tdss related infection


3 replies to this topic

#1 jdlordhelmet

jdlordhelmet

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 07 April 2010 - 11:11 PM

I have had a tdss rootkit on another pc before and I ended up reformatting, so I know how it acts and how hard it can be to remove. I am hoping I can actually get rid of this one.

I have always used Avira Antivir and kept it up-to-date, but I am assuming one of the supposedly safe files I downloaded recently and didn't scan was the source of infection. I entered a reboot loop today and had to disable sptd.sys from safe mode (renamed the file with .bak), at which point I was able to boot normally. This indicated TDSS to me. I also began noticing the typical redirection in Google search links. I ran a Malwarebytes full scan and had no threats. I got TDSSKiller and it found 1 infection, atapi.sys, which it said it could not cure.

I stopped there because I knew I had TDSS and couldn't get rid of it myself. I didn't bother with a full AV scan, because I know it won't matter. Please help, I really don't want to reformat this machine. Thank you for your service.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 23:38:22.60 on Wed 04/07/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.230 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
F:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
F:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
f:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
f:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
F:\firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] f:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [NVIDIA nTune] "f:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SandboxieControl] "f:\program files\sandboxie\SbieCtrl.exe"
mRun: [DeltTray] DeltTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "f:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRunOnce: [Malwarebytes' Anti-Malware] f:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - f:\program files\belkin\nostromo\nost_LM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: Download all by Net Transport - f:\program files\xi\nettransport 2\NTAddList.html
IE: Download by Net Transport - f:\program files\xi\nettransport 2\NTAddLink.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - f:\program files\empirepokermaster\empirepoker\RunEPoker.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {00000055-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhgax.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\rls13aoy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: f:\firefox\plugins\NPAdbESD.dll
FF - plugin: f:\firefox\plugins\npgooglevlc.dll
FF - plugin: f:\firefox\plugins\npmozax.dll
FF - plugin: f:\firefox\plugins\npViewpoint.dll
FF - plugin: f:\firefox\plugins\npwinamp.dll
FF - plugin: f:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: f:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.12);user_pref(general.useragent.extra.zencast, f:\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
f:\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
f:\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
f:\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
f:\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
f:\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
f:\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
f:\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
f:\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
f:\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
f:\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
f:\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
f:\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
f:\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
f:\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
f:\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
f:\firefox\greprefs\all.js - pref("html5.enable", false);
f:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
f:\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
f:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
f:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
f:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
f:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
f:\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
f:\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
f:\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
f:\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
f:\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
f:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-23 11608]
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [2004-10-29 75264]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-23 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-23 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-23 60936]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 EvoInstallerService;M-Audio Installer;c:\program files\m-audio\install\EvoInst.exe [2006-8-17 90112]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2004-9-19 2560]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2007-9-15 53307]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-3-25 2048]
R3 SbieDrv;SbieDrv;f:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
S1 oreans32;oreans32;\??\c:\windows\system32\drivers\oreans32.sys --> c:\windows\system32\drivers\oreans32.sys [?]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [2006-5-31 21016]
S2 hpdj00;hpdj00;c:\docume~1\admini~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1310 series -product=aio --> c:\docume~1\admini~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1310 series -product=aio [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 Cdellhdns;Cdellhdns;c:\windows\system32\drivers\swenum.sys [2004-8-1 4352]
S3 EVOLUSB;%EVOL_USB.SvcDesc%;c:\windows\system32\drivers\evolusb.sys [2006-8-17 21984]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\admini~1\locals~1\temp\imspqmn.sys --> c:\docume~1\admini~1\locals~1\temp\iMSPQMn.sys [?]
S3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys --> c:\windows\system32\drivers\l6dp.sys [?]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\l6podlv.sys --> c:\windows\system32\drivers\L6PODLV.sys [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [2002-9-9 17018]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 341504]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys --> c:\windows\system32\drivers\sbusb.sys [?]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2005-4-29 245376]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-04-08 03:36:46 160 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-08 03:21:53 0 d-----w- c:\program files\ESET
2010-04-08 02:44:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 02:44:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 02:44:05 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 02:21:10 54016 ----a-w- c:\windows\system32\drivers\oxxhhalx.sys
2010-03-28 21:45:13 0 d-----r- C:\Sandbox
2010-03-28 21:43:39 1208 ----a-w- c:\windows\Sandboxie.ini
2010-03-26 22:06:41 0 d-----w- c:\docume~1\admini~1\applic~1\Avira
2010-03-25 23:03:00 0 d-----w- C:\Linksys Driver
2010-03-24 23:01:47 36270 ----a-w- c:\windows\DIIUnin.dat
2010-03-24 23:01:44 94208 ----a-w- c:\windows\DIIUnin.exe
2010-03-24 23:01:44 2829 ----a-w- c:\windows\DIIUnin.pif

==================== Find3M ====================

2010-04-08 01:13:41 13228 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 23:16:19 21840 -c--atw- c:\windows\system32\SIntfNT.dll
2010-03-24 23:16:19 17212 -c--atw- c:\windows\system32\SIntf32.dll
2010-03-24 23:16:19 12067 -c--atw- c:\windows\system32\SIntf16.dll
2010-03-04 01:07:40 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-16 17:24:01 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-14 02:19:56 73728 ----a-w- c:\windows\inf\wg111v3\win7x64\SetVistaDrv64.exe
2009-07-31 20:12:18 341504 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
2009-07-20 23:20:04 65536 ----a-w- c:\windows\inf\wg111v3\win7x86\SetVistaDrv.exe
2009-06-03 15:36:22 74752 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2009-06-03 15:30:26 49152 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2009-04-01 14:49:14 57344 ----a-w- c:\windows\inf\wg111v3\SetVistaDrv.exe
2008-12-12 23:13:32 512000 ----a-w- c:\windows\inf\wg111v3\win7x64\DIFxAPI.dll
2008-12-12 22:57:46 313856 ----a-w- c:\windows\inf\wg111v3\win7x86\DIFxAPI.dll
2006-12-15 16:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 16:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 16:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 16:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 16:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-03-16 13:24:24 49664 ----a-w- c:\windows\inf\wg111v3\devcon.exe
2005-09-20 14:23:28 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:39:42.51 ===============
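As an added example that is not part of the thread or of the DDS tool: a small Python triage script that parses the SERVICES / DRIVERS and Created Last 30 sections of a DDS log like the one above and flags what a responder reads first, namely entries DDS marks [?] (file not found on disk), binaries located under a temp directory, and kernel drivers created inside the 30-day window. The sample input is an abridged copy of the posted log; the section names come from the log itself, while the heuristics and the handling of "a --> b" paths are my assumptions about the format.

```python
import re
from dataclasses import dataclass

# Constructed sample input: an abridged copy of the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-23 11608]
S1 oreans32;oreans32;\??\c:\windows\system32\drivers\oreans32.sys --> c:\windows\system32\drivers\oreans32.sys [?]
S2 hpdj00;hpdj00;c:\docume~1\admini~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1310 series -product=aio --> c:\docume~1\admini~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1310 series -product=aio [?]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\admini~1\locals~1\temp\imspqmn.sys --> c:\docume~1\admini~1\locals~1\temp\iMSPQMn.sys [?]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-04-08 02:44:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 02:21:10 54016 ----a-w- c:\windows\system32\drivers\oxxhhalx.sys
2010-03-28 21:43:39 1208 ----a-w- c:\windows\Sandboxie.ini
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")  # state, start, name, display, path, [info]
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")

@dataclass
class Finding:
    name: str
    path: str
    reasons: list

def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} by its '=== name ===' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def triage_services(lines):
    """Flag entries DDS could not find on disk ('[?]') or whose binary sits in a temp directory."""
    findings = []
    for m in filter(None, map(SERVICE_RE.match, lines)):
        name, path_field, info = m.group(3), m.group(5), m.group(6)
        # When DDS prints 'a --> b', keep the right-hand path (assumption about the format).
        path = path_field.split("-->")[-1].strip()
        reasons = []
        if info == "?":
            reasons.append("file not found on disk")
        if "\\temp\\" in path.lower():
            reasons.append("binary located under a temp directory")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings

def triage_created(lines):
    """Flag kernel drivers (.sys under the drivers directory) created inside the 30-day window."""
    findings = []
    for m in filter(None, map(CREATED_RE.match, lines)):
        when, size, _attrs, path = m.groups()
        if path.lower().endswith(".sys") and "\\drivers\\" in path.lower():
            findings.append(Finding(path.rsplit("\\", 1)[-1], path,
                                    [f"driver created {when} ({size} bytes)"]))
    return findings

def triage(text):
    """Run both checks over a DDS log; a finding is a review prompt, not a verdict."""
    sections = parse_sections(text)
    return (triage_services(sections.get("SERVICES / DRIVERS", []))
            + triage_created(sections.get("Created Last 30", [])))
```

A flag is a prompt to review, not a verdict: hitmanpro35.sys is flagged here although the same log shows Hitman Pro 3.5 being installed that evening.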

#2 jdlordhelmet

jdlordhelmet
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 08 April 2010 - 12:12 PM

Fixed the problem. Used UBCD4WIN to boot and ran SUPERAntiSpyware, then replaced atapi.sys. System seems fine.

#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:45 AM

Posted 11 April 2010 - 05:22 PM

Hello jdlordhelmet



Glad you got it fixed and thanks for letting us know.

From looking at your log, I would suggest updating Adobe Reader, and although your version of Java is not that old, I would go ahead and update because Add/Remove shows you still have another older version on your system, and they can be used by malware to exploit your computer.



Please uninstall the older version of Adobe Reader before installing the latest version.

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.






Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 19 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.





Good luck in the future.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:45 AM

Posted 15 April 2010 - 01:28 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.



