Windows 7 Trojan horse Rootkit-Pakes.U C:\WINDOWS\system32\d


This topic is locked
2 replies to this topic

#1 larks42dan...

Posted 14 January 2010 - 03:50 AM

I am running Windows 7 Ultimate 32-bit and I installed AVG Internet Security 9.0. I found this threat on my computer:

"C:\WINDOWS\system32\drivers\atapi.sys";"Trojan horse Rootkit-Pakes.U";"Object is white-listed (critical/system file that should not be removed)".

I tried to use Malwarebytes and it says it's clean, but when I scan with virustotal.com, it detects a trojan. They say that this site can help me fix my problem. I don't know how to remove the trojan.

I tried to follow the steps from your site, but there is a PROBLEM WITH ROOTREPEAL: it can't run on my computer. It shows DEVICE CONTROL ERROR and I don't know why, so I can only show you my DDS.

hope you can HELP me...

thanks....

Below are the results of my DDS and the result of my scan with VirusTotal.com.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Admin at 14:43:42.50 on Thu 01/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.874.66.1033.18.2937.1725 [GMT 7:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Back DAN\leftsider103\leftsider.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\BitComet\BitComet.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Admin\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://google.atcomet.com/b/
uSearch Bar =
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\tbP2P1.dll
mURLSearchHooks: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\tbP2P1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\tbP2P1.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: Download Energy Toolbar: {2bae58c2-79f9-45d1-a286-81f911301c3a} - c:\program files\p2p_energy\tbP2P1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [leftsider] c:\back dan\leftsider103\leftsider.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\bd2mwygq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\admin\appdata\roaming\mozilla\firefox\profiles\bd2mwygq.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\admin\appdata\roaming\mozilla\firefox\profiles\bd2mwygq.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\admin\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2009-12-18 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-18 161800]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-12-18 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-18 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-18 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-18 360584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-18 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-18 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-18 5832712]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-12 236368]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-12 1153368]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2009-12-18 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2009-12-18 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2009-12-18 21208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-12 19160]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-3-4 48600]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S4 Bdbatpubdnps;Bdbatpubdnps; [x]

=============== Created Last 30 ================

2010-01-14 06:42:24 0 d-----w- c:\program files\Trend Micro
2010-01-13 19:09:12 0 d-----w- c:\programdata\F-Secure
2010-01-13 16:08:59 0 d-----w- c:\users\admin\dwhelper
2010-01-13 15:02:34 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-01-13 14:39:22 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 14:39:22 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 14:50:35 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-12 14:50:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-12 11:06:18 0 d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2010-01-12 11:06:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 11:06:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 11:06:12 0 d-----w- c:\programdata\Malwarebytes
2010-01-12 11:06:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 15:00:22 65536 --sha-w- c:\users\admin\ntuser.dat{98cc1629-fde4-11de-a51f-00238b534d32}.TM.blf
2010-01-10 15:00:22 524288 --sha-w- c:\users\admin\ntuser.dat{98cc1629-fde4-11de-a51f-00238b534d32}.TMContainer00000000000000000002.regtrans-ms
2010-01-10 15:00:22 524288 --sha-w- c:\users\admin\ntuser.dat{98cc1629-fde4-11de-a51f-00238b534d32}.TMContainer00000000000000000001.regtrans-ms
2010-01-10 14:04:35 0 d-----w- C:\AAAA
2010-01-07 14:52:42 58792 ------w- c:\windows\system32\wbload.dll
2010-01-07 14:52:41 42672 ------w- c:\windows\system32\wbsys.dll
2010-01-06 11:30:16 0 dc-h--w- c:\programdata\{B98A2B83-8BB0-42E7-AA1D-D6FA6E7C8F31}
2010-01-06 07:11:49 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-06 07:11:49 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-06 07:11:17 0 d-----w- c:\program files\iPod
2010-01-06 07:11:16 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-06 07:11:16 0 d-----w- c:\program files\iTunes
2010-01-05 08:09:35 0 d-----w- c:\programdata\Apple Computer
2010-01-05 07:57:37 65536 --sha-w- c:\users\admin\ntuser.dat{a0de1cdb-f9c2-11de-8ccd-00238b534d32}.TM.blf
2010-01-05 07:57:37 524288 --sha-w- c:\users\admin\ntuser.dat{a0de1cdb-f9c2-11de-8ccd-00238b534d32}.TMContainer00000000000000000002.regtrans-ms
2010-01-05 07:57:37 524288 --sha-w- c:\users\admin\ntuser.dat{a0de1cdb-f9c2-11de-8ccd-00238b534d32}.TMContainer00000000000000000001.regtrans-ms
2010-01-02 18:19:12 0 d-----w- c:\program files\Bonjour
2010-01-02 18:18:57 0 d-----w- c:\programdata\Apple
2010-01-01 16:00:50 88 ----a-w- c:\windows\Launcher.ini
2010-01-01 15:57:57 30 ----a-w- c:\windows\RESULT.QTW
2010-01-01 15:55:06 0 d-----w- C:\Estate
2010-01-01 15:53:38 306688 ----a-w- c:\windows\IsUninst.exe
2009-12-31 13:56:54 0 d-----w- C:\Downloads
2009-12-31 13:56:11 0 d-----w- c:\program files\BitComet
2009-12-29 16:21:55 0 d-----w- c:\users\admin\appdata\roaming\LimeWire
2009-12-29 16:21:46 0 d-----w- c:\program files\LimeWire
2009-12-29 15:27:32 0 d-----w- c:\program files\P2P_Torrent
2009-12-29 14:31:49 0 d-----w- c:\users\admin\Incomplete
2009-12-29 14:30:56 0 d-----w- c:\program files\P2P_Energy
2009-12-29 14:30:51 0 d-----w- c:\users\admin\appdata\roaming\LimeWireTurbo
2009-12-27 12:41:25 398848 ----a-w- c:\windows\system32\TVWizudlg.exe
2009-12-27 12:41:25 121232 ----a-w- c:\windows\system32\IScrNB.bmp
2009-12-27 12:41:24 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2009-12-27 12:41:24 0 d-----w- c:\windows\system32\Lang
2009-12-27 12:37:59 1002008 ----a-w- c:\windows\system32\igxpun.exe
2009-12-27 12:37:59 0 d-----w- c:\windows\system32\x64
2009-12-27 08:37:52 219 ----a-w- c:\windows\system32\MRT.INI
2009-12-26 20:10:17 20 ----a-w- c:\windows\system32\SYSTEM
2009-12-26 20:04:27 0 d-----w- c:\program files\Ashampoo
2009-12-26 18:56:21 0 d-----w- c:\program files\Conduit
2009-12-26 17:47:30 0 d-----w- c:\program files\Ask.com
