
Infected with RootKit.TDSS


3 replies to this topic

#1 jinsoop3

  • Members
  • 7 posts

Posted 01 January 2010 - 11:09 PM

Help please. Started with Malware Defense and now everything points to RootKit.TDSS. Tried to run DDS but it won't run. Ran RootRepeal OK and ark.txt is listed below and Malwarebytes log is listed below. Rootkit.TDSS is repeatedly found and removed by Malwarebytes.

Slow to log in, sometimes freezes, virus scans constantly find stuff, TaskMgr only runs from command line, not Ctl-Alt-dlt. After a few reboots, virus software is disabled.

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/1/2010 1:50:38 PM
mbam-log-2010-01-01 (13-50-38).txt

Scan type: Quick Scan
Objects scanned: 145687
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\twilby\Local Settings\Temp\H8SRTb322.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTnpyroyihub.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT1e9b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT398.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT3b56.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/01 17:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x984F7000 Size: 815104 File Visible: No Signed: -
Status: -

Name: jigdi.sys
Image Path: jigdi.sys
Address: 0xBA0A8000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x94FA0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xB9DCE000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9D90000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\system volume information\efadata\sdmys_0c7c349824c1dd574050f10b
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\system volume information\efadata\sdmys_0c7c349824c1dd5784af5bbc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\twilby\local settings\temp\~df510f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\twilby\local settings\temp\~dfadc3.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\twilby\local settings\temp\~dfade4.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\twilby\local settings\temp\~dfe26c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\twilby\Local Settings\Apps\2.0\RZJ32Y73.QAQ\08PV1A5P.Q2Y\manifests\TeamClean.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\twilby\Local Settings\Apps\2.0\RZJ32Y73.QAQ\08PV1A5P.Q2Y\manifests\TeamClean.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8915c0c8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8914f720

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89178880

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8928d298

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x88fbe4e8

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x98d10266

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89168610

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x87c848f8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x98d1025c

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x88eeeed8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x98d1026b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x98d10275

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x89178b18

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x88e23450

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89140700

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89170cf0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x88ef9e10

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0x98d1027a

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8916b6f0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89168a18

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa08617a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x98d10248

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89263100

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89166c98

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x98d1024d

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x88e8d840

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0x98d10284

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0x98d1027f

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8919b0e8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8937ed00

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8916b460

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8918d0f8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x98d10270

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89163c08

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x891a20e8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0x9882b0b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89340270

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8916f5a8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x88e238e0

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x891ef3d8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x891926c8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x891cd868

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x891c7e60

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x89d6d898

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x891c18e0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89d6dbb0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x891c1e10

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x891f0228

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x88f025e8

==EOF==

#2 jinsoop3

  • Topic Starter
  • Members
  • 7 posts

Posted 04 January 2010 - 11:42 AM

(Originally submitted JAN 1) - Help please. Started with Malware Defense and now everything points to RootKit.TDSS. Tried to run DDS but it won't run. Ran RootRepeal OK and ark.txt is listed below and Malwarebytes log is listed below. Rootkit.TDSS is repeatedly found and removed by Malwarebytes.

Slow to log in, sometimes freezes, virus scans constantly find stuff, TaskMgr only runs from command line, not Ctl-Alt-dlt. After a few reboots, virus software is disabled.


(NOTE I WAS UNABLE TO APPEND TO MY ORIGINAL POST ON JAN 1, so I CREATED A NEW POST ON JAN 4th with UPDATED INFORMATION)

(Added on JAN 4) - Things appear to be better today, but I am not confident that the thing is completely gone.
McAfee is installed and has run a full scan without any issues. Malwarebytes has been run a dozen times over the last few days and has not shown any issues. Avira antivirus was installed temporarily and anything that was found early on is no longer there. Superspyware has been run a couple of times without any issues (some tracking cookies before I disabled cookies). I ran Rootkit_TDSSKiller.exe that I downloaded from Bleeping Computer (before posting at Hijack this) a bunch of times and that was clear. (Log below). And now this morning, I was able to run the DDS tool (it just started and stopped before). Logs are attached.

Why am I nervous? Task Manager is very slow to start up from the Ctl-Alt-Del menu, but very quick from the command line. Awkward pauses in the OS and applications from time to time. DDS did not run even when the antivirus software was showing all clear. Everything I read about Rootkit.TDSS is that it is difficult. And I don't see how simply running these 4 or 5 anti-malware tools over and over again would be able to get rid of it, because that was not hard, just time consuming and I am just not that smart with PCs. Please advise on next steps. I work on this laptop so I am going to avoid VPN'ing in until I hear further from you.

Thank you.


TDSS rootkit removing tool, Kaspersky Lab 2009
version 2.1.1 Dec 20 2009 02:40:02

Scanning Registry ...

Scanning Kernel memory ...

Completed

Results:
Infected objects in memory: 0
Cured objects in memory: 0
Infected objects on disk: 0
Objects on disk cured on reboot: 0
Objects on disk deleted on reboot: 0
Registry nodes deleted on reboot: 0

Press any key to continue . . .


DDS (Ver_09-12-01.01) - NTFSx86
Run by twilby at 11:11:05.10 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1167 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Documents and Settings\twilby\Desktop\dds.scr
C:\PROGRA~1\McAfee\MSC\mcsvrcnt.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3081021
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickBooksDB18] c:\program files\intuit\quickbooks enterprise solutions 8.0\qbdbmgrn.exe -n qb_trex038_18 -qs -gd all -gk all -gp 4096 -gu all -ch 512m -c 256m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\twilby\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5846/mcfscan.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\twilby\applic~1\mozilla\firefox\profiles\98hld9l8.default\
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-2 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-2 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-2 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-2 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-2 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-2 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-2 40552]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-10-21 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-10-21 43480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S0 iwxt;iwxt;c:\windows\system32\drivers\gjkbnp.sys --> c:\windows\system32\drivers\gjkbnp.sys [?]
S2 0323311262452884mcinstcleanup;McAfee Application Installer Cleanup (0323311262452884);c:\docume~1\twilby\locals~1\temp\032331~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\twilby\locals~1\temp\032331~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2009-10-5 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [2009-10-5 103424]

=============== Created Last 30 ================

2010-01-02 17:26:51 7953 ----a-w- c:\windows\system32\Config.MPF
2010-01-02 17:21:30 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-02 17:21:30 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-01-02 17:21:30 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-02 17:21:28 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-01-02 17:21:05 0 d-----w- c:\program files\McAfee.com
2010-01-02 17:21:05 0 d-----w- c:\program files\common files\McAfee
2010-01-02 17:20:54 0 d-----w- c:\program files\McAfee
2010-01-02 17:17:18 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-01-02 16:35:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-02 16:35:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-02 03:49:36 524288 ----a-w- c:\temp\special.scr
2010-01-01 16:32:38 0 d-----w- c:\temp\tdsskiller
2010-01-01 16:19:32 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-01 02:18:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-01 02:18:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 02:18:31 0 d-----w- c:\docume~1\twilby\applic~1\SUPERAntiSpyware.com
2010-01-01 02:18:16 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-31 18:27:19 608344 ----a-w- c:\temp\MCPR.exe
2009-12-31 17:07:18 0 d-----w- c:\docume~1\twilby\applic~1\Malwarebytes
2009-12-31 17:03:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:03:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 17:03:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 17:03:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-31 04:41:24 0 d-----w- c:\windows\system32\LogFiles
2009-12-31 04:26:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-31 02:22:09 0 d-----w- C:\vdefs
2009-12-31 01:51:17 262144 ---ha-w- c:\documents and settings\twilby\ntuser.dat.LOG1
2009-12-31 01:51:17 0 ---ha-w- c:\documents and settings\twilby\ntuser.dat.LOG2
2009-12-31 01:36:52 0 d-----w- c:\docume~1\twilby\applic~1\Tific
2009-12-31 00:37:20 0 d-----w- c:\windows\system32\drivers\NAV
2009-12-31 00:35:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-31 00:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-30 15:08:18 0 d-sh--w- c:\documents and settings\twilby\IECompatCache
2009-12-30 14:29:03 0 d-----w- c:\windows\McAfee.com
2009-12-29 23:50:40 0 d-----w- c:\windows\Intuit
2009-12-23 22:13:52 0 d-----w- c:\windows\system32\QuickTime
2009-12-23 22:13:51 0 d-----w- c:\program files\3ivx
2009-12-23 22:13:43 0 d-----w- c:\program files\Flip Video
2009-12-23 22:13:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Flip Video
2009-12-16 19:10:55 77375 ----a-w- c:\windows\hpqins05.dat

==================== Find3M ====================

2009-11-30 15:39:22 69417 ----a-w- c:\windows\hpoins05.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 11:11:52.57 ===============

Edited by Orange Blossom, 06 January 2010 - 12:17 AM.
Merged topics. ~ OB
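As an added example (not part of the original thread, and not code from DDS or BleepingComputer): a small Python triage script over the `SERVICES / DRIVERS` lines of a DDS log like the one above. It parses each entry and flags the signals a helper would look at first, namely an image file that DDS could not find on disk (the `--> path [?]` form) and a boot- or system-start driver whose service name does not match its file name with no vendor text in the display name, which is the shape of the `S0 iwxt;iwxt;...\gjkbnp.sys` line in the log. The interpretation of the DDS fields (R = running, S = stopped, the digit as the Windows start type, `[?]` as "file not found") is my reading of the format rather than something the thread states; the sample lines are copied from the log above and embedded as constructed input so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the DDS "SERVICES / DRIVERS" block above.
SAMPLE_LOG = [
    r"R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]",
    r"R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]",
    r"R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-10-21 48472]",
    r"S0 iwxt;iwxt;c:\windows\system32\drivers\gjkbnp.sys --> c:\windows\system32\drivers\gjkbnp.sys [?]",
    r"S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2009-10-5 103424]",
]

# Assumed DDS layout: "<R|S><start type> <service name>;<display name>;<image path> [<date> <size>]"
LINE_RE = re.compile(r"^(?P<run>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"\s\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")


@dataclass
class ServiceEntry:
    running: bool          # R = running, S = stopped (assumed DDS convention)
    start_type: int        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    image_path: str
    file_found: bool       # False when DDS printed "--> path [?]" instead of a date/size stamp
    date: Optional[str]
    size: Optional[int]


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    if rest.endswith("[?]"):
        # File could not be stat'd: DDS repeats the registry ImagePath after an arrow.
        path = rest[:-3].strip().split("-->", 1)[0].strip()
        return ServiceEntry(m["run"] == "R", int(m["start"]), m["name"], m["display"], path, False, None, None)
    stamp = STAMP_RE.search(rest)
    if not stamp:
        return None
    path = rest[: stamp.start()].strip()
    return ServiceEntry(m["run"] == "R", int(m["start"]), m["name"], m["display"], path,
                        True, stamp["date"], int(stamp["size"]))


def file_stem(path: str) -> str:
    """Lower-cased file name without extension, e.g. '...\\gjkbnp.sys' -> 'gjkbnp'."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(entry: ServiceEntry) -> List[str]:
    """Return the reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if not entry.file_found:
        reasons.append("image file not found on disk (DDS printed [?])")
    no_vendor_text = entry.display.strip().lower() == entry.name.strip().lower()
    if entry.start_type <= 1 and no_vendor_text and file_stem(entry.image_path) != entry.name.lower():
        reasons.append("boot/system-start driver whose service name does not match its file name")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged service name to its reasons; unflagged and non-entry lines are skipped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On the sample above only `iwxt` is reported, with both reasons. The name-mismatch check is deliberately restricted to boot- and system-start entries: a manual-start driver such as `O2MDRDR` (file `o2media.sys`) has the same name/file mismatch and would otherwise be a false positive, while a rootkit driver that has to load before the antivirus filter drivers is almost always registered at start type 0 or 1. A missing-file flag on its own is only a lead; an uninstalled product's leftover service produces the same `[?]` line, so the path and the registry key still need to be checked by hand.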


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:21 AM

Posted 10 January 2010 - 06:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:21 AM

Posted 16 January 2010 - 10:51 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


