

win32trojan.tdss and mbr rootkits found


This topic is locked
21 replies to this topic

#1 earthmud

earthmud

  • Members
  • 15 posts

Posted 25 July 2009 - 09:14 PM

My computer seems to be infected with at least these two issues. Last night my computer rebooted itself and I started seeing a "Google installer has encountered a problem and needs to close". I tried running Spybot and MBAM but neither works. Norton 360 will not scan my drive either and also randomly shuts down. Ad-Aware found win32trojan.tdss but cannot clean it. Other symptoms include freezing up and random audio ads that seem to come from nowhere. I get redirects when using both Firefox and Google. I am running Windows XP SP2. I downloaded RootRepeal and it found two MBR rootkits on drives C and D along with a bunch of other stuff. I am a fairly experienced user but cannot seem to make any headway as far as removing anything. I have not deleted anything at this point. I have installed DDS, RootRepeal, and ComboFix (I did not run ComboFix due to a warning saying that Norton was still running) and already had HijackThis installed. I have not tried to fix anything else without talking to you guys first. I will be online till this is resolved and will not bail if help is received (I was up till 5 am last night trying to see what I could do). My external drive was full so I bought another and am currently backing up my PC, but for some reason my PC wouldn't allow Seagate's backup to work so I have to use "copy files" instead (the virus?), which is taking quite a while (should be done in an hour or so). My PC has had no issues until last night. Any help resolving these issues is much appreciated. Thanks in advance. J

Attached File  DDS.txt   12.35KB   17 downloads


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 28 July 2009 - 04:29 PM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop.
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit Start button (Do NOT hit "Ok" button)
  • Let it scan until finished
  • Find the log.txt inside the SysProt folder and attach the log here.


NEXT

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Edited by fenzodahl512, 28 July 2009 - 04:30 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 28 July 2009 - 06:05 PM

Thanks for the help. My PC is barely working.

Attached Files



#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 July 2009 - 01:32 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#5 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 29 July 2009 - 09:13 AM

ComboFix 09-07-28.04 - HP_Administrator 07/29/2009 7:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1443 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{D2206D84-25E6-4C93-AE0A-CFF97BB8A1D8}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{D2206D84-25E6-4C93-AE0A-CFF97BB8A1D8}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{D2206D84-25E6-4C93-AE0A-CFF97BB8A1D8}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{D2206D84-25E6-4C93-AE0A-CFF97BB8A1D8}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{D2206D84-25E6-4C93-AE0A-CFF97BB8A1D8}\install.rdf
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Installer\647e82c.msp
c:\windows\kb913800.exe
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-28 00:35 . 2009-07-28 00:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NOS
2009-07-28 00:35 . 2009-07-28 00:35 -------- d-----w- c:\program files\NOS
2009-07-27 23:13 . 2009-07-27 23:16 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb
2009-07-27 01:26 . 2009-07-27 01:26 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-27 01:26 . 2009-07-27 01:50 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-07-27 00:33 . 2009-07-27 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-26 02:47 . 2009-07-26 02:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----w- c:\program files\Seagate
2009-07-25 22:09 . 2009-07-25 22:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Seagate
2009-07-25 22:08 . 2009-07-25 22:08 -------- d-----w- c:\program files\MSXML 6.0
2009-07-25 22:08 . 2009-07-25 22:08 -------- d-sh--w- c:\windows\ftpcache
2009-07-25 07:24 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-25 05:36 . 2009-07-25 05:36 -------- d-----w- c:\program files\Norton Support
2009-07-17 22:01 . 2009-07-17 22:01 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Temp
2009-07-17 22:01 . 2009-07-17 22:01 -------- d-----w- c:\docume~1\HP_ADM~1\LOCALS~1\APPLIC~1\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 01:29 . 2007-01-04 19:01 3546 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-07-29 01:29 . 2007-01-04 19:01 3546 ----a-w- c:\docume~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2009-07-25 22:09 . 2006-11-16 20:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 21:41 . 2007-01-15 21:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-07-22 21:41 . 2007-01-15 21:32 -------- d-----w- c:\docume~1\HP_ADM~1\APPLIC~1\uTorrent
2009-07-11 01:30 . 2007-01-01 08:44 -------- d-----w- c:\program files\Winamp
2009-06-16 14:55 . 2004-08-09 21:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-09 21:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:24 . 2004-08-09 21:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:26 . 2009-02-24 01:57 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-07 15:44 . 2004-08-09 21:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 04:15 . 2009-05-01 04:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-05-01 04:15 . 2009-05-01 04:15 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-01 04:15 . 2009-05-01 04:15 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2007-02-23 06:18 . 2007-02-23 06:18 251 -c--a-w- c:\program files\wt3d.ini
2009-07-22 19:30 . 2009-03-17 22:15 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-06-30 20:44 . 2008-09-20 22:51 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2008-9-21 303104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19069:TCP"= 19069:TCP:BitComet 19069 TCP
"19069:UDP"= 19069:UDP:BitComet 19069 UDP
"9488:TCP"= 9488:TCP:BitComet 9488 TCP
"9488:UDP"= 9488:UDP:BitComet 9488 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/23/2009 6:26 PM 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [4/30/2009 9:15 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [4/30/2009 9:15 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [4/30/2009 9:15 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSXpx86.sys [7/27/2009 2:53 PM 276344]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [4/30/2009 9:15 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/2/2009 5:26 PM 101936]
R3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\HP_Administrator\Desktop\SysProt\SysProtDrv.sys [7/28/2009 3:47 PM 44288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1029456]
S2 twdd;twdd;c:\windows\system32\drivers\uyfs.sys --> c:\windows\system32\drivers\uyfs.sys [?]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/16/2006 1:09 PM 82048]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/27/2009 5:35 PM 66056]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYSPROTDRV.SYS
*Deregistered* - akrgfrte
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dwshd.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {08FD87EF-2A15-11D1-AF00-00A0C91F4B89} - hxxp://eservices.scottsdaleaz.gov/dmc/digprintrm/webplot.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
FF - ProfilePath - c:\docume~1\HP_ADM~1\APPLIC~1\Mozilla\Firefox\Profiles\tqc0qxqn.default\
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 07:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-07-29 7:07
ComboFix-quarantined-files.txt 2009-07-29 14:07

Pre-Run: 68,541,534,208 bytes free
Post-Run: 68,695,330,816 bytes free

171 --- E O F --- 2009-07-27 10:00
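The R0/R1/S2/S3 service lines in the log above are where the second TDSS driver shows up: twdd, registered to load a uyfs.sys that ComboFix could not find on disk (the "--> ... [?]" form). The following Python triage script is an added example, not part of this thread or of ComboFix itself; it parses service lines in that format from constructed sample input and flags entries whose driver file is missing or whose names look generated rather than vendor-assigned.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the service/driver lines of the ComboFix log
# in this thread. The twdd/uyfs.sys line is the one the helper later removed
# with a CFScript; the others are legitimate drivers from the same log.
SAMPLE_LOG = """\
R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [2/23/2009 6:26 PM 64160]
R1 ccHP;Symantec Hash Provider;c:\\windows\\system32\\drivers\\N360\\0300000.087\\cchpx86.sys [4/30/2009 9:15 PM 482352]
R3 SysProtDrv.sys;SysProtDrv.sys;c:\\documents and settings\\HP_Administrator\\Desktop\\SysProt\\SysProtDrv.sys [7/28/2009 3:47 PM 44288]
S2 twdd;twdd;c:\\windows\\system32\\drivers\\uyfs.sys --> c:\\windows\\system32\\drivers\\uyfs.sys [?]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\\windows\\system32\\drivers\\cxfalcon.sys [11/16/2006 1:09 PM 82048]
"""

# <state> <service name>;<display name>;<image path> [<timestamp> <size>]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>.+) (?P<size>\d+)\]$")
# ComboFix writes "<path> --> <path> [?]" when the registered file is not on disk.
MISSING_RE = re.compile(r"^(?P<path>.+?) --> (?P<resolved>.+?) \[\?\]$")


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str
    size: Optional[int]   # None when ComboFix could not stat the file
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for lines in any other format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    miss = MISSING_RE.match(rest)
    if miss:
        return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                            miss.group("path"), None, True)
    st = STAMP_RE.match(rest)
    if not st:
        return None
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        st.group("path"), int(st.group("size")), False)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic suspicion reasons to a parsed entry (simple triage, not a verdict)."""
    base = entry.path.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    # A registered driver whose file ComboFix cannot find: either an uninstall
    # leftover or, as with twdd in this thread, a rootkit hiding its own file.
    if entry.file_missing:
        entry.reasons.append("driver file not found on disk ([?])")
    no_display = entry.name == entry.display
    # Vendors normally give a descriptive display name; an identical, short,
    # all-lowercase name is typical of names generated by malware installers.
    if no_display and re.fullmatch(r"[a-z]{3,8}", entry.name):
        entry.reasons.append("generated-looking service name")
    # Service name unrelated to the file it loads, with no descriptive display name.
    if no_display and stem != entry.name.lower().rsplit(".", 1)[0]:
        entry.reasons.append("service name does not match driver file name")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return the service entries from a ComboFix-style log that earned at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state} {e.name} -> {e.path}: {'; '.join(e.reasons)}")
```

A flagged entry is a lead for the helper to confirm against the rest of the log, not proof of infection; legitimate drivers with a missing file also appear after sloppy uninstalls.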

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 July 2009 - 11:38 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
UACd.sys

Rootkit::
C:\Windows\system32\drivers\UACohifirjtkd.sys
C:\WINDOWS\system32\UACflovbrspym.db
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACktawrijbxh.dll
C:\WINDOWS\system32\UACosvsvernom.dat
C:\WINDOWS\system32\UACpxdvaqdwdk.dll
C:\WINDOWS\system32\UACvkosvxfqrm.dll
C:\WINDOWS\system32\UACwymylypdvb.dll
C:\WINDOWS\Temp\UAC93de.tmp
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\UAC7c19.tmp

File::
C:\Windows\system32\drivers\UACohifirjtkd.sys
C:\WINDOWS\system32\UACflovbrspym.db
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACktawrijbxh.dll
C:\WINDOWS\system32\UACosvsvernom.dat
C:\WINDOWS\system32\UACpxdvaqdwdk.dll
C:\WINDOWS\system32\UACvkosvxfqrm.dll
C:\WINDOWS\system32\UACwymylypdvb.dll
C:\WINDOWS\Temp\UAC93de.tmp
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\UAC7c19.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#7 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 29 July 2009 - 04:35 PM

Thanks again for all the help. Things seem to be running much smoother now. Dig your avatar by the way.

Attached Files



#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 July 2009 - 05:12 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
dwshd.sys
dwshd
twdd

File::
c:\windows\system32\drivers\uyfs.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dwshd.sys]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. Let ComboFix reboot.. Then, please run SysProt Antirootkit once again as you did before


6. Please post the following reports/logs into your next reply:
  • Combofix.txt
  • SysProt log.

Edited by fenzodahl512, 29 July 2009 - 05:17 PM.



#9 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 29 July 2009 - 05:49 PM

Logs.

Attached Files



#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 July 2009 - 11:36 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now?



#11 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 30 July 2009 - 09:42 AM

It's running pretty well. Ten times better than before. Last night before running MBAM and ESET, Norton started freaking out and warned that it found Packed.generic.200, trojanfakeavalert, and hacktool.rootkit, then removed them. I ran MBAM to check and see if they were still there and it found a few things. After your reply I ran MBAM again and it came up clean. Here are both MBAM logs and ESET. Thanks again for all the help.

Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 5.1.2600 Service Pack 2

7/29/2009 6:23:59 PM
mbam-log-2009-07-29 (18-23-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 90800
Time elapsed: 48 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\hp_administrator\Desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACktawrijbxh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACvkosvxfqrm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP870\A0097900.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP870\A0097903.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 5.1.2600 Service Pack 2

7/29/2009 8:26:40 PM
mbam-log-2009-07-29 (20-26-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 213062
Time elapsed: 1 hour(s), 24 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files

  • Attached File  log.txt   1.33KB   3 downloads


#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 July 2009 - 09:48 AM

Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#13 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 30 July 2009 - 05:28 PM

Everything seems pretty good! Yea!!!!!!!!!!!! The only issue I'm having is that for some reason Windows will not recognize my Norton antivirus and gives a security warning. Norton itself seems to be running fine now. Spybot found HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/securitycenter/antivirus override. MBAM shows nothing. The only other question is, does this RootRepeal report mean anything? Either way I can't thank you enough for all the help. In a day and age where everyone seems to be out for themselves it's nice to know there are still people like yourself who are willing to help others without expecting something in return. Peace and thanks. J

Attached Files

  • Attached File  RR.txt   38.86KB   13 downloads


#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 July 2009 - 05:36 PM

I'm not an expert in interpreting RR log.. But to my limited knowledge, it shows nothing malicious..

About your Norton, maybe you need to uninstall >> reinstall it.. Anyhow, I'm not a fan of Norton.. I prefer free AV like Avira, Avast or AVG

Anymore questions? :)



#15 earthmud

earthmud
  • Topic Starter

  • Members
  • 15 posts

Posted 31 July 2009 - 01:54 PM

Sorry about the delay. Everything seems fine but for some reason the MySpace music players only work with Chrome and not IE or Firefox. Everything worked fine before the virus. Any ideas?