2009-12-26 17:39:19 0 d-----w- c:\program files\uTorrent
2009-12-26 17:39:02 0 d-----w- c:\users\admin\appdata\roaming\uTorrent
2009-12-25 17:45:27 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-25 17:42:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-25 17:35:55 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-12-25 17:25:01 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-12-25 17:25:01 507568 ----a-w- c:\windows\system32\winload.exe
2009-12-25 17:25:01 442920 ----a-w- c:\windows\system32\winresume.exe
2009-12-25 17:25:01 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-12-25 17:25:01 2613248 ----a-w- c:\windows\explorerold.exe
2009-12-25 17:25:01 2613248 ----a-w- c:\windows\explorer.exe
2009-12-25 17:25:01 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-12-25 17:25:00 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-25 16:35:29 0 d-----w- c:\windows\system32\SDA
2009-12-25 16:35:29 0 d-----w- c:\program files\O2Micro Flash Memory Card Driver
2009-12-25 16:34:44 0 d-----w- c:\users\admin\appdata\roaming\WinBatch
2009-12-22 11:43:27 0 d-----w- C:\Back DAN
2009-12-22 10:59:38 0 d-----w- c:\program files\RocketDock
2009-12-22 06:14:16 249856 ----a-w- c:\windows\system32\uxtheme.dll.backup
2009-12-22 06:14:12 2755072 ----a-w- c:\windows\system32\themeui.dll.backup
2009-12-22 06:14:04 37376 ----a-w- c:\windows\system32\themeservice.dll.backup
2009-12-22 01:53:43 65536 --sha-w- c:\users\admin\ntuser.dat{b4f18eef-ee9c-11de-acb0-0022fa0b5c9a}.TM.blf
2009-12-22 01:53:43 524288 --sha-w- c:\users\admin\ntuser.dat{b4f18eef-ee9c-11de-acb0-0022fa0b5c9a}.TMContainer00000000000000000002.regtrans-ms
2009-12-22 01:53:43 524288 --sha-w- c:\users\admin\ntuser.dat{b4f18eef-ee9c-11de-acb0-0022fa0b5c9a}.TMContainer00000000000000000001.regtrans-ms
2009-12-21 12:15:38 0 d-----w- c:\program files\Stardock
2009-12-18 17:12:50 0 d-----w- c:\windows\system32\appmgmt
2009-12-18 16:35:16 0 d-----w- c:\programdata\Google
2009-12-18 16:18:03 0 d-----w- c:\users\admin\appdata\roaming\Runiter
2009-12-18 16:17:44 0 d-----w- c:\program files\Graphing Calculator 3D
2009-12-18 09:50:25 0 d-----w- C:\MFT 372
2009-12-18 09:48:56 0 d-----w- C:\MFT 279
2009-12-18 05:30:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 04:26:02 0 d-----w- c:\users\admin\appdata\roaming\AVG9
2009-12-18 04:09:09 0 d--h--w- C:\$AVG
2009-12-18 04:09:08 25608 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2009-12-18 04:09:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-18 04:09:07 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-18 04:09:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-18 04:08:58 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-18 04:08:54 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-18 04:08:53 0 d-----w- c:\programdata\AVG Security Toolbar
2009-12-18 04:08:20 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-12-18 04:08:20 0 d-----w- c:\program files\AVG
2009-12-18 04:08:19 0 d-----w- c:\programdata\avg9
2009-12-18 03:31:02 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-18 03:30:58 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-12-18 03:30:58 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-12-18 03:30:37 0 d-----w- c:\program files\TuneUp Utilities 2010
2009-12-18 03:30:08 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-12-17 15:36:23 0 d-----w- c:\users\admin\appdata\roaming\TuneUp Software
2009-12-17 15:36:19 0 d-----w- c:\programdata\TuneUp Software
2009-12-16 14:24:38 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-12-16 13:56:34 0 d-----w- c:\programdata\SpeedBit
2009-12-16 13:56:16 0 d-----w- c:\program files\DAP
2009-12-16 13:56:13 0 d-----w- c:\program files\SpeedBit Video Downloader

