
Infected with SSDT


This topic is locked
21 replies to this topic

#1 mcnod (Members, 12 posts)

Posted 26 February 2010 - 09:11 AM

While composing an email, I noticed an attachment had been added (not by me). I could not delete the attachment and while trying to do so, I opened it. I deleted that email. I did not send it. Next I noticed that my available free memory on C was going down. I looked at defrag and there is a lot of red that was not there before. Norton sees no infection but now scans a much larger number of objects. Malwarebytes says no infections as well and scans the normal number of objects. GMER freezes when I try to save. This happened twice, so I ran it once more, took a photo of the results and copied the results to Notepad so I could send it to you.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 22:34:35.31 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1010 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uDefault_Page_URL = hxxp://us10.hpwis.com/
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
uSearch Bar = hxxp://srch-us10.hpwis.com/
uWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://srch-us10.hpwis.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.18/uploader2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/43.11/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/NET/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/msn/TrueInstallMSN.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-16 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-16 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-16 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-19 329592]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-11-5 214664]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-16 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-15 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.033\NAVENG.SYS [2010-2-23 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.033\NAVEX15.SYS [2010-2-23 1324720]
S2 mrtRate;mrtRate; [x]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-5 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-5 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-5 40552]

=============== Created Last 30 ================

2010-02-23 21:00:40 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-23 13:31:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 13:30:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 13:30:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 14:54:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-16 07:52:14 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-16 07:52:14 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-16 07:51:59 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-16 07:51:50 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-16 07:51:50 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-16 07:51:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-16 07:51:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-16 07:51:48 0 d-----w- c:\program files\Symantec
2010-02-16 07:49:21 0 d-----w- c:\windows\system32\drivers\N360
2010-02-16 07:49:18 0 d-----w- c:\program files\Norton Security Suite
2010-02-16 07:49:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-16 07:47:22 0 d-----w- c:\program files\NortonInstaller
2010-02-16 07:11:19 4 ----a-w- c:\windows\msoffice.ini
2010-02-02 18:23:35 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-02 18:23:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 22:35:36.93 ===============
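As an added example from the editor (not part of mcnod's post, and not code from the DDS tool), the script below runs the kind of first-pass triage a log reader does by eye over the Pseudo HJT and SERVICES/DRIVERS sections of a DDS report: it flags a browser proxy forced through the loopback adapter on an unusual port, add-on entries whose file is gone ("No File"), services registered without a binary on disk ("[x]"), empty Run values, and sites added to Internet Explorer's Trusted Zone. The sample input is a constructed excerpt in DDS format modelled on the log above; the indicator rules, the severities and the list of "normal" local proxy ports are the editor's assumptions, not anything the thread states.

```python
"""Editor's example: first-pass triage of DDS 'Pseudo HJT Report' and
SERVICES/DRIVERS lines.  Rules and severities are assumptions, not
DDS or BleepingComputer conventions."""
import re
from dataclasses import dataclass

# Constructed excerpt in DDS format, modelled on the log posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [<NO NAME>]
Trusted Zone: internet
Trusted Zone: mcafee.com
S2 mrtRate;mrtRate; [x]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-16 310320]
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line: str
    reason: str


PROXY_RE    = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
ORPHAN_RE   = re.compile(r"^(?:BHO|TB|EB|IE|DPF|Handler|SSODL):.*-\s*No File\s*$")
SERVICE_RE  = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*\[x\]\s*$")
EMPTYRUN_RE = re.compile(r"^[um]Run:\s*\[<NO NAME>\]\s*$")
TRUSTED_RE  = re.compile(r"^Trusted Zone:\s*(?P<zone>\S+)")

# ASSUMPTION: ports a deliberately installed local filtering proxy commonly uses.
LOCAL_PROXY_PORTS = {80, 3128, 8080, 8888}


def check_line(line: str):
    """Return a Finding for one DDS report line, or None if it looks benign."""
    m = PROXY_RE.search(line)
    if m:
        host, port = m.group("host").lower(), int(m.group("port"))
        if host in ("127.0.0.1", "localhost") and port not in LOCAL_PROXY_PORTS:
            return Finding("high", line,
                           f"IE proxy forced through 127.0.0.1:{port}; unless the user installed a "
                           "local filtering proxy, every browser request passes through a resident process")
        return Finding("info", line, "explicit proxy configured; confirm the user set it")
    if ORPHAN_RE.match(line):
        return Finding("info", line, "registry reference to an add-on whose file is gone; leftover, cleanup candidate")
    m = SERVICE_RE.match(line)
    if m:
        return Finding("medium", line, f"service '{m.group('name')}' is registered but its binary is missing")
    if EMPTYRUN_RE.match(line):
        return Finding("info", line, "empty Run value; leftover, cleanup candidate")
    m = TRUSTED_RE.match(line)
    if m:
        return Finding("info", line, f"'{m.group('zone')}' is in IE's Trusted Zone (relaxed security); confirm the user added it")
    return None


def triage(report: str):
    """All findings for a report, in the order the lines appear."""
    return [f for f in (check_line(l.rstrip()) for l in report.splitlines()) if f]


def summary(report: str):
    """Count of findings per severity."""
    counts = {}
    for f in triage(report):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print(summary(SAMPLE_REPORT))
```

The high-severity hit on this sample is the proxy line: a user does not normally point Internet Explorer at 127.0.0.1:5555, and an unexplained loopback proxy means something resident on the machine sits in the path of every browser request. The remaining hits are cleanup candidates rather than evidence of infection, which is why they are graded info or medium; the report itself does not say which program left them behind.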


#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 28 February 2010 - 05:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 mcnod (Topic Starter, Members, 12 posts)

Posted 01 March 2010 - 09:29 AM

QUOTE(m0le @ Feb 28 2010, 05:07 PM)

I am here.


#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 March 2010 - 06:18 PM

Gmer not running is not an isolated incident and shouldn't be taken as malware-related.

I notice you use "SSDT" as the infector. If all the scans have come up clean, can you tell me where you got this name from?
m0le is a proud member of UNITE

#5 mcnod (Topic Starter, Members, 12 posts)

Posted 01 March 2010 - 06:53 PM

QUOTE(m0le @ Mar 1 2010, 06:18 PM)

All of the entries were directly from the GMER report; because it would not save, I photographed the GMER screen and then copied it line by line into Notepad to send it to you.

#6 mcnod (Topic Starter, Members, 12 posts)

Posted 01 March 2010 - 06:54 PM

QUOTE(mcnod @ Mar 1 2010, 06:53 PM)

The scans were not clean; these are the things that GMER found.

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 March 2010 - 07:35 PM

Okay, I see. Gmer did run but you didn't get a log.

The reason I'm asking is that there is TDSS (SSDT backwards), which is a rootkit.

Let's assume the worst and run TDSSKiller, if nothing else it will eliminate it.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE
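As an added example from the editor (not part of m0le's instructions, and not code from TDSSKiller), the script below reads a TDSSKiller log of the kind the command above writes to C:\TDSSKiller.txt and does two things with it: it collects the per-driver "Verdict" lines, and it makes its own check on the IRP dispatch addresses the tool prints for each driver object, flagging any handler that points neither into the driver's own image nor into the kernel. The log excerpt is constructed in the tool's format, with one handler deliberately pointed at an address outside every module; the module address ranges are constructed too, standing in for what a practitioner would take from a kernel debugger's module list on the same boot.

```python
"""Editor's example: summarise a TDSSKiller log and cross-check the IRP
dispatch table it prints for each scanned driver object."""
import re
from dataclasses import dataclass, field

# ASSUMPTION: image ranges as a practitioner would take them from a kernel
# debugger's module list on the same boot.  These numbers are constructed
# for the example and are not taken from the thread.
MODULE_RANGES = {
    "ntoskrnl.exe": (0x804D7000, 0x806E3000),
    "disk.sys":     (0xF7637000, 0xF7640000),
    "usbstor.sys":  (0xF780E000, 0xF7816000),
}
KERNEL = "ntoskrnl.exe"

# Constructed excerpt in TDSSKiller's log format.  The Disk block uses the
# addresses seen in the thread; the USBSTOR block has IRP_MJ_READ/WRITE
# deliberately pointed at 81D4C3A0, an address inside no known module.
SAMPLE_LOG = r"""
20:17:38:296 2900 Scanning Kernel memory ...
20:17:38:296 2900 Devices to scan: 2
20:17:38:296 2900
20:17:38:296 2900 Driver Name: Disk
20:17:38:296 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:296 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:296 2900 IRP_MJ_READ : F7637D1F
20:17:38:296 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:296 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:312 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:312 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:312 2900
20:17:38:328 2900 Driver Name: USBSTOR
20:17:38:328 2900 IRP_MJ_CREATE : F7814218
20:17:38:328 2900 IRP_MJ_READ : 81D4C3A0
20:17:38:328 2900 IRP_MJ_WRITE : 81D4C3A0
20:17:38:328 2900 IRP_MJ_DEVICE_CONTROL : F7814180
20:17:38:343 2900 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
"""

TS_RE      = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s*(?P<msg>.*)$")
DRIVER_RE  = re.compile(r"^Driver Name:\s*(?P<name>\S+)$")
IRP_RE     = re.compile(r"^(?P<major>IRP_MJ_[A-Z_]+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(?P<path>\S.*?)\s+-\s+Verdict:\s+(?P<verdict>\w+)$")


@dataclass
class Report:
    verdicts: dict = field(default_factory=dict)    # image path -> tool's verdict
    suspicious: list = field(default_factory=list)  # (driver, major, addr, owner)


def owner_of(addr: int):
    """Name of the module whose image range contains addr, or None."""
    for mod, (lo, hi) in MODULE_RANGES.items():
        if lo <= addr < hi:
            return mod
    return None


def analyze(log: str) -> Report:
    rep = Report()
    driver, handlers = None, []
    for raw in log.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if (d := DRIVER_RE.match(msg)):
            driver, handlers = d.group("name"), []
        elif (i := IRP_RE.match(msg)):
            handlers.append((i.group("major"), int(i.group("addr"), 16)))
        elif (v := VERDICT_RE.match(msg)):
            path, verdict = v.group("path"), v.group("verdict")
            rep.verdicts[path] = verdict
            image = path.rsplit("\\", 1)[-1].lower()
            # A legitimate dispatch entry points into the driver's own image or
            # into the kernel (majors a driver does not implement share a kernel stub).
            for major, addr in handlers:
                owner = owner_of(addr)
                if owner not in (KERNEL, image):
                    rep.suspicious.append((driver, major, f"{addr:08X}", owner))
            driver, handlers = None, []
    return rep


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for path, verdict in r.verdicts.items():
        print(f"{verdict:8} {path}")
    for driver, major, addr, owner in r.suspicious:
        print(f"SUSPICIOUS {driver} {major} -> {addr} (module: {owner or 'none'})")
```

The dispatch check is a second opinion on raw data the tool prints, independent of the verdict it reaches. It is only meaningful with module ranges taken from the same boot, since driver load addresses change between boots and patch levels, and it cannot see a rootkit that patches code inside a handler that still lives at a legitimate address or that hooks the StartIo routine instead of the major-function table; the tool's own TDL3_StartIoLastChanceHookDetect line indicates it checks StartIo separately, which is why that line is worth reading even when every Verdict says Clean.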

#8 mcnod (Topic Starter, Members, 12 posts)

Posted 01 March 2010 - 07:58 PM

QUOTE(m0le @ Mar 1 2010, 07:35 PM)

I went back to the camera to confirm that I copied the gmer report correctly and I did. Perhaps I should say that I was recently hit by Antivirus Soft and used Malwarebytes to remove it. Could these entries be something to do with that attack? I will now proceed with your instructions.

#9 mcnod (Topic Starter, Members, 12 posts)

Posted 01 March 2010 - 08:20 PM

QUOTE(mcnod @ Mar 1 2010, 07:58 PM)

20:17:37:625 2900 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
20:17:37:625 2900 ================================================================================
20:17:37:625 2900 SystemInfo:

20:17:37:625 2900 OS Version: 5.1.2600 ServicePack: 3.0
20:17:37:625 2900 Product type: Workstation
20:17:37:625 2900 ComputerName: DON
20:17:37:625 2900 UserName: Owner
20:17:37:625 2900 Windows directory: C:\WINDOWS
20:17:37:625 2900 Processor architecture: Intel x86
20:17:37:625 2900 Number of processors: 2
20:17:37:625 2900 Page size: 0x1000
20:17:37:625 2900 Boot type: Normal boot
20:17:37:625 2900 ================================================================================
20:17:37:625 2900 UnloadDriverW: NtUnloadDriver error 2
20:17:37:625 2900 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:17:37:796 2900 Initialize success
20:17:37:796 2900
20:17:37:796 2900 Scanning Services ...
20:17:37:796 2900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:17:37:796 2900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:17:37:796 2900 wfopen_ex: Trying to KLMD file open
20:17:37:796 2900 wfopen_ex: File opened ok (Flags 2)
20:17:37:796 2900 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:17:37:796 2900 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:17:37:796 2900 wfopen_ex: Trying to KLMD file open
20:17:37:796 2900 wfopen_ex: File opened ok (Flags 2)
20:17:38:281 2900 GetAdvancedServicesInfo: Raw services enum returned 369 services
20:17:38:296 2900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:17:38:296 2900 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:17:38:296 2900
20:17:38:296 2900 Scanning Kernel memory ...
20:17:38:296 2900 Devices to scan: 13
20:17:38:296 2900
20:17:38:296 2900 Driver Name: Disk
20:17:38:296 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:296 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:296 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:296 2900 IRP_MJ_READ : F7637D1F
20:17:38:296 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:296 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:296 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:296 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:296 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:296 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:296 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:296 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:296 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:296 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:296 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:296 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:296 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:296 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:296 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:296 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:296 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:296 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:296 2900 IRP_MJ_POWER : F7639C82
20:17:38:296 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:296 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:296 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:296 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:312 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:312 2900 sion
20:17:38:312 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:312 2900
20:17:38:312 2900 Driver Name: Disk
20:17:38:312 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:312 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:312 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:312 2900 IRP_MJ_READ : F7637D1F
20:17:38:312 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:312 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:312 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:312 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:312 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:312 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:312 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:312 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:312 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:312 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:312 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:312 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:312 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:312 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:312 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:312 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:312 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:312 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:312 2900 IRP_MJ_POWER : F7639C82
20:17:38:312 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:312 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:312 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:312 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:312 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:312 2900 sion
20:17:38:328 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:328 2900
20:17:38:328 2900 Driver Name: Disk
20:17:38:328 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:328 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:328 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:328 2900 IRP_MJ_READ : F7637D1F
20:17:38:328 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:328 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:328 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:328 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:328 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:328 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:328 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:328 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_POWER : F7639C82
20:17:38:328 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:328 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:328 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:328 2900 sion
20:17:38:328 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:328 2900
20:17:38:328 2900 Driver Name: Disk
20:17:38:328 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:328 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:328 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:328 2900 IRP_MJ_READ : F7637D1F
20:17:38:328 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:328 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:328 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:328 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:328 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:328 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:328 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:328 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_POWER : F7639C82
20:17:38:328 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:328 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:328 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:328 2900 sion
20:17:38:328 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:328 2900
20:17:38:328 2900 Driver Name: USBSTOR
20:17:38:328 2900 IRP_MJ_CREATE : F7814218
20:17:38:328 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:328 2900 IRP_MJ_CLOSE : F7814218
20:17:38:328 2900 IRP_MJ_READ : F781423C
20:17:38:328 2900 IRP_MJ_WRITE : F781423C
20:17:38:328 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:328 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:328 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_DEVICE_CONTROL : F7814180
20:17:38:328 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F780F9E6
20:17:38:328 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:328 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:328 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:328 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:328 2900 IRP_MJ_POWER : F78135F0
20:17:38:328 2900 IRP_MJ_SYSTEM_CONTROL : F7811A6E
20:17:38:328 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:328 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:328 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:343 2900 siohd: 0
20:17:38:343 2900 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:17:38:343 2900
20:17:38:343 2900 Driver Name: USBSTOR
20:17:38:343 2900 IRP_MJ_CREATE : F7814218
20:17:38:343 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:343 2900 IRP_MJ_CLOSE : F7814218
20:17:38:343 2900 IRP_MJ_READ : F781423C
20:17:38:343 2900 IRP_MJ_WRITE : F781423C
20:17:38:343 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:343 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:343 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_DEVICE_CONTROL : F7814180
20:17:38:343 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F780F9E6
20:17:38:343 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:343 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:343 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:343 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:343 2900 IRP_MJ_POWER : F78135F0
20:17:38:343 2900 IRP_MJ_SYSTEM_CONTROL : F7811A6E
20:17:38:343 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:343 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:343 2900 siohd: 0
20:17:38:343 2900 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:17:38:343 2900
20:17:38:343 2900 Driver Name: USBSTOR
20:17:38:343 2900 IRP_MJ_CREATE : F7814218
20:17:38:343 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:343 2900 IRP_MJ_CLOSE : F7814218
20:17:38:343 2900 IRP_MJ_READ : F781423C
20:17:38:343 2900 IRP_MJ_WRITE : F781423C
20:17:38:343 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:343 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:343 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:343 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_DEVICE_CONTROL : F7814180
20:17:38:343 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F780F9E6
20:17:38:343 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:343 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:343 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:343 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:343 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:343 2900 IRP_MJ_POWER : F78135F0
20:17:38:343 2900 IRP_MJ_SYSTEM_CONTROL : F7811A6E
20:17:38:343 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:343 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:343 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:359 2900 siohd: 0
20:17:38:359 2900 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:17:38:359 2900
20:17:38:359 2900 Driver Name: USBSTOR
20:17:38:359 2900 IRP_MJ_CREATE : F7814218
20:17:38:359 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:359 2900 IRP_MJ_CLOSE : F7814218
20:17:38:359 2900 IRP_MJ_READ : F781423C
20:17:38:359 2900 IRP_MJ_WRITE : F781423C
20:17:38:359 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:359 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:359 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_DEVICE_CONTROL : F7814180
20:17:38:359 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F780F9E6
20:17:38:359 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:359 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:359 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:359 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:359 2900 IRP_MJ_POWER : F78135F0
20:17:38:359 2900 IRP_MJ_SYSTEM_CONTROL : F7811A6E
20:17:38:359 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:359 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:359 2900 siohd: 0
20:17:38:359 2900 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
20:17:38:359 2900
20:17:38:359 2900 Driver Name: Disk
20:17:38:359 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:359 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:359 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:359 2900 IRP_MJ_READ : F7637D1F
20:17:38:359 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:359 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:359 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:359 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:359 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:359 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:359 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:359 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:359 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:359 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:359 2900 IRP_MJ_POWER : F7639C82
20:17:38:359 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:359 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:359 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:359 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:359 2900 sion
20:17:38:359 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:359 2900
20:17:38:359 2900 Driver Name: MXOPSWD
20:17:38:359 2900 IRP_MJ_CREATE : BAF8407A
20:17:38:359 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:359 2900 IRP_MJ_CLOSE : BAF8407A
20:17:38:359 2900 IRP_MJ_READ : 804F9759
20:17:38:359 2900 IRP_MJ_WRITE : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:359 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:359 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:359 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:359 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:359 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:375 2900 IRP_MJ_DEVICE_CONTROL : BAF85712
20:17:38:375 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAF856E6
20:17:38:375 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:375 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:375 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:375 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:375 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:375 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:375 2900 IRP_MJ_POWER : BAF84B6A
20:17:38:375 2900 IRP_MJ_SYSTEM_CONTROL : BAF85746
20:17:38:375 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:375 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:375 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:375 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:375 2900 sion
20:17:38:375 2900 C:\WINDOWS\system32\DRIVERS\mxopswd.sys - Verdict: Clean
20:17:38:375 2900
20:17:38:375 2900 Driver Name: Disk
20:17:38:375 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:375 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:375 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:375 2900 IRP_MJ_READ : F7637D1F
20:17:38:375 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:375 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:375 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:375 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:375 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:375 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:375 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:375 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:375 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:375 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:390 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:390 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:390 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:390 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_POWER : F7639C82
20:17:38:390 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:390 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:390 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:390 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:390 2900 sion
20:17:38:390 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:390 2900
20:17:38:390 2900 Driver Name: Disk
20:17:38:390 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:390 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:390 2900 IRP_MJ_CLOSE : F763DBB0
20:17:38:390 2900 IRP_MJ_READ : F7637D1F
20:17:38:390 2900 IRP_MJ_WRITE : F7637D1F
20:17:38:390 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:390 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:390 2900 IRP_MJ_FLUSH_BUFFERS : F76382E2
20:17:38:390 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:390 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
20:17:38:390 2900 IRP_MJ_SHUTDOWN : F76382E2
20:17:38:390 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:390 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_POWER : F7639C82
20:17:38:390 2900 IRP_MJ_SYSTEM_CONTROL : F763E99E
20:17:38:390 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:390 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:390 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:390 2900 sion
20:17:38:390 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:390 2900
20:17:38:390 2900 Driver Name: atapi
20:17:38:390 2900 IRP_MJ_CREATE : F74CA6F2
20:17:38:390 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:390 2900 IRP_MJ_CLOSE : F74CA6F2
20:17:38:390 2900 IRP_MJ_READ : 804F9759
20:17:38:390 2900 IRP_MJ_WRITE : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_SET_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_EA : 804F9759
20:17:38:390 2900 IRP_MJ_SET_EA : 804F9759
20:17:38:390 2900 IRP_MJ_FLUSH_BUFFERS : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
20:17:38:390 2900 IRP_MJ_DIRECTORY_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_DEVICE_CONTROL : F74CA712
20:17:38:390 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74C6852
20:17:38:390 2900 IRP_MJ_SHUTDOWN : 804F9759
20:17:38:390 2900 IRP_MJ_LOCK_CONTROL : 804F9759
20:17:38:390 2900 IRP_MJ_CLEANUP : 804F9759
20:17:38:390 2900 IRP_MJ_CREATE_MAILSLOT : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_SET_SECURITY : 804F9759
20:17:38:390 2900 IRP_MJ_POWER : F74CA73C
20:17:38:390 2900 IRP_MJ_SYSTEM_CONTROL : F74D1336
20:17:38:390 2900 IRP_MJ_DEVICE_CHANGE : 804F9759
20:17:38:390 2900 IRP_MJ_QUERY_QUOTA : 804F9759
20:17:38:390 2900 IRP_MJ_SET_QUOTA : 804F9759
20:17:38:406 2900 siohd: 0
20:17:38:406 2900 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
20:17:38:406 2900
20:17:38:406 2900 Completed
20:17:38:406 2900
20:17:38:406 2900 Results:
20:17:38:406 2900 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:17:38:406 2900 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:17:38:406 2900 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:17:38:406 2900
20:17:38:406 2900 KLMD(ARK) unloaded successfully
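As an added example (not code from this thread, nor from Kaspersky's TDSSKiller), a small Python parser for the per-driver dispatch tables in a TDSSKiller log like the one above: it groups the IRP_MJ_* entries per driver, records hook-detect notices and verdicts, and applies a simple heuristic for a hooked dispatch entry (a handler address far from the driver's other handlers). The sample log is constructed; it includes one deliberately out-of-range atapi handler purely to exercise the check, and the 1 MB distance window is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt in the TDSSKiller log layout seen in this thread; the
# atapi IRP_MJ_INTERNAL_DEVICE_CONTROL address is invented to trigger the check.
SAMPLE_LOG = r"""
20:17:38:359 2900 Driver Name: Disk
20:17:38:359 2900 IRP_MJ_CREATE : F763DBB0
20:17:38:359 2900 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
20:17:38:359 2900 IRP_MJ_READ : F7637D1F
20:17:38:359 2900 IRP_MJ_DEVICE_CONTROL : F76383BB
20:17:38:359 2900 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
20:17:38:359 2900 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:17:38:390 2900 Driver Name: atapi
20:17:38:390 2900 IRP_MJ_CREATE : F74CA6F2
20:17:38:390 2900 IRP_MJ_READ : 804F9759
20:17:38:390 2900 IRP_MJ_DEVICE_CONTROL : F74CA712
20:17:38:390 2900 IRP_MJ_INTERNAL_DEVICE_CONTROL : 81F1C9C0
20:17:38:406 2900 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
"""

LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")   # time + pid prefix
DRIVER = re.compile(r"^Driver Name:\s*(\S+)")
ENTRY = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT = re.compile(r"^(.*?) - Verdict:\s*(\w+)")

def parse_tdsskiller(text):
    """Return one dict per 'Driver Name:' block: handlers, notices, path, verdict."""
    drivers, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if (d := DRIVER.match(body)):
            cur = {"name": d.group(1), "handlers": {}, "notices": [], "path": None, "verdict": None}
            drivers.append(cur)
        elif cur is None:
            continue
        elif (e := ENTRY.match(body)):
            cur["handlers"][e.group(1)] = int(e.group(2), 16)
        elif (v := VERDICT.match(body)):
            cur["path"], cur["verdict"] = v.group(1), v.group(2)
        elif "HookDetect" in body:
            cur["notices"].append(body)
    return drivers

def default_handler(drivers):
    """Address most entries share across drivers: the kernel's stub for IRP majors
    a driver does not implement (804F9759 throughout the thread's log)."""
    counts = Counter(a for d in drivers for a in d["handlers"].values())
    return counts.most_common(1)[0][0]

def outliers(driver, default, window=0x100000):
    """Handlers a driver implements itself should sit inside its own image; flag
    implemented entries lying more than `window` bytes from the driver's median."""
    own = sorted(a for a in driver["handlers"].values() if a != default)
    if len(own) < 2:
        return []
    median = own[len(own) // 2]
    return sorted(k for k, a in driver["handlers"].items()
                  if a != default and abs(a - median) > window)
```

Running it on a real TDSSKiller log gives a per-driver summary to check against the tool's own verdict lines; an entry flagged by `outliers` is a reason to look closer, not a verdict on its own.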


#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 March 2010 - 08:28 PM

Clean log for TDSS.


I see from the Gmer log that it stalled on Devices.

Please rerun Gmer but uncheck Devices first

If that fails then try RootRepeal, a similar program.
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


m0le is a proud member of UNITE

#11 mcnod
  • Topic Starter
  • Members
  • 12 posts

Posted 01 March 2010 - 08:36 PM

QUOTE(m0le @ Mar 1 2010, 08:28 PM)
Clean log for TDSS.


I see from the Gmer log that it stalled on Devices.

Please rerun Gmer but uncheck Devices first

If that fails then try RootRepeal, a similar program.
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Should I uncheck Sections and IAT/EAT as well again before running gmer?

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 March 2010 - 08:36 PM

No, just Devices.

Wait a minute, I've just spotted where the SSDT name is coming from on the Gmer log. That isn't malware; that stands for Site Selection Diversity Transmission and is a legitimate process.

The Gmer or RootRepeal scan should be able to confirm that there is nothing wrong with your PC.

Edited by m0le, 01 March 2010 - 08:37 PM.

m0le is a proud member of UNITE

#13 mcnod
  • Topic Starter
  • Members
  • 12 posts

Posted 01 March 2010 - 08:43 PM

Ok, be back when gmer finishes, thanks.

#14 mcnod
  • Topic Starter
  • Members
  • 12 posts

Posted 02 March 2010 - 04:45 PM

Ok, here is last night's gmer. I was able to save it this time without things freezing up.

Attached Files
  • ark.txt (4.92KB)


#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 March 2010 - 06:22 PM

Gmer is clean though it doesn't like sunkfilt.sys.

This file appears to be legit but there are malicious copies which are trojans. We should check this file with a scan.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file, and click Submit.

C:\WINDOWS\System32\Drivers\sunkfilt.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE



