
Rootkit.tdss


voight75


Dakeyras,

No problem at all. Ok, here are the logs:

mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

report.txt:

Host Name: RICHARD

OS Name: Microsoft Windows XP Professional

OS Version: 5.1.2600 Service Pack 3 Build 2600

OS Manufacturer: Microsoft Corporation

OS Configuration: Standalone Workstation

OS Build Type: Multiprocessor Free

Registered Owner: Richard Lunan

Registered Organization:

Product ID: 76487-OEM-0011903-00817

Original Install Date: 12/22/2006, 3:06:34 AM

System Up Time: 0 Days, 0 Hours, 15 Minutes, 48 Seconds

System Manufacturer: TOSHIBA

System Model: Satellite U205

System type: X86-based PC

Processor(s): 1 Processor(s) Installed.

[01]: x86 Family 6 Model 15 Stepping 6 GenuineIntel ~1995 Mhz

BIOS Version: TOSHIB - 970814

Windows Directory: C:\WINDOWS

System Directory: C:\WINDOWS\system32

Boot Device: \Device\HarddiskVolume1

System Locale: en-us;English (United States)

Input Locale: en-us;English (United States)

Time Zone: (GMT-06:00) Central Time (US & Canada)

Total Physical Memory: 2,039 MB

Available Physical Memory: 1,236 MB

Virtual Memory: Max Size: 2,048 MB

Virtual Memory: Available: 2,001 MB

Virtual Memory: In Use: 47 MB

Page File Location(s): C:\pagefile.sys

Domain: WORKGROUP

Logon Server: \\RICHARD

Hotfix(s): 197 Hotfix(s) Installed.

[01]: File 1

[02]: File 1

[03]: File 1

[04]: File 1

[05]: File 1

[06]: File 1

[07]: File 1

[08]: File 1

[09]: File 1

[10]: File 1

[11]: File 1

[12]: File 1

[13]: File 1

[14]: File 1

[15]: File 1

[16]: File 1

[17]: File 1

[18]: File 1

[19]: File 1

[20]: File 1

[21]: File 1

[22]: File 1

[23]: File 1

[24]: File 1

[25]: File 1

[26]: File 1

[27]: File 1

[28]: File 1

[29]: File 1

[30]: File 1

[31]: File 1

[32]: File 1

[33]: File 1

[34]: File 1

[35]: File 1

[36]: File 1

[37]: File 1

[38]: File 1

[39]: File 1

[40]: File 1

[41]: File 1

[42]: File 1

[43]: File 1

[44]: File 1

[45]: File 1

[46]: File 1

[47]: File 1

[48]: File 1

[49]: File 1

[50]: File 1

[51]: File 1

[52]: File 1

[53]: File 1

[54]: File 1

[55]: File 1

[56]: File 1

[57]: File 1

[58]: File 1

[59]: File 1

[60]: File 1

[61]: File 1

[62]: File 1

[63]: File 1

[64]: File 1

[65]: File 1

[66]: File 1

[67]: File 1

[68]: File 1

[69]: File 1

[70]: File 1

[71]: File 1

[72]: File 1

[73]: File 1

[74]: File 1

[75]: File 1

[76]: File 1

[77]: File 1

[78]: File 1

[79]: File 1

[80]: File 1

[81]: File 1

[82]: File 1

[83]: Q147222

[84]: KB887998 - QFE

[85]: KB930494 - QFE

[86]: SP3 - SP

[87]: M928366 - Update

[88]: S867460 - Update

[89]: KB888316 - Update

[90]: KB894553 - Update

[91]: KB895678 - Update

[92]: MC05Upd1 - Update

[93]: KB900325 - Update

[94]: Q927978

[95]: Q936181

[96]: Q954430

[97]: IDNMitigationAPIs - Update

[98]: NLSDownlevelMapping - Update

[99]: KB929399

[100]: KB952069_WM9

[101]: KB968816_WM9

[102]: KB973540_WM9

[103]: KB911565

[104]: KB913800

[105]: KB917734_WMP10

[106]: KB926251

[107]: KB936782_WMP10

[108]: KB936782_WMP11

[109]: KB939683

[110]: KB954154_WM11

[111]: KB959772_WM11

[112]: KB925398_WMP64

[113]: KB923689

[114]: KB941569

[115]: KB928090-IE7 - Update

[116]: KB929969 - Update

[117]: KB931768-IE7 - Update

[118]: KB933566-IE7 - Update

[119]: KB937143-IE7 - Update

[120]: KB938127-IE7 - Update

[121]: KB939653-IE7 - Update

[122]: KB942615-IE7 - Update

[123]: KB944533-IE7 - Update

[124]: KB947864-IE7 - Update

[125]: KB950759-IE7 - Update

[126]: KB953838-IE7 - Update

[127]: KB956390-IE7 - Update

[128]: KB958215-IE7 - Update

[129]: KB960714-IE7 - Update

[130]: KB961260-IE7 - Update

[131]: KB963027-IE7 - Update

[132]: KB969897-IE7 - Update

[133]: KB969897-IE8 - Update

[134]: KB971930-IE8 - Update

[135]: KB971961-IE8 - Update

[136]: KB972260-IE8 - Update

[137]: MSCompPackV1 - Update

[138]: KB936929 - Service Pack

[139]: KB923561 - Update

[140]: KB938464 - Update

[141]: KB938464-v2 - Update

[142]: KB946648 - Update

[143]: KB950760 - Update

[144]: KB950762 - Update

[145]: KB950974 - Update

[146]: KB951066 - Update

[147]: KB951072-v2 - Update

[148]: KB951376 - Update

[149]: KB951376-v2 - Update

[150]: KB951698 - Update

[151]: KB951748 - Update

[152]: KB951978 - Update

[153]: KB952004 - Update

[154]: KB952287 - Update

[155]: KB952954 - Update

[156]: KB953839 - Update

[157]: KB954211 - Update

[158]: KB954459 - Update

[159]: KB954550-v5 - Update

[160]: KB954600 - Update

[161]: KB955069 - Update

[162]: KB955839 - Update

[163]: KB956391 - Update

[164]: KB956572 - Update

[165]: KB956744 - Update

[166]: KB956802 - Update

[167]: KB956803 - Update

[168]: KB956841 - Update

[169]: KB956844 - Update

[170]: KB957095 - Update

[171]: KB957097 - Update

[172]: KB958644 - Update

[173]: KB958687 - Update

[174]: KB958690 - Update

[175]: KB959426 - Update

[176]: KB960225 - Update

[177]: KB960715 - Update

[178]: KB960803 - Update

[179]: KB960859 - Update

[180]: KB961118 - Update

[181]: KB961371 - Update

[182]: KB961373 - Update

[183]: KB961501 - Update

[184]: KB967715 - Update

[185]: KB968389 - Update

[186]: KB968537 - Update

[187]: KB969898 - Update

[188]: KB970238 - Update

[189]: KB970653-v3 - Update

[190]: KB971557 - Update

[191]: KB971633 - Update

[192]: KB971657 - Update

[193]: KB973346 - Update

[194]: KB973354 - Update

[195]: KB973507 - Update

[196]: KB973815 - Update

[197]: KB973869 - Update

NetWork Card(s): 3 NIC(s) Installed.

[01]: Intel® PRO/100 VE Network Connection

Connection Name: Local Area Connection

[02]: Intel® PRO/Wireless 3945ABG Network Connection

Connection Name: Wireless Network Connection

DHCP Enabled: Yes

DHCP Server: 192.168.2.1

IP address(es)

[01]: 192.168.2.2

[03]: 1394 Net Adapter

Connection Name: 1394 Connection

10:33:14:406 SetPrivileges: OpenThreadToken error 1008

10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2

10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2

10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2

10:33:14:500 main: Driver KLMD successfully dropped

10:33:14:546 main: Driver KLMD successfully loaded

10:33:14:546

scanning registry ...

10:33:14:593 ScanServices: Searching service UACd.sys

10:33:14:593 ScanServices: Open/Create key error 2

10:33:14:593 ScanServices: Searching service TDSSserv.sys

10:33:14:593 ScanServices: Open/Create key error 2

10:33:14:593 ScanServices: Searching service gaopdxserv.sys

10:33:14:593 ScanServices: Open/Create key error 2

10:33:14:593 ScanServices: Searching service gxvxcserv.sys

10:33:14:593 ScanServices: Open/Create key error 2

10:33:14:593 ScanServices: Searching service MSIVXserv.sys

10:33:14:593 ScanServices: Open/Create key error 2

10:33:14:609 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000

10:33:14:812 UnhookRegistry: Kernel local addr: C00000

10:33:15:15 UnhookRegistry: KeServiceDescriptorTable addr: C8B520

10:33:15:15 UnhookRegistry: KiServiceTable addr: C0D8B0

10:33:15:62 UnhookRegistry: NtEnumerateKey service number (local): 47

10:33:15:62 UnhookRegistry: NtEnumerateKey local addr: CA1E14

10:33:15:234 KLMD_OpenDevice: Trying to open KLMD device

10:33:15:234 KLMD_GetSystemRoutineAddress: Trying to get system routine address ZwEnumerateKey

10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]

10:33:15:234 UnhookRegistry: NtEnumerateKey service number (kernel): 47

10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]

10:33:15:234 UnhookRegistry: NtEnumerateKey real addr: 80578E14

10:33:15:234 UnhookRegistry: NtEnumerateKey calc addr: 80578E14

10:33:15:234 UnhookRegistry: No SDT hooks found on NtEnumerateKey

10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]

10:33:15:234 UnhookRegistry: Splicing found on NtEnumerateKey

10:33:15:234 KLMD_WriteMem: Trying to WriteMemory 0x80578E14[0xA]

10:33:15:234 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully

10:33:15:234

completed

10:33:15:234 Files deleted on next reboot: 0

10:33:15:234 Registry node deleted on next reboot: 0

10:33:15:234

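The TDSSKiller-style log in the post above is the interesting artefact here: it records a lookup of known rootkit service names, a comparison of the kernel's service table against the on-disk ntoskrnl image (an "SDT hook" check), and a check of the first bytes of NtEnumerateKey for an inline patch ("splicing"), which is the one finding on this machine. The script below is an added example, not part of the thread or of TDSSKiller, that turns such a log into the handful of facts an analyst wants to confirm. The first sample is abridged from the post; the second sample, the function name NtQueryDirectoryFile and both addresses in it are constructed to show what a service-table mismatch and an access-denied key lookup would look like.

```python
import re

# Constructed sample in the format of the TDSSKiller log quoted in the post above;
# these lines are abridged from that post, not taken from a live system.
SAMPLE_CLEAN = """\
10:33:14:593 ScanServices: Searching service UACd.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service TDSSserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:15:234 UnhookRegistry: NtEnumerateKey real addr: 80578E14
10:33:15:234 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
10:33:15:234 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:33:15:234 UnhookRegistry: Splicing found on NtEnumerateKey
10:33:15:234 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
10:33:15:234 Files deleted on next reboot: 0
"""

# Constructed sample of what an SDT hook looks like in this format: the address read
# from the live service table ("real") differs from the one computed from the on-disk
# kernel image ("calc"). Function name, addresses and error code are made up.
SAMPLE_SDT_HOOK = """\
10:40:00:100 ScanServices: Searching service TDSSserv.sys
10:40:00:100 ScanServices: Open/Create key error 5
10:40:00:200 UnhookRegistry: NtQueryDirectoryFile real addr: F8A1B000
10:40:00:200 UnhookRegistry: NtQueryDirectoryFile calc addr: 805B2F00
"""

TS_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}:\d{1,3}\s+(.*)$")
SERVICE_RE = re.compile(r"ScanServices: Searching service (\S+)")
KEY_ERR_RE = re.compile(r"ScanServices: Open/Create key error (\d+)")
ADDR_RE = re.compile(r"UnhookRegistry: (\w+) (real|calc) addr: ([0-9A-Fa-f]+)")
SPLICE_RE = re.compile(r"UnhookRegistry: Splicing found on (\w+)")
UNHOOK_RE = re.compile(r"UnhookRegistry: (\w+) \((\w+)\) unhooked successfully")

ERROR_FILE_NOT_FOUND = 2  # Win32 error 2: the service's registry key does not exist


def triage_tdsskiller_log(text):
    """Summarise a TDSSKiller-style log into the facts an analyst wants to check."""
    result = {
        "services_absent": [],   # known rootkit service keys that do not exist (good)
        "services_present": [],  # service key opened without any error (investigate)
        "services_error": [],    # (name, code): lookup failed with another code, e.g. 5 = access denied
        "sdt_hooks": [],         # (function, real, calc): table entry differs from on-disk kernel
        "inline_hooks": [],      # functions whose first bytes were patched ("splicing")
        "unhooked": [],          # (function, hook type) the tool reports it repaired
    }
    addrs = {}
    pending = None  # service name whose lookup result we are waiting for

    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)

        s = SERVICE_RE.search(msg)
        if s:
            if pending is not None:  # previous lookup produced no error line
                result["services_present"].append(pending)
            pending = s.group(1)
            continue

        k = KEY_ERR_RE.search(msg)
        if k and pending is not None:
            code = int(k.group(1))
            if code == ERROR_FILE_NOT_FOUND:
                result["services_absent"].append(pending)
            else:
                result["services_error"].append((pending, code))
            pending = None
            continue

        a = ADDR_RE.search(msg)
        if a:
            func, kind, value = a.groups()
            addrs.setdefault(func, {})[kind] = value.upper()
            pair = addrs[func]
            if "real" in pair and "calc" in pair and pair["real"] != pair["calc"]:
                result["sdt_hooks"].append((func, pair["real"], pair["calc"]))
            continue

        sp = SPLICE_RE.search(msg)
        if sp:
            result["inline_hooks"].append(sp.group(1))
            continue

        u = UNHOOK_RE.search(msg)
        if u:
            result["unhooked"].append((u.group(1), u.group(2)))

    if pending is not None:
        result["services_present"].append(pending)
    return result


def is_clean(summary):
    """True when no hook of either kind was found and every service lookup came back 'not found'."""
    return not (summary["sdt_hooks"] or summary["inline_hooks"]
                or summary["services_present"] or summary["services_error"])


if __name__ == "__main__":
    for name, sample in (("thread log", SAMPLE_CLEAN), ("constructed SDT hook", SAMPLE_SDT_HOOK)):
        summary = triage_tdsskiller_log(sample)
        print(name, "->", "clean" if is_clean(summary) else "findings", summary)
```

The point of separating the error codes is that "key error 2" (not found) is the clean result, whereas any other failure on a lookup of a known rootkit service name, or a table address that does not match the on-disk kernel, deserves a second look even when the tool reports nothing else. Run on the log from the post, the summary is not clean: the inline patch on NtEnumerateKey is reported as a finding together with the tool's own note that it was unhooked.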

Hi. :)

Please delete your current copy of ComboFix and empty the Recycle Bin.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

Extra Note: Please ensure that you allow the Recovery Console to be installed if prompted as we may need to use this.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.


Dakeyras,

Same problem with combofix, yet again. It just will not start the auto-scan. It loads, creates system restore, then states that scan is about to begin (may take 10 minutes etc.), then nothing at all. I let it sit for almost 40 minutes, and still nothing. This has happened every time I have tried to run combofix, except the once I ran it in Safe Mode.


Hi. :)

Hmmmm, not looking good at all I'm afraid. Be prepared, as mentioned prior, I may have to recommend a reformat and reinstallation of the Windows operating system. :)

The below may seem tedious but bear with myself on this please.

OK, was the Recovery Console installed during the last or any of the previous ComboFix runs in Normal Mode?

If not sure, a quick, easy way to check is to reboot your machine and, just after the POST (power-on self-test) check, you should see these options as shown here.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\windows\ntbtlog.txt

Then empty the Recycle Bin.

  • Restart your computer.
  • Just before the XP loading screen starts hit F8 as if going to safe mode.
  • From the advanced boot menu choose "enable boot logging" then hit enter.
  • Post the following file:

C:\windows\ntbtlog.txt

Next:

Please download IceSword and extract it to the desktop.

Once IceSword is extracted, with all browser and Explorer windows closed, run IceSword

  • Once IceSword is open, click the Win32 Service Function on the left Menu Bar
    If any red entries are found, click the blue Log Tab at the top of the screen and save the log to documents folder as service-list.txt.
  • Now, Click IceSword's Process Function on the left Menu Bar
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to documents folder as processlist.txt.

Note: If needed, use multiple replies to post any logs and/or upload to my channel.


Dakeyras,

There were no red entries found using Ice Sword. If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc) Is there anything else I need to be doing? Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

Here is the ntbtlog.txt:

Service Pack 3 9 25 2009 15:31:22.375

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver pcmcia.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver TVALZ.SYS

Loaded driver Thpevm.SYS

Loaded driver thpdrv.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\w39n51.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\drivers\tifm21.sys

Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\Apfiltr.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\tdcmdpst.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\drivers\iviaspi.sys

Loaded driver \SystemRoot\system32\drivers\pfc.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\tbiosdrv.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\ADIHdAud.sys

Loaded driver \SystemRoot\system32\drivers\AEAudio.sys

Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Udfs.SYS

Loaded driver \SystemRoot\System32\Drivers\meiudf.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipfltdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Mpfp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys

Loaded driver \SystemRoot\System32\Drivers\tcusb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\mfehidk.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\tdudf.sys

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Loaded driver \SystemRoot\system32\DRIVERS\netdevio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Did not load driver \SystemRoot\System32\Drivers\Serial.SYS

Loaded driver \SystemRoot\System32\Drivers\ASCTRM.SYS

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Did not load driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Did not load driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\drivers\mfebopk.sys

Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\LVPr2Mon.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\System32\Drivers\IsDrv122.sys

Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

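A boot log like the one above is long and repetitive, which is why it was requested: the analyst is looking for a driver that loads from an unexpected place, a driver that repeatedly fails to load, or a load sequence that looks odd. The script below is an added example, not part of the thread, that pulls those points out of an ntbtlog.txt. Paths under \SystemRoot or \WINDOWS, and bare file names (boot-start drivers from system32\drivers), are treated as normal; "\??\" paths are absolute DOS paths and are listed for review, with those under a temp or profile directory called out separately. The sample is constructed: most lines are taken from the post, the last one (PLACEHOLDER_DRIVER.sys, an invented name) is added only to show what a driver in a user-writable directory would look like.

```python
import re
from collections import Counter

# Constructed sample in the format of the ntbtlog.txt posted above. All lines but the
# last are taken from that post; the last is invented (placeholder name) to exercise
# the user-writable-directory check.
SAMPLE_NTBTLOG = r"""
Service Pack 3 9 25 2009 15:31:22.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \??\C:\DOCUME~1\USER\LOCALS~1\Temp\PLACEHOLDER_DRIVER.sys
"""

LINE_RE = re.compile(r"^(Loaded|Did not load) driver (.+)$")

# Locations the boot loader normally loads drivers from (compared case-insensitively).
SYSTEM_PREFIXES = ("\\systemroot\\", "\\windows\\")
# Fragments that place a path inside a profile or temp directory.
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\users\\")


def parse_ntbtlog(text):
    """Return a list of (loaded: bool, path: str) in log order; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1) == "Loaded", m.group(2)))
    return records


def classify_path(path):
    """'system', 'absolute', 'absolute_user_writable' or 'other' for one driver path."""
    p = path.lower()
    if p.startswith("\\??\\"):
        body = p[4:]
        if any(h in body for h in USER_WRITABLE_HINTS):
            return "absolute_user_writable"
        return "absolute"
    # A bare file name (no backslash) is a boot-start driver resolved from system32\drivers.
    if p.startswith(SYSTEM_PREFIXES) or "\\" not in p:
        return "system"
    return "other"


def summarize_ntbtlog(text):
    """Counts plus the three lists an analyst reviews first."""
    records = parse_ntbtlog(text)
    loaded = [path for ok, path in records if ok]
    names = Counter(path.rsplit("\\", 1)[-1].lower() for path in loaded)
    return {
        "loaded": len(loaded),
        "not_loaded": [path for ok, path in records if not ok],
        "absolute_paths": [p for p in loaded if classify_path(p) == "absolute"],
        "user_writable_paths": [p for p in loaded if classify_path(p) == "absolute_user_writable"],
        "other_paths": [p for p in loaded if classify_path(p) == "other"],
        "repeated": {n: c for n, c in names.items() if c > 1},
    }


if __name__ == "__main__":
    for key, value in summarize_ntbtlog(SAMPLE_NTBTLOG).items():
        print(f"{key}: {value}")
```

"Did not load" lines are not by themselves a problem (floppy and CD-audio drivers fail to load on a laptop without that hardware, as the post shows), and a third-party driver under Program Files is ordinary; the lists simply narrow the thousand-line log to the handful of paths worth checking against the vendor, the file's signature and its timestamp. Repeated loads of the same driver, as with LVUSBSta.sys above, usually point at a device being re-enumerated rather than at malware, but the count makes the pattern visible.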

Hi. :)

> If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc) Is there anything else I need to be doing?

What you have mentioned RE backing up is fine and I will provide advice on how to use your Toshiba CD's to do so if needed.

> Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

It is proving to be somewhat of a challenge to pinpoint exactly what is the launch vector and you are very welcome!

> Oh, I almost forgot, the Recovery Console is installed.

Good to know.

Boot.ini Check:

I would like to check the current state of the Boot.ini file to check if it is corrupted or not as follows:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <----Start >> Run... type in notepad and select OK

@Echo off
rem Copy boot.ini to the desktop; /h is needed because it is a hidden system file
xcopy C:\boot.ini "%userprofile%\desktop\" /h
rem Clear the system and hidden attributes on the copy so it can be renamed and opened
attrib -s -h "%userprofile%\desktop\boot.ini"
ren "%userprofile%\desktop\boot.ini" bootini.txt
rem Delete this batch file itself
Del %0

  • Go to File >> Save As
  • Save File name as "Look.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: LookBat.gif

Now double click on the desktop Look.bat to run the batch file. It will self-delete when completed and produce a notepad text file named bootini on your desktop.


Dakeyras,

Here you go:

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /forceresetreg

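The reason for pulling boot.ini is to see whether it is still well formed: the [boot loader] section must name a default entry that actually exists under [operating systems], the timeout must be a number, each entry needs an ARC path or a drive-letter boot-sector file with a quoted label, and the switches should be ones the loader recognises. The checker below is an added example, not part of the thread or of any tool mentioned in it; the list of recognised switches is an assumption drawn from the documented Windows XP boot.ini switches, so an unlisted switch is reported for review rather than declared wrong. The good sample follows the entries posted above (without the trailing switches); the corrupt sample, including /PLACEHOLDER_SWITCH, is constructed.

```python
import re

# Sample following the boot.ini posted above (labels and paths as posted).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

# Constructed corrupt sample: bad timeout, default pointing at a partition with no
# entry, and a switch (invented placeholder) the loader does not know.
SAMPLE_CORRUPT = r"""
[boot loader]
timeout=abc
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP" /fastdetect /PLACEHOLDER_SWITCH
"""

# Assumption: documented XP boot.ini switches, matched on the part before '=' or ':'.
KNOWN_SWITCHES = {"/fastdetect", "/noexecute", "/cmdcons", "/safeboot", "/bootlog", "/sos",
                  "/basevideo", "/noguiboot", "/3gb", "/pae", "/debug", "/maxmem", "/numproc",
                  "/burnmemory", "/kernel", "/hal"}
ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\.+$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Map lower-cased section name -> list of its non-blank, non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"data before any section: {line!r}")
        sections[current].append(line)
    return sections


def check_boot_ini(text):
    """Return a list of human-readable issues; an empty list means the file looks sane."""
    issues = []
    sections = parse_boot_ini(text)
    for name in ("boot loader", "operating systems"):
        if name not in sections:
            issues.append(f"missing [{name}] section")
    loader = {}
    for line in sections.get("boot loader", []):
        key, _, value = line.partition("=")
        loader[key.strip().lower()] = value.strip()

    timeout = loader.get("timeout")
    if timeout is None or not timeout.isdigit():
        issues.append(f"timeout missing or not an integer: {timeout!r}")

    entries = {}
    for line in sections.get("operating systems", []):
        m = ENTRY_RE.match(line)
        if not m:
            issues.append(f"malformed entry: {line}")
            continue
        path = m.group("path").strip()
        entries[path.lower()] = m.group("label")
        if not ARC_RE.match(path) and not DRIVE_RE.match(path):
            issues.append(f"unrecognised boot path: {path}")
        for sw in m.group("switches").split():
            name = sw.split("=", 1)[0].split(":", 1)[0].lower()
            if name not in KNOWN_SWITCHES:
                issues.append(f"unrecognised switch {sw} on {path}")

    default = loader.get("default", "")
    if not default:
        issues.append("default entry missing")
    elif default.lower() not in entries:
        issues.append(f"default {default} does not match any [operating systems] entry")
    return issues


if __name__ == "__main__":
    for name, sample in (("posted", SAMPLE_BOOT_INI), ("corrupt", SAMPLE_CORRUPT)):
        print(name, "->", check_boot_ini(sample) or "OK")
```

The default-versus-entries comparison is the check that matters most for a machine that will not boot or that boots something unexpected; the switch review is there because a loader option that nobody remembers adding is worth explaining before the file is trusted.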

Hi. :)

I can no longer in good conscience let this malware infection remain on your computer.

Being honest so far I have been unable to identify the cause and would be providing your good self with a disservice if I let your computer remain infected and used online.

Some may disagree with my attitude/decision about what I have decided, but I was both taught and trained long and hard to get into the position I am today to be able to both assist and provide advice for individuals such as your good self.

The first tenet being do no harm to an individual's computer and or leave them exposed to malware unduly.

I stand by what I have mentioned above and what is the most prudent course of action, which I mention below, voight75.

With this in mind, my most honest advice now is for your good self to disconnect this computer from the Internet immediately. If you do any banking or other financial transactions on the computer or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Then carry out/perform a reformat and reinstallation of the Windows operating system.

How to do so as follows:

Using the Toshiba Recovery CD's is outlined here and you can check for your exact model.

If you require further advice about using the above recovery CD's by all means inform myself and I will research further on your behalf to find the exact methodology.

The below is some advice I do have on what to do after the reformat and reinstallation.

Reformat and Reinstallation Advice:

  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:

  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Here are some free Firewalls which I recommend to use:
    (Use only one, and disable your Windows Firewall)

Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!

  • Keep your system updated - Microsoft releases patches for Windows and other products regularly:

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

    • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Malwarebytes' Anti-Malware - Download it from here
    The tutorial on how to use MBAM is located here

  • Install WinPatrol - Download it from here
    You can find information about how WinPatrol works here

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here
    The tutorial on how to use Spyware Blaster is located here

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for your computer becoming infected again will reduce dramatically. Any questions feel free to ask OK!


Dakeyras,

Ok, this is what I had feared. I will back up tomorrow and then either Sunday or Monday do the reformat, using the Toshiba provided CDs. Will I lose my McAfee etc when I reformat, i.e. will I have to buy a new subscription etc? I will most likely have other questions relating to the reformat, so please keep an eye out here, as I will definitely have questions. Thank you for all of your help.


Hi. :P

Not good news I admit but I assure you it is the most prudent course of action to take. If this was one of my machines and or my wife's laptop I would not hesitate to carry out a reformat and reinstallation of the Windows operating system.

By all means you can reinstall your McAfee SecurityCenter and reactivate it and continue to use until the subscription runs out. If you have forgotten the reactivation password this article explains how to retrieve it. Feel free to ask myself any questions if in the need for further advice and you are very welcome!


Dakeyras,

Ok! I have successfully reformatted my laptop. I have re-installed the McAfee Security Suite, which I believe provides me with a firewall, anti-virus etc, as you mentioned in your previous post.

Thank you again for all of your help. It is very much appreciated. I will know where to come if I ever have any problems again.