==================== Find3M ====================

2010-01-09 10:26:12 22077952 ----a-w- c:\windows\system32\imageres.dll
2009-12-22 06:14:16 249856 ----a-w- c:\windows\system32\uxtheme.dll
2009-12-22 06:14:12 2755072 ----a-w- c:\windows\system32\themeui.dll
2009-12-22 06:14:04 37376 ----a-w- c:\windows\system32\themeservice.dll
2009-12-11 12:33:15 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-11 12:33:14 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-11 12:33:14 353576 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-11 12:13:34 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-11 11:40:37 409088 ----a-w- c:\windows\system32\systemcpl.dll
2009-11-02 13:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:44:38.53 ===============



This is the result of my VirusTotal scan:

Antivirus Version Last Update Result
a-squared 4.5.0.48 2010.01.13 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2010.01.12 Win-Trojan/Patched.X
AntiVir 7.9.1.134 2010.01.12 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.12 -
Avast 4.8.1351.0 2010.01.12 Win32:Patched-LF
AVG 9.0.0.725 2010.01.12 Rootkit-Pakes.U
BitDefender 7.2 2010.01.13 Rootkit.TDSS.AH
CAT-QuickHeal 10.00 2010.01.13 -
ClamAV 0.94.1 2010.01.13 -
Comodo 3565 2010.01.13 Virus.Win32.Olmarik.OF0
DrWeb 5.0.1.12222 2010.01.13 BackDoor.Tdss.565
eSafe 7.0.17.0 2010.01.12 -
eTrust-Vet 35.2.7234 2010.01.13 -
F-Prot 4.5.1.85 2010.01.12 -
F-Secure 9.0.15370.0 2010.01.13 Trojan:W32/TDSS.gen!Z
Fortinet 4.0.14.0 2010.01.13 -
GData 19 2010.01.13 Rootkit.TDSS.AH
Ikarus T3.1.1.80.0 2010.01.13 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2010.01.13 Rootkit.TDSS.ctw
K7AntiVirus 7.10.944 2010.01.11 -
Kaspersky 7.0.0.125 2010.01.13 Rootkit.Win32.TDSS.u
McAfee 5859 2010.01.12 Patched-SYSFile
McAfee+Artemis 5859 2010.01.12 Patched-SYSFile
McAfee-GW-Edition 6.8.5 2010.01.13 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.5302 2010.01.13 Virus:Win32/Alureon.A
NOD32 4765 2010.01.12 Win32/Olmarik.OF
Norman 6.04.03 2010.01.12 W32/TDSS.drv.gen4.A
nProtect 2009.1.8.0 2010.01.13 Trojan/W32.Rootkit.21584
Panda 10.0.2.2 2010.01.12 Trj/CI.A
PCTools 7.0.3.5 2010.01.13 Backdoor.Tidserv
Prevx 3.0 2010.01.13 High Risk Rootkit
Rising 22.30.02.01 2010.01.13 -
Sophos 4.49.0 2010.01.13 Mal/TDSSPack-V
Sunbelt 3.2.1858.2 2010.01.13 Trojan.Win32.Olmarik.of!damaged (V)
Symantec 20091.2.0.41 2010.01.13 Backdoor.Tidserv.H!inf
TheHacker 6.5.0.3.148 2010.01.13 -
TrendMicro 9.120.0.1004 2010.01.13 Cryp_TIDIES-12
VBA32 3.12.12.1 2010.01.13 Rootkit.Win32.TDSL
ViRobot 2010.1.13.2133 2010.01.13 -
VirusBuster 5.0.21.0 2010.01.12 Rootkit.Alureon.Gen!Pac.7
Additional information
File size: 21584 bytes
MD5...: 0978022ca6bec9fe7fc4c28ff9187cd4
SHA1..: e4812c7bf7ba150496692533eb5ad40583e2ba34
SHA256: 86cf4c77ecf01f08617fbc1b9be166aa2c765df996ff4045f5c502ff64adf23d
ssdeep: 384:iN+KUt2BtUXbyTHoCtGRZjNVAsRMNSChq3BrLQu5VpBjbOjBMmhyMD:KdUtytUXbyTICtGjNMNbcxAudkMmwMD
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7000
timedatestamp.....: 0x4a5bbf13 (Mon Jul 13 23:11:15 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2472 0x2600 6.22 9b9f242740c0a1c2494b23ae50935e6d
.rdata 0x4000 0xae 0x200 1.54 1833a5650ae0f8256ba78bf8ed79d6e1
.data 0x5000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x6000 0x38c 0x400 4.66 392ce67c807da67e018ad9cf892fde4c
.rsrc 0x7000 0x3f0 0x400 5.35 939aa0f7636513af755445a05f2c200d
.reloc 0x8000 0xd2 0x200 2.47 035f51da8bf9893e51952ac185994f14

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortQuerySystemTime, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortCopyMemory, AtaPortEtwTraceLog, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
http://info.prevx.com/aboutprogramtext.asp?PX5=59EE877C50775149547100E34977E000E31C7318



HERE IS ALSO A RESULT FROM F-SECURE ONLINE

Scanning Report

Thursday, January 14, 2010 02:18:57 - 02:21:47

Computer name: ADMIN-PC
Scanning type: Scan target for malware, spyware and rootkits
Target: C:\Windows\System32\drivers

2 malware found

Trojan:W32/TDSS.gen!Z (spyware)
System (Disinfected)
Trojan:W32/TDSS.gen!Z (virus)
C:\Windows\System32\drivers\atapi.sys (Not cleaned & Submitted)
Statistics

Scanned:
Files: 5128
System: 4701
Not scanned: 0
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 1
Options

Scanning engines:
Scanning options:
Scan all files
Scan inside archives
Use advanced heuristics








Thanks for your help

Larks42Dan


#2 myrti

Posted 20 January 2010 - 04:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti



#3 myrti

Posted 25 January 2010 - 08:53 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
