Infected with Rootkit.tdss


2 replies to this topic

#1 Svatle

Svatle

  • Members
  • 1 posts

Posted 22 August 2009 - 06:43 AM

Hi. Spyware Doctor informs me that I have been infected with Rootkit.tdss. This message appears when I try to install new Windows updates.

Also, my Norton Antivirus program won't do searches on the computer. I get an error message:
Invalid function An unanticipated error has occured. If it persists, please send the information below to our support department: Context: NVCOD - ScanThread Routine: NscExecuteScan Error value: 0x00300002 Error name: NDIORC_CANT_OPEN_PHYS

When I do a Google search, some hits redirect me to different ad pages.

I also get a message from the Google installation program telling me that it has a problem and needs to shut down. The files it's complaining about are:
C:\DOCUME~1\SVENAT~1\LOKALE~1\Temp\WERc9e8.dir00\GoogleUpdate.exe.mdmp
C:\DOCUME~1\SVENAT~1\LOKALE~1\Temp\WERc9e8.dir00\appcompat.txt

I did an online scan using HouseCall, and it also found a rootkit. The program was unable to remove it.

After reading about the trouble people are having with this malware, I turn to you for help.

Here are the different logs you requested:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Sven Atle Kvernenes at 13:15:49,98 on 22.08.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.1014.412 [GMT 2:00]

AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

============== Running Processes ===============

C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
C:\Programfiler\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\DOCUME~1\SVENAT~1\LOKALE~1\Temp\INSTAL~2.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programfiler\Java\jre6\bin\jusched.exe
C:\Programfiler\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Norman\Npm\Bin\scheduler.exe
C:\Programfiler\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Norman\Nvc\Bin\nvcoas.exe
C:\Programfiler\Norman\Nvc\Bin\Nip.exe
C:\Programfiler\Norman\Nvc\Bin\cclaw.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Opera\Opera.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Sven Atle Kvernenes\Skrivebord\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.inatur.no/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = elevproxy:8080
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programfiler\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SWEETIE: {1a0aadcd-3a72-4b5f-900f-e3bb5a838e2a} - SWEETIE Class
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programfiler\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programfiler\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} -
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\programfiler\msn messenger\MsnMsgr.Exe" /background
uRun: [Uniblue RegistryBooster 2009] c:\programfiler\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [WMPNSCFG] c:\programfiler\windows media player\WMPNSCFG.exe
uRun: [swg] c:\programfiler\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\programfiler\synaptics\syntp\SynTPEnh.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Microsoft Works Update Detection] c:\programfiler\fellesfiler\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\programfiler\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programfiler\itunes\iTunesHelper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\programfiler\hewlett-packard\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "c:\programfiler\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\programfiler\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [SunJavaUpdateSched] "c:\programfiler\java\jre6\bin\jusched.exe"
mRun: [Norman ZANDA] "c:\programfiler\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\adobeg~1.lnk - c:\programfiler\fellesfiler\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\hpdigi~1.lnk - c:\programfiler\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\hppsc1~1.lnk - c:\programfiler\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\hpoddt~1.lnk - c:\programfiler\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\hurtig~1.lnk - c:\programfiler\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\interv~1.lnk - c:\programfiler\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\micros~1.lnk - c:\programfiler\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\start-~1\progra~1\oppstart\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\sven atle kvernenes\start-meny\programmer\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programfiler\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\programfiler\java\jre6\bin\jp2iexp.dll
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.21.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programfiler\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\felles~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\svenat~1\progra~1\mozilla\firefox\profiles\yy1foi9k.default\
FF - prefs.js: browser.startup.homepage - www.ebay.com
FF - component: c:\documents and settings\sven atle kvernenes\programdata\mozilla\firefox\profiles\yy1foi9k.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayAccessService.dll
FF - component: c:\documents and settings\sven atle kvernenes\programdata\mozilla\firefox\profiles\yy1foi9k.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayFormSubmitObserver.dll
FF - plugin: c:\documents and settings\sven atle kvernenes\lokale innstillinger\programdata\myvrnpapi\npmyvr.dll
FF - plugin: c:\programfiler\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\programfiler\opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programfiler\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programfiler\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programfiler\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2006-8-3 13543]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-21 130936]
R1 NGS;Norman General Security Driver;c:\programfiler\norman\ngs\bin\ngs.sys [2009-8-21 22712]
R1 NPROSEC;Norman Security driver;c:\programfiler\norman\ngs\bin\nprosec.sys [2009-8-21 53816]
R2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\svenat~1\lokale~1\temp\INSTAL~2.EXE [2007-10-26 217220]
R2 Ndiskio;Ndiskio;c:\programfiler\norman\nse\bin\Ndiskio.sys [2009-8-21 20448]
R2 Norman ZANDA;Norman ZANDA;c:\programfiler\norman\npm\bin\Zanda.exe [2008-4-24 408696]
R2 NPROSECSVC;Norman Security service;c:\programfiler\norman\ngs\bin\nprosec.exe [2009-8-21 121912]
R2 NVOY;Norman Resource Provider;c:\programfiler\norman\npm\bin\nvoy.exe [2009-8-21 126008]
R3 nsesvc;Norman Scanner Engine Service;c:\programfiler\norman\nse\bin\Nsesvc.exe [2009-8-21 310328]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-8-21 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\programfiler\norman\nvc\bin\Nvcoas.exe [2009-8-21 195640]
R3 Scheduler;Norman Scheduler Service;c:\programfiler\norman\npm\bin\scheduler.exe [2009-8-21 130104]
S2 gupdate1c9b0484cb70dee;Google Update Service (gupdate1c9b0484cb70dee);c:\programfiler\google\update\GoogleUpdate.exe [2009-3-29 133104]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2006-7-11 84608]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\programfiler\norman\npm\bin\nvcsched.exe" --> c:\programfiler\norman\npm\bin\Nvcsched.exe [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programfiler\spyware doctor\pctsAuxs.exe [2009-8-21 348752]
S3 sdCoreService;PC Tools Security Service;c:\programfiler\spyware doctor\pctsSvc.exe [2009-8-21 1095560]

=============== Created Last 30 ================

2009-08-22 00:39 <DIR> --d-hr-- c:\documents and settings\sven atle kvernenes\Siste
2009-08-21 22:40 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-21 22:39 <DIR> --d----- c:\programfiler\fellesfiler\Symantec Shared
2009-08-21 22:39 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-21 22:39 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-21 22:39 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-21 22:39 <DIR> --d----- c:\programfiler\fellesfiler\PC Tools
2009-08-21 22:39 <DIR> --d----- c:\programfiler\Spyware Doctor
2009-08-21 22:39 <DIR> --d----- c:\docume~1\svenat~1\progra~1\PC Tools
2009-08-21 22:39 <DIR> --d----- c:\docume~1\alluse~1\progra~1\PC Tools
2009-08-21 22:37 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-08-21 22:37 <DIR> --d----- c:\programfiler\Norton Security Scan
2009-08-21 22:37 <DIR> --d----- c:\docume~1\alluse~1\progra~1\Symantec
2009-08-21 22:37 <DIR> --d----- c:\docume~1\alluse~1\progra~1\Norton
2009-08-21 22:37 <DIR> --d----- c:\programfiler\NortonInstaller
2009-08-21 22:37 <DIR> --d----- c:\docume~1\alluse~1\progra~1\NortonInstaller
2009-08-21 22:34 <DIR> --d----- c:\programfiler\Windows Installer Clean Up
2009-08-21 22:34 <DIR> --d----- c:\programfiler\MSECACHE
2009-08-21 22:21 212,024 a------- c:\windows\system32\nscrnsav.scr
2009-08-21 22:21 19,512 a------- c:\windows\system32\drivers\nvcw32mf.sys
2009-08-21 22:20 <DIR> --d----- c:\programfiler\Norman
2009-08-21 21:45 <DIR> --d----- C:\5c151dafb48d4804bc03756a82
2009-08-21 21:44 <DIR> --d----- C:\a0bc67701073438e83
2009-08-21 21:44 <DIR> -cd-h--- c:\docume~1\alluse~1\progra~1\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-21 21:37 <DIR> --d-hr-- C:\AHCache
2009-08-21 00:38 3,532 a------- C:\drmHeader.bin
2009-08-21 00:04 <DIR> --d----- c:\docume~1\svenat~1\progra~1\MozillaControl
2009-08-21 00:00 <DIR> --d----- c:\programfiler\Mozilla ActiveX Control v1.7.12
2009-08-20 23:59 <DIR> --d----- c:\programfiler\VideoLAN
2009-08-20 23:56 <DIR> --d----- c:\programfiler\Graboid
2009-08-20 14:59 <DIR> --d----- c:\docume~1\svenat~1\progra~1\System Tweaker
2009-08-20 14:58 <DIR> --d----- c:\programfiler\Uniblue
2009-08-20 14:58 <DIR> -cd-h--- c:\docume~1\alluse~1\progra~1\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-08-20 14:48 <DIR> --d----- c:\docume~1\svenat~1\progra~1\Uniblue
2009-08-19 11:39 46,113 a------- c:\windows\Sysvxd.exe
2009-08-06 13:18 626,960 a----r-- c:\windows\system32\hpvaut32.dll
2009-08-06 13:18 487,424 a----r-- c:\windows\system32\hpvcp70.dll
2009-08-06 13:18 344,064 a----r-- c:\windows\system32\hpvcr70.dll
2009-08-06 13:18 44,544 a----r-- c:\windows\system32\MSXML4a.dll
2009-08-06 13:14 <DIR> --d----- c:\programfiler\HP
2009-08-06 13:13 94,836 a------- c:\windows\HPHins03.dat
2009-08-06 13:13 2,651 -------- c:\windows\hphmdl03.dat
2009-07-23 14:03 139,152 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-23 14:03 139,152 a------- c:\docume~1\svenat~1\progra~1\PnkBstrK.sys
2009-07-23 14:03 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-07-23 14:02 794,408 a------- c:\windows\system32\pbsvc.exe
2009-07-23 14:02 75,064 a------- c:\windows\system32\PnkBstrA.exe

==================== Find3M ====================

2009-08-22 00:19 411,498 a------- c:\windows\system32\perfh014.dat
2009-08-22 00:19 73,088 a------- c:\windows\system32\perfc014.dat
2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 11:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 ac------ c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 15:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 21:04 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 21:04 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 15:31 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 19:01 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 19:01 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 19:01 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 19:01 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 19:01 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 19:01 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 19:01 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 19:01 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 19:01 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 19:01 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 19:01 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 19:01 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 13:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 10:27 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 10:27 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 10:27 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 10:27 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 10:27 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 10:27 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 13:18 92,928 ac------ c:\windows\system32\drivers\ksecdd.sys
2009-06-24 13:18 92,928 a------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 16:43 119,808 ac------ c:\windows\system32\t2embed.dll
2009-06-16 16:43 81,920 ac------ c:\windows\system32\fontsub.dll
2009-06-15 12:45 76,800 ac------ c:\windows\system32\telnet.exe
2009-06-10 16:16 84,992 ac------ c:\windows\system32\avifil32.dll
2009-06-10 09:22 2,066,432 ac------ c:\windows\system32\mstscax.dll
2009-06-10 08:16 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 21:11 1,294,336 a------- c:\windows\system32\quartz.dll
2006-07-28 16:20 168 ac------ c:\docume~1\svenat~1\progra~1\wklnhst.dat
2008-10-22 17:16 32,768 ac-sh--- c:\windows\system32\config\systemprofile\lokale innstillinger\logg\history.ie5\mshist012008102220081023\index.dat
2008-09-09 07:07 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 13:16:30,42 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 13:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9B991000 Size: 876544 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0x9BAD7000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9AC1A000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACfjnopykxel.dll]
Process: svchost.exe (PID: 1688) Address: 0x10000000 Size: 65536

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClpvpwvngdd.sys

==EOF==
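Added example, not code from the thread or from RootRepeal itself: a small parser for the RootRepeal report format above that pulls out the items a responder checks first (drivers with no visible file on disk, ignoring the scanner's own driver and Windows' crash-dump driver copy; modules hidden inside a process; hidden services) and groups file names that share a leading prefix across categories, as the UAC*.dll module and the UAC*.sys service image do here. The sample input is constructed from the excerpt above.

```python
"""Triage helper for a RootRepeal text report. Added example: not code from the
thread, from BleepingComputer or from RootRepeal itself."""
import re

# Constructed sample (raw string): the RootRepeal excerpt posted above, trimmed.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9B991000 Size: 876544 File Visible: No Signed: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0x9BAD7000 Size: 2560 File Visible: No Signed: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACfjnopykxel.dll]
Process: svchost.exe (PID: 1688) Address: 0x10000000 Size: 65536

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClpvpwvngdd.sys
==EOF==
"""

RULE_RE = re.compile(r"^-{5,}$")                       # dashed underline below a title
EXPECTED_INVISIBLE = {"rootrepeal.sys"}                # the scanner's own driver
DUMP_DRIVER_RE = re.compile(r"^dump_\w+\.sys$", re.I)  # Windows' crash-dump copy of the boot driver

def parse_report(text):
    """Return dict: hidden_drivers [(name, path)], hidden_modules [(module, process, pid)], hidden_services [(service, path)]."""
    found = {"hidden_drivers": [], "hidden_modules": [], "hidden_services": []}
    section = name = path = module = service = None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            section = line  # RootRepeal underlines every section title with dashes
        elif section == "Drivers":
            if line.startswith("Name:"):
                name, path = line[5:].strip(), None
            elif line.startswith("Image Path:"):
                path = line[11:].strip()
            elif "File Visible: No" in line and name:
                # Anything not expected to run without an on-disk file is reported for review.
                if name.lower() not in EXPECTED_INVISIBLE and not DUMP_DRIVER_RE.match(name):
                    found["hidden_drivers"].append((name, path))
        elif section == "Stealth Objects":
            m = re.match(r"Object: Hidden Module \[Name: (.+?)\]", line)
            if m:
                module = m.group(1)
            m = re.match(r"Process: (\S+) \(PID: (\d+)\)", line)
            if m and module:
                found["hidden_modules"].append((module, m.group(1), int(m.group(2))))
                module = None
        elif section == "Hidden Services":
            if line.startswith("Service Name:"):
                service = line.split(":", 1)[1].strip()
            elif line.startswith("Image Path:") and service:
                found["hidden_services"].append((service, line.split(":", 1)[1].strip()))
                service = None
    return found

def shared_prefixes(found, length=3):
    """Group hidden module and hidden-service file names by leading prefix; one prefix across both points at one component set."""
    groups = {}
    for module, _, _ in found["hidden_modules"]:
        groups.setdefault(module[:length].upper(), set()).add(module)
    for _, path in found["hidden_services"]:
        stem = path.rsplit("\\", 1)[-1]
        groups.setdefault(stem[:length].upper(), set()).add(stem)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

On the sample, `parse_report` keeps only mchInjDrv.sys from the driver list and `shared_prefixes` reports the two UAC-prefixed names together.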

#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 September 2009 - 10:27 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Syler, I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 September 2009 - 06:49 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
