Help with rootkit.patched.tdss.gen please

Post by FloridaJo » March 25th, 2010, 7:26 pm

Okay, so I got rid of over 500 viruses etc. from a friend's computer and installed F-Secure, but this rootkit keeps coming up; F-Secure can't get rid of it.
I've read this forum and uploaded the atapi.sys from the System32\drivers folder and from the ServicePackFiles\drivers folder. The System32 one shows up as a rootkit, whereas the one in ServicePackFiles does not. I stopped there when I read "Do not use this procedure on another computer". And that's where I am. Any help would be appreciated. Just helping a friend out and have worked on this thing for 5 days now. :(
Thanks ahead of time.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:26 PM, on 3/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - (no file)
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\ramne.dll, HUI_proc (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\ramne.dll, HUI_proc (User 'Default user')
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1382117273
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://www.tgrthaber.com.tr/CanliYayin/ ... _en_dl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {77f79558-9176-4096-8963-d02fbcc298cd} - (no file)
O22 - SharedTaskScheduler: gahurihor - {ef24fa8a-3fc3-4061-93d4-7411f7d57fc9} - (no file)
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\INTERN~2\autocomp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

--
End of file - 6995 bytes


Uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11.5
ATI Control Panel
ATI Display Driver
AVI WMV MPEG Converter
BPS Data Shredder 1.0
Canon MultiPASS Suite 4.20a
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Support
DivX
DivX Player
DivX Web Player
DVDSentry
F-Secure Internet Security 2010
F-Secure PSC Prerequisites
GiPo@MoveOnBoot 1.9.5
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HyperCam 2
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
Internet Washer Pro 3.2-AC1
InterVideo WinDVD Platinum
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 18
LG USB Modem driver
Lotus Organizer 6.0
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.2.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Modem Helper
Mozilla Firefox (3.6.2)
MSVCRT
PowerDVD
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sophos Anti-Rootkit 1.5.0
Sound Blaster Live!
Spybot - Search & Destroy 1.2
TweakNow PowerPack 2009
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V CAST Music with Rhapsody
Verizon Help and Support Tool
Verizon High Speed Internet
Viewpoint Media Player
VLC media player 0.9.8a
Vz In Home Agent
VZAccess Manager
Web Games Player Plugin
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 2002
WordPerfect Office 2002
Yahoo! Messenger Explorer Bar
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm
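As an added example, not code from this thread or from any of the tools it names: a Python first-pass triage of HijackThis-style lines that flags the kinds of entries a helper reads for first, run over a constructed sample copied from the log above. The heuristics (orphaned "(no file)" registrations, rundll32 autostarts in the SYSTEM/Default-user hives, random-looking SharedTaskScheduler names) only rank entries for review; the DLL and CLSID values in the sample are the thread's own and the script makes no assertion about them.

```python
"""Added example: first-pass triage of HijackThis-style log lines.

Heuristics only rank entries for a helper to inspect; they are not verdicts,
since HJT and rootkit scanners routinely list harmless orphaned entries.
"""
import re
from typing import Dict, List

# Constructed sample in HijackThis 2.0.2 line format. Paths and CLSIDs are
# copied from the log posted in this thread; nothing beyond the log is implied.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\ramne.dll, HUI_proc (User 'SYSTEM')
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {77f79558-9176-4096-8963-d02fbcc298cd} - (no file)
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
"""

# "O4 - <body>" / "R1 - <body>" / "F2 - <body>": section code, then the entry.
LINE_RE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")
# Autostarts registered for the SYSTEM account or the Default user profile.
HKUS_SYSTEM_RE = re.compile(r"HKUS\\(S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)
# rundll32 loading a DLL: capture the DLL path.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll)", re.IGNORECASE)
# SharedTaskScheduler entries: capture the registered name before the CLSID.
STS_RE = re.compile(r"SharedTaskScheduler:\s+(.+?)\s+-\s+\{", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Cheap 'machine-generated name' test: digits mixed into letters, or a run
    of four or more consonants (real product names rarely have either)."""
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    consonant_run = re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", name.lower())
    return (has_digit and has_alpha) or consonant_run is not None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (entry, reason) pair, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        section, body = m.groups()
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("orphaned entry: registered but no file on disk")
        if section == "O4" and HKUS_SYSTEM_RE.search(body):
            dll = RUNDLL_RE.search(body)
            if dll:
                reasons.append(
                    f"rundll32 autostart in SYSTEM/Default-user hive loads {dll.group(1)}")
        if section == "O22":
            sts = STS_RE.search(body)
            if sts and looks_random(sts.group(1)):
                reasons.append(f"random-looking SharedTaskScheduler name {sts.group(1)!r}")
        for reason in reasons:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```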

Re: Help with rootkit.patched.tdss.gen please

Post by gringo_pr » March 25th, 2010, 7:47 pm

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system. Please do the following so I can get some more detailed logs.


DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

information and logs:

    In your next post I need the following

      1. logs from DDS
      2. log from GMER
      3. let me know of any problems you may have had

Gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Help with rootkit.patched.tdss.gen please

Post by FloridaJo » March 26th, 2010, 9:05 am

Okay, thank you.
I'm having trouble replying to this post on the infected machine. It says 'connection reset'.
Would it be okay to drop those text files onto my stick and then bring the stick over to the non-infected machine, and post them from this machine?
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Post by gringo_pr » March 26th, 2010, 3:55 pm

yes that is fine

gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Help with rootkit.patched.tdss.gen please

Post by FloridaJo » March 26th, 2010, 4:13 pm

Okay, here is the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Boss at 20:17:53.98 on Thu 03/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.311 [GMT -4:00]

AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\Documents and Settings\Boss\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dellnet.com
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = hxxp://localhost;
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - No File
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {850CD0B8-DA33-4558-A8C8-95D7908E37A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Remote System Protection] rundll32.exe c:\windows\system32\ramne.dll, HUI_proc
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\organize\bandobjs.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 1382117273
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... 5567476852
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://www.tgrthaber.com.tr/CanliYayin/ ... _en_dl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - No File
STS: {77f79558-9176-4096-8963-d02fbcc298cd} - No File
STS: {ef24fa8a-3fc3-4061-93d4-7411f7d57fc9} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boss\applic~1\mozilla\firefox\profiles\w680v9w6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\f-secure\nrs\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-3-23 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-3-23 80000]
R1 26F77o8;26F77o8;c:\windows\system32\drivers\26F77o8.sys [2002-8-29 753792]
R1 393T9D1;393T9D1;c:\windows\system32\drivers\393T9D1.sys [2002-8-29 752768]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2010-3-23 68064]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2003-7-16 55168]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2010-3-23 215648]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2010-3-23 107104]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-3-9 36224]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2010-3-23 55992]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\135.tmp --> c:\windows\system32\135.tmp [?]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2010-1-15 10112]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2010-3-23 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2010-3-23 25184]

=============== Created Last 30 ================

2010-03-26 00:04:08 0 ----a-w- c:\documents and settings\boss\defogger_reenable
2010-03-25 23:11:13 0 d-----w- c:\program files\Trend Micro
2010-03-25 22:38:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-25 19:59:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-25 19:46:19 0 d-----w- c:\documents and settings\boss\.SunDownloadManager
2010-03-25 18:10:00 0 d-----w- c:\program files\Sophos
2010-03-25 17:06:21 0 d-----w- c:\windows\system32\scripting
2010-03-25 17:06:16 0 d-----w- c:\windows\l2schemas
2010-03-25 17:06:14 0 d-----w- c:\windows\system32\en
2010-03-25 17:00:16 0 d-----w- c:\windows\network diagnostic
2010-03-24 14:29:54 2 --shatr- c:\windows\winstart.bat
2010-03-24 14:28:56 0 d-----w- c:\program files\UnHackMe
2010-03-23 20:53:43 0 d-----w- c:\docume~1\boss\applic~1\f-secure
2010-03-23 20:40:31 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-03-23 20:39:43 80000 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-03-23 20:38:35 0 d-----w- c:\program files\F-Secure
2010-03-23 20:11:05 0 d-----w- c:\docume~1\alluse~1\applic~1\fssg
2010-03-23 17:40:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-03-23 14:52:16 0 d-----w- c:\program files\GiPo@Utilities
2010-03-23 14:52:16 0 d-----w- c:\program files\common files\Gibinsoft Shared
2010-03-23 13:56:24 0 d--h--w- c:\windows\PIF
2010-03-22 21:04:49 0 d-----w- c:\program files\TweakNow PowerPack 2009
2010-03-22 21:04:49 0 d-----w- c:\docume~1\boss\applic~1\TweakNow PowerPack 2009
2010-03-22 19:36:58 0 d-sh--w- c:\documents and settings\boss\PrivacIE
2010-03-22 17:03:05 0 d-----w- c:\docume~1\boss\applic~1\Malwarebytes
2010-03-22 17:01:03 0 d-sh--w- c:\documents and settings\boss\IETldCache
2010-03-22 16:17:23 0 d-----w- C:\!KillBox
2010-03-22 16:16:30 92672 ----a-w- C:\KillBox.exe
2010-03-22 16:15:32 401720 ----a-w- C:\HijackThis.exe
2010-03-22 15:59:05 0 d-----w- c:\windows\system32\MpEngineStore
2010-03-22 14:16:41 0 d-----w- c:\program files\common files\ODBC
2010-03-21 22:30:18 0 d-----w- c:\program files\AVG
2010-03-21 20:16:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-21 18:31:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 18:31:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 18:31:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 18:31:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-21 14:27:35 0 d--h--w- c:\windows\system32\GroupPolicy
2010-03-21 14:02:10 2 ----a-w- c:\windows\msoffice.ini
2010-03-20 19:46:38 0 d-----w- c:\windows\system32\NtmsData
2010-03-13 18:56:36 10752 ----a-w- c:\windows\DCEBoot.exe
2010-03-05 09:24:22 42496 ----a-w- c:\windows\system32\zojetiru.exe
2010-03-04 13:59:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-26 01:48:15 53 ----a-w- c:\windows\system32\4DW4R3sv.dat
2010-02-26 01:48:14 0 ----a-w- c:\windows\system32\drivers\fualfyp.sys
2010-02-26 01:47:22 8 ----a-w- c:\docume~1\alluse~1\applic~1\mswintmp.dat

==================== Find3M ====================

2010-03-25 19:59:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 16:07:38 28032 ----a-w- c:\windows\system32\ssmirrdr.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
1601-01-01 00:03:28 69632 --sha-w- c:\windows\system32\fazotene.exe
1601-01-01 00:03:28 7400 --sha-w- c:\windows\system32\reranavu.exe
1601-01-01 00:03:28 42496 --sha-w- c:\windows\system32\zijokomo.exe

============= FINISH: 20:19:34.03 ===============

*********************************************
Here is the GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-26 08:45:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Boss\LOCALS~1\Temp\axtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xF86A8CD6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xF86A8CF0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xF86A7E8C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xF86A81BC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xF86A7BCC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xF86A85EE]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xF86A988C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xF86A843E]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xF86A7A4C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xF86A7EC0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xF86A8042]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xF86A79A6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xF86A7B06]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xF86A7F86]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 832E5A9A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
**********************************
Here is the attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/11/2003 3:02:11 PM
System Uptime: 3/25/2010 6:42:23 PM (2 hours ago)

Motherboard: Dell Computer Corp. | | 0H0678
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2651/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 38.468 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Direct Parallel
Device ID: ROOT\MS_PTIMINIPORT\0000
Manufacturer: Microsoft
Name: Direct Parallel
PNP Device ID: ROOT\MS_PTIMINIPORT\0000
Service: Raspti

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11.5
ATI Control Panel
ATI Display Driver
AutoUpdate
AVI WMV MPEG Converter
BPS Data Shredder 1.0
Canon MultiPASS Suite 4.20a
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Support
DivX
DivX Player
DivX Web Player
DVDSentry
F-Secure Internet Security 2010
F-Secure PSC Prerequisites
GiPo@MoveOnBoot 1.9.5
Google Earth
Google Toolbar for Internet Explorer
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HyperCam 2
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
Internet Washer Pro 3.2-AC1
InterVideo WinDVD Platinum
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 18
LG USB Modem driver
Lotus Organizer 6.0
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.2.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Modem Helper
Mozilla Firefox (3.6.2)
MSVCRT
PowerDVD
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Sophos Anti-Rootkit 1.5.0
Sound Blaster Live!
Spybot - Search & Destroy 1.2
TweakNow PowerPack 2009
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V CAST Music with Rhapsody
Verizon Help and Support Tool
Verizon High Speed Internet
Viewpoint Media Player
VLC media player 0.9.8a
Vz In Home Agent
VZAccess Manager
Web Games Player Plugin
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 2002
Yahoo! Messenger Explorer Bar

==== Event Viewer Messages From Past Week ========

3/25/2010 5:58:41 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
3/25/2010 3:26:33 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file atapi.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.5512.
3/23/2010 6:50:55 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\drivers\atapi.sys could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully. ]. This file is necessary to maintain system stability.
3/23/2010 6:48:11 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
3/23/2010 4:56:35 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
3/23/2010 4:53:35 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
3/23/2010 4:51:42 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/23/2010 4:51:42 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/23/2010 4:51:36 PM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
3/23/2010 3:32:34 PM, error: F-Secure Standalone Minifilter [1] -
3/23/2010 10:35:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/23/2010 10:34:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/22/2010 8:28:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
3/22/2010 8:10:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
3/22/2010 5:45:05 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f01e: Windows XP Service Pack 3 (KB936929).
3/22/2010 3:46:44 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service YahooAUService with arguments "" in order to run the server: {90AFF435-B544-4F94-A0C2-CC020EACA4E3}
3/22/2010 3:36:49 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service YahooAUService with arguments "" in order to run the server: {3D369E3A-9EDF-46C4-B4BC-47BF3304BF7C}
3/22/2010 10:04:19 AM, error: Service Control Manager [7000] - The McAfee.com Personal Firewall Service service failed to start due to the following error: The system cannot find the path specified.
3/21/2010 7:46:12 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.
3/21/2010 4:21:34 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
3/21/2010 4:21:34 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
3/21/2010 4:21:34 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
3/21/2010 4:21:10 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
3/21/2010 4:20:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
3/21/2010 4:20:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/21/2010 3:45:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/20/2010 3:45:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby gringo_pr » March 26th, 2010, 11:04 pm

Hello

There are infections showing in your logs. To take care of these infections do the following.

If you have to, download it from a good computer and move it to the infected one.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Uninstall some programs:

    1. Click on Start
    2. Then go to Settings
    3. After that you need Control Panel
    4. Click on the icon Add or Remove Programs
    Click on the following programs

    HyperCam 2
    J2SE Runtime Environment 5.0 Update 6


    and click on Remove

Run Combofix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:

      The Recovery Console was successfully installed.

    Please continue as follows:

    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"

    In your next post I need the following

    1. Log from Combofix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Help with rootkit.patched.tdss.gen please

Unread postby FloridaJo » March 27th, 2010, 12:57 pm

Okay, here is the Combofix log:

ComboFix 10-03-26.02 - Boss 03/27/2010 12:26:36.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.239 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2010 10.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\mswintmp.dat
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\Downloaded Program Files\temp
c:\windows\Readme.txt
c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\cd_clint.dll
c:\windows\system32\Data
c:\windows\system32\drivers\26F77o8.sys
c:\windows\system32\drivers\393T9D1.sys
c:\windows\system32\fazotene.exe
c:\windows\SYSTEM32\ntSVc.ocx
c:\windows\system32\reranavu.exe
c:\windows\system32\setup.ini
c:\windows\system32\Temp
c:\windows\Tasks\gtldibpp.job

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_SYSTEMDRIVER
-------\Legacy_26F77o8
-------\Legacy_393T9D1
-------\Service_26F77o8
-------\Service_393T9D1


((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-25 23:11 . 2010-03-25 23:11 -------- d-----w- c:\program files\Trend Micro
2010-03-25 22:38 . 2010-03-25 22:38 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-25 20:00 . 2010-03-25 20:00 503808 ----a-w- c:\documents and settings\Boss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-677591a5-n\msvcp71.dll
2010-03-25 20:00 . 2010-03-25 20:00 348160 ----a-w- c:\documents and settings\Boss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-677591a5-n\msvcr71.dll
2010-03-25 20:00 . 2010-03-25 20:00 499712 ----a-w- c:\documents and settings\Boss\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-677591a5-n\jmc.dll
2010-03-25 19:59 . 2010-03-25 19:59 61440 ----a-w- c:\documents and settings\Boss\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4bbacad9-n\decora-sse.dll
2010-03-25 19:59 . 2010-03-25 19:59 12800 ----a-w- c:\documents and settings\Boss\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4bbacad9-n\decora-d3d.dll
2010-03-25 19:46 . 2010-03-25 19:56 -------- d-----w- c:\documents and settings\Boss\.SunDownloadManager
2010-03-25 18:10 . 2010-03-25 18:10 -------- d-----w- c:\program files\Sophos
2010-03-25 17:06 . 2010-03-25 17:06 -------- d-----w- c:\windows\system32\scripting
2010-03-25 17:06 . 2010-03-25 17:06 -------- d-----w- c:\windows\l2schemas
2010-03-25 17:06 . 2010-03-25 17:06 -------- d-----w- c:\windows\system32\en
2010-03-24 15:33 . 2010-03-24 15:33 -------- d-----w- c:\documents and settings\Boss\Application Data\vlc
2010-03-24 14:29 . 2010-03-24 14:29 2 --shatr- c:\windows\winstart.bat
2010-03-24 14:28 . 2010-03-25 16:40 -------- d-----w- c:\program files\UnHackMe
2010-03-23 20:53 . 2010-03-23 20:53 -------- d-----w- c:\documents and settings\Boss\Application Data\f-secure
2010-03-23 20:40 . 2010-03-23 20:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2010-03-23 20:40 . 2010-03-23 20:57 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-03-23 20:39 . 2009-07-09 09:33 80000 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-03-23 20:38 . 2010-03-23 22:24 -------- d-----w- c:\program files\F-Secure
2010-03-23 20:11 . 2010-03-23 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-03-23 17:40 . 2010-03-23 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-03-23 14:52 . 2010-03-23 14:52 -------- d-----w- c:\program files\GiPo@Utilities
2010-03-23 14:52 . 2010-03-23 14:52 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2010-03-23 13:56 . 2010-03-23 13:56 -------- d--h--w- c:\windows\PIF
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2010-03-23 00:32 . 2010-03-23 00:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-22 21:04 . 2010-03-22 21:13 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2010-03-22 21:04 . 2010-03-22 21:04 -------- d-----w- c:\documents and settings\Boss\Application Data\TweakNow PowerPack 2009
2010-03-22 20:16 . 2010-03-22 20:16 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\Mozilla
2010-03-22 19:36 . 2010-03-22 19:36 -------- d-sh--w- c:\documents and settings\Boss\PrivacIE
2010-03-22 19:36 . 2010-03-22 20:45 -------- d-----w- c:\documents and settings\Boss\Application Data\Yahoo!
2010-03-22 17:03 . 2010-03-22 17:03 -------- d-----w- c:\documents and settings\Boss\Application Data\Malwarebytes
2010-03-22 17:01 . 2010-03-22 17:01 -------- d-sh--w- c:\documents and settings\Boss\IETldCache
2010-03-22 16:17 . 2010-03-22 16:17 -------- d-----w- C:\!KillBox
2010-03-22 16:16 . 2010-03-22 16:00 92672 ----a-w- C:\KillBox.exe
2010-03-22 16:15 . 2010-03-22 16:02 401720 ----a-w- C:\HijackThis.exe
2010-03-22 15:59 . 2010-03-22 15:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-03-21 22:30 . 2010-03-21 22:30 -------- d-----w- c:\program files\AVG
2010-03-21 20:16 . 2010-03-21 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-21 18:31 . 2010-03-21 18:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-21 18:31 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-21 18:31 . 2010-03-21 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-21 18:31 . 2010-03-21 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-21 18:31 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 18:23 . 2010-03-21 18:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-21 18:22 . 2010-03-21 18:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-21 14:27 . 2010-03-21 14:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-20 19:46 . 2010-03-22 21:57 -------- d-----w- c:\windows\system32\NtmsData
2010-03-13 18:56 . 2010-03-13 18:56 10752 ----a-w- c:\windows\DCEBoot.exe
2010-03-05 09:24 . 2010-03-05 09:24 42496 ----a-w- c:\windows\system32\zojetiru.exe
2010-03-04 13:59 . 2010-03-10 23:39 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-02 01:34 . 2010-03-02 01:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-02 01:32 . 2010-03-02 01:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-01 12:51 . 2010-03-01 12:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-26 01:48 . 2010-02-26 03:19 0 ----a-w- c:\windows\system32\drivers\fualfyp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 20:03 . 2009-07-09 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-25 20:01 . 2005-01-09 03:57 -------- d-----w- c:\program files\Common Files\Java
2010-03-25 19:59 . 2009-07-04 23:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-25 19:59 . 2005-01-09 03:59 -------- d-----w- c:\program files\Java
2010-03-23 21:58 . 2009-07-15 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-23 21:58 . 2008-04-27 14:02 -------- d-----w- c:\program files\Norton Security Scan
2010-03-23 19:47 . 2003-03-15 03:40 -------- d-----w- c:\program files\Canon
2010-03-22 22:14 . 2003-03-06 15:39 -------- d-----w- c:\program files\EarthLink 5.0
2010-03-22 21:24 . 2005-04-01 00:17 -------- d-----w- c:\program files\Yahoo!
2010-03-22 20:46 . 2008-05-18 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-22 18:38 . 2003-07-12 18:35 -------- d-----w- c:\program files\Common Files\BTLINK
2010-03-22 15:18 . 2003-03-06 15:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 15:01 . 2009-07-23 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-21 13:58 . 2005-06-04 19:52 -------- d-----w- c:\program files\3D Home Architect
2010-03-19 01:28 . 2008-03-21 13:47 -------- d-----w- c:\program files\Verizon
2010-03-19 01:25 . 2009-04-02 14:09 -------- d-----w- c:\program files\Common Files\Motive
2010-03-13 18:44 . 2003-03-13 22:02 -------- d-----w- c:\program files\Internet Washer Pro
2010-02-14 18:00 . 2010-02-13 21:03 -------- d-----w- c:\program files\Common Files\supportdotcom
2010-02-13 23:47 . 2010-02-13 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\support.com
2010-02-11 02:56 . 2006-03-05 13:38 -------- d-----w- c:\program files\DivX
2010-02-08 02:59 . 2010-02-08 02:59 -------- d-----w- c:\program files\Common Files\Canon
2010-01-15 16:07 . 2010-01-15 16:07 28032 ----a-w- c:\windows\system32\ssmirrdr.dll
2010-01-15 16:07 . 2010-01-15 16:07 10112 ----a-w- c:\windows\system32\drivers\ssmirrdr.sys
2009-12-31 16:50 . 2002-08-29 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\SYSTEM32\zijokomo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup=c:\windows\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-09-04 22:24 28672 -c--a-w- c:\windows\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2002-09-25 04:00 290816 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 07:01 135264 -c--a-w- c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"SCardSvr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MpfService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\alex666666\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 fsbts;fsbts;c:\windows\SYSTEM32\DRIVERS\fsbts.sys [3/23/2010 4:40 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [3/23/2010 4:39 PM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [3/23/2010 4:38 PM 68064]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [3/23/2010 4:38 PM 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [3/23/2010 4:38 PM 55992]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [3/9/2008 1:55 PM 36224]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\135.tmp --> c:\windows\system32\135.tmp [?]
S3 ssmirrdr;ssmirrdr;c:\windows\SYSTEM32\DRIVERS\ssmirrdr.sys [1/15/2010 12:07 PM 10112]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [3/23/2010 4:38 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [3/23/2010 4:38 PM 25184]
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2010-03-23 09:31]

2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{73F31DCE-96D3-4D62-B3C7-54E0B649D8D0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = hxxp://localhost;
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\organize\bandobjs.dll
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Boss\Application Data\Mozilla\Firefox\Profiles\w680v9w6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\F-Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-Remote System Protection - c:\windows\system32\ramne.dll
SharedTaskScheduler-{77f79558-9176-4096-8963-d02fbcc298cd} - (no file)
SharedTaskScheduler-{ef24fa8a-3fc3-4061-93d4-7411f7d57fc9} - (no file)
MSConfigStartUp-AdaptecDirectCD - c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-asg984jgkfmgasi8ug98jgkfgfb - c:\docume~1\ALEXCR~1\LOCALS~1\Temp\mdm.exe
MSConfigStartUp-asr64_ldm - c:\docume~1\ALEXCR~1\LOCALS~1\Temp\asr64_ldm.exe
MSConfigStartUp-ConMgr - c:\program files\EarthLink 5.0\conmgr.exe
MSConfigStartUp-MCAgentExe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-Paladin Antivirus - c:\program files\Paladin Antivirus\pav.exe
MSConfigStartUp-TOY5KNQ8OC - c:\docume~1\ALEXCR~1\LOCALS~1\Temp\Qrh.exe
MSConfigStartUp-uishf9wuifwuh387fh3wufinhjfdwefe - c:\docume~1\ALEXCR~1\LOCALS~1\Temp\js8bnlthba.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-Window Washer - c:\program files\Webroot\Washer\wwDisp.exe
AddRemove-mIRC - c:\windows\system32\win\systr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\135.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,ed,46,82,ba,8f,75,4a,a0,c2,c6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,ed,46,82,ba,8f,75,4a,a0,c2,c6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
c:\program files\F-Secure\Spam Control\fsscoepl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\f-secure\scanner-interface\fsgkiapi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure\Common\FSMA32.EXE
c:\program files\F-Secure\Anti-Virus\FSGK32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\F-Secure\Common\FSHDLL32.EXE
c:\program files\Canon\MultiPASS4\MPSERVIC.EXE
c:\windows\System32\MsPMSPSv.exe
c:\program files\F-Secure\FWES\Program\fsdfwd.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure\Anti-Virus\fssm32.exe
c:\program files\F-Secure\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2010-03-27 12:53:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 16:53

Pre-Run: 41,282,600,960 bytes free
Post-Run: 41,230,069,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1932E682EAE6AC64B44B3A5A4C2A711C
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby FloridaJo » March 27th, 2010, 3:28 pm

Okay, so I did an F-Secure scan; it found one 'Riskware' in the Kazaa folder. Just deleted the whole folder.
Did a repeat scan: clean.
Is that it? Did we do it?

If so thank you so much for your help.
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby gringo_pr » March 28th, 2010, 12:06 am

Hello

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
c:\windows\DCEBoot.exe
c:\windows\system32\zojetiru.exe
c:\windows\system32\ssmirrdr.dll
c:\windows\system32\drivers\ssmirrdr.sys
c:\windows\SYSTEM32\zijokomo.exe

Driver::
ssmirrdr


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE:
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

please let me have the new log please


Gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
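Every path gringo puts under File:: comes from the "new files" and Find3M sections of the ComboFix log above. As an added example (not ComboFix's own logic and not code from the thread), the Python below parses that listing format and flags the traits a helper looks for first: a FILETIME-zero timestamp, system+hidden attributes on an executable, a zero-byte driver, and an executable sitting directly in the Windows root; the rules and their labels are my assumptions.

```python
"""Triage helper for ComboFix 'new files' / Find3M listing lines.

Added example: not ComboFix's logic and not code from the thread. The rules
below are my own assumptions about which traits merit a closer look.
"""
import re
from typing import List, Tuple

# Line shape seen in the log: <mtime> . <ctime> <size or dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4})-\d\d-\d\d \d\d:\d\d \. (?P<ctime>\d{4})-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for one listing line; [] if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    path, attrs = m.group("path"), m.group("attrs")
    low = path.lower()
    is_dir = attrs[0] == "d"
    size = None if m.group("size").startswith("-") else int(m.group("size"))
    findings: List[Tuple[str, str]] = []
    # FILETIME zero (1601-01-01) is not a real write time; it indicates a
    # timestomped or stealthed entry.
    if "1601" in (m.group("mtime"), m.group("ctime")):
        findings.append((path, "timestamp 1601-01-01 (timestomped/stealth)"))
    if not is_dir and low.endswith(EXEC_EXT):
        # System+Hidden on an executable is unusual for a legitimate program.
        if "s" in attrs and "h" in attrs:
            findings.append((path, "executable with system+hidden attributes"))
        # A zero-byte .sys under drivers\ is a typical dropper leftover.
        if size == 0 and low.endswith(".sys"):
            findings.append((path, "zero-byte driver file"))
        # Executables written straight into the Windows root are unusual.
        if re.fullmatch(r"c:\\windows\\[^\\]+", low):
            findings.append((path, "executable dropped in Windows root"))
    return findings


def triage(listing: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line of a pasted listing section."""
    out: List[Tuple[str, str]] = []
    for line in listing.splitlines():
        out.extend(triage_line(line))
    return out


# Constructed sample: a handful of lines copied from the thread's log above.
SAMPLE = """\
2010-03-21 18:31 . 2010-01-07 20:07 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-03-13 18:56 . 2010-03-13 18:56 10752 ----a-w- c:\\windows\\DCEBoot.exe
2010-03-05 09:24 . 2010-03-05 09:24 42496 ----a-w- c:\\windows\\system32\\zojetiru.exe
2010-03-02 01:34 . 2010-03-02 01:34 -------- d-sh--w- c:\\windows\\system32\\config\\systemprofile\\PrivacIE
2010-02-26 01:48 . 2010-02-26 03:19 0 ----a-w- c:\\windows\\system32\\drivers\\fualfyp.sys
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\\windows\\SYSTEM32\\zijokomo.exe
"""

if __name__ == "__main__":
    # Note that zojetiru.exe trips none of these rules: attribute-based
    # triage narrows the list, it does not replace the helper's judgement.
    for path, reason in triage(SAMPLE):
        print(f"{reason:45} {path}")
```

Rules like these only narrow the listing; zojetiru.exe, which gringo also listed, trips none of them, so the final call still rests with whoever reads the log.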

Re: Help with rootkit.patched.tdss.gen please

Unread postby FloridaJo » March 30th, 2010, 6:43 pm

I was thinking we were done so I gave it back to my friend.
Is it not complete yet?
F-Secure didn't find anything.
Let me know please.
Thanks a bunch.
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby gringo_pr » March 30th, 2010, 7:29 pm

No, we are not done; that was only the first pass.

Gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Help with rootkit.patched.tdss.gen please

Unread postby FloridaJo » March 30th, 2010, 8:46 pm

Okay, I will go back to his computer in a day or two.
Thanks.
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby gringo_pr » April 2nd, 2010, 2:15 pm

Hello FloridaJo

how are we doing with this?


gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Help with rootkit.patched.tdss.gen please

Unread postby FloridaJo » April 2nd, 2010, 2:36 pm

I'm going over there tonight to get back on their computer.

Thanks
FloridaJo
Active Member
 
Posts: 8
Joined: March 25th, 2010, 7:00 pm

Re: Help with rootkit.patched.tdss.gen please

Unread postby gringo_pr » April 5th, 2010, 1:54 pm

Hello

Three-day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico