Infected with rootkit.tdss/uac trojan


2 replies to this topic

#1 lightrix

  • Members
  • 2 posts

Posted 27 July 2009 - 06:10 PM

When I log in to Windows I get a Spyware Doctor alert that "rootkit.tdss is trying to change in uac*****.dll in the system32 folder." I have tried using MBAM to remove it, but to no avail. The Security Center service will not start at all. I have tried setting it to Automatic (Delayed Start) like it should be, but as soon as I click OK and close the Properties window, it is set back to Disabled.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Muniz at 17:25:50.77 on Mon 07/27/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1791.936 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\UI0Detect.exe
I:\AntiVirus 2009 Removal\HiJackThis.exe
C:\Users\Muniz\Desktop\123.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\sdclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
J:\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0908&m=et1641-02w
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0908&m=et1641-02w
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: BlspcHlpr Class: {15c9938f-cb96-496d-800a-b827f2e34ea1} - c:\program files\att internet tools\blspc.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [blspcloader] c:\program files\att internet tools\blsloader.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: motive.com\patttbc.att
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-20 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2008-12-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2008-12-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2008-12-24 482352]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090715.003\IDSvix86.sys [2009-7-19 293424]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-8 211216]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2008-12-24 115560]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-20 348752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-24 101936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-8 19096]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1005000.086\symndisv.sys [2008-12-24 39984]
S2 gupdate1c9983fd7d3e2f;Google Update Service (gupdate1c9983fd7d3e2f);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 GT;GT;c:\users\muniz\appdata\local\temp\GT.exe [2009-7-27 342912]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-7-9 17408]
S4 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2008-9-2 24576]

=============== Created Last 30 ================

2009-07-24 14:06 <DIR> --d----- C:\IT
2009-07-20 13:00 <DIR> --d----- c:\windows\system32\wbem\repository
2009-07-20 00:19 <DIR> --d----- c:\program files\OmegaVid
2009-07-20 00:15 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-20 00:15 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-20 00:15 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-20 00:15 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-20 00:15 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-20 00:15 <DIR> --d----- c:\programdata\PC Tools
2009-07-20 00:15 <DIR> --d----- c:\progra~2\PC Tools
2009-07-20 00:02 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-07-20 00:02 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-07-20 00:02 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-07-20 00:02 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-07-20 00:02 <DIR> --d----- c:\users\muniz\appdata\roaming\PC Tools
2009-07-20 00:02 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-19 18:36 <DIR> a-d----- c:\programdata\TEMP
2009-07-19 18:19 219,648 a------- c:\windows\PEV.exe
2009-07-19 18:19 161,792 a------- c:\windows\SWREG.exe
2009-07-19 18:19 98,816 a------- c:\windows\sed.exe
2009-07-19 18:19 318,976 a------- c:\windows\system32\CF6052.exe
2009-07-19 18:19 6,736 a------- c:\windows\system32\drivers\PROCEXP90.SYS
2009-07-19 18:03 318,976 a------- c:\windows\system32\CF1330.exe
2009-07-19 14:30 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-19 14:29 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-19 14:29 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-19 14:29 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-19 14:28 <DIR> --d----- c:\program files\ToniArts
2009-07-09 15:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 15:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 15:16 1,419,232 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-07-09 15:16 17,408 a------- c:\windows\system32\drivers\netaapl.sys

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-04-30 07:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 07:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-01-08 16:55 86,016 a------- c:\windows\inf\infstor.dat
2009-01-08 16:55 51,200 a------- c:\windows\inf\infpub.dat
2009-01-08 16:55 86,016 a------- c:\windows\inf\infstrng.dat
2008-08-15 22:59 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-27 07:18 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-27 07:18 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-27 07:18 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:28:26.41 ===============

#2 lightrix

  • Topic Starter
  • Members
  • 2 posts

Posted 29 July 2009 - 12:00 AM

Never mind about this one; the program UnHackMe fixed my problems. Thanks anyway.

#3 Guest_The weatherman_*

  • Guests

Posted 29 July 2009 - 05:05 PM

Thanks for letting us know lightrix.



