tdlclk.dll, trojan.win32.tdss.aalc, rootkit keeps coming back


  • This topic is locked
23 replies to this topic

#1 ThreeFingersDown

  • Members
  • 18 posts

Posted 28 November 2009 - 05:03 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/273580/please-help-vista-virus-cannot-seem-to-get-rid-of-it/ ~ OB

I have gotten rid of most of my annoying problems but this (trojan.win32.tdss.aalc (v)) keeps sporadically showing up in my Vipre scans. Also Vipre consistently stops (tdlclk.dss) from opening.

Here are my DDS and RootRepeal logs.

Thank you very much in advance.

Attached Files


Edited by Orange Blossom, 28 November 2009 - 05:48 PM.



#2 ThreeFingersDown

  • Topic Starter
  • Members
  • 18 posts

Posted 29 November 2009 - 07:11 PM

I just ran a full system scan and this came up as well.

Trojan.Win32.generic!BT

#3 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 06 December 2009 - 02:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 ThreeFingersDown

  • Topic Starter
  • Members
  • 18 posts

Posted 07 December 2009 - 12:16 PM

Thank you very much, I have had the same problem for the past couple of weeks. I think it's a rootkit that resides in C:\Windows\System32\svchost.exe because that's where Viper keeps blocking files from. Also my scans keep coming up with this (trojan.win32.tdss.aalc.v) no matter how many times I try to remove it. Please let me know if there is anything else I can do.

I attached both my DDS file and my Virus Scan file.

Here is my Text DDS, and then my viper log is right after that.

___________________________________________


DDS (Ver_09-12-01.01) - NTFSx86
Run by Bill at 11:57:26.17 on Mon 12/07/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2029.1036 [GMT -5:00]

AV: System Defender *On-access scanning enabled* (Updated) {3A6346EA-D677-4796-9A57-F338A957C0EB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: System Defender *enabled* {372196F9-100B-4CDC-ABD7-B3008A06CB28}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WinService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMCreateRestore.exe
C:\Users\Bill\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam 666.exe" /runcleanupscript
mRunServices: [Microzoft] spoolv.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: rahuziti.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\bill\appdata\roaming\mozilla\firefox\profiles\e203kyo4.default\
FF - prefs.js: browser.startup.homepage - www.Google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\users\bill\appdata\roaming\mozilla\firefox\profiles\e203kyo4.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\bill\appdata\roaming\mozilla\firefox\profiles\e203kyo4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-22 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-8-5 93360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-7-30 202928]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-22 112592]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-9-10 16400]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2009-9-7 1012040]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-8-10 69936]
R2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2007-8-19 180224]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-9-10 97808]
R3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [2009-5-21 52008]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2009-9-10 21648]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-9-10 21904]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\system32\drivers\royal.sys [2007-8-19 240128]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-2-7 206336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-22 358600]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-22 1141200]

=============== Created Last 30 ================

2009-12-07 16:51:49 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-12-06 05:30:06 0 d-----w- c:\users\bill\appdata\roaming\LucasArts
2009-12-06 05:30:02 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-12-06 05:30:02 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-12-06 05:30:01 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-12-06 05:30:01 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-06 05:30:01 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-12-06 05:30:00 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-12-06 05:30:00 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-12-06 05:30:00 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-12-02 06:38:20 23552 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-01 06:40:56 0 d-----w- c:\programdata\Gamerizon
2009-11-30 18:23:23 2646054 ----a-w- C:\Space_Ambient.aif
2009-11-30 06:26:21 0 d-----w- c:\program files\Enigma Software Group
2009-11-25 04:37:50 2454 ----a-w- c:\windows\system32\tmp.reg
2009-11-24 06:13:12 0 d-----w- c:\program files\Free Window Registry Repair
2009-11-24 06:04:55 0 d-----w- c:\users\bill\appdata\roaming\SmartPCTools
2009-11-24 06:02:37 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-11-24 05:57:05 0 d-----w- c:\program files\RegFix Mantra
2009-11-23 18:23:11 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 04:56:43 628 --sha-r- c:\users\bill\ntuser.pol
2009-11-23 04:32:39 0 d-----w- c:\users\bill\appdata\roaming\PC Tools
2009-11-23 04:32:39 0 d-----w- c:\programdata\PC Tools
2009-11-23 04:32:39 0 d-----w- c:\program files\Spyware Doctor
2009-11-23 04:32:39 0 d-----w- c:\program files\common files\PC Tools
2009-11-23 04:31:23 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-23 04:31:23 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 00:54:05 104 ----a-w- c:\windows\system32\SBRC.dat
2009-11-22 10:03:07 0 d-----w- c:\program files\WinPcap
2009-11-16 14:12:01 0 d-sh--w- C:\System Defender
2009-11-16 14:11:51 0 d-sh--w- c:\programdata\7b57961
2009-11-12 20:24:09 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-12 20:23:49 0 d-----w- c:\users\bill\appdata\roaming\SUPERAntiSpyware.com

==================== Find3M ====================

2009-12-07 16:26:15 34800 ----a-w- c:\programdata\nvModes.dat
2009-11-20 08:19:41 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-11 02:58:59 12800 ----a-w- c:\windows\system32\LogonUI(349).exe
2009-11-11 02:58:59 12800 ----a-w- c:\windows\system32\LogonUI(349)(73).exe
2009-11-08 06:04:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-08 06:04:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-08 06:04:20 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-08 16:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 16:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 16:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 16:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-02 19:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-09-27 22:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 22:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 22:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 22:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 21:12:22 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 21:12:22 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 21:12:22 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 21:12:22 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 21:12:22 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 21:12:22 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 21:12:22 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 21:12:22 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 21:12:22 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-24 14:24:18 490088 ----a-w- c:\windows\system32\nvuninst.exe
2008-10-06 18:48:06 174 --sha-w- c:\program files\desktop.ini
2008-10-06 18:40:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-07-29 08:23:28 744075 ---ha-w- c:\program files\common files\data.dat
2008-01-29 21:10:00 760708 ----a-w- c:\program files\ac3filter_1_11.exe
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-10-09 20:02:52 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-10-09 20:02:52 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-10-09 20:02:52 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-11-01 16:23:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012007110120071102\index.dat
2009-03-15 06:52:45 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009031520090316\index.dat
2009-03-25 06:24:52 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009032520090326\index.dat
2009-05-31 19:27:17 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009053120090601\index.dat
2009-07-13 16:56:44 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009071320090714\index.dat
2009-07-31 15:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009073120090801\index.dat
2009-08-05 06:02:45 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009080520090806\index.dat
2009-08-08 22:56:31 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009080820090809\index.dat
2009-08-14 05:42:23 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009081420090815\index.dat
2009-08-26 17:48:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082620090827\index.dat
2009-08-29 22:22:05 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082920090830\index.dat
2009-09-06 07:05:46 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009090620090907\index.dat

============= FINISH: 11:58:13.64 ===============

_______________________________________________________________________

<SBCSThreatEngineResults version="3.1.2837" ><summary scanGUID="{60E8DD00-AFE9-45C1-A3F9-B627776DFACB}" scanDescription="0 - Quick, 0 - Manual" threatDefinitionVersion="5547" ><scannerResults><numThreats found="1" ignored="0"/><numTracesScanned cookies="8" registry="32833" files="3267" folders="680" processes="49" total="36837"/><numTracesFound cookies="0" registry="0" files="1" folders="0" processes="0" total="1"/><dateTimeStampUTC start="2009-12-07T16:43:37" end="2009-12-07T16:46:02"/><errors></errors></scannerResults><cleanerResults><numThreats deleted="0" quarantined="1" ignored="0" reportonly="0" total="1"/><dateTimeStampUTC start="2009-12-07T16:46:24" end="2009-12-07T16:46:27"/><errors></errors></cleanerResults></summary><scannerOptions scanAllLocalDrives="false" scanCookies="false" scanProcesses="false" scanRegistry="false" scanProcessesDeep="false" suspendActiveThreats="false" scanAllUsers="false" useFileNameAndChecksum="false" dontCalcChecksum="false" scanCommonTactics="false" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="false" findLowRiskThreats="false" keepScanRecord="false" maxCheckFileLen="0" minCheckFileLen="0" scanVipreSuspicious="false" scanDerivatives="false"><userIncludedPaths></userIncludedPaths><userExcludedPaths></userExcludedPaths><ignoredThreats>
</ignoredThreats></scannerOptions><cleanerOptions></cleanerOptions><threats></threats></SBCSThreatEngineResults>

Attached Files
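A defender-side triage pass over a DDS log like the one pasted above, as an added example that is not part of this thread and not code from DDS itself. It splits the log on the section headers DDS emits, then applies a few rules to the Pseudo HJT Report (AppInit_DLLs entries, an IFEO entry for a system binary, UAC disabled by policy, autorun entries that give only a bare filename) and to the Created Last 30 list (new executables written straight into system32). The sample log is constructed from lines quoted in this post; the rule set and the `Finding` type are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a cut-down DDS log built from lines quoted in post #4.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
mRunServices: [Microzoft] spoolv.exe
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: rahuziti.dll
IFEO: image file execution options - svchost.exe

=============== Created Last 30 ================

2009-12-07 16:51:49 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-12-06 05:30:02 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-12-02 06:38:20 23552 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-25 04:37:50 2454 ----a-w- c:\windows\system32\tmp.reg
2009-11-23 18:23:11 0 d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2009-12-07 16:26:15 34800 ----a-w- c:\programdata\nvModes.dat
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")     # "===== Name =====" section headers
HJT_KEY_RE = re.compile(r"^([\w -]+?):\s*(.*)$")  # "Key: value" lines in the HJT report
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
EXEC_EXT = (".dll", ".exe", ".sys")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": needs an analyst's eye
    rule: str
    line: str


def split_sections(text):
    """Group log lines under the DDS section header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def triage_hjt(lines):
    """Rules over the Pseudo HJT Report (autoruns, policies, hooks)."""
    findings = []
    for line in lines:
        if line.startswith(("uStart Page", "mStart Page")):
            findings.append(Finding("review", "browser start page points at a third-party site", line))
            continue
        m = HJT_KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "AppInit_DLLs" and value:
            findings.append(Finding("high", "AppInit_DLLs loads a DLL into every process that maps user32", line))
        elif key == "IFEO":
            findings.append(Finding("high", "Image File Execution Options entry for a system binary", line))
        elif key == "mPolicies-system" and value.startswith("EnableLUA = 0"):
            findings.append(Finding("high", "UAC disabled by policy", line))
        elif key in ("uRun", "mRun", "mRunServices"):
            # Format is "[Name] target args"; a target with no directory is resolved by PATH search.
            target = value.split("]", 1)[1].strip() if "]" in value else value
            if "\\" not in target.split(" ", 1)[0].strip('"'):
                findings.append(Finding("high", "autorun entry with a bare filename (no full path)", line))
    return findings


def triage_created(lines):
    """Flag executables written straight into system32 within the last 30 days."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m.group(4).startswith("d"):   # attribute string starting with 'd' = directory
            continue
        path = m.group(5).lower()
        rest = path[len(SYSTEM32):] if path.startswith(SYSTEM32) else None
        if rest and "\\" not in rest and rest.endswith(EXEC_EXT):
            findings.append(Finding("review", "new executable directly in system32 (verify publisher/signature)", line))
    return findings


def triage(text):
    """Run all rules over a DDS log and return the findings in log order."""
    sections = split_sections(text)
    return (triage_hjt(sections.get("Pseudo HJT Report", []))
            + triage_created(sections.get("Created Last 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```

The system32 rule deliberately reports the DirectX redistributable DLLs too: the log alone cannot tell a game installer's drop from a rootkit's, so the analyst confirms publisher and signature by hand.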



#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 08 December 2009 - 04:04 PM

Hello ThreeFingersDown,

Welcome to the Bleeping Computer Malware Removal Forum, my name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: ComboFix message shown after the Recovery Console is installed]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#6 ThreeFingersDown

  • Topic Starter
  • Members
  • 18 posts

Posted 09 December 2009 - 03:22 AM

I had some trouble running Combofix, the first time I got this "CD Emulation Drivers Detected." and it told me to re-boot and I did. Then it told me this "Combofix has detected presence of a Rootkit activity, and will restart the computer" so I restarted a 2nd time. Third time booting up Combofix ran and then crashed.

So I did this whole thing again including the 2 dialog boxes and 2 re-boots, but on the third time Combofix ran without crashing. It said it was getting rid of some stuff and restarted my computer. Upon this restart Combofix was starting to compile info for the text log and BAM! Viper blocks tdlclk.dll again.

So this little nasty is still kicking around somewhere : /

Here is my Combofix file

I know you guys are busy, so sincerely thank you for your time and help.

---------------------------------------------------------------------------------------------------------------

ComboFix 09-12-08.03 - Bill 12/09/2009 2:29.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2029.1225 [GMT -5:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1181871191-4164290024-1905974208-1002
c:\$recycle.bin\S-1-5-21-1181871191-4164290024-1905974208-1003
c:\$recycle.bin\S-1-5-21-1181871191-4164290024-1905974208-1004
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\api.dat
c:\windows\system32\Data
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\msvcsv60.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-12-09 07:44 . 2009-12-09 07:47 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-12-09 07:44 . 2009-12-09 07:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-09 07:44 . 2009-12-09 07:44 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-09 07:44 . 2009-12-09 07:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-09 07:22 . 2009-12-09 07:22 -------- d-----w- C:\32788R22FWJFW
2009-12-06 05:30 . 2009-12-06 05:30 -------- d-----w- c:\users\Bill\AppData\Roaming\LucasArts
2009-12-06 05:30 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-12-06 05:30 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-12-06 05:30 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-12-06 05:30 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-12-06 05:30 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-06 05:30 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-12-06 05:30 . 2008-10-15 11:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-12-06 05:30 . 2008-10-15 11:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-12-01 06:40 . 2009-12-01 06:40 -------- d-----w- c:\programdata\Gamerizon
2009-11-30 06:26 . 2009-11-30 06:39 -------- d-----w- c:\program files\Enigma Software Group
2009-11-24 06:13 . 2009-11-30 06:39 -------- d-----w- c:\program files\Free Window Registry Repair
2009-11-24 06:04 . 2009-11-24 06:04 -------- d-----w- c:\users\Bill\AppData\Roaming\SmartPCTools
2009-11-24 06:02 . 2009-11-24 06:02 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-11-24 05:57 . 2009-11-24 16:58 -------- d-----w- c:\program files\RegFix Mantra
2009-11-23 19:04 . 2009-11-23 19:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com
2009-11-23 18:23 . 2009-12-04 07:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-23 04:36 . 2009-11-23 04:36 -------- d-----w- c:\users\Bill\AppData\Local\Threat Expert
2009-11-23 04:31 . 2009-11-28 20:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-23 04:31 . 2009-11-23 06:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 04:13 . 2009-11-23 04:13 -------- d-----w- c:\users\Default\AppData\Roaming\Malwarebytes
2009-11-23 00:54 . 2009-11-23 04:25 104 ----a-w- c:\windows\system32\SBRC.dat
2009-11-16 14:12 . 2009-11-16 14:12 -------- d-----w- C:\System Defender
2009-11-16 14:11 . 2009-11-17 07:28 -------- d-sh--w- c:\programdata\7b57961
2009-11-12 20:24 . 2009-11-12 20:24 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-12 20:23 . 2009-11-23 18:23 -------- d-----w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 07:51 . 2009-12-09 07:51 25600 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-09 07:47 . 2009-06-13 03:56 34800 ----a-w- c:\programdata\nvModes.dat
2009-12-09 07:03 . 2009-10-21 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 20:18 . 2009-09-08 20:16 -------- d-----w- c:\users\Bill\AppData\Roaming\Digidesign
2009-12-07 17:02 . 2009-12-07 17:02 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-07 06:01 . 2008-01-22 13:09 -------- d-----w- c:\users\Bill\AppData\Roaming\uTorrent
2009-12-07 05:54 . 2007-08-19 23:51 -------- d-----w- c:\program files\Steam
2009-12-05 04:55 . 2009-12-05 04:55 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-03 21:14 . 2009-10-22 07:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-10-22 07:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 17:28 . 2009-11-23 19:49 117760 ----a-w- c:\users\Bill\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 18:15 . 2009-09-09 05:32 16 ----a-w- c:\windows\msocreg32.dat
2009-11-29 00:56 . 2009-03-18 07:56 -------- d-----w- c:\program files\Google
2009-11-28 20:33 . 2009-10-05 05:32 -------- d-----w- c:\users\Bill\AppData\Roaming\Sony
2009-11-28 20:31 . 2009-08-08 22:57 -------- d-----w- c:\program files\Darwinia
2009-11-28 20:31 . 2009-08-08 22:34 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-11-25 16:12 . 2009-11-23 19:04 117760 ----a-w- c:\windows\System32\config\systemprofile\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 16:11 . 2006-11-02 13:00 2032 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2009-11-24 17:02 . 2007-10-27 19:36 -------- d-----w- c:\program files\Electronic Arts
2009-11-24 16:59 . 2009-07-10 06:03 -------- d-----w- c:\program files\Telltale Games
2009-11-24 05:55 . 2007-11-14 15:14 -------- d-----w- c:\programdata\Lavasoft
2009-11-23 19:40 . 2009-07-03 05:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-23 05:36 . 2009-11-23 04:32 -------- d-----w- c:\program files\Spyware Doctor
2009-11-23 04:33 . 2009-11-23 04:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-23 04:32 . 2009-11-23 04:32 -------- d-----w- c:\users\Bill\AppData\Roaming\PC Tools
2009-11-23 04:32 . 2009-11-23 04:32 -------- d-----w- c:\programdata\PC Tools
2009-11-20 08:19 . 2009-08-05 19:58 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-20 08:17 . 2009-03-04 18:19 -------- d-----w- c:\program files\Lavasoft
2009-11-11 02:58 . 2008-09-07 15:23 12800 ----a-w- c:\windows\system32\LogonUI(349).exe
2009-11-11 02:58 . 2008-09-07 15:23 12800 ----a-w- c:\windows\system32\LogonUI(349)(73).exe
2009-11-08 06:05 . 2007-08-23 04:41 -------- d-----w- c:\programdata\NVIDIA
2009-11-07 17:59 . 2009-11-16 14:12 457688 ----a-w- c:\programdata\7b57961\sqlite3.dll
2009-11-07 17:59 . 2009-11-16 14:12 722392 ----a-w- c:\programdata\7b57961\mozcrt19.dll
2009-11-05 06:23 . 2009-11-05 06:23 -------- d-----w- c:\users\Bill\AppData\Roaming\runic games
2009-11-05 06:20 . 2009-11-05 06:20 -------- d-----w- c:\program files\Runic Games
2009-11-04 16:56 . 2007-09-23 14:35 -------- d-----w- c:\program files\Common Files\Steam
2009-11-02 07:38 . 2009-11-02 07:38 -------- d-----w- c:\program files\iTunes
2009-11-02 07:38 . 2009-11-02 07:38 -------- d-----w- c:\program files\iPod
2009-11-02 07:38 . 2008-07-27 01:11 -------- d-----w- c:\program files\Common Files\Apple
2009-11-02 07:35 . 2009-11-02 07:35 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-27 15:37 . 2009-10-27 15:37 -------- d-----w- c:\program files\Defraggler
2009-10-27 15:34 . 2009-10-27 15:34 -------- d-----w- c:\program files\CCleaner
2009-10-22 07:43 . 2007-08-19 15:10 106848 ----a-w- c:\users\Bill\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-22 07:42 . 2007-08-19 15:08 106848 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-22 07:24 . 2009-10-22 07:24 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes
2009-10-22 06:26 . 2008-12-13 08:21 -------- d-----w- c:\program files\WinDS PRO
2009-10-22 06:17 . 2008-03-02 22:12 -------- d-----w- c:\program files\AML Products
2009-10-21 19:57 . 2009-10-21 19:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2009-10-21 19:44 . 2009-10-21 19:44 -------- d-----w- c:\programdata\Malwarebytes
2009-10-21 19:29 . 2009-10-21 19:29 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2009-10-19 17:15 . 2007-08-19 15:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 16:31 . 2009-11-23 04:32 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 16:31 . 2009-11-23 04:32 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 16:31 . 2009-11-23 04:32 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 16:31 . 2009-11-23 04:32 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 21:31 . 2009-11-23 04:32 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 19:19 . 2009-11-23 04:32 1152470 ----a-w- c:\windows\UDB.zip
2009-09-27 22:47 . 2009-09-27 22:47 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 22:47 . 2009-09-27 22:47 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 22:47 . 2009-09-27 22:47 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 22:47 . 2009-09-27 22:47 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 22:47 . 2009-09-27 22:47 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 22:47 . 2009-09-27 22:47 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 22:47 . 2009-09-27 22:47 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 22:47 . 2009-09-27 22:47 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 22:47 . 2009-09-27 22:47 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 22:47 . 2009-09-27 22:47 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 22:46 . 2009-09-27 22:46 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 22:46 . 2009-09-27 22:46 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 21:12 . 2009-09-27 21:12 9509832 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-09-27 21:12 . 2009-09-27 21:12 490088 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-27 21:12 . 2009-09-27 21:12 2169448 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 21:12 . 2009-09-27 21:12 1997416 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 21:12 . 2009-09-27 21:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 21:12 . 2009-09-27 21:12 170600 ----a-w- c:\windows\system32\nvcod167.dll
2009-09-27 21:12 . 2009-09-27 21:12 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 21:12 . 2009-09-27 21:12 11197032 ----a-w- c:\windows\system32\nvoglv32.dll
2009-09-27 21:12 . 2007-08-13 21:13 7614056 ----a-w- c:\windows\system32\nvd3dum.dll
2009-09-27 21:12 . 2007-08-13 21:13 1074280 ----a-w- c:\windows\system32\nvapi.dll
2009-09-24 14:24 . 2007-09-12 09:28 490088 ----a-w- c:\windows\system32\nvuninst.exe
2009-09-24 13:55 . 2009-11-23 04:32 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-09-24 13:55 . 2009-11-23 04:32 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-23 21:10 . 2009-11-23 04:32 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2008-07-29 08:23 . 2008-04-07 16:55 744075 ---ha-w- c:\program files\Common Files\data.dat
2008-01-29 21:10 . 2008-01-29 21:09 760708 ----a-w- c:\program files\ac3filter_1_11.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-02 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-08-15 77824]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-09-07 959784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=Digi32.dll
"Midi2"=diomidi.dll
"midi4"=ma_cmidn.dll
"midi3"=ma_cmidn.dll
"midi5"=ma_cmidn.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Bill^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Sid Registration.lnk]
backup=c:\windows\pss\Sid Registration.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
2006-11-17 09:42 53341 ------w- c:\program files\Creative\Shared Files\CTSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-09-27 22:47 92776 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17RunE]
2007-04-09 01:40 14848 ----a-w- c:\windows\System32\P17RunE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1181871191-4164290024-1905974208-1000]
"EnableNotificationsRef"=dword:00000003

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [11/22/2009 11:32 PM 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R1 SBRE;SBRE;c:\windows\System32\drivers\SBREDrv.sys [8/5/2009 02:58 PM 93360]
R1 sbtis;sbtis;c:\windows\System32\drivers\sbtis.sys [7/30/2009 02:30 AM 202928]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/22/2009 11:32 PM 112592]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\System32\drivers\diginet.sys [9/10/2009 02:47 AM 16400]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [9/7/2009 01:02 PM 1012040]
R2 sbapifs;sbapifs;c:\windows\System32\drivers\sbapifs.sys [8/10/2009 07:06 PM 69936]
R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [8/19/2007 04:26 PM 180224]
R3 iLokDrvr;Usb Driver;c:\windows\System32\drivers\iLokDrvr.sys [5/21/2009 01:40 PM 52008]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\System32\drivers\royal.sys [8/19/2007 10:35 AM 240128]
S3 dalwdmservice;dal service;c:\windows\System32\drivers\Dalwdm.sys [9/10/2009 02:47 AM 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\System32\drivers\mbx2dfu.sys [9/10/2009 02:47 AM 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\System32\drivers\mbx2midk.sys [9/10/2009 02:47 AM 21904]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v2.sys [2/7/2007 04:20 AM 206336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/22/2009 11:32 PM 358600]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [11/23/2008 02:18 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\e203kyo4.default\
FF - prefs.js: browser.startup.homepage - www.Google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\e203kyo4.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\e203kyo4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Microzoft - spoolv.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 02:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x85F6BF61]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87dcb322
\Driver\ACPI -> acpi.sys @ 0x80696d4c
\Driver\atapi -> atapi.sys @ 0x805b99aa
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1181871191-4164290024-1905974208-1000\Software\SecuROM\License information*]
"datasecu"=hex:21,c5,61,f3,d4,e8,8e,86,03,98,55,02,71,e8,8b,ed,2b,a0,df,d0,01,
8f,6b,03,f3,5c,0b,75,b1,a5,49,cf,ca,9a,ae,49,bb,b2,5a,66,18,f3,20,9c,f8,81,\
"rkeysecu"=hex:4d,65,55,91,a7,37,7e,73,2d,60,0e,e2,bb,60,50,91
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-09 02:56:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-09 07:56

Pre-Run: 73,556,992,000 bytes free
Post-Run: 73,274,974,208 bytes free

- - End Of File - - D449C9ADFEE20399207E5C53C4C870AD

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:27 PM

Posted 09 December 2009 - 05:08 AM

Hello ThreeFingersDown,

Often, CD emulating software interferes with the detection of this rootkit. Please do the following and AFTER that, re-run Combofix.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Post me the Combofix log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 ThreeFingersDown

ThreeFingersDown
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 09 December 2009 - 06:08 PM

So I ran DeFogger and disabled my CD emulator, which got rid of the first pop-up, but ComboFix still popped up with the "combofix has found rootkit activity" dialog and restarted. Upon restart ComboFix started doing its thing, but somewhere about 10 min in it crashed and I got a blue screen of death.

Upon restarting after that, nothing seemed changed: Vipre was still popping up with tdlclk.dll warnings and Malwarebytes was still finding Rootkit.TDSS but not fully deleting it.

Please let me know what my next step should be, thanks.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:27 PM

Posted 10 December 2009 - 06:29 AM

Okay, let's try the TDSS removal tool. Please let me know if, after running the tool and restarting your computer, your security software is still picking up the TDL files (or the TDSS rootkit; it's the same thing).
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (very important that it's located there!).
  • Click start > run and copy paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed reboot the computer.
It will produce a text file (report.txt) on the desktop. Post this in your next reply.

Edited by elise025, 10 December 2009 - 07:07 AM.

regards, Elise



#10 ThreeFingersDown

ThreeFingersDown
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 10 December 2009 - 12:17 PM

Hi, here is my TDSSKiller log. As I'm writing this I'm getting pop-ups from Vipre (tdlclk.dll), so I guess it didn't fully work : (

Here you go!


(EDIT) - I just ran Malwarebytes after I posted this and the scan came up with the usual suspect (Rootkit.TDSS); the file was "windows/system32/tdlcmd.dll"


----------------------------------------------------------------------------------------------------------



Host Name: BILL-JR
OS Name: Microsoft® Windows Vista™ Ultimate
OS Version: 6.0.6001 Service Pack 1 Build 6001
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Bill
Registered Organization:
Product ID: 89580-OEM-7300542-26573
Original Install Date: 8/19/2007, 01:58:33 PM
System Boot Time: 12/10/2009, 12:03:18 PM
System Manufacturer: INTEL_
System Model: DP35DP__
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 15 Stepping 11 GenuineIntel ~2331 Mhz
BIOS Version: Intel Corp. DPP3510J.86A.0216.2007.0502.1916, 5/2/2007
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,029 MB
Available Physical Memory: 1,175 MB
Page File: Max Size: 4,299 MB
Page File: Available: 3,447 MB
Page File: In Use: 852 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\BILL-JR
Hotfix(s): 124 Hotfix(s) Installed.
[01]: {5D96A7C7-7CDB-434D-B9AA-E77BE2F11BFB}
[02]: 933246
[03]: KB941236 Windows DreamScene Content
[04]: KB944427 Windows DreamScene Content
[05]: KB931133 Windows DreamScene Content
[06]: 929327
[07]: 933713
[08]: 932926
[09]: 932925
[10]: KB925902
[11]: KB929399
[12]: KB929735
[13]: KB930178
[14]: KB930857
[15]: KB931099
[16]: KB931573
[17]: KB932471
[18]: KB933579
[19]: KB933729
[20]: KB935652
[21]: KB936021
[22]: KB936357
[23]: KB936782
[24]: KB936825
[25]: KB937077
[26]: KB938127
[27]: KB938952
[28]: KB939159
[29]: KB941202
[30]: KB941229
[31]: KB941568
[32]: KB941569
[33]: KB941644
[34]: KB943055
[35]: KB943078
[36]: KB945553
[37]: KB946026
[38]: KB946456
[39]: KB947172
[40]: KB905866
[41]: KB928089
[42]: KB929123
[43]: KB929916
[44]: KB931213
[45]: KB931836
[46]: KB933360
[47]: KB933928
[48]: KB935280
[49]: KB935509
[50]: KB935807
[51]: KB936824
[52]: KB937143
[53]: KB937287
[54]: KB938123
[55]: KB938194
[56]: KB938371
[57]: KB938464
[58]: KB938979
[59]: KB939653
[60]: KB941649
[61]: KB941651
[62]: KB941693
[63]: KB942615
[64]: KB942624
[65]: KB942763
[66]: KB943302
[67]: KB943411
[68]: KB943899
[69]: KB944533
[70]: KB946041
[71]: KB947562
[72]: KB947864
[73]: KB948590
[74]: KB948609
[75]: KB948610
[76]: KB948881
[77]: KB950124
[78]: KB950125
[79]: KB950126
[80]: KB950582
[81]: KB950759
[82]: KB950760
[83]: KB950762
[84]: KB950974
[85]: KB951066
[86]: KB951072
[87]: KB951376
[88]: KB951618
[89]: KB951698
[90]: KB951978
[91]: KB952069
[92]: KB952287
[93]: KB952709
[94]: KB953155
[95]: KB953733
[96]: KB953838
[97]: KB953839
[98]: KB954154
[99]: KB954211
[100]: KB954366
[101]: KB954459
[102]: KB955020
[103]: KB955069
[104]: KB955302
[105]: KB956390
[106]: KB956391
[107]: KB956802
[108]: KB956841
[109]: KB957095
[110]: KB957097
[111]: KB958215
[112]: KB958481
[113]: KB958483
[114]: KB958623
[115]: KB958624
[116]: KB958644
[117]: KB958687
[118]: KB958690
[119]: KB959772
[120]: KB960225
[121]: KB960714
[122]: KB961260
[123]: KB936330
[124]: 940157
Network Card(s): 1 NIC(s) Installed.
[01]: Intel® 82566DC-2 Gigabit Network Connection
Connection Name: Local Area Connection 666
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.101
[02]: fe80::940e:6b5f:729e:9e70
12:11:23:550 1780
Scanning Registry ...
12:11:23:581 1780
Scanning Kernel memory ...
12:11:23:597 1780 Driver "atapi" Irp handler infected by TDSS rootkit ... 12:11:23:597 1780 cured
12:11:23:612 1780 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 12:11:23:659 1780 will be cured on next reboot
12:11:23:659 1780
Completed

Results:
12:11:23:659 1780 Infected objects in memory: 1
12:11:23:659 1780 Cured objects in memory: 1
12:11:23:659 1780 Infected objects on disk: 1
12:11:23:659 1780 Objects on disk cured on reboot: 1
12:11:23:659 1780 Objects on disk deleted on reboot: 0
12:11:23:659 1780 Registry nodes deleted on reboot: 0
12:11:23:659 1780

Edited by ThreeFingersDown, 10 December 2009 - 12:24 PM.
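
The report.txt format above is simple enough to triage by script. The following is an added example (it is not part of this thread and not TDSSKiller's own code): it parses the per-object detection lines and the Results counters, then answers the questions a helper asks before replying, namely whether a reboot is still needed to finish cleaning, whether the counters agree with the detection lines, and which on-disk file to re-check afterwards. The sample lines are copied from the log posted above; the triage rules themselves are the example's own assumptions about what is worth checking, and the parser handles reports with any number of findings, not just the two here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the TDSSKiller lines copied from the report.txt
# posted above. Detection lines carry two "HH:MM:SS:mmm <pid>" prefixes
# because the detection and the action taken are logged as separate events
# that land on one line.
SAMPLE_REPORT = r"""12:11:23:550 1780
Scanning Registry ...
12:11:23:581 1780
Scanning Kernel memory ...
12:11:23:597 1780 Driver "atapi" Irp handler infected by TDSS rootkit ... 12:11:23:597 1780 cured
12:11:23:612 1780 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 12:11:23:659 1780 will be cured on next reboot
12:11:23:659 1780
Completed

Results:
12:11:23:659 1780 Infected objects in memory: 1
12:11:23:659 1780 Cured objects in memory: 1
12:11:23:659 1780 Infected objects on disk: 1
12:11:23:659 1780 Objects on disk cured on reboot: 1
12:11:23:659 1780 Objects on disk deleted on reboot: 0
12:11:23:659 1780 Registry nodes deleted on reboot: 0
"""

# Timestamp + PID that starts every logged line.
PREFIX = r"\d{2}:\d{2}:\d{2}:\d{3} \d+ "

# Driver "<name>" ... infected by <threat> ... <prefix> <action>
# File <path> infected by <threat> ... <prefix> <action>
DETECTION_RE = re.compile(
    rf'^{PREFIX}(?P<kind>Driver|File) (?P<obj>"[^"]+"|\S+) .*?infected by (?P<threat>.+?) \.\.\. '
    rf'{PREFIX}(?P<action>.+)$'
)
# Lines of the Results block: "<prefix> <label>: <count>"
RESULT_RE = re.compile(rf'^{PREFIX}(?P<label>[A-Za-z ]+?): (?P<count>\d+)$')


@dataclass(frozen=True)
class Finding:
    kind: str    # "Driver" = in-memory object, "File" = on-disk object
    obj: str     # driver name or file path
    threat: str  # e.g. "TDSS rootkit"
    action: str  # what the tool did: "cured", "will be cured on next reboot", ...

    @property
    def pending_reboot(self) -> bool:
        return "reboot" in self.action


def parse_report(text: str) -> tuple[list[Finding], dict[str, int]]:
    """Split a TDSSKiller report into per-object findings and the Results counters."""
    findings: list[Finding] = []
    results: dict[str, int] = {}
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            findings.append(Finding(m["kind"], m["obj"].strip('"'), m["threat"], m["action"]))
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m["label"]] = int(m["count"])
    return findings, results


def assess(findings: list[Finding], results: dict[str, int]) -> dict:
    """Triage flags (this example's own rules) a helper wants before replying."""
    in_memory = [f for f in findings if f.kind == "Driver"]
    on_disk = [f for f in findings if f.kind == "File"]
    pending = [f for f in findings if f.pending_reboot]
    cured_now = [f for f in in_memory if f.action == "cured"]
    # The Results counters should agree with the detection lines; a mismatch means
    # the report is truncated or the format changed and the counters cannot be trusted.
    counts_consistent = (
        results.get("Infected objects in memory", 0) == len(in_memory)
        and results.get("Cured objects in memory", 0) == len(cured_now)
        and results.get("Infected objects on disk", 0) == len(on_disk)
        and results.get("Objects on disk cured on reboot", 0)
        + results.get("Objects on disk deleted on reboot", 0) == len(pending)
    )
    # Anything neither cured now nor scheduled for reboot was left untouched.
    unhandled = [f for f in findings if f.action != "cured" and not f.pending_reboot]
    return {
        "reboot_required": bool(pending),          # cleaning is not done until then
        "counts_consistent": counts_consistent,
        "unhandled": unhandled,
        "files_to_verify_after_reboot": [f.obj for f in on_disk if f.pending_reboot],
    }


if __name__ == "__main__":
    found, counters = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.kind:6} {f.obj}: {f.action}")
    print(assess(found, counters))
```

For the log above this reports one in-memory object cured immediately, one on-disk file (atapi.sys) scheduled for replacement at reboot, consistent counters, and nothing left unhandled, which is why the follow-up question in the next reply is whether the symptoms persist after the restart rather than whether the tool ran at all.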


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:27 PM

Posted 10 December 2009 - 04:05 PM

Well, it is possible it worked. According to the log something was cured.

Please let me know if you are having any redirects while browsing the internet.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise



#12 ThreeFingersDown

ThreeFingersDown
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 11 December 2009 - 12:39 PM

Well, it appears that you are right; I think TDSSKiller might have gotten rid of that guy. I am planning on running GMER in a min, but after a Malwarebytes scan and Vipre scan nothing has come up. AND I'm not getting any re-directs in my web-browser!

I will go run GMER and update this with its log, but I'm feeling pretty good right about now! THANK YOU!

#13 ThreeFingersDown

ThreeFingersDown
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 11 December 2009 - 01:51 PM

Here is my GMER log.


--------------------------------------------------------------------------

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-11 13:18:58
Windows 6.0.6001 Service Pack 1
Running: q5y4wtdu.exe; Driver: C:\Users\Bill\AppData\Local\Temp\kgldqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8280ACDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8280AECE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8280A982]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8280B0D6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EFAA00 3 Bytes [DC, AC, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 440 81EFAA04 3 Bytes [CE, AE, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81EFAE18 3 Bytes [82, A9, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 918 81EFAEDC 3 Bytes [D6, B0, 80] {SALC ; MOV AL, 0x80}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x50 0xF8 0xB5 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0x37 0xDD 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x50 0x99 0xD2 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDD 0x65 0xD2 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x50 0xF8 0xB5 0xA8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0x37 0xDD 0xD4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x50 0x99 0xD2 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDD 0x65 0xD2 0x11 ...
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook@ SABShellExecuteHook Class
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook\CLSID
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook\CLSID@ {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook\CurVer
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook\CurVer@ ShellExecuteHook.SABShellExecuteHook.1
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook.1@ SABShellExecuteHook Class
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook.1\CLSID
Reg HKLM\SOFTWARE\Classes\ShellExecuteHook.SABShellExecuteHook.1\CLSID@ {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1@ SASContextMenu Class
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1\CLSID
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1\CLSID@ {CA8ACAFA-5FBB-467B-B348-90DD488DE003}
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte@ SASContextMenu Class
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CLSID
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CLSID@ {CA8ACAFA-5FBB-467B-B348-90DD488DE003}
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CurVer
Reg HKLM\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASConte\CurVer@ SUPERAntiSpywareContextMenuExt.SASCon.1

---- EOF - GMER 1.0.15 ----
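
Reading a GMER log means separating hooks that belong to installed security products from anything unexplained. The following is an added example (not part of this thread and not GMER's own code) that parses the SSDT and "Kernel code sections" lines from the log above, groups SSDT hooks by owning module, and flags a module for follow-up when GMER printed no version annotation for it or it lives outside system32\drivers; that flagging rule is the example's own heuristic, not a GMER verdict. It also correlates the four patched kernel offsets with the four SSDT hooks: the bytes GMER reports at each offset are exactly the little-endian low bytes of one PCTCore.sys hook address, so they are the same hooks seen from another angle rather than additional findings. The sample input is copied from the posted log, plus one constructed unannotated SSDT line (not from the log) so the flagging path is exercised.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: the SSDT and kernel-code-section lines from the GMER log
# posted above, plus one made-up unannotated SSDT line (NOT from the posted log,
# path and address are placeholders) to exercise the flagging path.
SAMPLE_GMER = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8280ACDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8280AECE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8280A982]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8280B0D6]
SSDT \??\C:\Windows\Temp\example.sys ZwQueryDirectoryFile [0x8A000000]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EFAA00 3 Bytes [DC, AC, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 440 81EFAA04 3 Bytes [CE, AE, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81EFAE18 3 Bytes [82, A9, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 918 81EFAEDC 3 Bytes [D6, B0, 80] {SALC ; MOV AL, 0x80}
"""

# SSDT <module> [(<description>/<vendor>)] <function> [<address>]
SSDT_RE = re.compile(
    r"^SSDT (?P<module>\S+)(?: \((?P<desc>[^()/]*)/(?P<vendor>[^()]*)\))? "
    r"(?P<func>\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# .text <image>!<symbol> + <offset> <address> <n> Bytes [<hex bytes>] ...
PATCH_RE = re.compile(
    r"^\.text (?P<symbol>\S+) \+ (?P<offset>[0-9A-F]+) (?P<addr>[0-9A-F]+) "
    r"(?P<count>\d+) Bytes \[(?P<bytes>[^\]]+)\]"
)


def parse_gmer(text: str) -> tuple[list[dict], list[dict]]:
    """Return (ssdt_hooks, kernel_patches) from the two GMER sections."""
    hooks, patches = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"module": m["module"], "vendor": m["vendor"],
                          "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = PATCH_RE.match(line)
        if m:
            patches.append({"symbol": m["symbol"], "offset": int(m["offset"], 16),
                            "addr": int(m["addr"], 16),
                            "bytes": bytes(int(b, 16) for b in m["bytes"].split(","))})
    return hooks, patches


def triage(hooks: list[dict], patches: list[dict]) -> dict:
    by_module: dict[str, list[str]] = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["func"])
    # Heuristic (this example's assumption, not a GMER rule): a hook owned by a
    # module GMER could not annotate with version information, or one outside
    # system32\drivers, deserves a second look; a known security product's hooks
    # are expected and can be matched against its installed driver list.
    suspicious = sorted({h["module"] for h in hooks
                         if h["vendor"] is None
                         or "\\system32\\drivers\\" not in h["module"].lower()})
    # A patched kernel location whose bytes are the little-endian prefix of a
    # hook address is that SSDT entry itself, not a second finding.
    explained: dict[int, str] = {}
    for p in patches:
        for h in hooks:
            if h["addr"].to_bytes(4, "little").startswith(p["bytes"]):
                explained[p["offset"]] = h["func"]
                break
    unexplained = [p["offset"] for p in patches if p["offset"] not in explained]
    return {"hooks_by_module": dict(by_module), "suspicious_modules": suspicious,
            "patches_explained_by_hooks": explained, "unexplained_patches": unexplained}


if __name__ == "__main__":
    ssdt, code = parse_gmer(SAMPLE_GMER)
    print(triage(ssdt, code))
```

On the posted log alone this yields one module (PCTCore.sys, the Spyware Doctor driver listed in the ComboFix output earlier) owning all four process-related SSDT hooks, every kernel patch explained by one of those hooks, and nothing unexplained; only the constructed Temp\example.sys line trips the follow-up flag.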

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:27 PM

Posted 11 December 2009 - 04:24 PM

Can you please delete your copy of Combofix, download a new one and run it?

Please post me the log file.

regards, Elise



#15 ThreeFingersDown

ThreeFingersDown
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 14 December 2009 - 01:33 PM

I tried to download Combofix and got this message:

"ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page. "



I'm a little weary, I guess I can wait until this gets fixed.

PS. Haven't had any more problems yet, thank you very much.



