
Suspicious.Mystic


This topic is locked
62 replies to this topic

#16 MeNeedHelpz (Authentic Member, 35 posts)

Posted 01 January 2011 - 10:58 PM

I copied it to system32 and, with the CD in, the same thing happens.



#17 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 01 January 2011 - 11:13 PM

OK

then let's rename the winlogon back

boot back into the recovery console and type the following at the c:\windows prompt:

cd system32
ren winlogon.exe winlogon.old
ren winlogon.bad winlogon.exe
dir winlogon.*


make sure you have a c:\windows\system32\winlogon.exe when the dir shows up


let me know if that worked.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#18 MeNeedHelpz (Authentic Member, 35 posts)

Posted 01 January 2011 - 11:56 PM

Apparently I don't have a winlogon.bad any more, only a winlogon.old and a newly copied winlogon.exe (after trying to rename it back). Still have the problem.

#19 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 12:14 AM

Found it. It was in the Windows folder. Moved it to the system32 folder and renamed it back to winlogon.exe. Now the blue user selection screen shows up. :) However, as soon as I log in, I get an error report: "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience". When I try to start explorer.exe via the Run prompt I get the same message. And I still get the Norton A-V warnings that they blocked an attack/detected a virus.

#20 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 12:24 AM

OK,

then the infection has taken hold of the replaced files as well. Either download the diagnostic scans I want you to run via another computer, transfer them via USB stick, browse to the USB stick in Task Manager, transfer them to your local disk (c:\ drive - copy/paste) and run them,

or start IE via Task Manager > type iexplore in File > new and download the files directly to your c:\ drive > browse to them via Task Manager and run them.


I need to see the extent of the infection with these diagnostic logs, then we can set about fixing it


take your time, do it carefully, no need to rush, we can fix this.



#21 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 01:04 PM

Here's the dds.txt log (attach.txt is attached like the program told me to do):

DDS (Ver_10-12-12.02) - NTFSx86
Run by Jimmy at 13:43:16.60 on Sun 01/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.705 [GMT -5:00]

AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Programs\Nero8\New Folder\Nero 8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
D:\Programs\Nero8\New Folder\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jimmy\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1241404235&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\ENCWCBAR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [L06AXLRD_25653484] "d:\programs\microsoft student\microsoft student 2006 dvd\EDICT.EXE" -m
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [core700extrasetup.exe] c:\documents and settings\jimmy\application data\8d6cce9ac69335523aed001a30207992\core700extrasetup.exe
uRun: [Google Update] "c:\documents and settings\jimmy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_ActiveX.exe -update activex
mRun: [D-Link AirPlus XtremeG DWL-G520] c:\drivers\d-link\airplus xtremeg dwl-g520\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] d:\programs\nero8\new folder\nero 8\incd\NBHGui.exe
mRun: [InCD] d:\programs\nero8\new folder\nero 8\incd\InCD.exe
mRun: [NBKeyScan] "d:\programs\nero8\new folder\nero 8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1010011
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237758770780
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245066177968
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://nxcache.nexon.net/mabinogi/renderer/mabiweb.2010.5.03.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BB7E62CD-6811-470D-9265-9E7902F50605} - hxxp://ecdownload.moondo.com/17/patcher/moondoax.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-26 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-26 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-26 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-26 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-10-26 126392]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-3-22 547744]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2009-6-10 180480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-5 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101231.001\IDSXpx86.sys [2011-1-1 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110102.003\NAVENG.SYS [2011-1-2 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110102.003\NAVEX15.SYS [2011-1-2 1360760]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"c:\program files\solidworks\cosmos\floworks\bincfw\standaloneslv.exe" --> c:\program files\solidworks\cosmos\floworks\bincfw\StandAloneSlv.exe [?]
S2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;"c:\program files\solidworks\cosmos\floworks\bincfw\standaloneslv.exe" --> c:\program files\solidworks\cosmos\floworks\bincfw\StandAloneSlv.exe [?]

=============== Created Last 30 ================

2011-01-02 04:03:55 1004032 ----a-w- c:\windows\explorer.exe
2011-01-02 04:03:55 1004032 ----a-w- c:\windows\explorer.bad
2011-01-02 04:03:55 1004032 ----a-w- C:\explorer.exe
2011-01-02 04:03:23 516608 ----a-w- C:\winlogon.exe
2011-01-02 04:03:23 516608 ----a-w- c:\windows\winlogon.old
2011-01-02 04:03:23 516608 ----a-w- c:\windows\winlogon.badd
2011-01-02 04:03:23 516608 ----a-w- c:\windows\system32\Winlogon.oldd
2011-01-02 04:03:23 516608 ----a-w- c:\windows\system32\winlogon.old
2011-01-02 04:03:23 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-12-30 02:59:00 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-12-30 02:59:00 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-12-30 02:57:49 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-12-30 02:56:56 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-12-30 02:55:54 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-12-30 02:54:40 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-12-30 02:54:39 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-12-30 02:54:38 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2010-12-30 02:54:38 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2010-12-30 02:54:38 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2010-12-30 02:54:37 88192 -c--a-w- c:\windows\system32\dllcache\irda.sys
2010-12-30 02:54:30 90200 -c--a-w- c:\windows\system32\dllcache\io8ports.dll
2010-12-30 02:54:30 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2010-12-30 02:54:29 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2010-12-30 02:54:28 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2010-12-30 02:54:28 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2010-12-30 02:54:27 16000 -c--a-w- c:\windows\system32\dllcache\ini910u.sys
2010-12-30 02:52:44 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-12-30 02:51:59 470144 -c--a-w- c:\windows\system32\dllcache\g200d.dll
2010-12-30 02:50:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-12-30 02:49:57 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2010-12-30 02:48:38 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-12-30 02:47:59 46464 -c--a-w- c:\windows\system32\dllcache\atibt829.sys
2010-12-30 02:43:14 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-12-30 02:42:59 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2010-12-30 02:42:59 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-12-30 02:42:58 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-12-30 02:42:58 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-12-30 02:42:57 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-12-30 02:42:57 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-12-30 02:42:35 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-12-23 01:06:35 815104 ----a-w- c:\windows\system32\xvidcore.dll
2010-12-23 01:06:35 77824 ----a-w- c:\windows\system32\xvid.ax
2010-12-23 01:06:35 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-23 01:06:35 -------- d-----w- c:\program files\Xvid
2010-12-21 03:43:49 -------- d-----w- c:\docume~1\jimmy\locals~1\applic~1\Ares
2010-12-21 02:22:50 -------- d-----w- c:\docume~1\jimmy\applic~1\PriceGong
2010-12-18 02:00:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2010-12-18 01:57:15 -------- d-----w- c:\docume~1\jimmy\locals~1\applic~1\Mozilla
2010-12-16 23:49:57 -------- d-----w- c:\docume~1\jimmy\locals~1\applic~1\Google
2010-12-16 23:49:35 -------- d-----w- c:\docume~1\jimmy\locals~1\applic~1\Deployment
2010-12-16 01:45:12 -------- d-----w- c:\docume~1\jimmy\applic~1\Local
2010-12-16 01:41:36 -------- d-----w- c:\program files\common files\DivX Shared

==================== Find3M ====================

2010-11-29 04:56:07 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-11-29 04:56:07 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-11-29 04:55:59 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-11-24 19:33:14 214864 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-24 19:33:14 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-16 18:55:00 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-10-16 18:55:00 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 17:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 17:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 17:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 17:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 17:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 17:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340014A rev.3.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x898A3555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x898a97b0]; MOV EAX, [0x898a982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89890AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x899069B8]
\Driver\atapi[0x898BF350] -> IRP_MJ_CREATE -> 0x898A3555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST340014A_______________________________3.16____#4a33365844445046202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x898A339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:45:47.31 ===============

Attached Files
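The DDS log above is what a helper reads by hand: the browser proxy pointing at 127.0.0.1, the "No File" entries, the autorun launched from a folder named with 32 hex characters under Application Data, and the GMER section with an unknown module in the disk call chain, an atapi DriverStartIo hook and an explicit TDL3 warning. The script below is an added example, not part of the thread and not the DDS or GMER tool, that applies that same first-pass reading automatically: it splits a DDS log on its ===== section headers and flags those indicators with a severity. The sample log is a constructed excerpt modelled on the log posted above; the severity levels, the 32-hex-character folder heuristic and the expected Userinit path are my own assumptions, not DDS output.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log posted in the thread, not the full log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [core700extrasetup.exe] c:\documents and settings\jimmy\application data\8d6cce9ac69335523aed001a30207992\core700extrasetup.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
=================== ROOTKIT ====================
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x898A3555]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89890AB8]
detected hooks:
\Driver\atapi DriverStartIo -> 0x898A339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 13:45:47.31 ===============
"""

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str      # the log line that triggered the finding

RUN_KEYS = ("uRun:", "mRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:")
PROFILE_DIRS = ("application data", "local settings", "\\temp\\", "appdata")
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{32}\\", re.I)  # assumed heuristic: 32-hex-char folder name
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed XP default
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_sections(text):
    """Split a DDS log into {section name: [non-blank lines]} on its ==== headers."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"=+\s*(.+?)\s*=+", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def check_hjt(lines):
    """Pseudo HJT Report: local proxy, orphaned entries, odd autoruns, Userinit."""
    out = []
    for line in lines:
        low = line.lower()
        if "proxyserver" in low and "=" in line:
            if any(h in line.split("=", 1)[1] for h in ("127.0.0.1", "localhost")):
                out.append(Finding("high", "browser proxy points at this machine; a local process is intercepting web traffic", line))
        elif low.endswith("no file"):
            out.append(Finding("low", "registry entry whose file is missing; clean-up candidate", line))
        elif line.startswith(RUN_KEYS):
            if HEX_DIR_RE.search(line) or any(d in low for d in PROFILE_DIRS):
                out.append(Finding("medium", "autorun from a profile or random-named folder; verify publisher and hash", line))
        elif low.startswith("mwinlogon: userinit="):
            if line.split("=", 1)[1].strip().lower() != EXPECTED_USERINIT:
                out.append(Finding("high", "Userinit no longer points at the Windows default", line))
    return out

def check_rootkit(lines):
    """ROOTKIT section (GMER MBR check): unknown code, driver hooks, warnings."""
    out, in_hooks = [], False
    for line in lines:
        low = line.lower()
        if low == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks and "->" in line:
            out.append(Finding("high", "driver hook on the disk I/O stack; typical of MBR (TDL-family) rootkits", line))
            continue
        in_hooks = False  # the hook list ends at the first line without an arrow
        if low.startswith("warning:"):
            out.append(Finding("high", "rootkit detector raised an explicit warning", line))
        elif ">>unknown" in low:
            out.append(Finding("high", "unknown code in the disk I/O call chain where a named module belongs", line))
    return out

def triage(log_text):
    """Return all findings, highest severity first (stable within a level)."""
    findings = []
    for name, lines in parse_sections(log_text).items():
        if name.lower().startswith("pseudo hjt"):
            findings += check_hjt(lines)
        elif name.lower() == "rootkit":
            findings += check_rootkit(lines)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Every "medium" item is a review prompt, not a verdict: legitimate updaters also live under Local Settings (the Google Update entry in the full log above is one), so the autorun rule narrows what a helper checks against publisher and hash rather than deciding on its own. The proxy, unknown-module, hook and warning rules are the ones that matter here; they are what leads the helper to run ComboFix and TDSSKiller next.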



#22 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 01:06 PM

Hi

Please do the following:


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#23 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 01:52 PM

I got a message saying ComboFix has detected rootkit activity and needs to reboot the machine. Was this supposed to happen?

#24 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 01:59 PM

yes



#25 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 02:04 PM

Where is this combofix.txt? I can't find it.



#26 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 02:08 PM

It should have opened up on its own once ComboFix completed after the restart. Once the computer rebooted after you received that message, did ComboFix continue on with its scan... did it complete to stage 50? Have a look at C:\Combofix.txt... see if there is a log there. If not, run ComboFix again.



#27 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 02:17 PM

When it reboots the computer, do I need to go to the boot menu? Because both times, after it reboots, I let it load normally and it goes to the user account selection/log on screen, and after I log in it is still the blank desktop screen and ComboFix is not running in the Task Manager processes.

#28 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 02:22 PM

Are you able to boot into safe mode?

Give safe mode a try - boot back into safe mode if ComboFix reboots the machine again, so a log can be produced.


To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safe Mode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account



#29 MeNeedHelpz (Authentic Member, 35 posts)

Posted 02 January 2011 - 02:43 PM

ComboFix doesn't continue to run after reboot, safe mode or no safe mode. I have Norton A-V permanently disabled (until I manually enable it). There is no file C:\Combofix.txt.

#30 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 02 January 2011 - 02:58 PM

OK

run the following program

then give ComboFix another try afterwards


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

