Unknown infection

  • This topic is locked
6 replies to this topic

#1 MexiBrit


  • Members
  • 6 posts
  • Local time:04:34 AM

Posted 25 March 2010 - 11:14 AM

A continuation from the AII forum:
LINK: http://www.bleepingcomputer.com/forums/top...ml#entry1687330

Followed the instructions here.
Have not been able to run GMER as described. Within 30 seconds or so of starting up GMER, the machine reboots automatically.
However, I did manage to save off some log information from GMER after it performs its initial checks after start up.
I'll keep trying and see if I can get it to complete.

DDS (Ver_10-03-17.01) - NTFSx86
Run by jkitchen at 10:13:22.11 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.2955 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {8E5F28CD-2564-41EB-9009-D88A93C03E10}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {3DF822A2-6D9B-4530-9280-048A10AED5CE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {667D78BC-F85B-4C67-A79A-4E86882F3161}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {667D78BC-F85B-4C67-A79A-4E86882F3161}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\jkitchen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://jnet.jda.corp.local/DocCenter/JDAWelcome/Pages/i2%20On-boarding.aspx
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [iihgfdsys] rundll32.exe "ddaxvt.dll",DllRegisterServer
mPolicies-system: consentpromptbehavioradmin = 0 (0x0)
mPolicies-system: enablelua = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_16\bin\npjpi150_16.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://jda.tenroxhosting.com/TEnterprise/download/smsx.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3E059DAB-6894-435C-B758-2977F014D734} - hxxps://jda.tenroxhosting.com/TEnterprise/download/TClientProc.CAB
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://extranet.i2.com/nortel_cacheable/NetDirect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {9CF0560E-8FDC-45DB-8FBB-E7C9AE50BCE9} - hxxps://jda.tenroxhosting.com/TEnterprise/Download/TWorkflowMapX.cab
DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} - hxxps://extranet.i2.com/nortel_cacheable/iewiper.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://extranet.i2.com/https/i2CorpMail22.i2.com/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} - hxxp://dlwsis02.i2.com/aspnet_client/Altiris_AppWeaver/6_0_sp3/lib/AeXClipboard.CAB
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 ddaxvt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jkitchen\applic~1\mozilla\firefox\profiles\xi3mdt8m.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-19 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-11 343664]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-10-15 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-9-11 70728]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-3-1 24521]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-11 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-11 43288]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-14 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
S3 admin51-serv;iPlanet Administration Server 5.1;c:\iplanet\servers\bin\https\bin\ns-httpd.exe [2008-12-5 36864]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\i2 vpn access\Extranet_serv.exe [2007-2-28 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-3-1 155184]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-9-11 65448]
S3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\netdirect.sys --> c:\windows\system32\drivers\NetDirect.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-7-6 34064]
S3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\oracle\11g\bin\tnslsnr --> c:\oracle\11g\bin\TNSLSNR [?]
S3 OracleServiceORCL;OracleServiceORCL;c:\oracle\11g\bin\oracle.exe orcl --> c:\oracle\11g\bin\ORACLE.EXE ORCL [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 slapd-d620ngdmm1c1;iPlanet Directory Server 5 (d620ngdmm1c1);c:\iplanet\servers\bin\slapd\server\ns-slapd.exe [2008-12-5 20480]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-2-28 315408]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\11g\bin\extjob.exe orcl --> c:\oracle\11g\bin\extjob.exe ORCL [?]

=============== Created Last 30 ================

2010-03-25 04:55:06 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-25 04:55:06 0 d-----w- c:\docume~1\jkitchen\applic~1\SUPERAntiSpyware.com
2010-03-25 04:54:37 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-24 22:25:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 22:25:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 22:25:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 23:19:26 0 d--h--w- c:\documents and settings\jkitchen\InstallAnywhere
2010-03-23 22:30:59 0 d-----w- c:\documents and settings\jkitchen\.sqldeveloper
2010-03-23 00:57:30 0 d-----w- c:\program files\Trend Micro
2010-03-22 22:15:01 0 d-----w- c:\documents and settings\jkitchen\Tracing
2010-03-22 19:42:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-22 19:42:51 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-20 00:37:02 0 d-----w- C:\ProcessExplorer
2010-03-19 15:25:37 0 d-----w- c:\docume~1\jkitchen\applic~1\Windows Search
2010-03-19 15:23:11 0 d-----w- c:\docume~1\jkitchen\applic~1\Windows Desktop Search
2010-03-19 15:22:41 0 d-----w- c:\program files\Windows Desktop Search
2010-03-19 07:00:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-19 05:48:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-19 05:48:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-19 05:37:58 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-19 05:37:44 0 d-----w- c:\program files\Lavasoft
2010-03-18 15:52:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-18 05:38:19 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 05:38:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-17 04:15:00 0 d-----w- C:\PortQryUI
2010-03-17 03:22:46 0 d-----w- c:\docume~1\jkitchen\applic~1\Malwarebytes
2010-03-16 20:38:52 0 d-----w- c:\docume~1\jkitchen\applic~1\Trillian
2010-03-16 18:59:02 0 d-----w- c:\docume~1\jkitchen\applic~1\McAfee
2010-02-28 07:11:41 0 d-----w- c:\program files\EZ@Home

==================== Find3M ====================

2010-03-25 14:51:40 2344 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-23 00:26:58 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-13 00:53:16 98304 ----a-w- c:\windows\system32\atonecli.dll
2010-01-13 00:53:16 49152 ----a-w- c:\windows\system32\WbxRMenu.dll
2010-01-13 00:53:16 196608 ----a-w- c:\windows\system32\atonres.dll
2010-01-13 00:53:16 131072 ----a-w- c:\windows\system32\WbxMSAI.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-09-03 01:48:35 80 --sh--r- c:\windows\system32\A9F94B7F08.dll

============= FINISH: 10:14:37.65 ===============

Edited by Net_Surfer, 25 March 2010 - 03:49 PM.


#2 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 25 March 2010 - 02:43 PM

Hello again MexiBrit,

Welcome to Bleeping Computer Virus, Trojan, Spyware, and Malware Removal Logs Forum.

My nick is Net_Surfer. I'll be glad to help you with your computer problems. I will be working on your Malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Please take note of the following which will make our fix go more smoothly:
    1. The cleaning process is not instant. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly. Please continue to review my answers until I tell you your machine is clean. Just because a symptom "disappears" does not mean your system is clean.
    2. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    3. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
    4. If you are running P2P file sharing program(s), my recommendation is that you uninstall it/them.
    5. Do NOT run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
    6. If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
    7. The forum is busy and we need to have replies as soon as possible. After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
Please reply using the button in the lower right hand corner of your screen. Do not start a new topic.
If you can do these things, everything should go smoothly.

Found your problem!!!

Please read on and I will be back with more instructions for you to follow in a few minutes.

Device -> \Driver\atapi \Device\Harddisk0\DR0 8B0F1CA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Malware writers are now sending a "catch me, if you can" message to antivirus companies in a hide-and-seek game where rootkit techniques are always a step ahead of security countermeasures and they open wide the road to every other malware which doesn't mind using even old and known tricks - they are just invisible to everyone, they are free to do as they please. Key word is: money.

Tdss rootkit 3rd variant is the last member of Tdss rootkit family that is quickly spreading around the world. While a number of rootkits are just developed as a proof of concept, this is not the case. Tdss rootkit is well known to antivirus companies because of its goal to get total control of the infected PCs and using them as zombies for its botnet.

During these years it has always shown a team of skilled people behind it, who always applied advanced techniques often able to bypass antirootkit software. Actually, this last variant could be easily named as the stealthiest rootkit in the wild.

This infection is bringing all together the best of MBR rootkit, the best of Rustock.C and the experience of old Tdss variants. Result is an infection that is quickly spreading on the net and it is undetected by almost every security software and 3rd party anti rootkit software.

The infection comes from the usual dropper spread by peer to peer networks or by crack and keygen websites, and it needs administrator privileges to run its payload. If UAC is disabled or the user voluntarily gives admin permissions, this infection can run even on Windows Vista and Windows 7. This is likely to be the usual scenario, where a user looks for specific cracks and doesn't mind if UAC warns him; he gives admin privileges to the wanted crack.

Tdss rootkit is indeed a really worrying infection, it is in the wild and it's quickly spreading without being intercepted and detected by almost anyone. Some antiviruses may throw up a warning about the presence of tdlcmd.dll or tdlwsp.dll, without being able to do anything. Most of the time users won't be warned at all, they just don't know their PC is part of a botnet and it is under the control of malware writers who can use their PC as they please.

We heartily recommend to not download and use cracks or keygens, they are often a vector for very nasty infections.

Despite the complexity of the infection we are able to detect and clean the infection if you follow the steps we provide and it is really important that you perform the steps in the way given without skipping them.

I will post back shortly with some steps for you to follow.

Kind regards
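
Added example, not part of the thread and not code from any poster, DDS or GMER: a small Python triage pass over lines copied from the DDS log in post #1 and the GMER excerpt in post #2. It cross-references entries that deserve a closer look and does not decide whether they are malicious. The function name `triage`, the finding labels and the msv1_0-only baseline for LSA authentication packages are assumptions of this example.

```python
import re
from ntpath import basename

# Assumption of this example: a stock Windows XP install lists only msv1_0 here.
BASELINE_LSA_PACKAGES = {"msv1_0"}

LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$", re.I)
RUN_RE = re.compile(
    r'^\wRun: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,', re.I)
GMER_RE = re.compile(r"^File (?P<path>.+?) suspicious modification", re.I)
LISTING_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \S+ (?P<path>.+)$")

# Lines copied from the logs quoted in this thread (DDS in post #1, GMER in post #2).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [iihgfdsys] rundll32.exe "ddaxvt.dll",DllRegisterServer
LSA: Authentication Packages = msv1_0 ddaxvt.dll
2010-03-25 14:51:40 2344 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-23 00:26:58 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


def triage(text):
    """Return (kind, subject, detail) tuples for entries that merit manual review."""
    lsa_extra, autoruns, gmer_files, listing = [], [], [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LSA_RE.match(line):
            # Anything beyond the baseline is loaded into LSASS at boot.
            lsa_extra += [p for p in m["pkgs"].split()
                          if p.lower() not in BASELINE_LSA_PACKAGES]
        elif m := RUN_RE.match(line):
            autoruns.append((m["name"], m["dll"]))
        elif m := GMER_RE.match(line):
            gmer_files.append(m["path"].lower())
        elif m := LISTING_RE.match(line):
            listing[m["path"].lower()] = m["ts"]

    findings = []
    for pkg in lsa_extra:
        # Correlate: is the same DLL also started from a Run key?
        loaders = [n for n, dll in autoruns if basename(dll).lower() == pkg.lower()]
        detail = "not in the baseline LSA package list"
        if loaders:
            detail += "; also loaded by Run entry [" + ", ".join(loaders) + "]"
        findings.append(("lsa-package", pkg, detail))
    for name, dll in autoruns:
        if basename(dll) == dll:  # no directory component in the logged command
            findings.append(("rundll32-autorun", name,
                             "loads " + dll + " by bare name via the DLL search path"))
    for path in gmer_files:
        ts = listing.get(path, "not listed")
        findings.append(("modified-file", path,
                         "GMER reports modification; DDS timestamp " + ts))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
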


#3 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 25 March 2010 - 03:30 PM

Hello again MexiBrit,

Please read on and take a note:

We need to give you the standard "compromised system" spiel before we go on:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?"

Although we MIGHT be able to remove the rootkit, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that IF the rootkit can be removed the computer will then be secure.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

*If you wish to proceed please follow my next set of steps:


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Please disable Windows Defender's real-time protection as it will interfere with the fix. You can re-enable it when we've finished the cleanup.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
    After all of the fixes are complete it is very important that you enable Real-time Protection again.

OK, MexiBrit... let's do the following:

If you can not download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

**Note: In the event you already have old versions of Combofix I need you to delete them, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop, and rename it to CFscan with .exe extension on the end.

Step 1: Please download Combofix from any of the links below but rename it to CFscan before saving it to your desktop.
Link 1
Link 2

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step 2: Please insert your flash drive and all usb-drives before running Combofix
    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
  • Close any open browsers.
    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Step 3: Double click on the renamed on your desktop & follow the prompts.
If you are unsure how to run ComboFix tool, please visit this webpage for instructions: How-to-use-combofix
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.

    NOTE: If you have Windows XP: Combofix may ask you to install the Recovery Console, please allow it to do so.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
*** When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.***

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.

Step 4: MBAM

You already have Malwarebytes' Anti-Malware installed.
  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform a quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

    * Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
MBAM Tutorial if needed

Step 5: Re-scan with DDS and post the log.

Make sure you re-enable your security programs when you're done with Combofix.

Summary of the logs I will need in your next reply:
  • The report log of Combofix: C:\ComboFix.txt
  • The report log of MBAM
  • The report log of DDS
And a description of any remaining problems.

How are things your end, MexiBrit???

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards

#4 MexiBrit

  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:34 AM

Posted 25 March 2010 - 10:17 PM

I think I'm just going to wipe the hard drive and reinstall the OS.
I am unable to disable McAfee On-Access scanning (everything grayed out) so when I try to save the combofix it is detected as a virus.

#5 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 25 March 2010 - 11:34 PM

Hello MexiBrit,

I need you to completely remove McAfee from your computer then run combofix.

You can re-install it again after we are done with your fix.....or follow the instructions to disable if you want to try that first.

Please do these steps to help you with that:

Step 1: Firstly, please make sure the Windows firewall is turned on to protect you when you uninstall McAfee (Start > Control Panel > Windows Firewall).

Step 2: Download: McAfee Consumer Product Removal tool.

Step 3: Then go to Add/Remove Programs and uninstall McAfee.

Step 4: Then run the McAfee removal tool to clean any remains of it.

Step 5: Now you can run combofix and get rid of your headaches!

Please let me know how it went.


To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a sign.
  • Right-click it -> choose "Change Settings."
  • Turn everything OFF from within "Advanced" option button.
  • Next, select never for "When to re-enable real time scanning" and click OK.
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.
Here is a screenshot to help you on how to disable it.

#6 MexiBrit

  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:34 AM

Posted 27 March 2010 - 11:51 AM

Just an update on this. I had to reimage the laptop. I was no longer able to run any executable on the system from the UI - looks like something modified the registry. Thanks for the help on this though.

#7 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 27 March 2010 - 03:57 PM

Since this problem seems to be resolved by the user, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread.