Anti-virus software compromised

August 3, 2011 at 18:20:29
Specs: Windows XP
My anti-virus software keeps closing down mid scan, and my browsers have been infected with the '100ksearches' trojan where all my search results get redirected to other sites.

Please help, have tried running several anti-virus and trojan killing software in safe mode but when I boot up back in normal mode the same things happen.




#1
August 3, 2011 at 18:47:10
nassman,

The infection will return if its source is the Master Boot Record. It loads the infection as soon as you boot into Windows!

For this reason, please download aswMBR:
http://public.avast.com/~gmerek/asw...
Save it to the Desktop.

XP users - Double-click aswMBR.exe to start the tool.

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop,
Note - Do NOT attempt to fix anything!!

Please post the log produced by aswMBR in your next reply.


Also, you will notice that another file is created on the Desktop. It is named MBR.dat.

If you have a USB flash drive, please move the mbr.dat file to it.
If not, move the mbr.dat from the Desktop, to the C:\ drive.

This is important, just in case we need to have access to the MBR information!!


Next, download TDSSKiller
http://support.kaspersky.com/downlo...


Execute TDSSKiller.exe by double-clicking on it.

Click: ‘Start Scan’

If Malicious objects are found, do NOT allow the tool to Cure!
Click the arrow next to 'Cure' and select Skip
We need to see the report first, as it may show false detections!!

Click: 'Continue'

When the tool is done, a log is produced at the root drive which is typically C:\
For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt

Also post the TDSSKiller log in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
August 3, 2011 at 19:05:08
Thank you so much for the quick reply.


aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-04 12:00:18
-----------------------------
12:00:18.562 OS Version: Windows 5.1.2600 Service Pack 2
12:00:18.562 Number of processors: 2 586 0x605
12:00:18.562 ComputerName: BILL-AF42084BDF UserName: Acer
12:00:18.812 Initialize success
12:00:41.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
12:00:41.359 Disk 0 Vendor: ST3808110AS 3.AAE Size: 76319MB BusType: 3
12:00:43.375 Disk 0 MBR read successfully
12:00:43.375 Disk 0 MBR scan
12:00:43.375 Disk 0 Windows XP default MBR code
12:00:43.390 Disk 0 scanning sectors +156280320
12:00:43.437 Disk 0 scanning C:\WINDOWS\system32\drivers
12:00:48.437 File: C:\WINDOWS\system32\drivers\ipsec.sys **SUSPICIOUS**
12:00:51.250 Service scanning
12:00:51.578 Service .redbook \* **LOCKED** 123
12:00:52.453 Modules scanning
12:00:53.828 Module: C:\WINDOWS\system32\DRIVERS\ipsec.sys **SUSPICIOUS**
12:00:56.796 Disk 0 trace - called modules:
12:00:56.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85f29a90]<<
12:00:56.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8656aab8]
12:00:56.843 3 CLASSPNP.SYS[f761d05b] -> nt!IofCallDriver -> [0x862e7668]
12:00:56.859 \Driver\00001141[0x862a8500] -> IRP_MJ_CREATE -> 0x85f29a90
12:00:56.875 Scan finished successfully
12:01:16.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Acer\Desktop\MBR.dat"
12:01:16.078 The log file has been saved successfully to "C:\Documents and Settings\Acer\Desktop\aswMBR.txt"

_____________________________________________________________________


2011/08/04 12:02:52.0687 2868 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/04 12:02:53.0609 2868 ================================================================================
2011/08/04 12:02:53.0609 2868 SystemInfo:
2011/08/04 12:02:53.0609 2868
2011/08/04 12:02:53.0609 2868 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/04 12:02:53.0609 2868 Product type: Workstation
2011/08/04 12:02:53.0609 2868 ComputerName: BILL-AF42084BDF
2011/08/04 12:02:53.0609 2868 UserName: Acer
2011/08/04 12:02:53.0609 2868 Windows directory: C:\WINDOWS
2011/08/04 12:02:53.0609 2868 System windows directory: C:\WINDOWS
2011/08/04 12:02:53.0609 2868 Processor architecture: Intel x86
2011/08/04 12:02:53.0609 2868 Number of processors: 2
2011/08/04 12:02:53.0609 2868 Page size: 0x1000
2011/08/04 12:02:53.0609 2868 Boot type: Normal boot
2011/08/04 12:02:53.0609 2868 ================================================================================
2011/08/04 12:02:54.0156 2868 Initialize success
2011/08/04 12:02:59.0390 2968 ================================================================================
2011/08/04 12:02:59.0390 2968 Scan started
2011/08/04 12:02:59.0406 2968 Mode: Manual;
2011/08/04 12:02:59.0406 2968 ================================================================================
2011/08/04 12:03:02.0843 2968 IPSec (2cd5fa122008b0c9b77832984cd9695d) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/04 12:03:02.0843 2968 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 2cd5fa122008b0c9b77832984cd9695d, Fake md5: 64537aa5c003a6afeee1df819062d0d1
2011/08/04 12:03:02.0859 2968 IPSec - detected Rootkit.Win32.ZAccess.e (0)
2011/08/04 12:03:05.0171 2968 redbook (d279a4f4df45a62f8b9d0cdad2d1e330) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/04 12:03:05.0187 2968 redbook - detected Rootkit.Win32.ZAccess.c (0)
2011/08/04 12:03:07.0343 2968 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/04 12:03:07.0437 2968 Boot (0x1200) (0c259fe5c0c187f7a91e073f52b8cafa) \Device\Harddisk0\DR0\Partition0
2011/08/04 12:03:07.0453 2968 ================================================================================
2011/08/04 12:03:07.0453 2968 Scan finished
2011/08/04 12:03:07.0453 2968 ================================================================================
2011/08/04 12:03:07.0468 2952 Detected object count: 2
2011/08/04 12:03:07.0468 2952 Actual detected object count: 2
2011/08/04 12:03:40.0765 2952 Rootkit.Win32.ZAccess.e(IPSec) - User select action: Skip
2011/08/04 12:03:40.0781 2952 Rootkit.Win32.ZAccess.c(redbook) - User select action: Skip
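An added example, not part of this thread or of the aswMBR/TDSSKiller tools themselves: a small Python parser that pulls the suspicious, forged and detected entries out of log lines like the ones posted above and correlates them per driver, so the ipsec.sys and redbook.sys findings stand out from the clean driver enumeration. The sample input is constructed from a handful of lines copied from the logs above, and the regular expressions are assumptions based only on the line formats shown here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the aswMBR and TDSSKiller logs posted
# above, keeping one clean driver (Tcpip) for contrast.
SAMPLE_LOG = r"""
12:00:48.437 File: C:\WINDOWS\system32\drivers\ipsec.sys **SUSPICIOUS**
12:00:51.578 Service .redbook \* **LOCKED** 123
12:00:53.828 Module: C:\WINDOWS\system32\DRIVERS\ipsec.sys **SUSPICIOUS**
2011/08/04 12:03:02.0843 2968 IPSec (2cd5fa122008b0c9b77832984cd9695d) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/04 12:03:02.0843 2968 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 2cd5fa122008b0c9b77832984cd9695d, Fake md5: 64537aa5c003a6afeee1df819062d0d1
2011/08/04 12:03:02.0859 2968 IPSec - detected Rootkit.Win32.ZAccess.e (0)
2011/08/04 12:03:05.0171 2968 redbook (d279a4f4df45a62f8b9d0cdad2d1e330) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/04 12:03:05.0187 2968 redbook - detected Rootkit.Win32.ZAccess.c (0)
2011/08/04 12:03:06.0046 2968 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/04 12:03:40.0765 2952 Rootkit.Win32.ZAccess.e(IPSec) - User select action: Skip
"""

# Patterns are assumptions derived from the line shapes in the posted logs.
ASW_FLAG = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (File|Module|Service):? (.+?) \*\*(SUSPICIOUS|LOCKED)\*\*")
TDSS_DRIVER = re.compile(r"^\S+ \S+ \d+ (\S+) \(([0-9a-f]{32})\) (.+)$")
TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
TDSS_DETECT = re.compile(r"^\S+ \S+ \d+ (\S+) - detected (\S+) \(\d+\)$")
TDSS_ACTION = re.compile(
    r"^\S+ \S+ \d+ ([^\s(]+)\(([^)]+)\) - User select action: (\S+)$")


@dataclass
class Finding:
    tool: str                 # "aswMBR" or "TDSSKiller"
    kind: str                 # SUSPICIOUS, LOCKED, FORGED, DETECTED or ACTION
    subject: str              # service name or driver path as it appears in the line
    detail: dict = field(default_factory=dict)


def service_key(subject: str) -> str:
    """Normalise a service name, ".redbook \\*" or a driver path to one lowercase key."""
    name = subject.split()[0]                 # drops the trailing "\*" of the locked service
    name = name.rsplit("\\", 1)[-1]           # path -> file name
    name = re.sub(r"\.sys$", "", name, flags=re.IGNORECASE)
    return name.lstrip(".").lower()


def parse_line(line: str) -> Finding | None:
    m = ASW_FLAG.match(line)
    if m:
        return Finding("aswMBR", m.group(3), m.group(2))
    m = TDSS_FORGED.search(line)
    if m:
        return Finding("TDSSKiller", "FORGED", m.group(1),
                       {"real_md5": m.group(2), "fake_md5": m.group(3)})
    m = TDSS_DETECT.match(line)
    if m:
        return Finding("TDSSKiller", "DETECTED", m.group(1), {"signature": m.group(2)})
    m = TDSS_ACTION.match(line)
    if m:
        return Finding("TDSSKiller", "ACTION", m.group(2),
                       {"signature": m.group(1), "action": m.group(3)})
    return None


def parse_log(text: str) -> list[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def driver_table(text: str) -> dict[str, dict[str, str]]:
    """Service key -> md5 and path from TDSSKiller's plain driver enumeration lines."""
    table: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        m = TDSS_DRIVER.match(line)
        if m:
            table[service_key(m.group(1))] = {"md5": m.group(2), "path": m.group(3)}
    return table


def triage(text: str) -> dict[str, dict]:
    """Group every finding under its driver; only drivers with at least one finding appear."""
    drivers = driver_table(text)
    report: dict[str, dict] = {}
    for f in parse_log(text):
        key = service_key(f.subject)
        entry = report.setdefault(key, {
            "path": drivers.get(key, {}).get("path"),
            "md5": drivers.get(key, {}).get("md5"),
            "flags": set(), "signatures": set(),
            "hash_mismatch": False, "action": None,
        })
        entry["flags"].add(f"{f.tool}:{f.kind}")
        if f.kind == "FORGED":
            # TDSSKiller's "Forged" line: the hash seen through the file system
            # differs from the hash of the bytes actually on disk.
            entry["hash_mismatch"] = f.detail["real_md5"] != f.detail["fake_md5"]
        elif f.kind == "DETECTED":
            entry["signatures"].add(f.detail["signature"])
        elif f.kind == "ACTION":
            entry["action"] = f.detail["action"]
    return report


def replacement_candidates(report: dict[str, dict]) -> list[str]:
    """Paths the logs flag as forged or detected, i.e. the files that need a known-clean copy."""
    return sorted(e["path"] for e in report.values()
                  if e["path"] and (e["hash_mismatch"] or e["signatures"]))


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_LOG).items():
        print(name, sorted(entry["flags"]), sorted(entry["signatures"]),
              "hash mismatch" if entry["hash_mismatch"] else "", entry["action"] or "")
```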




#3
August 3, 2011 at 19:34:44
nassman,

There is a RootKit showing there: ZeroAccess (ZA)
Not a good one.
ZA has 2 drivers; one that kills security software, and the other does the redirects.

Please download ComboFix:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: http://www.bleepingcomputer.com/for...


Now, double-click on ComboFix.exe to run the program.
Follow the prompts.

Make sure you install the Recovery Console part since you are running Windows XP!

When done, click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Since this report can be quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#4
August 4, 2011 at 20:25:37
Hey, have run combofix but my Internet connection is now non existent, have tried system restore to before I ran combofix, which didn't help, have also tried repairing the connection and reinstalling again, no help. I know that it's not the connection itself because my wireless is still working, I'm currently using my iPhone at home to write this. Don't know what to do. My home setup is cable Internet running through a d-link router both wired and wireless, my computer is connected via Ethernet cable.

Apologies for the delay and thank you again for your assistance.



#5
August 4, 2011 at 22:11:15
Please restart the computer and see if you regain the Internet connection.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6
August 4, 2011 at 22:22:36
Have restarted several times, have also turned off and on both the router and the modem several times, disabled and then enabled my connections, did all the things that I know of to try and get it going with no luck. My Google Chrome browser is also no longer opening up, I keep getting error messages; Internet Explorer and Firefox both open but cannot open any web pages.


#7
August 4, 2011 at 23:02:33
Please go to Start > Run > Command > type in the following bolded text: NETSH WINSOCK RESET CATALOG

Press: Enter

Reboot your computer.

Any progress?

If no joy, try the following:

Download WinsockXPFix to a clean machine and copy it to a USB flash drive, or CD:
http://www.snapfiles.com/get/winsoc...

Next, plug it in the infected pc, and copy the file to the Desktop.

Double Click on winsockxpfix icon on your Desktop.

Press 'Fix' button

Allow your system to reboot.

Is your connection restored?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#8
August 7, 2011 at 18:13:05
Unfortunately this didn't work. I wanted to ask if I reformat my computer and reinstall windows that virus would surely be removed?


#9
August 7, 2011 at 18:41:04
Just in case aaflac44 is not available, I reckon you are nearly clean, try this manual method of reconnecting.

http://www.bleepingcomputer.com/com...

Also, check this.

Infection has enabled proxy
http://www.bleepingcomputer.com/vir...
Start > Control Panel > Internet Options > Connections > LAN settings, untick > Use a proxy server for your LAN. Click OK twice.



#10
August 7, 2011 at 20:43:29
Thanks, Johnw.

Info on Repair option:
http://support.microsoft.com/kb/289256

This is a very nasty Rootkit.

nassman,

Can you move the ComboFix report that was produced to a USB Flash drive, and upload it from a different computer?

The report may show what the problem is. Need the info to determine if ZA has not been cleared and is still active.

Also, if you connect the computer to the modem, not wireless, does it work?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#11
August 7, 2011 at 22:23:55
Another thought...

Start > right click My Computer, and click: Manage
Click Services and Applications.
Click Services.

Double-click 'DHCP Client' and click: Start
Set the 'Startup type' to: Automatic

Now, try to connect.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#12
August 9, 2011 at 06:54:10
nassman,

It appears that this infection is raising havoc with Internet connections. Several cases abound in the forums...

We need to look at a 'DDS' log EventViewer section.
It may give a clue which network driver is malfunctioning/missing.

Please download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save it to a USB flash drive on a clean computer. (See Note** below)

Move it to the Desktop of the infected computer.

Double-click to run the tool

When done, DDS opens two (2) logs:
-DDS.txt
-Attach.txt

Save both reports to your Desktop, and once again move to a USB flash drive.

Go to a computer with an Internet connection, and, since these reports are quite large, please go to the 'Uploading' website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt, and click on 'Open'

You will see the following:
Your file has been uploaded successfully: (Name and size of the file)
Please copy the 'Download link'.

Do the same for the Attach.txt

Please copy the 'Download link', for each report, and provide them in your reply.

Note**:
Let's make sure the flash drive is not infected also!!

Please download Flash Disinfector:
http://www.techsupportforum.com/sec...

Save to your Desktop.

Double-click 'Flash_Disinfector.exe' to run it.
Follow any prompts that may appear.

The utility asks to insert your flash drive and/or other removable drives. Please do so.

Wait until it finishes scanning and then exit the program.

Reboot your computer when done.

Note: Flash_Disinfector will remove any autorun.inf files, create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it.

Don’t delete this folder. It will help protect your drives from future infection.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#13
August 9, 2011 at 08:13:17
Post above edited, added Flash Disinfector...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#14
August 9, 2011 at 21:31:24
Apologies for the delay had to borrow a laptop to upload this combofix log.

The link is http://uploading.com/files/e76487ac...

I'm about to do the next step (DDS)



#15
August 9, 2011 at 21:41:40
No apologies necessary.

Thanks for the info. Will wait for DDS logs.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#16
August 9, 2011 at 21:52:37
Here are the links for the DDS logs

http://uploading.com/files/28dd1b69...

http://uploading.com/files/e8683b9d...




#17
August 9, 2011 at 23:38:47
While I check all the info, please do the following:

Please go to Start > Run , type notepad.exe and press: OK

Copy the following text into notepad:

reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD" >> C:\found.txt
start C:\found.txt


Go to File > Save As, and save the file to the Desktop as look.bat
Go to the Desktop, and double-click the file

Please search for C:\found.txt, and copy/paste the contents in your reply.

Also, do you have the CD for Windows XP Professional?

And, did you totally uninstall your AntiVirus program? Whether you did or not, which AV program is it?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#18
August 10, 2011 at 08:30:35
Looking at all the info, and need a check for the following...

Please search for the following files:

C:\WINDOWS\system32\DRIVERS\ipsec.sys
C:\WINDOWS\system32\DRIVERS\redbook.sys

You can place them in the search box, or, you can right-click the Start button, select ‘Explore’ and navigate to the location of the files.

Right-click each of the files and select: 'Properties'

See if there is a 'Digital Signature' tab for each one of them.

If so, what does it say?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#19
August 10, 2011 at 16:09:38
nassman,

Disregard the post above #18, do the following instead

This is also something that will not require a download...

Please close any open windows/browsers.
Also, close/disable all AntiVirus and AntiMalware programs so they do not interfere with the running of ComboFix.


Open notepad and copy/paste the info below into it:

FileLook::
C:\WINDOWS\system32\DRIVERS\ipsec.sys
C:\WINDOWS\system32\DRIVERS\redbook.sys


Save this as CFScript.txt, in the same location as ComboFix.exe - on the Desktop.

http://img19.imageshack.us/img19/45...

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt

Please move the new log to a USB drive, and upload as before.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#20
August 11, 2011 at 20:41:59
nassman,

I realize that working with only one computer makes the removal of this Rootkit difficult.

Here is the situation:

This Registry entry:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.redbook]
"ImagePath"="\*"

And this file:
C:\Windows\System32\DRIVERS\redbook.sys (infected)

Are responsible for the lack of Internet.

In order to remedy this, the legit file (C:\Windows\System32\DRIVERS\redbook.sys) needs to be replaced.

A tool needs to be downloaded and run to find a good clean replacement for the file.
Then the file needs to be replaced with the clean copy.

Also need to check:
C:\Windows\System32\DRIVERS\ipsec.sys to see if it is involved.


You can try running sfc /scannow first. That requires no download, and may work. Nothing to lose here...

To do this simply go to Start > Run, and type in:
sfc /scannow

This command initiates the Windows File Protection service to scan all protected files, verifies their integrity, and replaces any files with which it finds a problem.

You may or may not be asked for the Windows XP CD…


If you do not want to continue with this topic, or, have resolved the problem otherwise, would appreciate your giving an update on the situation.

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#21
August 12, 2011 at 08:46:42
There is a new tool for the ZAccess Rootkit...

Download AntiZeroAccess:
http://anywhere.webrootcloudav.com/...
Save to the Desktop!

XP users: Double-click antizeroaccess.exe to start the program.
Vista and Windows 7 users: Right-click > run as Administrator

A command (black) window opens.
Type Y to start a system scan, and then press: Enter

Wait until the scan is complete.
Follow the instructions on the screen.

To close the program, press any key.
If a restart is required, do it immediately.

Please post the log file AntiZeroAccess creates.


If you cannot get the tool to run:
Go to Start > Run, type in: cmd.exe

When the command prompt opens, copy/paste the following commands, one at a time, and press ‘Enter‘ after each:

cd "%userprofile%\desktop"
cacls antizeroaccess.exe /e /g everyone:f
antizeroaccess.exe

Click ‘Y’ to allow it to remove whatever it finds.

Then, post its log.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#22
August 12, 2011 at 23:57:20
Sorry for the delay, I'm away with work, will perform all of those things as soon as I get back. Thank you again for all your help aaflac


#23
August 13, 2011 at 11:02:18
Good to hear from you, nassman.

Will re-look at your reports etc., and be ready when you return.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

