Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS Rootkit infection. TDSS Killer failed.


  • This topic is locked This topic is locked
3 replies to this topic

#1 arachnic

arachnic

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 11 May 2010 - 06:55 AM

Hi !

I seem to have a TDSS Rootkit infecting my Atapi.sys file. Tried the TDSSKiller from kaspersky, and it detects the rootkit, but while it says reboot to delete, its detected anyway after the reboot.

In safe mode, as well as safe mode with command prompt, it does not detect any TDSS rootkit at all.

The machine is a Toshiba Satellite laptop dualbooting Vista and Ubuntu Linux (9.10 Karmic)
Currently I have AVG 9.0, Avira, SpyBot SD and MBAM installed. Windows Vista Firewall has always been on.
I usually spend about 40% of my time in Windows, with 60% in Ubuntu, going online through both.

My system is not exhibiting any of the more severe symptoms I read in the forums - redirected search results, blocked AV updates, etc. I only checked for rootkits because Chrome wouldnt do anything. Further on, though, I was getting warnings and errors from MBAM as well as Avira every some time, on various trojans, etc.

However, since detecting this rootkit, and reading through your forums and guidelines, I turned off my laptop's WiFi switch when in Windows, going online only through my Ubuntu boot. I am assuming(correctly, I hope) that my Ubuntu system is safe, and immune to the rootkit, so I can use it to go online as well as do other work. With the WiFi turned off in Windows, I haven't got any warnings from MBAM or Avira.

I put up this problem initially in the "Am I infected? What do I do?" forum, where I have been directed by boopme to send in my DDS and Gmer logs. DDS log below. Do you need the Attach.txt ? Running Gmer starts the scan, but gets hung at some point.

So, please have a look, and let me know what I need to do next.

Thanks
Arachnic

Original Post (with more detailed info on how it all began) : http://www.bleepingcomputer.com/forums/t/314587/tdss-rootkit-infection-tdsskiller-fails/

DDS Log :

DDS (Ver_10-03-17.01) - NTFSx86

Run by Calyp at 11:13:52.36 on 11-05-2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_19

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1405.379 [GMT 5.5:30]



AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: AVG Anti-Virus Free *enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}



============== Running Processes ===============



C:\Windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Dwm.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\SmoothView\SmoothView.exe

C:\Program Files\Toshiba\Utilities\KeNotify.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\System32\WTClient.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Toshiba\IVP\ISM\pinger.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

c:\Toshiba\IVP\swupdate\swupdtmr.exe

C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\Drivers\WTSRV.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\___anti rootkit measures\dds.scr

C:\Windows\system32\wbem\wmiprvse.exe



============== Pseudo HJT Report ===============



uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-w30

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

mStart Page = hxxp://www.yahoo.com/

mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: AutorunsDisabled - No File

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {259F616C-A300-44F5-B04A-ED001A26C85C} - No File

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Google Update] "c:\users\calyp\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe

mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [WTClient] WTClient.exe

StartupFolder: c:\users\calyp\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

TCP: {157C0471-379F-4EEE-8DA7-BFA5E257A277} = 59.185.3.10,59.185.3.11

TCP: {2A3B97A0-29F2-405A-A4BC-AB3909E3D86D} = 59.185.0.23,203.94.227.70,59.185.0.50,203.94.243.70

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

Hosts: 127.0.0.1 www.spywareinfo.com



================= FIREFOX ===================



FF - ProfilePath - c:\users\calyp\appdata\roaming\mozilla\firefox\profiles\jbc2y76e.ultralite\

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\calyp\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\users\calyp\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}



---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);



============= SERVICES / DRIVERS ===============



R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-22 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-22 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-17 242896]

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-29 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-29 267432]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-24 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-24 308064]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-8 60936]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-12-20 1153368]

R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]

S2 gupdate1c9b83438cc32e2;Google Update Service (gupdate1c9b83438cc32e2);c:\program files\google\update\GoogleUpdate.exe [2009-4-8 133104]

S3 CSMI;CSMI;c:\users\calyp\appdata\local\temp\csmi.exe --> c:\users\calyp\appdata\local\temp\CSMI.exe [?]

S3 CYW;CYW;c:\users\calyp\appdata\local\temp\cyw.exe --> c:\users\calyp\appdata\local\temp\CYW.exe [?]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-9-9 9728]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-9-9 3072]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-13 30192]

S3 MT;MT;c:\users\calyp\appdata\local\temp\mt.exe --> c:\users\calyp\appdata\local\temp\MT.exe [?]

S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-4-23 83208]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-4-23 15112]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-4-23 108680]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-4-23 98568]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]

S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]



=============== Created Last 30 ================



2010-05-11 05:30:21 0 ----a-w- c:\users\calyp\defogger_reenable

2010-05-10 00:30:40 54156 ---ha-w- c:\windows\QTFont.qfn

2010-05-10 00:30:40 1409 ----a-w- c:\windows\QTFont.for

2010-05-09 10:36:58 0 d-----w- C:\_recovered books

2010-05-08 14:30:02 0 d-----w- c:\users\calyp\appdata\roaming\Avira

2010-05-08 07:17:24 0 d-----w- c:\programdata\AppData

2010-05-08 07:16:55 0 d-----w- c:\program files\TABLET SOFTWARE

2010-05-08 07:07:35 0 d-----w- c:\windows\system32\TabletPmt

2010-05-08 07:07:34 0 d-----w- c:\program files\TABLET

2010-05-04 06:11:45 178000 ----a-w- C:\TDSSKiller.exe

2010-05-03 14:48:10 0 d-----w- c:\program files\uTorrent

2010-05-03 13:19:16 0 d-----w- c:\program files\Synergy

2010-04-29 14:51:00 0 d-----w- c:\programdata\Avira

2010-04-29 14:51:00 0 d-----w- c:\program files\Avira

2010-04-25 02:15:41 0 d-----w- c:\users\calyp\appdata\roaming\Malwarebytes

2010-04-25 02:15:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-25 02:15:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-25 02:15:01 0 d-----w- c:\programdata\Malwarebytes

2010-04-25 02:15:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-24 15:33:03 0 d--h--w- C:\$AVG

2010-04-24 15:30:36 0 d-----w- c:\programdata\avg9

2010-04-24 07:21:24 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys



==================== Find3M ====================



2010-05-09 03:53:51 21560 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-08 07:12:34 86016 ----a-w- c:\windows\inf\infpub.dat

2010-05-08 07:12:34 143360 ----a-w- c:\windows\inf\infstrng.dat

2010-05-08 07:12:31 143360 ----a-w- c:\windows\inf\infstor.dat

2010-04-24 15:32:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-24 15:32:26 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-24 15:32:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-08 22:58:20 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-08 18:50:45 106752 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-02-24 04:46:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2008-07-10 08:39:55 665600 ----a-w- c:\windows\inf\drvindex.dat

2008-03-23 22:00:16 174 --sha-w- c:\program files\desktop.ini

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-08 15:00:44 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009060820090609\index.dat

2009-06-13 13:35:28 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009061320090614\index.dat

2009-06-24 03:45:04 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009062420090625\index.dat



============= FINISH: 11:14:55.87 ===============


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:15 AM

Posted 11 May 2010 - 10:04 PM


Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Note: Do not run any programs while Gmer is running.

information and logs:
    In your next post I need the following
      1.log from GMER
      2.let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:15 AM

Posted 14 May 2010 - 01:00 PM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:15 AM

Posted 17 May 2010 - 01:39 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users