Yet another TDL4@MBR

Hello and thanks in advance for your support

On Tuesday 26-APR-2011 at 20:50 CST I received a pop-up notification from my then security application Microsoft Security Essentials that an item had been detected on a website I was on and that it was quarantined. The description of the item was EXPLOIT:Win32/Pdfjsc.oj.

I went merrily along my way thinking all was well. Of course it was not. MSE found ROOTKIT TDSS during a full scan and indicated that a reboot would solve it. Doing this three or four times did not solve it. Malware Bytes does not find anything. TDSSKiller only gets to 80% then stops.

I removed MSE last night and installed the trial version of Avast then performed a full scan and a boot scan. Nothing was found, but the bad url message has appeared several times.

After reading this forum some, I downloaded and ran aswMBR, and the log shows these results. I did press FIX MBR and rebooted, then ran aswMBR again and TDL4@MBR was found again.

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 17:35:33

17:35:33.093 OS Version: Windows 5.1.2600 Service Pack 3
17:35:33.093 Number of processors: 1 586 0x204
17:35:33.093 ComputerName: A(lastname) UserName:
17:35:33.781 Initialize success
17:35:38.093 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
17:35:38.093 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
17:35:38.093 Device \Driver\atapi → DriverStartIo 8a53933b
17:35:40.093 Disk 0 MBR read successfully
17:35:40.093 Disk 0 MBR scan
17:35:40.093 Disk 0 TDL4@MBR code has been found
17:35:40.093 Disk 0 MBR hidden
17:35:40.093 Disk 0 MBR [TDL4] ROOTKIT
17:35:40.093 Disk 0 trace - called modules:
17:35:40.093 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5394f0]<<
17:35:40.093 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a5c3ab8]
17:35:40.093 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → [0x8a4d4190]
17:35:40.093 \Driver\atapi[0x8a5c1858] → IRP_MJ_CREATE → 0x8a5394f0
17:35:40.093 Scan finished successfully
17:40:08.968 Disk 0 fixing MBR
17:40:08.984 Infection fixed successfully - please reboot ASAP
17:40:15.671 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\MBR.dat”
17:40:15.671 The log file has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\aswMBR.txt”

The last time I rebooted it came up to the BSOD with an error message IRQL_NOT_LESS_OR_EQUAL. I rebooted and it is working.

What shall I do next?

Thanks,
EAGLEWI

17:35:40.093 Disk 0 TDL4@MBR code has been found
17:35:40.093 Disk 0 MBR hidden
17:35:40.093 Disk 0 MBR [TDL4] **ROOTKIT**
  • scan again and click “FIX” and reboot
  • after reboot, new scan and click “save log” then post that log here in your next reply

Rescanned the system, pressed FIX (not FIX MBR as previously indicated; that is/was greyed out), rebooted. Came up to BSOD with the same error message as before. Rebooted, came up to the desktop without anything on it. Waited 10 minutes then rebooted again. Ran aswMBR and saved the log; results below:

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 19:16:21

19:16:21.828 OS Version: Windows 5.1.2600 Service Pack 3
19:16:21.828 Number of processors: 1 586 0x204
19:16:21.828 ComputerName: AMIELKE UserName:
19:16:22.515 Initialize success
19:16:24.578 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
19:16:24.578 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
19:16:24.578 Device \Driver\atapi → DriverStartIo 8a53d33b
19:16:26.578 Disk 0 MBR read successfully
19:16:26.578 Disk 0 MBR scan
19:16:26.578 Disk 0 TDL4@MBR code has been found
19:16:26.578 Disk 0 MBR hidden
19:16:26.578 Disk 0 MBR [TDL4] ROOTKIT
19:16:26.578 Disk 0 trace - called modules:
19:16:26.578 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a53d4f0]<<
19:16:26.578 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a584ab8]
19:16:26.578 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → [0x8a54ce58]
19:16:26.578 \Driver\atapi[0x8a5576f0] → IRP_MJ_CREATE → 0x8a53d4f0
19:16:26.578 Scan finished successfully
19:16:33.031 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\MBR.dat”
19:16:33.031 The log file has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\aswMBR.txt”

I have been leaving avast! Antivirus up and running while I do these scans. Is that correct, or do I need to disable avast! Antivirus first?

Could you confirm that you pressed the fix button, as reading the log it appears that you may have pressed save log.

19:16:33.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ann (lastname)\Desktop\MBR.dat"
19:16:33.031 The log file has been saved successfully to "C:\Documents and Settings\Ann (lastname)\Desktop\aswMBR.txt"

If you did press the **FIX** button, did you get asked to reboot?

Yes, I pressed the FIX button and was asked to reboot. I did this 4 times. Running aswMBR still showed the rootkit, TDSSKiller would not complete, random Google redirects, etc. In other words, still sick.

I am not sure, but I believe that I have fixed my system. Out of desperation I booted into the recovery console from an XP CD and ran the FIXMBR command which reported success. After this I booted and ran aswMBR which showed no problems, TDSSKiller which actually ran and showed no problems, Combofix which showed no problems, Malware Bytes which showed no problems, and of course a full avast! Virus Scan which found no problems.

Here are the scan results from aswMBR.

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-29 20:27:52

20:27:52.062 OS Version: Windows 5.1.2600 Service Pack 3
20:27:52.062 Number of processors: 1 586 0x204
20:27:52.062 ComputerName: A(lastname) UserName:
20:27:52.765 Initialize success
20:27:55.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
20:27:55.203 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
20:27:57.218 Disk 0 MBR read successfully
20:27:57.218 Disk 0 MBR scan
20:27:59.265 Disk 0 scanning sectors +156296385
20:27:59.281 Disk 0 scanning C:\WINDOWS\system32\drivers
20:28:10.718 Service scanning
20:28:11.984 Disk 0 trace - called modules:
20:28:12.000 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:28:12.000 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a5c4ab8]
20:28:12.000 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a596b00]
20:28:12.000 Scan finished successfully
20:28:36.953 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\MBR.dat”
20:28:36.953 The log file has been saved successfully to “C:\Documents and Settings\Ann (lastname)\Desktop\maybe clean aswMBR.txt”

Is it safe to believe that the system is back to normal?

Would running additional scans and attaching the logs be beneficial in pronouncing the system to be clean?

Thanks,
EagleWI

Running aswMBR still showed the rootkit, tdsskiller would not complete, random google re-directs, etc. In other words, still sick

I am not sure, but I believe that I have fixed my system. Out of desperation I booted into the recovery console from an XP CD and ran the FIXMBR command which reported success. After this I booted and ran aswMBR which showed no problems, TDSSKiller which actually ran and showed no problems,

This is the new variant; it is becoming very prevalent at the moment, and the only way to cure it is to do what you have done: Fixmbr via the recovery console.

Are you experiencing any other problems?

No, it appears to be operating normally at this time (fingers crossed). Time will tell though.

For info, aswMBR has now been updated to fix this problem without recourse to the RC, but it has only just been released ;D

Let it run for a day or so, and then if there are no problems you should be good.

I tried the updated fix; it worked, as I was also infected. Only one thing: when the program had finished and declared me “fixed”, it froze. I had to reboot via the power button, but I was able to restart with no issues. TY VM for this, as it is a little nasty bugger. Cheers.

Ta, I will pass that on about the freezing; I have seen two instances of that now. But the fix still works.

Hi, I have pretty much the same problem. I tried to run aswMBR, and it produced this log:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 22:56:03

22:56:03.015 OS Version: Windows 5.1.2600 Service Pack 2
22:56:03.015 Number of processors: 1 586 0x207
22:56:03.015 ComputerName: SANDRA UserName: user
22:56:03.937 Initialize success
22:56:16.218 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
22:56:16.218 Disk 0 Vendor: Size: 0MB BusType: 0
22:56:16.218 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
22:56:16.218 Disk 1 Vendor: Maxtor_90680D4 PAS23B15 Size: 6485MB BusType: 3
22:56:16.218 Device \Driver\atapi → DriverStartIo 8234733b
22:56:18.234 Disk 0 MBR read successfully
22:56:18.250 Disk 0 MBR scan
22:56:18.250 Disk 0 TDL4@MBR code has been found
22:56:18.250 Disk 0 MBR hidden
22:56:18.250 Disk 0 MBR [TDL4] ROOTKIT
22:56:18.250 Disk 0 scanning C:\WINDOWS\system32\drivers
22:56:29.078 Service scanning
22:56:30.828 Service a3ee8651 C:\WINDOWS\System32\drivers\a3ee8651.sys HIDDEN
22:56:30.875 Service c59cd21b C:\WINDOWS\System32\drivers\c59cd21b.sys HIDDEN
22:56:31.968 Disk 0 trace - called modules:
22:56:31.968 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x823474f0]<<
22:56:31.984 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x823739c0]
22:56:31.984 3 CLASSPNP.SYS[f859405b] → nt!IofCallDriver → \Device\0000005c[0x823d2f18]
22:56:31.984 5 ACPI.sys[f84f9620] → nt!IofCallDriver → [0x82375b58]
22:56:31.984 \Driver\atapi[0x8239b030] → IRP_MJ_CREATE → 0x823474f0
22:56:31.984 Scan finished successfully
22:57:24.093 Disk 0 MBR has been saved successfully to “\Ares\Inbox\MBR.dat”
22:57:24.093 The log file has been saved successfully to “\Ares\Inbox\aswMBR.txt”

Now, what leaves me with a headache is that, at the end, aswMBR enables the “FixMBR” button, and NOT the “Fix” button that I expected (as the rootkit appears to be a TDL4@MBR per the log).

Why, and what should I do? Go for the recovery console and try with FIXMBR?

Is the secondary hard disk the reason it enabled FixMBR and not Fix?

Enlighten me, please, 'coz I'm in the deep dark right now.

It is also indicating two possible rootkits as well

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

  • If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Thank you very much for the faster than light answer.

Here is the log from TDSSKiller:

2011/05/03 23:37:58.0406 0864 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/03 23:38:00.0750 0864 ================================================================================
2011/05/03 23:38:00.0750 0864 SystemInfo:
2011/05/03 23:38:00.0750 0864
2011/05/03 23:38:00.0750 0864 OS Version: 5.1.2600 ServicePack: 2.0
2011/05/03 23:38:00.0812 0864 Product type: Workstation
2011/05/03 23:38:00.0812 0864 ComputerName: SANDRA
2011/05/03 23:38:00.0812 0864 UserName: user
2011/05/03 23:38:00.0875 0864 Windows directory: C:\WINDOWS
2011/05/03 23:38:00.0875 0864 System windows directory: C:\WINDOWS
2011/05/03 23:38:00.0875 0864 Processor architecture: Intel x86
2011/05/03 23:38:00.0875 0864 Number of processors: 1
2011/05/03 23:38:00.0875 0864 Page size: 0x1000
2011/05/03 23:38:00.0875 0864 Boot type: Normal boot
2011/05/03 23:38:00.0937 0864 ================================================================================
2011/05/03 23:38:05.0500 0864 Initialize success
2011/05/03 23:38:11.0609 0924 ================================================================================
2011/05/03 23:38:11.0609 0924 Scan started
2011/05/03 23:38:11.0609 0924 Mode: Manual;
2011/05/03 23:38:11.0609 0924 ================================================================================
2011/05/03 23:38:14.0531 0924 Suspicious service (NoAccess): a3ee8651
2011/05/03 23:38:14.0718 0924 a3ee8651 (8fdbd3f6be8a9b156eea052a994c96df) C:\WINDOWS\System32\drivers\a3ee8651.sys
2011/05/03 23:38:14.0718 0924 Suspicious file (NoAccess): C:\WINDOWS\System32\drivers\a3ee8651.sys. md5: 8fdbd3f6be8a9b156eea052a994c96df
2011/05/03 23:38:14.0734 0924 a3ee8651 - detected LockedService.Multi.Generic (1)
2011/05/03 23:38:15.0453 0924 ACPI (33d1373ee875ce8b063777f7e77815b7) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/03 23:38:15.0953 0924 ACPIEC (1c905333c0b9f3d7c68ddf25e54b00f9) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/03 23:38:16.0750 0924 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/05/03 23:38:17.0203 0924 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/05/03 23:38:19.0125 0924 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/03 23:38:19.0718 0924 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/03 23:38:20.0250 0924 atksgt (5b80e84af6b02ecab72dae9afee06309) C:\WINDOWS\system32\DRIVERS\atksgt.sys
2011/05/03 23:38:20.0921 0924 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/03 23:38:21.0484 0924 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/03 23:38:21.0843 0924 avgldx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2011/05/03 23:38:22.0515 0924 avgmfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2011/05/03 23:38:23.0031 0924 avgtdix (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
2011/05/03 23:38:23.0546 0924 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/03 23:38:23.0765 0924 Suspicious service (NoAccess): c59cd21b
2011/05/03 23:38:23.0921 0924 c59cd21b (33c978f68655fae66580026153e09297) C:\WINDOWS\System32\drivers\c59cd21b.sys
2011/05/03 23:38:23.0921 0924 Suspicious file (NoAccess): C:\WINDOWS\System32\drivers\c59cd21b.sys. md5: 33c978f68655fae66580026153e09297

continue in next post

– From previous post

2011/05/03 23:38:24.0031 0924 c59cd21b - detected LockedService.Multi.Generic (1)
2011/05/03 23:38:24.0421 0924 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/03 23:38:25.0062 0924 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/03 23:38:25.0421 0924 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/03 23:38:25.0828 0924 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/03 23:38:26.0812 0924 cmuda (e5adeef2c0db43964223f408f1fcc97e) C:\WINDOWS\system32\drivers\cmuda.sys
2011/05/03 23:38:27.0937 0924 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/03 23:38:28.0375 0924 dmboot (9fb634a0ed429aa64de57c53dd10ccf9) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/03 23:38:29.0000 0924 dmio (67decfaf3b6cdb34b3fa77d965281bb5) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/03 23:38:29.0421 0924 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/03 23:38:29.0781 0924 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/03 23:38:30.0171 0924 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/03 23:38:31.0093 0924 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/03 23:38:31.0515 0924 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/03 23:38:31.0968 0924 Fips (6e9d149cfae2af4783f85dbd6cedf7a1) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/03 23:38:32.0468 0924 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/03 23:38:32.0843 0924 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/03 23:38:33.0406 0924 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/03 23:38:33.0781 0924 Ftdisk (cc5f3af5711a1c7c8fa1d43bb16b401a) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/03 23:38:34.0109 0924 GMFilter (da9cf8e390bf7bcd671c36e63c337638) C:\WINDOWS\system32\drivers\GMFilter.sys
2011/05/03 23:38:34.0656 0924 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/03 23:38:35.0046 0924 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/03 23:38:35.0562 0924 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/03 23:38:36.0609 0924 i8042prt (0cab3ee361cfeab260b3906c8b6fb2be) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/03 23:38:37.0093 0924 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/05/03 23:38:37.0640 0924 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/03 23:38:38.0156 0924 IntelIde (161b54c8200663ada2c145d87e8d4340) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/03 23:38:38.0500 0924 intelppm (98bbc0e8efa90fff1ec9456ee7b0b1f1) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/03 23:38:38.0859 0924 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/03 23:38:39.0421 0924 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/03 23:38:39.0796 0924 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/03 23:38:40.0125 0924 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/03 23:38:40.0578 0924 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/03 23:38:40.0875 0924 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/05/03 23:38:41.0187 0924 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/03 23:38:41.0718 0924 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/05/03 23:38:42.0109 0924 isapnp (90bc6118193b4e8a76f0fc0d4a3572de) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/03 23:38:42.0531 0924 Kbdclass (71bfdda7b3006b45b18d8bac92bc9993) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/03 23:38:43.0000 0924 kbdhid (24334eb02603262309f648ef9e06496e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/03 23:38:43.0359 0924 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/03 23:38:43.0531 0924 kprocesshacker2 (4af27cb32d2fe975fcee12b9e50eefad) C:\Archivos de programa\Anvanced Task manager (processhacker-2.14-bin)\x86\kprocesshacker.sys
2011/05/03 23:38:43.0968 0924 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/03 23:38:44.0625 0924 lirsgt (975b6cf65f44e95883f3855bae8cecaf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
2011/05/03 23:38:45.0000 0924 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/03 23:38:45.0390 0924 Modem (b65f57d37e8d43089b701ed16e22d0e9) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/03 23:38:45.0734 0924 Mouclass (05e9c75c6797145a4983e9d0a4778bc3) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/03 23:38:46.0109 0924 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/03 23:38:46.0875 0924 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/03 23:38:47.0296 0924 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/03 23:38:47.0734 0924 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/03 23:38:48.0109 0924 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/03 23:38:48.0515 0924 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

–continue in next post

– continue from last post

2011/05/03 23:38:48.0953 0924 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/03 23:38:49.0375 0924 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/03 23:38:49.0734 0924 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/03 23:38:50.0218 0924 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/03 23:38:50.0578 0924 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/03 23:38:50.0984 0924 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/03 23:38:51.0406 0924 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/03 23:38:51.0781 0924 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/03 23:38:52.0218 0924 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/03 23:38:52.0671 0924 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/03 23:38:53.0359 0924 NGS (7b3238743de29edbd48f7524bae0d60e) c:\archivos de programa\norman\nvc\bin\ngs.sys
2011/05/03 23:38:53.0703 0924 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/03 23:38:54.0031 0924 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/03 23:38:54.0750 0924 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/03 23:38:55.0093 0924 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/03 23:38:55.0421 0924 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/03 23:38:55.0796 0924 Parport (0df0b83c90473ccfdc3dc882cbb6e4a9) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/03 23:38:56.0140 0924 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/03 23:38:56.0500 0924 ParVdm (fad44d704ecd7d39ad01415b8bb34204) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/03 23:38:56.0843 0924 PCI (a566b8da5e70b3237274d418853a87e0) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/03 23:38:57.0437 0924 PCIIde (33d63f0a9021acb4d75d83b646b93a30) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/03 23:38:57.0812 0924 Pcmcia (6374a34b03aea7971c976982a391ad07) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/03 23:38:59.0984 0924 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/03 23:39:00.0453 0924 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/03 23:39:00.0937 0924 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/03 23:39:02.0859 0924 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/03 23:39:03.0171 0924 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/05/03 23:39:03.0625 0924 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/03 23:39:04.0062 0924 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/03 23:39:04.0656 0924 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/03 23:39:05.0015 0924 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/03 23:39:05.0484 0924 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/03 23:39:05.0859 0924 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/03 23:39:06.0296 0924 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/03 23:39:06.0781 0924 redbook (28531a950381da67fc6412dfebcc8c5c) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/03 23:39:07.0359 0924 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/05/03 23:39:07.0812 0924 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/03 23:39:08.0265 0924 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/03 23:39:08.0718 0924 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/03 23:39:09.0406 0924 Serial (fa9c4c4ac544301fa13c5c00a270399f) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/03 23:39:09.0968 0924 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/03 23:39:10.0468 0924 skbusenum (3d6728e159ee39e61a3598977448a5f0) C:\WINDOWS\system32\DRIVERS\skbusenum.sys
2011/05/03 23:39:11.0125 0924 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/03 23:39:11.0500 0924 sr (3c151d50cf3ae1683c6e3ec201b2ad3d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/03 23:39:12.0281 0924 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/03 23:39:13.0421 0924 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/03 23:39:14.0078 0924 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/03 23:39:15.0921 0924 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/03 23:39:16.0390 0924 tc131 (7cc0766022e8f3c03208377e26c69094) C:\WINDOWS\system32\Drivers\TC131.sys
2011/05/03 23:39:16.0937 0924 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/03 23:39:17.0875 0924 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/03 23:39:18.0718 0924 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/03 23:39:19.0421 0924 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/03 23:39:20.0312 0924 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/03 23:39:21.0046 0924 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/03 23:39:21.0468 0924 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/03 23:39:21.0859 0924 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/03 23:39:22.0265 0924 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/03 23:39:22.0734 0924 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/03 23:39:23.0328 0924 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/03 23:39:23.0609 0924 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/03 23:39:24.0015 0924 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/05/03 23:39:24.0921 0924 VirtualK (db4792814b15864211a3da338727db02) C:\WINDOWS\system32\drivers\VirtualK.sys
2011/05/03 23:39:25.0234 0924 VolSnap (d6ec4aff061665a10f0b1a9517d338e3) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/03 23:39:25.0875 0924 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/03 23:39:26.0828 0924 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/03 23:39:27.0359 0924 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/03 23:39:27.0609 0924 \HardDisk1 - detected Trojan-Clicker.Win32.Wistler.a (0)
2011/05/03 23:39:27.0671 0924 ================================================================================
2011/05/03 23:39:27.0671 0924 Scan finished
2011/05/03 23:39:27.0671 0924 ================================================================================
2011/05/03 23:39:27.0796 2220 Detected object count: 4
2011/05/03 23:39:45.0687 2220 LockedService.Multi.Generic(a3ee8651) - User select action: Skip
2011/05/03 23:39:45.0687 2220 LockedService.Multi.Generic(c59cd21b) - User select action: Skip
2011/05/03 23:39:45.0703 2220 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/03 23:39:45.0718 2220 \HardDisk0 (Trojan-Clicker.Win32.Wistler.a) - will be cured after reboot
2011/05/03 23:39:45.0718 2220 \HardDisk0 - ok
2011/05/03 23:39:45.0718 2220 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/03 23:39:45.0890 2220 \HardDisk1 (Trojan-Clicker.Win32.Wistler.a) - will be cured after reboot
2011/05/03 23:39:45.0937 2220 \HardDisk1 - ok
2011/05/03 23:39:45.0937 2220 Trojan-Clicker.Win32.Wistler.a(\HardDisk1) - User select action: Cure
2011/05/03 23:40:18.0281 2532 Deinitialize success

What should I do now?

(many, many, many thanks for the help, BTW)
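The helper's reading of the aswMBR logs in this thread (TDL4@MBR found, an UNKNOWN hook in the driver trace, hidden services, and whether a "fixing MBR" line follows or only a "saved successfully" line) and the TDSSKiller log just posted (locked services with their MD5s, the detections, and the Skip/Cure choice made for each) can be scripted. The following is an added example for this thread, not code from aswMBR, TDSSKiller or any poster; the rule names, function names and result keys are my own, and the sample lines are reproduced from the logs posted above.

```python
"""Triage aswMBR and TDSSKiller logs for TDL4 MBR-rootkit indicators.
Added example for this thread; not code from aswMBR, TDSSKiller or any poster.
Rule/function names are my own; sample lines are copied from the posted logs."""
import re

# aswMBR indicator lines, matched as they appear in the posted logs.
ASWMBR_RULES = {
    "mbr_rootkit":    re.compile(r"TDL4@MBR code has been found|MBR \[TDL4\] ROOTKIT"),
    "mbr_hidden":     re.compile(r"\bMBR hidden\b"),
    "unknown_hook":   re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
    "hidden_service": re.compile(r"Service (\S+) (\S+) HIDDEN$"),
    "fix_applied":    re.compile(r"fixing MBR|Infection fixed successfully"),
    "mbr_saved":      re.compile(r"MBR has been saved successfully"),
}

# TDSSKiller lines after the "date time thread-id " prefix is removed.
TDSS_PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ \d+ ")
TDSS_RULES = {
    "suspicious_file": re.compile(r"Suspicious file \(\w+\): (.+?)\. md5: ([0-9a-f]{32})"),
    "detected":        re.compile(r"^(\S+) - detected (\S+) \(\d+\)$"),
    "user_action":     re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$"),
}


def triage_aswmbr(log_text):
    """Summarise rootkit indicators and whether a fix was actually applied."""
    s = {"mbr_rootkit": False, "mbr_hidden": False, "fix_applied": False,
         "mbr_saved": False, "unknown_hooks": [], "hidden_services": []}
    for line in log_text.splitlines():
        line = line.strip()
        for flag in ("mbr_rootkit", "mbr_hidden", "fix_applied", "mbr_saved"):
            if ASWMBR_RULES[flag].search(line):
                s[flag] = True
        m = ASWMBR_RULES["unknown_hook"].search(line)
        if m:
            s["unknown_hooks"].append(m.group(1))
        m = ASWMBR_RULES["hidden_service"].search(line)
        if m:
            s["hidden_services"].append((m.group(1), m.group(2)))  # (service, path)
    return s


def aswmbr_verdict(s):
    """The reading a helper applies to a posted aswMBR log (as in this thread)."""
    if not (s["mbr_rootkit"] or s["unknown_hooks"] or s["hidden_services"]):
        return "clean"
    if s["fix_applied"]:
        return "infected: fix applied, rescan after reboot"
    if s["mbr_saved"]:
        return "infected: only 'save log' ran, no fix was applied"
    return "infected: no fix attempted"


def triage_tdsskiller(log_text):
    """Collect locked files with hashes, detections, and the action chosen for each."""
    r = {"suspicious_files": [], "detections": [], "actions": {}}
    for raw in log_text.splitlines():
        line = TDSS_PREFIX.sub("", raw.strip())
        m = TDSS_RULES["suspicious_file"].search(line)
        if m:
            r["suspicious_files"].append((m.group(1), m.group(2)))  # (path, md5)
        m = TDSS_RULES["detected"].match(line)
        if m:
            r["detections"].append((m.group(1), m.group(2)))  # (object, detection)
        m = TDSS_RULES["user_action"].match(line)
        if m:
            r["actions"][m.group(2)] = m.group(3)  # object -> Skip / Cure
    return r


def skipped_objects(r):
    """Detected objects still in place because the user chose Skip for them."""
    return [obj for obj, _name in r["detections"] if r["actions"].get(obj) == "Skip"]


# Sample input copied from the SANDRA aswMBR log above: rootkit found, log saved, no fix.
ASWMBR_SAVED_ONLY = r"""
22:56:18.250 Disk 0 TDL4@MBR code has been found
22:56:18.250 Disk 0 MBR hidden
22:56:18.250 Disk 0 MBR [TDL4] ROOTKIT
22:56:30.828 Service a3ee8651 C:\WINDOWS\System32\drivers\a3ee8651.sys HIDDEN
22:56:30.875 Service c59cd21b C:\WINDOWS\System32\drivers\c59cd21b.sys HIDDEN
22:56:31.968 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x823474f0]<<
22:57:24.093 Disk 0 MBR has been saved successfully to "\Ares\Inbox\MBR.dat"
"""
# Sample input copied from EAGLEWI's first log, where FIX was pressed.
ASWMBR_FIXED = r"""
17:35:40.093 Disk 0 TDL4@MBR code has been found
17:35:40.093 Disk 0 MBR [TDL4] ROOTKIT
17:40:08.968 Disk 0 fixing MBR
17:40:08.984 Infection fixed successfully - please reboot ASAP
"""
# Sample input copied from the post-FIXMBR log: no rootkit lines at all.
ASWMBR_CLEAN = r"""
20:28:12.000 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
20:28:36.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ann (lastname)\Desktop\MBR.dat"
"""
# Sample input copied from the TDSSKiller log above, abridged to the key lines.
TDSS_SAMPLE = r"""
2011/05/03 23:38:14.0718 0924 Suspicious file (NoAccess): C:\WINDOWS\System32\drivers\a3ee8651.sys. md5: 8fdbd3f6be8a9b156eea052a994c96df
2011/05/03 23:38:14.0734 0924 a3ee8651 - detected LockedService.Multi.Generic (1)
2011/05/03 23:38:23.0921 0924 Suspicious file (NoAccess): C:\WINDOWS\System32\drivers\c59cd21b.sys. md5: 33c978f68655fae66580026153e09297
2011/05/03 23:38:24.0031 0924 c59cd21b - detected LockedService.Multi.Generic (1)
2011/05/03 23:39:27.0359 0924 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/03 23:39:27.0609 0924 \HardDisk1 - detected Trojan-Clicker.Win32.Wistler.a (0)
2011/05/03 23:39:45.0687 2220 LockedService.Multi.Generic(a3ee8651) - User select action: Skip
2011/05/03 23:39:45.0687 2220 LockedService.Multi.Generic(c59cd21b) - User select action: Skip
2011/05/03 23:39:45.0718 2220 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/03 23:39:45.0937 2220 Trojan-Clicker.Win32.Wistler.a(\HardDisk1) - User select action: Cure
"""

if __name__ == "__main__":
    for name, log in (("saved only", ASWMBR_SAVED_ONLY), ("fixed", ASWMBR_FIXED), ("clean", ASWMBR_CLEAN)):
        print(name, "->", aswmbr_verdict(triage_aswmbr(log)))
    print("skipped objects:", skipped_objects(triage_tdsskiller(TDSS_SAMPLE)))
```

Run over the SANDRA log the verdict is "only 'save log' ran", which is the same conclusion the helper drew earlier from Ann's second log; over the TDSSKiller log it lists the two locked services (a3ee8651 and c59cd21b) as still present because Skip was chosen, which is what the next post notices. The MD5s it extracts are what you would hand to a scanner or a hash lookup.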

Having cooled down the head a little, I notice that the two hidden services (that, being only suspicious, I skipped) are still there.

The TDL4 appears to have been erased. Should I tell TDSSKiller to erase those two services? Any idea what they could be?

Nope, what we will do is use a different programme; last time I saw someone try to remove similar, the system then failed to boot. So we will need to take it slowly.

Also, not only did you have TDL4 but you also had Whistler: two for the price of one.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.