
Rootkit.tdss


This topic is locked. 62 replies to this topic.

#41 Dakeyras

    True Member

  • Experts
  • 437 posts
  • Gender:Male
  • Location:The Tundra

Posted 23 September 2009 - 04:34 PM

Hi. :blink:

Well, I appreciate your continued help. I also saw that a number of you guys were helping others who appear to have the same problem as me! I suppose the more people working on it, the sooner we will crack it, right?

You're welcome!

That is the theory one hopes, plus I will be sharing my research with my colleagues as soon as I have something definite, and vice versa, as this is how we collaborate in the fight against malware.

One side question: my desktop is becoming rather cluttered, can I remove some of the stuff I have downloaded? (At this point, everything you have asked me to download is still on my desktop. I was planning on keeping MBAM, RSIT, GMER, HiJack This and Erunt for now, but can I get rid of the other stuff for now?)

I would prefer you leave everything in-place, as some applications will require a specific removal process. By all means delete any logs on the desktop you have already posted.

One workaround I can suggest is to create a new folder on the desktop called, say, My Log Tools. Move all into this folder and, as/if I request them, move them temporarily back to the desktop, then back again when finished scanning etc. When finished with all, move all to the desktop prior to my complete removal instructions for all, thank you.

The Radix log is too large to post, even as a zip file, it will not allow me to attach it. What should I do?

OK, I ran a scan with this on my test box and it is indeed rather large (my own is around the 160 KB mark in size). Try splitting it into two logs (or three) if need be and post/attach each individually. Not ideal, I admit, and in the meantime I will see if there is another viable method for myself to be able to research the Radix log created.

Member of UNITE


#42 voight75

    New Member

  • Members
  • 35 posts

Posted 23 September 2009 - 04:59 PM

Dakeyras,

I have tried to split it up, even into 5 different pieces, and it is still too large to post. There appears to be some sort of attachment size limit for each thread, and it looks like we have used 321.18k of 500k, or am I misunderstanding that? Either way, I cannot think of a way to post these logs. Do you have an ftp site or something similar? Or could I e-mail you maybe?

#43 Dakeyras

Posted 23 September 2009 - 05:11 PM

Try and upload it to my submission channel here please, if no success we will try something else. :blink:

#44 voight75

Posted 23 September 2009 - 05:18 PM

Ok, I am submitting it to your channel in parts. First part just sent.

#45 voight75

Posted 23 September 2009 - 05:27 PM

Ok, it worked, I hope. I submitted it to your channel in 4 parts, all sent successfully.

#46 Dakeyras

Posted 23 September 2009 - 05:47 PM

Nicely done, got all the uploads thanks! :blink:

Rather a lot for myself to research, and at a quick glance at all, something does grab my attention. So please be patient until I have thoroughly researched all.

In the meantime I would like for your good self to carry out the following please:

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE Runtime Environment (JRE) 6 Update 16. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u16-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u16-windows-i586-p.exe to install Java.

Run Kaspersky Online AV Scanner:

Go to this Kaspersky website and perform an online antivirus scan.

Note: Use Internet Explorer for this scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:
  • How is your computer performing now? Any problems encountered and/or any further symptoms?
  • Kaspersky report.

#47 voight75

Posted 23 September 2009 - 09:47 PM

Dakeyras,

Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!) :)

No other new problems etc. to report.

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 24, 2009 00:17:03
Records in database: 2876926
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 96455
Threats found: 2
Infected objects found: 8
Suspicious objects found: 0
Scan duration: 03:17:43


File name / Threat / Threats count
winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.
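For anyone reading this thread later, here is a small triage script for a Kaspersky Online Scanner report of the shape posted above. It is an added example, not part of the original thread and not Kaspersky's code; the sample input is the detection table from the report above, embedded so the script runs offline. It separates the `not-a-virus:` riskware verdicts (here the remote-administration components, which the helper asks to have uninstalled in the next post) from actual malware verdicts, checks that the per-object counts add up to the "Infected objects found" total, and flags objects reported under a `globalroot\Device\...` path, which is a path the scanner reached through the kernel object namespace rather than through a drive letter, the usual sign that the file lives somewhere a normal directory listing does not show.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the detection table from the Kaspersky Online
# Scanner 7 report posted above, embedded here so the script runs offline.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
winlogon.exe\LMIinit.dll/winlogon.exe\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll/C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll/globalroot\Device\Ide\IdePort1\rxvnntsi\rxvnntsi\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1

Selected area has been scanned.
"""

# One detection line: "<object> Infected: <verdict> <count>". Composite objects
# (a DLL mapped into a process image, a file inside an archive) are printed as
# "container/inner", so the object part may itself contain "/".
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")


@dataclass
class Detection:
    obj: str      # object path exactly as the scanner printed it
    threat: str   # verdict name, e.g. Packed.Win32.TDSS.z
    count: int    # "Threats count" column

    @property
    def innermost(self) -> str:
        """The file the verdict actually applies to (last part of a composite)."""
        return self.obj.split("/")[-1]

    @property
    def is_riskware(self) -> bool:
        """Kaspersky prefixes legitimate-but-abusable tools with not-a-virus:."""
        return self.threat.startswith("not-a-virus:")

    @property
    def is_hidden_path(self) -> bool:
        """globalroot\\Device\\... means the scanner reached the file through the
        kernel object namespace rather than a drive letter: it was not where a
        normal directory listing would have shown it."""
        return self.innermost.lower().startswith("globalroot\\")


def parse_report(text: str) -> list[Detection]:
    """Extract the detection rows; header, blank and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            rows.append(Detection(m["obj"], m["threat"], int(m["count"])))
    return rows


def summarize(rows: list[Detection]) -> dict:
    """Split riskware from malware and pull out anything on a hidden path."""
    malware = [d for d in rows if not d.is_riskware]
    return {
        "objects": len(rows),
        "infected_total": sum(d.count for d in rows),   # should equal "Infected objects found"
        "riskware": sum(1 for d in rows if d.is_riskware),
        "malware": len(malware),
        "families": sorted({d.threat for d in malware}),
        "hidden_paths": sorted({d.innermost for d in rows if d.is_hidden_path}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the posted report this gives one malware family on a hidden path and four riskware objects, with the per-object counts summing to the report's "Infected objects found: 8".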

#48 Dakeyras

Posted 24 September 2009 - 08:07 AM

Hi. :)

Ok, I downloaded the Java updates and did the Kaspersky scan (all 3 hours of it!)

Aye sometimes it can be a lengthy scan indeed.

A question please: have you got a Genuine Windows XP installation CD-ROM?

Please remove/uninstall both LogMeIn & Protector Suite QL. They are not malicious but I suspect they will hinder the overall malware removal process and may be inadvertently used as a vector for the malware to launch. By all means reinstall both applications when we are finished.

Run a File Search:

Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "jvtmz.sys" >> "%userprofile%\desktop\look.txt"
A blank command window will open on your desktop, then close in a minute or two. This is normal.
A file called look.txt should appear on your Desktop. Please post the contents of this file.

#49 voight75

Posted 24 September 2009 - 12:56 PM

Dakeyras,

Ok, I have uninstalled the two programs you mentioned. I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers. Would Windows XP be included on that? (XP was installed when I bought the laptop.)

The look.txt file was blank, nothing to post.

#50 Dakeyras

Posted 25 September 2009 - 06:20 AM

Hi. :)

I apologise for the delay; I had some personal matters to attend to for most of yesterday/all evening.

I have a 2 disc set I got with my laptop (laptop is about 3 years old); the set is Toshiba Recovery and Applications/Drivers.

Ah, I see. I was going to ask you to install the Recovery Console as a precaution, but I do not think we can with the type of CDs mentioned. I will have a think about this; in the meantime please carry out the below, thank you.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract it to the Desktop.

From within the newly created tdsskiller folder move TDSSKiller.exe to the desktop and delete the tdsskiller folder.

Click on Start >> Run... >> copy in the following text, and press Enter:
"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
There will be a log on your desktop with the name report.
Copy and paste the contents of this log into your next reply.

MBR Rootkit Detector:

Please download The MBR Rootkit Detector by GMER.
Be sure to download it to the root of your drive, e.g. C:\MBR.exe
Once the download has finished, click Start >> Run... >> copy in the following text, and press Enter:
\mbr
A log will be generated called MBR.txt. Post it in your next reply.

#51 voight75

Posted 25 September 2009 - 10:39 AM

Dakeyras,

No problem at all. Ok, here are the logs:

mbr log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


report.txt:


Host Name: RICHARD
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Richard Lunan
Registered Organization:
Product ID: 76487-OEM-0011903-00817
Original Install Date: 12/22/2006, 3:06:34 AM
System Up Time: 0 Days, 0 Hours, 15 Minutes, 48 Seconds
System Manufacturer: TOSHIBA
System Model: Satellite U205
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 15 Stepping 6 GenuineIntel ~1995 Mhz
BIOS Version: TOSHIB - 970814
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 2,039 MB
Available Physical Memory: 1,236 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,001 MB
Virtual Memory: In Use: 47 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\RICHARD
Hotfix(s): 197 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: File 1
[05]: File 1
[06]: File 1
[07]: File 1
[08]: File 1
[09]: File 1
[10]: File 1
[11]: File 1
[12]: File 1
[13]: File 1
[14]: File 1
[15]: File 1
[16]: File 1
[17]: File 1
[18]: File 1
[19]: File 1
[20]: File 1
[21]: File 1
[22]: File 1
[23]: File 1
[24]: File 1
[25]: File 1
[26]: File 1
[27]: File 1
[28]: File 1
[29]: File 1
[30]: File 1
[31]: File 1
[32]: File 1
[33]: File 1
[34]: File 1
[35]: File 1
[36]: File 1
[37]: File 1
[38]: File 1
[39]: File 1
[40]: File 1
[41]: File 1
[42]: File 1
[43]: File 1
[44]: File 1
[45]: File 1
[46]: File 1
[47]: File 1
[48]: File 1
[49]: File 1
[50]: File 1
[51]: File 1
[52]: File 1
[53]: File 1
[54]: File 1
[55]: File 1
[56]: File 1
[57]: File 1
[58]: File 1
[59]: File 1
[60]: File 1
[61]: File 1
[62]: File 1
[63]: File 1
[64]: File 1
[65]: File 1
[66]: File 1
[67]: File 1
[68]: File 1
[69]: File 1
[70]: File 1
[71]: File 1
[72]: File 1
[73]: File 1
[74]: File 1
[75]: File 1
[76]: File 1
[77]: File 1
[78]: File 1
[79]: File 1
[80]: File 1
[81]: File 1
[82]: File 1
[83]: Q147222
[84]: KB887998 - QFE
[85]: KB930494 - QFE
[86]: SP3 - SP
[87]: M928366 - Update
[88]: S867460 - Update
[89]: KB888316 - Update
[90]: KB894553 - Update
[91]: KB895678 - Update
[92]: MC05Upd1 - Update
[93]: KB900325 - Update
[94]: Q927978
[95]: Q936181
[96]: Q954430
[97]: IDNMitigationAPIs - Update
[98]: NLSDownlevelMapping - Update
[99]: KB929399
[100]: KB952069_WM9
[101]: KB968816_WM9
[102]: KB973540_WM9
[103]: KB911565
[104]: KB913800
[105]: KB917734_WMP10
[106]: KB926251
[107]: KB936782_WMP10
[108]: KB936782_WMP11
[109]: KB939683
[110]: KB954154_WM11
[111]: KB959772_WM11
[112]: KB925398_WMP64
[113]: KB923689
[114]: KB941569
[115]: KB928090-IE7 - Update
[116]: KB929969 - Update
[117]: KB931768-IE7 - Update
[118]: KB933566-IE7 - Update
[119]: KB937143-IE7 - Update
[120]: KB938127-IE7 - Update
[121]: KB939653-IE7 - Update
[122]: KB942615-IE7 - Update
[123]: KB944533-IE7 - Update
[124]: KB947864-IE7 - Update
[125]: KB950759-IE7 - Update
[126]: KB953838-IE7 - Update
[127]: KB956390-IE7 - Update
[128]: KB958215-IE7 - Update
[129]: KB960714-IE7 - Update
[130]: KB961260-IE7 - Update
[131]: KB963027-IE7 - Update
[132]: KB969897-IE7 - Update
[133]: KB969897-IE8 - Update
[134]: KB971930-IE8 - Update
[135]: KB971961-IE8 - Update
[136]: KB972260-IE8 - Update
[137]: MSCompPackV1 - Update
[138]: KB936929 - Service Pack
[139]: KB923561 - Update
[140]: KB938464 - Update
[141]: KB938464-v2 - Update
[142]: KB946648 - Update
[143]: KB950760 - Update
[144]: KB950762 - Update
[145]: KB950974 - Update
[146]: KB951066 - Update
[147]: KB951072-v2 - Update
[148]: KB951376 - Update
[149]: KB951376-v2 - Update
[150]: KB951698 - Update
[151]: KB951748 - Update
[152]: KB951978 - Update
[153]: KB952004 - Update
[154]: KB952287 - Update
[155]: KB952954 - Update
[156]: KB953839 - Update
[157]: KB954211 - Update
[158]: KB954459 - Update
[159]: KB954550-v5 - Update
[160]: KB954600 - Update
[161]: KB955069 - Update
[162]: KB955839 - Update
[163]: KB956391 - Update
[164]: KB956572 - Update
[165]: KB956744 - Update
[166]: KB956802 - Update
[167]: KB956803 - Update
[168]: KB956841 - Update
[169]: KB956844 - Update
[170]: KB957095 - Update
[171]: KB957097 - Update
[172]: KB958644 - Update
[173]: KB958687 - Update
[174]: KB958690 - Update
[175]: KB959426 - Update
[176]: KB960225 - Update
[177]: KB960715 - Update
[178]: KB960803 - Update
[179]: KB960859 - Update
[180]: KB961118 - Update
[181]: KB961371 - Update
[182]: KB961373 - Update
[183]: KB961501 - Update
[184]: KB967715 - Update
[185]: KB968389 - Update
[186]: KB968537 - Update
[187]: KB969898 - Update
[188]: KB970238 - Update
[189]: KB970653-v3 - Update
[190]: KB971557 - Update
[191]: KB971633 - Update
[192]: KB971657 - Update
[193]: KB973346 - Update
[194]: KB973354 - Update
[195]: KB973507 - Update
[196]: KB973815 - Update
[197]: KB973869 - Update
NetWork Card(s): 3 NIC(s) Installed.
[01]: Intel® PRO/100 VE Network Connection
Connection Name: Local Area Connection
[02]: Intel® PRO/Wireless 3945ABG Network Connection
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.2.1
IP address(es)
[01]: 192.168.2.2
[03]: 1394 Net Adapter
Connection Name: 1394 Connection
10:33:14:406 SetPrivileges: OpenThreadToken error 1008
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:406 ForceUnloadDriver: NtUnloadDriver error 2
10:33:14:500 main: Driver KLMD successfully dropped
10:33:14:546 main: Driver KLMD successfully loaded
10:33:14:546
scanning registry ...
10:33:14:593 ScanServices: Searching service UACd.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service TDSSserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service gaopdxserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service gxvxcserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service MSIVXserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:609 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
10:33:14:812 UnhookRegistry: Kernel local addr: C00000
10:33:15:15 UnhookRegistry: KeServiceDescriptorTable addr: C8B520
10:33:15:15 UnhookRegistry: KiServiceTable addr: C0D8B0
10:33:15:62 UnhookRegistry: NtEnumerateKey service number (local): 47
10:33:15:62 UnhookRegistry: NtEnumerateKey local addr: CA1E14
10:33:15:234 KLMD_OpenDevice: Trying to open KLMD device
10:33:15:234 KLMD_GetSystemRoutineAddress: Trying to get system routine address ZwEnumerateKey
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
10:33:15:234 UnhookRegistry: NtEnumerateKey service number (kernel): 47
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
10:33:15:234 UnhookRegistry: NtEnumerateKey real addr: 80578E14
10:33:15:234 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
10:33:15:234 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:33:15:234 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
10:33:15:234 UnhookRegistry: Splicing found on NtEnumerateKey
10:33:15:234 KLMD_WriteMem: Trying to WriteMemory 0x80578E14[0xA]
10:33:15:234 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
10:33:15:234
completed
10:33:15:234 Files deleted on next reboot: 0
10:33:15:234 Registry node deleted on next reboot: 0
10:33:15:234
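The TDSSKiller report above repays a close read. The ScanServices lines probe the registry for service names the tool associates with rootkit families it knows; "Open/Create key error 2" is Win32 ERROR_FILE_NOT_FOUND, so none of those services exist on this machine. The UnhookRegistry lines load a private copy of ntoskrnl.exe, find NtEnumerateKey in it (local addr CA1E14 in an image based at C00000), rebase that onto the running kernel (base 804D7000) to get the "calc addr" 80578E14, and compare it with the "real addr" read from the live service descriptor table: equal, so the table itself was not patched. The tool then reads the first 0xA bytes of the function and finds splicing, i.e. an inline jump written over the routine's first instructions, which it overwrites. The script below is an added example, not TDSSKiller's or Kaspersky's code: it turns those log lines into a summary, recomputes the rebasing arithmetic, and includes a simplified prologue check showing what "splicing found" means in practice (XP-era kernel routines built for hot patching begin with `mov edi,edi / push ebp / mov ebp,esp`, bytes 8B FF 55 8B EC, whereas a spliced entry begins with a transfer of control). The sample log is an excerpt of the posted report; the byte sequences fed to the prologue check are constructed for the example.

```python
import re

# Constructed sample input: the lines of the TDSSKiller report posted above that the
# parser uses (copied from the thread, timestamps as printed there; list shortened).
SAMPLE_LOG = """\
10:33:14:593 ScanServices: Searching service UACd.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:593 ScanServices: Searching service TDSSserv.sys
10:33:14:593 ScanServices: Open/Create key error 2
10:33:14:609 UnhookRegistry: Kernel module file name: C:\\windows\\system32\\ntoskrnl.exe, base addr: 804D7000
10:33:14:812 UnhookRegistry: Kernel local addr: C00000
10:33:15:62 UnhookRegistry: NtEnumerateKey local addr: CA1E14
10:33:15:234 UnhookRegistry: NtEnumerateKey real addr: 80578E14
10:33:15:234 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
10:33:15:234 UnhookRegistry: Splicing found on NtEnumerateKey
10:33:15:234 UnhookRegistry: NtEnumerateKey (Splicing) unhooked successfully
10:33:15:234 Files deleted on next reboot: 0
10:33:15:234 Registry node deleted on next reboot: 0
"""

ERROR_FILE_NOT_FOUND = 2  # Win32 error code: the registry key does not exist
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d+ ")
SERVICE_RE = re.compile(r"ScanServices: Searching service (\S+)")
KEYERR_RE = re.compile(r"ScanServices: Open/Create key error (\d+)")
BASE_RE = re.compile(r"UnhookRegistry: Kernel (?:module file name: .*base|(local)) addr: ([0-9A-Fa-f]+)")
FNADDR_RE = re.compile(r"UnhookRegistry: (\w+) (local|real|calc) addr: ([0-9A-Fa-f]+)")
SPLICE_RE = re.compile(r"UnhookRegistry: Splicing found on (\w+)")
UNHOOK_RE = re.compile(r"UnhookRegistry: (\w+) \(\w+\) unhooked successfully")
DELETED_RE = re.compile(r"(Files|Registry node) deleted on next reboot: (\d+)")


def expected_kernel_addr(local_addr: int, local_base: int, kernel_base: int) -> int:
    """Rebase an address found in a locally mapped copy of ntoskrnl.exe onto the
    running kernel; this is the 'calc addr' the log compares with 'real addr'."""
    return local_addr - local_base + kernel_base


def parse_tdsskiller_log(text: str) -> dict:
    """Summarise the ScanServices and UnhookRegistry phases of a TDSSKiller log."""
    s = {"services_absent": [], "services_present": [], "lookup_errors": [],
         "sdt_hooks": [], "spliced": [], "unhooked": [],
         "files_deleted": None, "registry_deleted": None, "addresses": {}}
    bases = {}       # "kernel" / "local" image base addresses
    pending = None   # service name whose registry lookup result is not yet seen

    def settle(found: bool) -> None:
        nonlocal pending
        if pending is not None:
            s["services_present" if found else "services_absent"].append(pending)
            pending = None

    for raw in text.splitlines():
        msg = TIMESTAMP_RE.sub("", raw, count=1)
        if m := SERVICE_RE.search(msg):
            settle(found=True)   # previous search produced no error line, so its key existed
            pending = m.group(1)
        elif m := KEYERR_RE.search(msg):
            code = int(m.group(1))
            if code == ERROR_FILE_NOT_FOUND:
                settle(found=False)
            else:
                s["lookup_errors"].append((pending, code))
                pending = None
        elif m := BASE_RE.search(msg):
            bases["local" if m.group(1) else "kernel"] = int(m.group(2), 16)
        elif m := FNADDR_RE.search(msg):
            s["addresses"].setdefault(m.group(1), {})[m.group(2)] = int(m.group(3), 16)
        elif m := SPLICE_RE.search(msg):
            s["spliced"].append(m.group(1))
        elif m := UNHOOK_RE.search(msg):
            s["unhooked"].append(m.group(1))
        elif m := DELETED_RE.search(msg):
            s["files_deleted" if m.group(1) == "Files" else "registry_deleted"] = int(m.group(2))
    settle(found=True)

    # SDT check: the live dispatch-table entry (real) must equal the address rebased
    # from the on-disk kernel image (calc); a mismatch means the table was patched.
    for fn, a in s["addresses"].items():
        if "local" in a and "kernel" in bases and "local" in bases:
            a.setdefault("calc", expected_kernel_addr(a["local"], bases["local"], bases["kernel"]))
        if "real" in a and "calc" in a and a["real"] != a["calc"]:
            s["sdt_hooks"].append(fn)
    return s


# What "splicing" means: the routine's first bytes were replaced by a transfer of
# control. XP-era kernel routines built for hot patching start with
# mov edi,edi / push ebp / mov ebp,esp, so that is what an untouched entry looks like.
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")


def looks_spliced(entry: bytes) -> bool:
    """Simplified inline-hook check on a function's first bytes (an illustration of
    the idea, not TDSSKiller's algorithm)."""
    return (entry[:1] in (b"\xE9", b"\xEB")                          # jmp rel32 / rel8
            or entry[:2] == b"\xFF\x25"                               # jmp dword ptr [addr]
            or (entry[:1] == b"\x68" and entry[5:6] == b"\xC3")       # push imm32 ; ret
            or (entry[:1] == b"\xB8" and entry[5:7] == b"\xFF\xE0"))  # mov eax,imm32 ; jmp eax


if __name__ == "__main__":
    print(parse_tdsskiller_log(SAMPLE_LOG))
    # Constructed prologues: an untouched hotpatch entry and one overwritten by a jmp rel32.
    print(looks_spliced(HOTPATCH_PROLOGUE + b"\x83\xEC\x10"), looks_spliced(b"\xE9\x00\x10\x00\x00" + b"\x90" * 5))
```

The arithmetic in `expected_kernel_addr` is exactly what the log shows: CA1E14 - C00000 + 804D7000 = 80578E14, which matches the real address, so the verdict "no SDT hooks, splicing found" means the hook was inside the function body, not in the dispatch table.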

#52 Dakeyras

Posted 25 September 2009 - 12:41 PM

Hi. :)

Please delete your current copy of ComboFix and empty the Recycle Bin.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Extra Note: Please ensure that you allow the Recovery Console to be installed if prompted as we may need to use this.

When completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any other symptoms and/or problems encountered?
  • ComboFix Log.

#53 voight75

Posted 25 September 2009 - 01:43 PM

Dakeyras,

Same problem with combofix, yet again. It just will not start the auto-scan. It loads, creates system restore, then states that scan is about to begin (may take 10 minutes etc.), then nothing at all. I let it sit for almost 40 minutes, and still nothing. This has happened every time I have tried to run combofix, except the once I ran it in Safe Mode.

#54 Dakeyras

Posted 25 September 2009 - 03:16 PM

Hi. :)

Hmmmm, not looking good at all, I'm afraid. Be prepared, as mentioned prior, that I may have to recommend a reformat and reinstallation of the Windows operating system. :)

The below may seem tedious but bear with myself on this please.

OK, was the Recovery Console installed during the last or any of the previous ComboFix runs in Normal Mode?

If not sure, a quick and easy way to check is to reboot your machine; just after the POST (power-on self-test) check you should see these options as shown here.

Next:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\windows\ntbtlog.txt

Then empty the Recycle Bin.

  • Restart your computer.
  • Just before the XP loading screen starts, hit F8 as if going to Safe Mode.
  • From the advanced boot menu choose "enable boot logging", then hit Enter.
  • Post the following file: C:\windows\ntbtlog.txt

Next:

Please download IceSword and extract it to the desktop.

Once IceSword is extracted, with all browser and Explorer windows closed, run IceSword.

  • Once IceSword is open, click the Win32 Service Function on the left Menu Bar.
    If any red entries are found, click the blue Log Tab at the top of the screen and save the log to the documents folder as service-list.txt.
  • Now, click IceSword's Process Function on the left Menu Bar.
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to the documents folder as processlist.txt.

Note: If need be, use multiple replies to post any logs and/or upload to my channel.

#55 voight75

Posted 25 September 2009 - 03:53 PM

Dakeyras,

There were no red entries found using Ice Sword. If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc.). Is there anything else I need to be doing? Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

Here is the ntbtlog.txt:

Service Pack 3 9 25 2009 15:31:22.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver TVALZ.SYS
Loaded driver Thpevm.SYS
Loaded driver thpdrv.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\w39n51.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\drivers\tifm21.sys
Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\Apfiltr.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdcmdpst.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\drivers\iviaspi.sys
Loaded driver \SystemRoot\system32\drivers\pfc.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\tbiosdrv.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\ADIHdAud.sys
Loaded driver \SystemRoot\system32\drivers\AEAudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Udfs.SYS
Loaded driver \SystemRoot\System32\Drivers\meiudf.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipfltdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Mpfp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
Loaded driver \SystemRoot\System32\Drivers\tcusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\mfehidk.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\tdudf.sys
Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys
Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\system32\DRIVERS\netdevio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\System32\Drivers\ASCTRM.SYS
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Did not load driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Did not load driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\drivers\mfebopk.sys
Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\Drivers\IsDrv122.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
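A few notes on reading an ntbtlog.txt like the one above, plus an added script (not from the thread, and not GMER's or Microsoft's code) that does the tedious part. The log spells driver paths three ways: boot-start drivers loaded by the boot loader appear by file name alone (ACPI.sys), drivers started later appear relative to \SystemRoot, and drivers whose service has an absolute ImagePath appear as \??\C:\... NT-namespace paths. Normalising all three onto one Win32 path lets you list which drivers were loaded from outside the Windows directory tree (in the posted log, the Trusteer Rapport drivers under Program Files), which drivers failed to load, and which images were loaded more than once. The sample input is an excerpt of the posted log; C:\WINDOWS as the Windows directory is taken from the systeminfo block in the TDSSKiller report earlier in the thread.

```python
from collections import Counter

# Constructed sample input: an excerpt of the ntbtlog.txt posted above (lines
# copied verbatim, list shortened), embedded so the script runs offline.
SAMPLE_NTBTLOG = r"""
Service Pack 3 9 25 2009 15:31:22.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Loaded driver \SystemRoot\system32\DRIVERS\Tvs.sys
Loaded driver \SystemRoot\system32\drivers\LVUSBSta.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Loaded driver \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Loaded driver \SystemRoot\System32\Drivers\IsDrv122.sys
"""

# Windows directory as reported in the systeminfo block of the TDSSKiller report.
WINDOWS_DIR = r"C:\WINDOWS"


def normalize_driver_path(path: str, windows_dir: str = WINDOWS_DIR) -> str:
    """Map the three spellings ntbtlog.txt uses onto one Win32 path:
    - a bare file name: a boot-start driver, loaded by the boot loader from
      system32\\drivers before the rest of the system is up;
    - \\SystemRoot\\... or \\WINDOWS\\...: relative to the Windows directory;
    - \\??\\C:\\...: an absolute NT-namespace path, typically from a service
      whose ImagePath is an absolute path rather than a system32-relative one.
    """
    drive = windows_dir.split("\\", 1)[0]            # "C:"
    low = path.lower()
    if low.startswith("\\??\\"):
        return path[4:]
    if low.startswith("\\systemroot\\"):
        return windows_dir + path[len("\\SystemRoot"):]
    if path.startswith("\\"):
        return drive + path
    return windows_dir + "\\system32\\drivers\\" + path


def parse_ntbtlog(text: str) -> list[tuple[bool, str]]:
    """(loaded?, raw path) for each driver line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Loaded driver "):
            entries.append((True, line[len("Loaded driver "):].strip()))
        elif line.startswith("Did not load driver "):
            entries.append((False, line[len("Did not load driver "):].strip()))
    return entries


def review(text: str, windows_dir: str = WINDOWS_DIR) -> dict:
    """Counts, load failures, out-of-tree drivers and repeated loads for one boot log."""
    entries = parse_ntbtlog(text)
    loaded = [p for ok, p in entries if ok]
    normalized = [normalize_driver_path(p, windows_dir) for p in loaded]
    prefix = windows_dir.lower() + "\\"
    names = Counter(n.rsplit("\\", 1)[-1].lower() for n in normalized)
    return {
        "loaded": len(loaded),
        "failed": [p for ok, p in entries if not ok],
        # drivers that did not come from the Windows directory tree: review these first
        "outside_windows_dir": sorted({n for n in normalized if not n.lower().startswith(prefix)}),
        # the same image loaded more than once (per-device instances, unload/reload cycles)
        "repeated_loads": {n: c for n, c in names.items() if c > 1},
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_NTBTLOG).items():
        print(f"{key}: {value}")
```

Out-of-tree and repeated entries are not verdicts, only a reading order: the point of the normalisation is that a driver under Program Files and one under system32\drivers are judged by where they actually live, not by how the loader happened to spell the path.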

#56 voight75

Posted 25 September 2009 - 03:55 PM

Oh, I almost forgot, the Recovery Console is installed.

#57 Dakeyras

Posted 25 September 2009 - 05:10 PM

Hi. :)

If I need to reformat/reinstall, what do I need to do to prepare? I am going to buy a couple of memory sticks to put all of my personal files on (photos, music etc.). Is there anything else I need to be doing?

What you have mentioned re backing up is fine, and I will provide advice on how to use your Toshiba CDs to do so if need be.

Also, are your colleagues having as much trouble with this Rootkit as we are, or is there something especially pernicious about my situation? I appreciate all of your help. Thanks.

It is proving to be somewhat of a challenge to pinpoint exactly what the launch vector is, and you are very welcome!

Oh, I almost forgot, the Recovery Console is installed.

Good to know.

Boot.ini Check:

I would like to check the current state of the Boot.ini file to check if it is corrupted or not as follows:
  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <----Start >> Run... type in notepad and select OK
@Echo off
xcopy C:\boot.ini "%userprofile%\desktop\" /h
attrib -s -h "%userprofile%\desktop\boot.ini"
ren "%userprofile%\desktop\boot.ini" bootini.txt
Del %0
  • Go to File >> Save As
  • Save File name as "Look.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: [screenshot]
Now double click on the desktop Look.bat to run the batch file. It will self-delete when completed and produce a notepad text file named bootini on your desktop.

Member of UNITE
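A check a helper could run over the bootini.txt the batch file above produces, added here as an example and not part of Dakeyras's instructions: it parses the INI sections of boot.ini and reports anything that does not match a stock XP install (a default= line with no matching entry, an entry whose path is neither an ARC path nor the Recovery Console, or an unrecognised switch). The first sample is the boot.ini posted in this thread; the second is a constructed, deliberately tampered one; the list of known switches is an assumption.

```python
import re
# Constructed sample: the boot.ini posted in this thread, unmodified.
CLEAN = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /forceresetreg
"""
# Constructed tampered sample: default= names a partition with no entry, and an extra entry boots a plain file.
TAMPERED = """[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP" /fastdetect
C:\\EXAMPLE\\LOADER.BIN="Windows XP" /fastdetect
"""
# ARC-style boot path as written by XP setup; the Recovery Console is the one non-ARC entry a stock install adds.
ARC_PATH = re.compile(r"^(multi|scsi|signature)\([0-9a-fA-F]+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$")
RECOVERY_CONSOLE = "C:\\CMDCONS\\BOOTSECT.DAT"
# Assumed list: switches from stock XP installs plus those on the boot.ini posted here; others are reported for review.
KNOWN_SWITCHES = {"/fastdetect", "/noexecute", "/cmdcons", "/forceresetreg", "/safeboot", "/sos", "/bootlog", "/noguiboot"}

def parse_boot_ini(text):
    # boot.ini is INI syntax: [section] headers and key=value lines; split each line at the first '='.
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_boot_ini(text):
    # Returns a list of findings; an empty list means nothing looked out of place.
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries = sections.get("operating systems", [])
    findings = []
    if loader.get("default") not in [path for path, _ in entries]:
        findings.append("default= has no matching [operating systems] entry: %s" % loader.get("default"))
    for path, value in entries:
        if not ARC_PATH.match(path) and path.upper() != RECOVERY_CONSOLE:
            findings.append("non-standard boot entry path: " + path)
        # Strip the quoted description first so a '/' inside it is not read as a switch.
        for switch in re.findall(r"/\S+", re.sub(r'"[^"]*"', "", value)):
            if switch.split("=", 1)[0].lower() not in KNOWN_SWITCHES:
                findings.append("unrecognised switch %s on %s" % (switch, path))
    return findings
```

Run check_boot_ini on the text of bootini.txt; the posted boot.ini produces no findings, the tampered one produces two.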


#58 voight75

voight75

    New Member

  • Members
  • Pip
  • 35 posts

Posted 25 September 2009 - 05:22 PM

Dakeyras,

Here you go:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /forceresetreg

#59 Dakeyras

Dakeyras

    True Member

  • Experts
  • PipPipPipPip
  • 437 posts
  • Gender:Male
  • Location:The Tundra

Posted 25 September 2009 - 09:38 PM

Hi. :)

I can no longer in good conscience let this malware infection remain on your computer.

Being honest, so far I have been unable to identify the cause and would be doing your good self a disservice if I let your computer remain infected and used online.

Some may disagree with my attitude/decision about what I have decided.............but I was both taught and trained long and hard to get into the position I am in today to be able to both assist and provide advice for individuals such as your good self.

The first tenet being do no harm to an individual's computer and/or leave them exposed to malware unduly.

I stand by what I have mentioned above and what is the most prudent course of action I mention below/now, voight75.

With this in mind, my most honest advice now is for your good self to disconnect this computer from the Internet immediately. If you do any banking or other financial transactions on the computer or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Then carry out/perform a reformat and reinstallation of the Windows operating system.

How to do so as follows:

Using the Toshiba Recovery CDs is outlined here and you can check for your exact model.

If you require further advice about using the above recovery CDs, by all means inform myself and I will research further on your behalf to find the exact methodology.

The below is some advice I do have on what to do after the reformat and reinstallation.

Reformat and Reinstallation Advice:

  • Use an Anti Virus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:
    • Antivir PersonalEditionClassic
      • Free anti-virus software for Windows.
      • Detects and removes more than 50,000 viruses. Free support.
    • avast! 4 Home Edition
        • Anti-virus program for Windows.
        • The home edition is freeware for noncommercial users.
    • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
      Here are some free Firewalls which I recommend to use:
      (Use only one, and disable your Windows Firewall)
    Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!

    Keep your system updated - Microsoft releases patches for Windows and other products regularly:
    • I advise you visit: http://update.micros...t.aspx?ln=en-us
    • Install the Active X
    • Once installed it will advise you to set Auto-Updates if not set, and then you will also be able to manually check for updates via:
    • Start >> All Programs >> Microsoft Updates
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Malwarebytes' Anti-Malware - Download it from here
    The tutorial on how to use MBAM is located here
  • Install WinPatrol - Download it from here
    You can find information about how WinPatrol works here
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here
    The tutorial on how to use Spyware Blaster is located here
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for your computer becoming infected again will reduce dramatically. Any questions feel free to ask OK!

Member of UNITE


#60 voight75

voight75

    New Member

  • Members
  • Pip
  • 35 posts

Posted 26 September 2009 - 12:01 AM

Dakeyras,

Ok, this is what I had feared. I will back up tomorrow and then either Sunday or Monday do the reformat, using the Toshiba provided CDs. Will I lose my McAfee etc. when I reformat, ie: will I have to buy a new subscription etc.? I will most likely have other questions relating to the reformat, so please keep an eye out here, as I will definitely have questions. Thank you for all of your help.



