Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How to get rid of virus Rootkit.TDSS!sd6


  • This topic is locked This topic is locked
2 replies to this topic

#1 met1

met1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 26 February 2009 - 07:19 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by markT at 13:07:38.69 on Fri 27/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.64.1033.18.2015.1334 [GMT 13:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
F:\ArchiCAD_resource\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://companyweb
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [Modem Booster]
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HPWH myPrintMileage Agent] c:\program files\hewlett-packard\hp business inkjet 1100 series\toolbox\mpm.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://black/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-3-16 9344]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-27 40840]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-25 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-25 38208]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-9 27656]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-27 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-11-27 160792]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-17 298264]
R2 avgagent;AVG7 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-27 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-27 1079176]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030319.002\NAVENG.sys [2004-3-16 61732]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030319.002\NAVEX15.sys [2004-3-16 519333]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-25 33088]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
R3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [2005-12-13 16384]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-3-16 468480]

=============== Created Last 30 ================

2009-02-26 07:58 1,089,601 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-25 09:01 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-25 09:01 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-25 09:01 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-25 09:01 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-16 15:40 16,896 a------- c:\windows\syssvc.exe
2009-02-02 12:55 2,341,368 a------- C:\AutoSave_Untitled.skp
2009-02-02 12:49 2,274,328 a------- C:\Untitled.skp
2009-02-02 12:21 34,031,720 a------- c:\temp\GoogleSketchUpWEN.exe
2009-01-29 13:19 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-29 13:19 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-29 13:19 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-29 13:19 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-29 13:19 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-29 13:19 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-29 13:19 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-29 13:19 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-29 13:18 <DIR> --d----- C:\79d7fb3dbff39a9fec2b
2009-01-29 13:18 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-29 13:13 <DIR> --d----- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-01-21 09:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-21 09:34 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-20 07:33 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-09 07:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-09 07:28 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-21 12:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 08:34 108,331 a------- c:\program files\setuplog.txt

============= FINISH: 13:09:08.94 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 12 March 2009 - 11:38 AM

Welcome :thumbup2:
Thank you for using our forums.
I am reviewing your log. In the meantime, please address the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are an employee and this system is owned by your employer, do you have permission to make changes to it?

* If you are using any cracked (illegal) software, please uninstall that.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state.
That includes BitTorrent, uTorrent, and similar programs. There is a list here: http://spywarehammer.com/simplemachinesfor...php?topic=110.0

* Please understand it is very important that you follow the instructions given to you during the cleaning of malware. This can sometimes be a tricky process and often requires things be done in a certain sequence to be effective. Please do not wait days between steps in this process. It is requested you respond at least within 48 hours. Any longer and it becomes necessary to update all information and start over. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply so we can begin removing the malware.

If you have since resolved the original problem you were having, we would appreciate your letting us know.

Edited by Bugbatter, 12 March 2009 - 11:39 AM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 20 March 2009 - 12:19 PM

Due to inactivity, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users