
webrootkit.tdss infected computer



#1 rnrstar

rnrstar

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:32 AM

Posted 04 April 2009 - 07:47 PM

hello, how are you? my computer is currently infected with a virus called webrootkit.tdss (found via adaware program). i did read another poster on here had same infection but since no two computers are the same; i wanted to create a new post. if the answer given in the prior thread is valid, please let me know so i don't waste anybody's time. right now, most weblinks that i click on create pop ups to various ad pages and i have to go to a cached link to see the actual webpage. i do not want to format my drive and want to see if somebody can manually help me get rid of it. tia!

dds.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by fong at 20:35:14.15 on Sat 04/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.111 [GMT -4:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\fong\Local Settings\Temporary Internet Files\Content.IE5\GDQGHBM3\dds[1].scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = sas.se1.attbb.net;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmesus.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://insourcers.riahome.com/CABFiles/RSLoginModule.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://share.ovi.com/tools/uploader/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237943553359
DPF: {6C8E9E45-538C-473A-B83B-DA9AE1ED7604} - hxxps://insourcers.riahome.com/CABFiles/vspdf.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://insourcers.riahome.com/CABFiles/vsprint7.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://www.twango.com/tools/uploader/ImageUploader5.cab
DPF: {C0A63B86-4B21-11D3-BD95-D426EF2C7949} - hxxps://insourcers.riahome.com/CABFiles/vsflex7L.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://insourcers.riahome.com/CABFiles/vsflex7.cab
DPF: {EBB0431C-10EB-432D-8C53-64BDBEDBD86B} - hxxps://insourcers.riahome.com/CABFiles/xmlgridRS.cab
DPF: {F4721362-90E1-11D4-B547-00105A80AE07} - hxxps://insourcers.riahome.com/CABFiles/RIAInRSImport.cab
Notify: ddayw - c:\windows\system32\ddayw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-1-11 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2006-1-11 202344]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-1-11 169576]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2006-2-5 139888]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-12-19 54968]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-25 1251720]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-18 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080324.005\NAVENG.Sys [2008-3-24 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080324.005\NavEx15.Sys [2008-3-24 895408]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-12-19 337592]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\fong\locals~1\temp\imspcloj.sys --> c:\docume~1\fong\locals~1\temp\iMSPCLOj.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-4-10 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-4-10 8320]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-12-19 198416]

=============== Created Last 30 ================

2009-04-03 02:00 0 a------- c:\windows\system32\AAWService_2009_04_03_02_00_48.dmp
2009-04-03 00:45 <DIR> --dsh--- c:\documents and settings\fong\IECompatCache
2009-04-03 00:40 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-27 23:26 59,392 a------- c:\windows\system32\mcenspc.dll
2009-03-27 22:40 <DIR> --dsh--- c:\documents and settings\fong\PrivacIE
2009-03-27 22:39 <DIR> --dsh--- c:\documents and settings\fong\IETldCache
2009-03-27 22:31 <DIR> --d----- c:\windows\ie8updates
2009-03-27 22:24 <DIR> -cd-h--- c:\windows\ie8
2009-03-27 22:23 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-03-27 22:19 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-03-24 19:59 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:59 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-22 17:07 <DIR> --dsh--- c:\windows\system32\twain32
2009-03-22 16:52 24,576 a------- c:\windows\system32\stus.exe
2009-03-08 14:22 49,152 -------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 2,560 -------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 4,096 -------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 81,920 -------- c:\windows\system32\iedkcs32.dll.mui

==================== Find3M ====================

2009-04-04 00:10 14,336 a------- c:\windows\system32\userinit.exe
2009-03-24 19:59 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:59 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-07 18:21 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-01-07 18:20 134,144 -------- c:\windows\system32\dllcache\sqmapi.dll
2009-01-07 18:20 24,576 a------- c:\windows\system32\nlsdl.dll
2009-01-07 18:20 26,112 a------- c:\windows\system32\idndl.dll
2009-01-07 18:20 23,552 a------- c:\windows\system32\normaliz.dll
2009-01-07 18:20 265,720 a------- c:\windows\system32\msdbg2.dll
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2006-03-05 19:16 13,560 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 09:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2005-10-07 20:13 337,593 a--sh--- c:\windows\system32\wyadd.bak1
2005-10-10 19:14 337,769 a--sh--- c:\windows\system32\wyadd.bak2

============= FINISH: 20:37:02.14 ===============


Edited by rnrstar, 04 April 2009 - 07:53 PM.
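The "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of the DDS log above are what a malware responder reads by eye. The following Python script is an added example, not part of the thread or of the DDS tool, that encodes those checks (extra Userinit entries, Run entries in the Windows root, unnamed BHOs, unknown Winlogon Notify packages, SecurityProviders beyond the XP defaults, drivers loaded from a temp folder) and runs them over a constructed sample built from lines of the posted log; the XP default lists are assumptions stated in the code.

```python
"""Triage helper for the autostart section of a DDS log (added example).

DDS prints registry autostarts in a HijackThis-like form, one per line:
    mWinlogon: Userinit=<path>,<path>,
    uRun: [<name>] <command>
    BHO: <name>: {<clsid>} - <dll>
    Notify: <key> - <dll>
    SecurityProviders: <dll>, <dll>, ...
    R2 <svc>;<display name>;<path> [<date> <size>]
"""
import re

# Assumption: a stock Windows XP install registers exactly these four SSP DLLs.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Assumption: Winlogon notification packages present on a stock XP install.
# Treat this as a starting allowlist and extend it from your own baseline.
XP_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?):\s*\{[0-9a-f-]+\}\s*-\s*(?P<dll>.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*(?P<dll>.*)$", re.I)
SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.*)$", re.I)

# Constructed sample: lines copied from the posted DDS log plus a few clean
# entries from the same log that act as controls.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
Notify: ddayw - c:\windows\system32\ddayw.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-1-11 192104]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\fong\locals~1\temp\imspcloj.sys --> c:\docume~1\fong\locals~1\temp\iMSPCLOj.sys [?]
"""


def _image_path(cmd):
    """Return the executable part of a Run command ("quoted path" or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of (rule, line) findings for suspicious autostart entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("mwinlogon: userinit="):
            # Stock XP has a single userinit.exe entry; anything appended runs at every logon.
            entries = [e for e in line.split("=", 1)[1].split(",") if e.strip()]
            if [e for e in entries if not e.lower().endswith("\\userinit.exe")]:
                findings.append(("userinit-extra-entry", line))
            continue
        m = RUN_RE.match(line)
        if m:
            # An .exe sitting directly in c:\windows\ (not a subfolder) is unusual for a Run entry.
            if re.fullmatch(r"c:\\windows\\[^\\]+", _image_path(m.group("cmd")).lower()):
                findings.append(("run-from-windows-root", line))
            continue
        m = BHO_RE.match(line)
        if m:
            # DDS prints "BHO: BHO:" when the object has no registered name.
            if m.group("name").strip().lower() in ("", "bho"):
                findings.append(("unnamed-bho", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m.group("key").lower() not in XP_NOTIFY_PACKAGES:
                findings.append(("unknown-notify-package", line))
            continue
        if low.startswith("securityproviders:"):
            dlls = {d.strip().lower() for d in line.split(":", 1)[1].split(",")}
            if dlls - XP_SECURITY_PROVIDERS:
                findings.append(("extra-security-provider", line))
            continue
        m = SVC_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            # Kernel drivers have no business being loaded from a user's temp folder.
            findings.append(("driver-from-temp", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:24} {entry}")
```

Each finding names the autostart point involved, which is also where the corresponding cleanup or a whitelist exception would go.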



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 09 April 2009 - 08:10 PM

Hello.

TDSSserv is a nasty infection.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 12 April 2009 - 03:43 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 14 April 2009 - 02:47 PM

Hello.

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 14 April 2009 - 07:46 PM

Hello.

Topic opened upon user's request.

With Regards,
Extremeboy

#6 rnrstar

rnrstar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:32 AM

Posted 14 April 2009 - 07:57 PM

hello, how are you? just tell me what to do next....thanks.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 15 April 2009 - 02:39 PM

Hello.

From your PM it seems you don't want to format and you still have the same infection.

Let's continue.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: the ComboFix prompt offering to install the Recovery Console]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: the ComboFix message shown once the Recovery Console is installed]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy

#8 rnrstar

rnrstar
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:32 AM

Posted 18 April 2009 - 10:41 AM

ok, will work on your instructions this weekend and get back to you tomorrow night. thanks!

Edited by extremeboy, 18 April 2009 - 10:50 AM.
Remove Unnecessary quotes


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 18 April 2009 - 10:51 AM

Thanks for letting me know.

Hear from you soon then :thumbup2:

Note: You don't need to quote me every time. If there's a specific part you wish to quote, then that's fine; other than that it's not necessary and makes things longer than they should be.

Thanks.

With Regards,
Extremeboy

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 21 April 2009 - 02:58 PM

How's everything coming along?

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:32 AM

Posted 24 April 2009 - 03:00 PM

Hello.

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy