
Rootkit infection - possibly TDSS?

  • This topic is locked
3 replies to this topic

#1 Walter Sobchak


  • Members
  • 1 posts
  • Local time:05:08 PM

Posted 11 April 2009 - 12:04 PM

I recently got slammed by a rootkit ("TDSS" rootkit??? The infected .sys files were named "Gaopdx...."). It happened around the time I started using "Windows Instant Messenger" for the 1st time, although I'm not sure if that was the culprit. The rootkit was discovered when I installed AVG (I was only using Malwarebytes before).
Since contracting the rootkit virus, my PC has been denied internet access (wireless). I tried to do a system restore to various previous restore points but was unsuccessful. I had to use another computer to research and download various antivirus (anti-rootkit) software, including the following:
AVG, Combofix, Rootrepeal, RootkitRevealer, Superantispyware, Gmer, Threatfire, Avast, Sophos, etc...
After many hours and different scans (also turning off system restore, scanning in Safe mode) the rootkit "appears" to be gone, although after everything I've read in the forums, I'm wondering if it's gone "FOR GOOD"... One of the rootkit files is named "gaopdxespixllldmvrekvmkrjexgsocfnvucyl.sys.rmv". I'm assuming the .rmv extension is thanks to a quarantine feature of one of my antivirus runs...??? The last scan I ran was with Sophos, and the only thing it turned up was "Hidden registry key - Location: \HKEY_USERS\.DEFAULT" (which I hope is just a harmless leftover from before???)
In spite of not having wireless access, I am able to connect physically (by USB cable) to the router and the internet access is normal. But when I disconnect the USB cable and try to use wireless only, the results are weird! Here's what I mean:
My wireless connection "appears" to be connected and working fine (I tried using the Windows "repair" feature on the wireless connection, which worked. The Win XP Network Connections feature declares the "Wireless Network Connection" to be "connected, firewalled".) But here's the confusing part: I have a torrent downloader (Vuze), which IS able to download via my wireless connection, so the wireless connection is working to some extent! (Although the NAT/FIREWALL test is no longer successful, the download speed seems to be as fast as usual.) However, in spite of Vuze working via the wireless connection, none of my navigators are able to work with the wireless connection. (Neither IE explorer, nor Opera, which I upgraded.) I tried turning off the firewall but the navigators still can't connect.
By the way, after getting back online by USB connection, I discovered that my HOSTS file had been HIJACKED to deny service to the most popular BitTorrent sites, i.e. Mininova, etc.... I had to edit the file to get it back to normal.
Would the rootkit problem and the hijacked HOSTS file be related? Anyway, my main goal is to repair my wireless access problem although I don't know where to start (being a non-expert, I'd rather repair the connection if possible than having to create a whole new wireless connection, although I would if there were no other option... Now from what I've read, I'm worried at the prospect of having to reformat the hard disk/reload everything... yikes!) Please Help!

Here's the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by walter at 16:55:14.03 on 2009-04-11
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.937 [GMT 2:00]

AV: avast! antivirus 4.8.1335 [VPS 090410-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\walter\Desktop\ANTIVIRUS SOFTWARE\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: &DownloadStudio: {cb789373-04d5-4ef4-9c16-871463fd0830} - c:\program files\conceiva\downloadstudio\WebDLBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: ClipMate ClipBar 7: {f60c63ce-52af-4915-aac9-f100fcde270f} - c:\progra~1\clipma~1\CLIPMA~1.DLL
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTBatteryMeter] c:\program files\vibrategamedevicedriver\RFPIcon.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.09\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.09\mediamanager\grab.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download Image Using DownloadStudio... - c:\program files\conceiva\downloadstudio\ds_img.htm
IE: Download Page Using DownloadStudio... - c:\program files\conceiva\downloadstudio\ds_all.htm
IE: Download Selection Using DownloadStudio... - c:\program files\conceiva\downloadstudio\ds_sel.htm
IE: Download Target Using DownloadStudio... - c:\program files\conceiva\downloadstudio\ds_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Show Page Links Using DownloadStudio... - c:\program files\conceiva\downloadstudio\ds_link.htm
IE: {4D0C4820-53F7-4d79-A2E1-5252683CF69C} - c:\program files\conceiva\downloadstudio\DownloadStudio.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - {05926058-0C40-4092-8521-78D9D281B457} - c:\program files\conceiva\downloadstudio\WebDLBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://www.crtvg.es/camweb/camera.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\walter\applic~1\mozilla\firefox\profiles\tct4qfb5.default\
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-4-10 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-4-10 39184]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-8 114768]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-8 138680]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-8 352920]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\ad.tmp --> c:\windows\system32\AD.tmp [?]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2005-4-12 4608]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-4-10 33040]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2006-2-15 3584]
S3 DynCal;Dynamic Calibration Service;c:\windows\system32\drivers\DynCal.sys [2004-9-12 8320]
S3 KIZDWEQWC;KIZDWEQWC;c:\docume~1\walter\locals~1\temp\KIZDWEQWC.exe [2009-4-9 539520]
S3 PLUsbbc2;Hi-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-9-16 7936]
S3 POTLIEDSY;POTLIEDSY;c:\docume~1\walter\locals~1\temp\potliedsy.exe --> c:\docume~1\walter\locals~1\temp\POTLIEDSY.exe [?]
S3 VNic;ULan Network Driver Module;c:\windows\system32\drivers\VNic.sys [2006-9-16 57516]

=============== Created Last 30 ================

2009-04-10 23:41 16,117,760 a------- c:\windows\system32\LNBJIXGQNCBUR
2009-04-10 13:57 <DIR> --d----- c:\program files\DIY DataRecovery MBRtool 2
2009-04-10 12:22 <DIR> --d----- c:\program files\ACW
2009-04-10 06:42 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-10 06:42 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-04-10 06:42 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-04-10 06:42 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-10 06:42 <DIR> --d----- c:\program files\ThreatFire
2009-04-08 18:09 <DIR> --dsh--- c:\documents and settings\walter\IECompatCache
2009-04-08 16:15 <DIR> --d----- c:\program files\Sophos
2009-04-07 16:39 <DIR> --dsh--- c:\documents and settings\walter\PrivacIE
2009-04-07 16:38 <DIR> --dsh--- c:\documents and settings\walter\IETldCache
2009-04-07 15:47 <DIR> -cd-h--- c:\windows\ie8
2009-04-07 15:23 <DIR> --d----- C:\ComboFix
2009-04-07 15:23 389,120 a------- c:\windows\system32\CF24677.exe
2009-04-06 10:07 <DIR> --d----- c:\program files\GOPlayer
2009-04-06 10:06 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-06 00:09 <DIR> a-dshr-- C:\cmdcons
2009-04-06 00:07 389,120 a------- c:\windows\system32\CF21692.exe
2009-04-05 23:50 389,120 a------- c:\windows\system32\CF18319.exe
2009-04-05 22:37 389,120 a------- c:\windows\system32\CF4029.exe
2009-04-05 22:19 16,084,992 a------- c:\windows\system32\QJKPYIRYD
2009-04-05 14:46 161,792 a------- c:\windows\SWREG.exe
2009-04-05 14:46 98,816 a------- c:\windows\sed.exe
2009-04-05 14:46 389,120 a------- c:\windows\system32\CF10028.exe
2009-04-05 13:10 19,248 a------- c:\windows\system32\drivers\rspsc32.sys
2009-04-05 13:10 <DIR> --d----- c:\program files\RootKit Hook Analyzer
2009-04-04 20:52 23,223,772 a------- c:\windows\system32\GID
2009-04-04 19:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 19:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 16:14 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-04 11:39 34,816 a------- c:\windows\system32\drivers\gaopdxespixllldmvrekvmkrjexgsocfnvucyl.sys.rmv
2009-04-04 11:39 4 a------- c:\windows\system32\gaopdxcounter.rmv
2009-04-03 16:33 <DIR> --d----- c:\program files\Flash Favorite
2009-04-03 01:25 <DIR> --d----- c:\docume~1\walter\applic~1\GrabPro
2009-04-03 01:25 <DIR> --d----- c:\program files\Orbitdownloader
2009-04-01 12:23 <DIR> --d----- c:\program files\RegCleaner
2009-03-31 22:11 <DIR> --d----- c:\program files\Xvid
2009-03-30 01:11 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-30 01:01 <DIR> --d----- c:\docume~1\walter\applic~1\AVGTOOLBAR
2009-03-30 01:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-29 23:58 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-29 23:58 208,744 a------- c:\windows\system32\muweb.dll
2009-03-29 23:58 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-29 19:50 <DIR> --d----- c:\documents and settings\walter\Tracing
2009-03-29 19:50 921,624 a------- C:\img2-001.raw
2009-03-29 19:49 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-29 19:49 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-03-29 19:48 1,966,696 a------- c:\windows\system32\drivers\VX3000.sys
2009-03-29 19:48 709,992 a------- c:\windows\vVX3000.exe
2009-03-29 19:48 476,520 a------- c:\windows\vVX3000.dll
2009-03-29 19:48 202,088 a------- c:\windows\system32\LCCoin14.dll
2009-03-29 19:48 185,704 a------- c:\windows\system32\cVX3000.dll
2009-03-29 19:48 111,976 a------- c:\windows\VX3000.dll
2009-03-29 19:48 15,498 a------- c:\windows\VX3000.ini
2009-03-29 19:48 13,023 a------- c:\windows\VX3000.src
2009-03-29 19:46 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-03-29 19:42 <DIR> --d----- c:\program files\Microsoft
2009-03-29 19:42 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-29 19:35 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-27 01:32 3,532 a------- C:\drmHeader.bin
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-24 21:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 21:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 21:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 21:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 21:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 21:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-19 12:26 121 a------- c:\docume~1\walter\applic~1\SQSDMTST.SYS
2009-02-09 13:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2007-07-16 20:35 0 a------- c:\docume~1\walter\applic~1\wklnhst.dat
2006-11-04 13:09 106,297 a------- c:\program files\mmswitch.exe
2006-11-04 11:08 15,926,792 a------- c:\program files\DivXInstaller.exe
2006-10-25 09:11 734,160 a------- c:\program files\VobSub_2.23.exe
2008-08-31 03:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 16:56:22.46 ===============

Thanks for any help you may provide!!!
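As an added triage example (not code from the poster, from BleepingComputer or from DDS itself), the Python below parses the SERVICES / DRIVERS and Created Last 30 sections of a DDS log in the format shown above and lists the entries a responder would examine first. The sample log is a constructed excerpt of the lines posted above; the heuristics (executables in a temp directory, files DDS could not stat, the "gaopdx" prefix the poster reports, .rmv quarantine remnants, extensionless or random-looking names in system32) are triage prompts, not verdicts.

```python
import re

# Constructed sample: an excerpt of the DDS log posted above (raw string, so backslashes are literal)
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-8 114768]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\ad.tmp --> c:\windows\system32\AD.tmp [?]
S3 KIZDWEQWC;KIZDWEQWC;c:\docume~1\walter\locals~1\temp\KIZDWEQWC.exe [2009-4-9 539520]
S3 POTLIEDSY;POTLIEDSY;c:\docume~1\walter\locals~1\temp\potliedsy.exe --> c:\docume~1\walter\locals~1\temp\POTLIEDSY.exe [?]
=============== Created Last 30 ================
2009-04-10 23:41 16,117,760 a------- c:\windows\system32\LNBJIXGQNCBUR
2009-04-10 06:42 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-04 11:39 34,816 a------- c:\windows\system32\drivers\gaopdxespixllldmvrekvmkrjexgsocfnvucyl.sys.rmv
2009-04-04 11:39 4 a------- c:\windows\system32\gaopdxcounter.rmv
============= FINISH: 16:56:22.46 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R3 Name;Display name;path [date size]"  or  "... path --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
# "2009-04-10 23:41 16,117,760 a------- path"   (size may be <DIR>)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
KNOWN_PREFIXES = ("gaopdx",)  # file-name prefix the poster reports for this rootkit

def basename(path):
    return path.rsplit("\\", 1)[-1]

def looks_random(name):
    """Long, all-letter stem with few vowels, e.g. KIZDWEQWC (heuristic only)."""
    stem = name.split(".")[0]
    if len(stem) < 9 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.25

def assess(path, detail=""):
    """Return the triage reasons that apply to one file path (empty list = nothing notable)."""
    low, name, reasons = path.lower(), basename(path), []
    if "\\temp\\" in low:
        reasons.append("executes from a temp directory")
    if detail.strip() == "[?]":
        reasons.append("DDS could not stat the file ([?])")
    if name.lower().startswith(KNOWN_PREFIXES):
        reasons.append("name matches the rootkit prefix reported in the thread")
    if low.endswith(".rmv"):
        reasons.append("renamed/quarantined remnant (.rmv)")
    if "\\system32\\" in low and "." not in name:
        reasons.append("extensionless file in system32")
    if looks_random(name):
        reasons.append("random-looking file name")
    return reasons

def triage(log_text):
    """Walk the log, parse the two sections of interest, return (section, path, reasons) tuples."""
    findings, section = [], ""
    for line in (l.strip() for l in log_text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("SERVICES") and (m := SERVICE_RE.match(line)):
            rest = m.group(4)
            cut = rest.rfind("[")
            path, detail = (rest[:cut], rest[cut:]) if cut >= 0 else (rest, "")
            path = path.split("-->")[-1].strip()  # keep the resolved path after "-->"
            reasons = assess(path, detail)
        elif section.startswith("Created") and (m := CREATED_RE.match(line)):
            path = m.group(4)
            reasons = assess(path)
        else:
            continue
        if reasons:
            findings.append((section, path, reasons))
    return findings

if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section:20} {basename(path):50} {'; '.join(reasons)}")
```

On the sample, aswSP.sys and TfFsMon.sys pass untouched while the two temp-directory executables, the unverifiable AD.tmp driver, the extensionless 16 MB system32 file and both gaopdx remnants are listed; each hit is a reason to inspect the file, not proof that it is malicious.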



#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:08 PM

Posted 20 April 2009 - 05:51 PM


Please note the nature of this infection.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:08 PM

Posted 24 April 2009 - 02:59 PM


Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:08 PM

Posted 26 April 2009 - 12:06 PM


Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
