
Rootkit not removed by kaspersky (tdss?)


This topic is locked.
2 replies to this topic

#1 davesw2

  • Members
  • 1 posts

Posted 10 April 2010 - 05:54 PM

I got given a netbook to fix by a friend. Obviously it has no CD drive, and my USB one refuses to play ball with it.
I have tried some of the utilities to make bootable USBs, but they don't seem to work on it either.

The problem was the usual: cannot get to the pages you want, constantly diverting, etc.

So, I ran Malwarebytes, Spybot, and in desperation Ad-Aware. Plenty of things were removed, but the underlying problem remained.
Eventually I decided, as a last resort before taking the hard drive out and attempting to restore it from another PC, to install Kaspersky Anti-Virus, which has worked miracles for me in the past.
However, Kaspersky kept detecting a rootkit (win32.tdss.y in atapi.sys), which it would try to remove, reboot, and then find again.

After trying the Sophos rootkit remover (it found 2 in temporary guest files), the problem still persisted.

I then ran ComboFix (I see now I shouldn't have, but unfortunately I didn't see those warnings till after).

Anyway, the PC is now working fine, except for the junk under the keys stopping me pressing them, so here are the logs if one of you would be so kind as to take a look for me:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Guest User at 23:13:17.09 on 10/04/2010
Internet Explorer: 7.0.5730.13

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MessengerDiscovery 2\MessengerDiscovery 2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
D:\gmer\gmer.exe
D:\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {A033D210-CC15-4509-9408-29A53F46EFA0} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R? fsssvc;Windows Live Family Safety Service
R? gupdate1c99bf225b6ee4a;Google Update Service (gupdate1c99bf225b6ee4a)
R? MEMSWEEP2;MEMSWEEP2
S? AVP;Kaspersky Anti-Virus
S? fssfltr;fssfltr
S? kl1;kl1
S? klbg;Kaspersky Lab Boot Guard Driver
S? KLIF;Kaspersky Lab Driver
S? klim5;Kaspersky Anti-Virus NDIS Filter
S? klmouflt;Kaspersky Lab KLMOUFLT
S? SAVRKBootTasks;Boot Tasks Driver

=============== Created Last 30 ================

2010-04-10 21:08:11 0 d-sha-r- C:\cmdcons
2010-04-10 21:01:52 98816 ----a-w- c:\windows\sed.exe
2010-04-10 21:01:52 77312 ----a-w- c:\windows\MBR.exe
2010-04-10 21:01:52 261632 ----a-w- c:\windows\PEV.exe
2010-04-10 21:01:52 161792 ----a-w- c:\windows\SWREG.exe
2010-04-10 17:12:25 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-04-10 11:16:48 0 d-----w- c:\program files\Sophos
2010-04-09 23:30:38 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 23:30:37 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 23:28:20 0 d-----w- c:\program files\Kaspersky Lab
2010-04-09 23:28:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-04-09 22:59:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-04-03 22:15:23 0 d-----w- c:\program files\Lavasoft
2010-04-03 13:07:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-02 23:52:30 251 ----a-w- c:\windows\wininit.ini
2010-04-02 22:39:20 120 ----a-w- c:\windows\Ojefuyag.dat
2010-04-02 22:39:20 0 ----a-w- c:\windows\Qtuweqetalaj.bin
2010-04-02 22:35:14 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-13 18:15:58 0 -c--a-w- c:\windows\system32\dllcache\SET5BC.tmp
2010-03-13 18:15:53 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-03-13 18:15:47 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-03-13 18:15:40 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-03-13 18:15:33 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2010-03-13 18:15:26 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2010-03-13 18:15:21 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-03-13 18:15:15 58368 -c--a-w- c:\windows\system32\dllcache\m3091dc.dll
2010-03-13 18:15:09 22848 -c--a-w- c:\windows\system32\dllcache\lwusbhid.sys
2010-03-13 18:15:08 20864 -c--a-w- c:\windows\system32\dllcache\lwadihid.sys
2010-03-13 18:15:02 797500 -c--a-w- c:\windows\system32\dllcache\ltsmt.sys
2010-03-13 18:13:59 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2010-03-13 18:12:56 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2010-03-13 18:11:58 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2010-03-13 18:10:56 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-03-13 18:10:54 1041536 -c--a-w- c:\windows\system32\dllcache\hsfdpsp2.sys
2010-03-13 18:10:52 685056 -c--a-w- c:\windows\system32\dllcache\hsfcxts2.sys
2010-03-13 18:10:50 32285 -c--a-w- c:\windows\system32\dllcache\hsfcisp2.dll
2010-03-13 18:10:41 220032 -c--a-w- c:\windows\system32\dllcache\hsfbs2s2.sys
2010-03-13 18:10:36 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-03-13 18:10:31 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-03-13 18:10:26 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2010-03-13 18:10:21 44863 -c--a-w- c:\windows\system32\dllcache\hsf_soar.sys
2010-03-13 18:10:15 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2010-03-13 18:10:10 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-03-13 18:10:05 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2010-03-13 18:10:00 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2010-03-13 18:09:55 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2010-03-13 18:09:50 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-03-13 18:09:45 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2010-03-13 18:09:40 67167 -c--a-w- c:\windows\system32\dllcache\hsf_bsc2.sys
2010-03-13 18:09:35 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-03-13 18:09:29 19456 -c--a-w- c:\windows\system32\dllcache\hr1w.dll
2010-03-13 18:09:25 5760 -c--a-w- c:\windows\system32\dllcache\hpt4qic.sys
2010-03-13 18:09:20 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2010-03-13 18:09:15 324608 -c--a-w- c:\windows\system32\dllcache\hpojwia.dll
2010-03-13 18:09:10 25952 -c--a-w- c:\windows\system32\dllcache\hpn.sys
2010-03-13 18:09:05 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll
2010-03-13 18:09:00 68608 -c--a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2010-03-13 18:07:58 25600 -c--a-w- c:\windows\system32\dllcache\hidbth.sys
2010-03-13 18:06:58 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-03-13 18:06:54 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2010-03-13 18:06:50 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
2010-03-13 18:06:44 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-03-13 18:06:39 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys
2010-03-13 18:06:34 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-03-13 18:06:32 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2010-03-13 18:06:27 71680 -c--a-w- c:\windows\system32\dllcache\fnfilter.dll
2010-03-13 18:06:21 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-03-13 18:06:09 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2010-03-13 18:06:03 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-03-13 18:05:59 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2010-03-13 18:05:55 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2010-03-13 18:05:50 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2010-03-13 18:05:40 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2010-03-13 18:05:33 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2010-03-13 18:05:22 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2010-03-13 18:05:10 45568 -c--a-w- c:\windows\system32\dllcache\esuni.dll
2010-03-13 18:04:56 34816 -c--a-w- c:\windows\system32\dllcache\esuimg.dll
2010-03-13 18:04:34 43008 -c--a-w- c:\windows\system32\dllcache\esucm.dll
2010-03-13 18:04:26 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2010-03-13 18:04:10 63360 -c--a-w- c:\windows\system32\dllcache\ess.sys
2010-03-13 18:03:43 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2010-03-13 18:03:39 594238 -c--a-w- c:\windows\system32\dllcache\es56hpi.sys
2010-03-13 18:03:35 595647 -c--a-w- c:\windows\system32\dllcache\es56cvmp.sys
2010-03-13 18:03:31 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2010-03-13 18:03:27 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2010-03-13 18:03:23 40704 -c--a-w- c:\windows\system32\dllcache\es1371mp.sys
2010-03-13 18:03:20 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-03-13 18:03:16 61952 -c--a-w- c:\windows\system32\dllcache\eqnloop.exe
2010-03-13 18:03:12 51200 -c--a-w- c:\windows\system32\dllcache\eqnlogr.exe
2010-03-13 18:03:08 53248 -c--a-w- c:\windows\system32\dllcache\eqndiag.exe
2010-03-13 18:03:04 629952 -c--a-w- c:\windows\system32\dllcache\eqn.sys
2010-03-13 18:03:00 114944 -c--a-w- c:\windows\system32\dllcache\epstw2k.sys
2010-03-13 18:01:58 24653 -c--a-w- c:\windows\system32\dllcache\el574nd4.sys
2010-03-13 18:01:55 55999 -c--a-w- c:\windows\system32\dllcache\el556nd5.sys
2010-03-13 18:01:52 44103 -c--a-w- c:\windows\system32\dllcache\el515.sys
2010-03-13 18:01:47 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2010-03-13 18:01:45 117760 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-03-13 18:01:42 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2010-03-13 18:01:29 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-03-13 18:01:25 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2010-03-13 18:01:19 28062 -c--a-w- c:\windows\system32\dllcache\dp83820.sys
2010-03-13 18:01:16 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2010-03-13 18:01:13 8704 -c--a-w- c:\windows\system32\dllcache\dot4scan.sys
2010-03-13 18:01:11 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2010-03-13 18:01:10 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2010-03-13 17:59:59 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-03-13 17:58:58 28672 -c--a-w- c:\windows\system32\dllcache\cyycoins.dll
2010-03-13 17:57:59 45696 -c--a-w- c:\windows\system32\dllcache\cirrus.sys
2010-03-13 17:56:49 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-03-13 17:55:59 11359 -c--a-w- c:\windows\system32\dllcache\atv02nt5.dll
2010-03-13 17:54:59 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys
2010-03-13 17:53:38 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

==================== Find3M ====================

2010-04-10 12:01:02 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 23:01:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

============= FINISH: 23:28:16.37 ===============

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-10 23:51:23
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GUESTU~1\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA251ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA251F74]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----

I'm currently running a full Kaspersky scan, then will rescan with Malwarebytes and Spybot, as I understand the TDSS rootkit can be used to hide malware from these programs.

There are several entries I don't like the look of, so I would be eternally grateful (well, maybe not eternally but not far off it!) if someone could take a look.

Cheers
Dave
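The two logs above are the raw material for exactly the kind of triage the poster is asking for: GMER lists who has hooked the SSDT and which drivers are attached to the file-system and TCP/IP device stacks, and DDS lists which files changed recently. The following script is an added, constructed example (not part of the original post, and not code from GMER, DDS or Kaspersky) that parses those two line shapes and flags (a) kernel hooks or attached devices whose module carries no version information or belongs to a vendor outside an allowlist, and (b) files under system32\drivers written within a window before the scan. The sample lines are copied from the logs above, plus two constructed lines (example.sys, example2.sys) so the detector has something to fire on; the allowlist and the 30-day window are assumptions to be tuned per case.

```python
"""Triage of GMER and DDS log lines: flag kernel hooks from unidentified or
untrusted modules and core drivers that changed shortly before the scan.
Constructed example; regexes follow the line shapes of the logs posted above."""
import re
from datetime import datetime, timedelta

# Vendors whose kernel hooks are accepted without a second look (assumption:
# the analyst has confirmed these products are really installed on the box).
TRUSTED_VENDORS = {"Microsoft Corporation", "Kaspersky Lab"}

# Sample input. The first four lines of each block are copied from the logs
# above; the example.sys / example2.sys lines are constructed to show what an
# unidentified module and an untrusted vendor look like in GMER output.
GMER_SAMPLE = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA251ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA251F74]
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwOpenKey [0xF7A12345]
AttachedDevice \Driver\Tcpip \Device\Udp example2.sys (Example Filter/Example Corp)
"""

DDS_SAMPLE = r"""
2010-04-10 17:12:25 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-04-10 12:01:02 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-09 23:01:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
"""

# GMER: "SSDT <module> (<description>/<company>) <ZwFunction> [<address>]";
# the parenthesised part is absent when the module has no version resource.
_SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<info>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# GMER: "AttachedDevice <driver object> <device> <module> (<description>/<company>)"
_ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<info>[^)]*)\))?")
# DDS "Created Last 30" / "Find3M": "<timestamp> <size> <attributes> <path>"
_DDS_FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attr>\S{8})\s+(?P<path>.+)$")


def _vendor(info):
    """Company name is the part after the last '/' of GMER's '(description/company)'."""
    return info.rsplit("/", 1)[-1].strip() if info else None


def suspicious_gmer_entries(text):
    """SSDT hooks and attached devices whose module has no version info or an untrusted vendor."""
    findings = []
    for line in text.splitlines():
        m = _SSDT_RE.match(line) or _ATTACHED_RE.match(line)
        if m is None:
            continue
        vendor = _vendor(m.group("info"))
        if vendor in TRUSTED_VENDORS:
            continue
        g = m.groupdict()
        findings.append({"kind": line.split(None, 1)[0], "module": g["module"],
                         "vendor": vendor, "detail": g.get("func") or g.get("device")})
    return findings


def recently_modified_drivers(text, scan_time, window_days=30):
    """DDS file entries under system32\\drivers written within window_days before
    scan_time ('YYYY-MM-DD HH:MM:SS'). Returns (path, timestamp, size), newest first."""
    cutoff = datetime.strptime(scan_time, "%Y-%m-%d %H:%M:%S") - timedelta(days=window_days)
    hits = []
    for line in text.splitlines():
        m = _DDS_FILE_RE.match(line.strip())
        if m is None or "\\system32\\drivers\\" not in m.group("path").lower():
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if ts >= cutoff:
            hits.append((m.group("path"), ts, int(m.group("size"))))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for f in suspicious_gmer_entries(GMER_SAMPLE):
        print("review:", f["kind"], f["module"], f["detail"], "vendor:", f["vendor"])
    for path, ts, size in recently_modified_drivers(DDS_SAMPLE, "2010-04-10 23:13:17"):
        print("recent driver:", path, ts, size)
```

On the logs as posted, every hook and attached device belongs to Kaspersky or Microsoft, so the GMER side produces nothing; the DDS side surfaces atapi.sys (written on the day of the scan, which fits Kaspersky replacing it) and the Malwarebytes driver. One caveat that explains the poster's remove-reboot-redetect loop: a rootkit that filters disk I/O can hand clean bytes to any tool that reads the infected driver from the running system, so a hash comparison of atapi.sys against a known-good copy is only trustworthy when the drive is read offline (slaved to another machine or from a boot disc), which is the step the netbook's missing CD drive was making awkward.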


#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts

Posted 13 April 2010 - 07:47 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Blade

Posted 20 April 2010 - 09:38 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade
