SSDT 8A4DDAE0 ZwCreateMutant
SSDT 8A21B3F0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9F221CB0]
SSDT 8A5CDDE0 ZwFreeVirtualMemory
SSDT 8A4DC750 ZwImpersonateAnonymousToken
SSDT 8A5D0860 ZwImpersonateThread
SSDT 8A35C698 ZwMapViewOfSection
SSDT 8A584F88 ZwOpenEvent
SSDT 8A2FE890 ZwOpenProcessToken
SSDT 8A5C2518 ZwOpenThreadToken
SSDT 8A401D98 ZwQueryValueKey
SSDT 8A26A238 ZwResumeThread
SSDT 8A2ECC08 ZwSetContextThread
SSDT 8A306F88 ZwSetInformationProcess
SSDT 8A583A38 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9F221F10]
SSDT 8A5184B8 ZwSuspendProcess
SSDT 8A556308 ZwSuspendThread
SSDT 8A301DE0 ZwTerminateProcess
SSDT 8A546B70 ZwTerminateThread
SSDT 8A368AA8 ZwUnmapViewOfSection
SSDT 8A4613C8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501D90 4 Bytes CALL B730A7C4
init C:\WINDOWS\System32\DRIVERS\gtipci21.sys entry point in "init" section [0xB8BDDA80]
. System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
. C:\DOCUME

1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\Explorer.EXE[396] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0081000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0080000C
.text C:\WINDOWS\System32\svchost.exe[1144] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B2000A
.text C:\WINDOWS\System32\svchost.exe[1144] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00DA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FC000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2816] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3764] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A5AB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A5AB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A5AB39B
Device \FileSystem\ndasrofs \Device\NdasRofsControl ndasfs.sys (NDAS LFS Filter/XIMETA, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ndasrofs.sys (NDAS RO File System Driver/XIMETA, Inc.)
Device ndasfs.sys (NDAS LFS Filter/XIMETA, Inc.)
Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHTS541060G9AT00_________________________MB3OA60A#5&2db186e&0&0.0.0#<53f56307-b6bf-11d0-94f2-00a0c91efb8b> device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000d1801173b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000d1801173b@001256f7e937 0x59 0xDD 0x3E 0x57.
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26.
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00.
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79.
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0xD2 0x76 0xE3.
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d1801173b
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC6 0xB8 0x21 0x12.
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000d1801173b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x57 0x56 0xC6 0x26.
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00.
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x81 0x58 0xD4 0x79.
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC6 0xB8 0x21 0x12.

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

gringo_pr 10 Jan 2011

JediJoel 26 Jan 2011

Initial prognosis is good. After running TDSSKiller.exe the system rebooted. The machine restarted and loaded the OS faster than usual. Upon reboot, automatic updates started to download (an action disabled by the rootkit). It looks like things are good. I am going to run the machine for a bit and see if the Windows Firewall service stops, but I think things are back to normal. Thanks for the help and your patience in keeping the thread open. Here is the log:

2011/01/26 10:56:39.0281 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
2011/01/26 10:56:39.0281 ================================================================================
2011/01/26 10:56:39.0281 SystemInfo:
2011/01/26 10:56:39.0281
2011/01/26 10:56:39.0281 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/26 10:56:39.0281 Product type: Workstation
2011/01/26 10:56:39.0281 ComputerName: MAC-N-CHEESE
2011/01/26 10:56:39.0281 UserName: G$
2011/01/26 10:56:39.0281 Windows directory: C:\WINDOWS
2011/01/26 10:56:39.0281 System windows directory: C:\WINDOWS
2011/01/26 10:56:39.0281 Processor architecture: Intel x86
2011/01/26 10:56:39.0281 Number of processors: 1
2011/01/26 10:56:39.0281 Page size: 0x1000
2011/01/26 10:56:39.0281 Boot type: Normal boot
2011/01/26 10:56:39.0281 ================================================================================
2011/01/26 10:56:39.0546 Initialize success
2011/01/26 10:56:43.0140 ================================================================================
2011/01/26 10:56:43.0140 Scan started
2011/01/26 10:56:43.0140 Mode: Manual;
2011/01/26 10:56:43.0140 ================================================================================
2011/01/26 10:56:45.0265 1001E (ae03ce743cba34d9f90ad65714a26183) C:\WINDOWS\system32\drivers\1001E.sys
2011/01/26 10:56:45.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/26 10:56:45.0453 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/26 10:56:45.0562 aeaudio (ad707942e4ccb28d77cee5ed989c9e55) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/01/26 10:56:45.0640 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/26 10:56:45.0718 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/26 10:56:45.0968 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/26 10:56:46.0078 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/01/26 10:56:46.0203 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/26 10:56:46.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\x001.sys
2011/01/26 10:56:46.0343 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/26 10:56:46.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/26 10:56:46.0500 b57w2k (2fa609c3411ec5f77f42d0b04d304ae5) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/26 10:56:46.0578 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/26 10:56:46.0703 BT (8e2d9ece59dfe7d310201e0d65d97ecb) C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
2011/01/26 10:56:46.0796 Btcsrusb (942c602296119d758547808221c85a2c) C:\WINDOWS\system32\Drivers\btcusb.sys
2011/01/26 10:56:46.0875 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/01/26 10:56:46.0953 BtHidBus (ce441ccd98c5ecb10cb12fcaf97322ec) C:\WINDOWS\system32\Drivers\BtHidBus.sys
2011/01/26 10:56:47.0140 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
2011/01/26 10:56:47.0203 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/01/26 10:56:47.0312 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/01/26 10:56:47.0375 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/01/26 10:56:47.0468 btnetBUs (d3c277a51ef9e2ec972d6221f99c0b6d) C:\WINDOWS\system32\Drivers\btnetBus.sys
2011/01/26 10:56:47.0640 BTNetFilter (4f26303becbb7cc5ca8ff39593124cf2) C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys
2011/01/26 10:56:47.0875 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/26 10:56:48.0078 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/26 10:56:48.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/26 10:56:48.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/26 10:56:48.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/26 10:56:48.0437 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/26 10:56:48.0515 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/26 10:56:48.0687 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/26 10:56:48.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/26 10:56:48.0859 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/26 10:56:48.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/26 10:56:48.0937 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/26 10:56:49.0171 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/01/26 10:56:49.0234 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/01/26 10:56:49.0296 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/01/26 10:56:49.0375 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/26 10:56:49.0453 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\System32\drivers\EABFiltr.sys
2011/01/26 10:56:49.0531 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
2011/01/26 10:56:49.0765 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/01/26 10:56:49.0859 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/01/26 10:56:49.0921 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/26 10:56:50.0140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/26 10:56:50.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/26 10:56:50.0312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/26 10:56:50.0359 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/26 10:56:50.0406 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/26 10:56:50.0437 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/26 10:56:50.0484 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/26 10:56:50.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/26 10:56:50.0640 GTIPCI21 (7d074058804ad398f93ca0a08af83ff2) C:\WINDOWS\system32\DRIVERS\gtipci21.sys
2011/01/26 10:56:50.0718 HidBth (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys
2011/01/26 10:56:50.0812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/26 10:56:50.0953 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/26 10:56:51.0109 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/26 10:56:51.0171 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/26 10:56:51.0234 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/26 10:56:51.0390 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/26 10:56:51.0468 ialm (d95eb1c9b3a5c2f6fdeab05dd03736fe) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/26 10:56:51.0531 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/26 10:56:51.0671 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/26 10:56:51.0750 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/26 10:56:51.0843 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/26 10:56:52.0078 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/26 10:56:52.0156 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/26 10:56:52.0218 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/26 10:56:52.0265 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/01/26 10:56:52.0296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/26 10:56:52.0359 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/26 10:56:52.0421 IvtBtBUs (71e1fc547cc488d5cd7bf0860c96f5af) C:\WINDOWS\system32\Drivers\IvtBtBus.sys
2011/01/26 10:56:52.0468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/26 10:56:52.0500 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/26 10:56:52.0734 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/26 10:56:52.0781 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/26 10:56:53.0062 lfsfilt (d98f42e4d526448a9276010a74f4c101) C:\WINDOWS\system32\DRIVERS\lfsfilt.sys
2011/01/26 10:56:53.0156 LoopBeMidi1 (de65ebd42567c33c0152e308a982b834) C:\WINDOWS\system32\drivers\loopbe1.sys
2011/01/26 10:56:53.0234 lpx (6ef4fdde95dd58440f5242c2ba459e0f) C:\WINDOWS\system32\DRIVERS\lpx.sys
2011/01/26 10:56:53.0296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/26 10:56:53.0390 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/26 10:56:53.0437 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/26 10:56:53.0500 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/26 10:56:54.0125 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/26 10:56:54.0328 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/26 10:56:54.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/26 10:56:54.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/26 10:56:54.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/26 10:56:54.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/26 10:56:54.0671 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/26 10:56:54.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/26 10:56:54.0937 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/26 10:56:54.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/26 10:56:55.0046 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/26 10:56:55.0296 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA

1\20110124.003\naveng.sys
2011/01/26 10:56:55.0484 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA

1\20110124.003\navex15.sys
2011/01/26 10:56:55.0734 ndasbus (b9c9db9ce88e39c37f0e544bd51e6e7c) C:\WINDOWS\system32\DRIVERS\ndasbus.sys
2011/01/26 10:56:55.0812 ndasfat (a4fe380cc37676274f993c09acdf184f) C:\WINDOWS\system32\DRIVERS\ndasfat.sys
2011/01/26 10:56:55.0875 ndasfs (466cb08d60ca31543f9a92de41855f0d) C:\WINDOWS\system32\DRIVERS\ndasfs.sys
2011/01/26 10:56:56.0046 ndasrofs (8cce314294c35febdb7312f5be9a6d87) C:\WINDOWS\system32\DRIVERS\ndasrofs.sys
2011/01/26 10:56:56.0281 ndasscsi (b9266024863bddd2f774db3d519f367a) C:\WINDOWS\system32\DRIVERS\ndasscsi.sys
2011/01/26 10:56:56.0359 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/26 10:56:56.0437 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/26 10:56:56.0500 Ndisprot (a3b80c6e0774815c362aeb5ed5ac047d) C:\WINDOWS\system32\drivers\Ndisprot.sys
2011/01/26 10:56:56.0562 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/26 10:56:56.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/26 10:56:56.0687 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/26 10:56:56.0734 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/26 10:56:56.0781 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/26 10:56:56.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/26 10:56:57.0062 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/01/26 10:56:57.0078 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/26 10:56:57.0140 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS
2011/01/26 10:56:57.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/26 10:56:57.0515 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/26 10:56:57.0687 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/26 10:56:57.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/26 10:56:57.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/26 10:56:57.0812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/26 10:56:57.0859 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/26 10:56:57.0906 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/26 10:56:58.0015 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/26 10:56:58.0078 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/26 10:56:58.0125 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/26 10:56:58.0375 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/26 10:56:58.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/26 10:56:58.0515 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/26 10:56:58.0562 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/26 10:56:58.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/26 10:56:58.0781 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/26 10:56:58.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/26 10:56:59.0046 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/01/26 10:56:59.0093 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/26 10:56:59.0140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/26 10:56:59.0171 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/26 10:56:59.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/26 10:56:59.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/26 10:56:59.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/26 10:56:59.0437 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/26 10:56:59.0500 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/26 10:56:59.0593 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/01/26 10:56:59.0734 SAVRT (cdb565c093b0105086cc630b32f9e6e6) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/01/26 10:56:59.0781 SAVRTPEL (1042cb5a003f9aed8d6cec56a0fc6c49) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/01/26 10:57:00.0031 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/01/26 10:57:00.0171 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/26 10:57:00.0218 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/26 10:57:00.0281 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/26 10:57:00.0375 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/26 10:57:00.0484 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/26 10:57:00.0578 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/01/26 10:57:00.0703 smwdm (858934c454bdc6664c752bf0cd3eaeae) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/26 10:57:00.0812 SndTDriverV32 (3b4d9b067230fab80ea1e3cfa1c11337) C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2011/01/26 10:57:01.0062 snpstd2 (c01904b1390ce8893331698e54e58ca5) C:\WINDOWS\system32\DRIVERS\snpstd2.sys
2011/01/26 10:57:01.0281 SPBBCDrv (cc22bf5631c4837abcd81d75de8fb1aa) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/01/26 10:57:01.0390 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/26 10:57:01.0515 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys
2011/01/26 10:57:01.0687 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/26 10:57:01.0796 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/26 10:57:01.0875 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/26 10:57:01.0968 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/26 10:57:02.0015 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/26 10:57:02.0078 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/26 10:57:02.0328 SymEvent (5156f63e684e8c864ff40e40d5309f41) C:\Program Files\Symantec\SYMEVENT.SYS
2011/01/26 10:57:02.0421 SYMREDRV (5314e345dfc068504cfb2676d3b2ca39) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/01/26 10:57:02.0484 SYMTDI (8cd0a1478256240249b8ee88e6f25e94) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/01/26 10:57:02.0750 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/26 10:57:02.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/26 10:57:02.0937 tbhsd (10a926ef723a816d3db771608f184e3b) C:\WINDOWS\system32\drivers\tbhsd.sys
2011/01/26 10:57:03.0031 Tcpip (4afb3b0919649f95c1964aa1fad27d73) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/26 10:57:03.0078 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/26 10:57:03.0125 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/26 10:57:03.0171 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/26 10:57:03.0265 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys
2011/01/26 10:57:03.0437 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/26 10:57:03.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/26 10:57:03.0625 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/26 10:57:03.0718 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/26 10:57:03.0796 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/01/26 10:57:03.0875 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/26 10:57:03.0968 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/01/26 10:57:04.0000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/26 10:57:04.0078 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/26 10:57:04.0187 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/01/26 10:57:04.0250 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/26 10:57:04.0281 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/26 10:57:04.0328 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/26 10:57:04.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/26 10:57:04.0437 VComm (0955553090e0a88614e5b8a02af9324c) C:\WINDOWS\system32\DRIVERS\VComm.sys
2011/01/26 10:57:04.0500 VcommMgr (ea0d7c68dc77b478f1c08022b8afe8ca) C:\WINDOWS\system32\Drivers\VcommMgr.sys
2011/01/26 10:57:04.0562 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/26 10:57:04.0625 VHidMinidrv (95a38e0a1b06109ad2bfb50dd40e31db) C:\WINDOWS\system32\drivers\VHIDMini.sys
2011/01/26 10:57:04.0718 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/26 10:57:04.0734 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/26 10:57:04.0953 w29n51 (d6006de6a6ed423d8016a03bc50cbe6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/01/26 10:57:05.0281 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/26 10:57:05.0406 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/26 10:57:05.0500 wlluc48 (dca17912a1926ae427537648fc0e74d5) C:\WINDOWS\system32\DRIVERS\wlluc48.sys
2011/01/26 10:57:05.0578 wlluc48b (212724e926b6b0cb41cadf579b9bf024) C:\WINDOWS\system32\DRIVERS\wlluc48b.sys
2011/01/26 10:57:05.0671 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/26 10:57:05.0765 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/26 10:57:05.0812 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/26 10:57:05.0906 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/26 10:57:05.0984 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/26 10:57:06.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/26 10:57:06.0062 ================================================================================
2011/01/26 10:57:06.0062 Scan finished
2011/01/26 10:57:06.0062 ================================================================================
2011/01/26 10:57:06.0062 Detected object count: 2
2011/01/26 10:57:21.0359 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/26 10:57:26.0546 Backup copy found, using it..
2011/01/26 10:57:26.0609 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/26 10:57:26.0609 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/01/26 10:57:26.0687 \HardDisk0 - will be cured after reboot
2011/01/26 10:57:26.0687 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/26 10:57:32.0093 Deinitialize success

gringo_pr 26 Jan 2011

Yes, the rootkit has been cleared. Now it is time to sweep up and lock the doors.

I would like you to download an updated version of ComboFix.


http://www.bleepingcomputer.com/forums/t/371159/trojanhiloti-andor-...