
rootkit.patched.tdss.gen

Re: rootkit.patched.tdss.gen

Post by melboy » May 3rd, 2010, 2:42 pm

Ok, no problem. Thanks for letting me know.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Post by brandonatutsa » May 3rd, 2010, 7:14 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/3/2010 6:09:34 PM
mbam-log-2010-05-03 (18-09-34).txt

Scan type: Quick scan
Objects scanned: 138617
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





File oxcjtk.sys received on 2010.05.03 23:10:52 (UTC)

Result: 1/41 (2.44%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.03 -
AhnLab-V3 2010.05.03.00 2010.05.03 -
AntiVir 8.2.1.224 2010.05.03 -
Antiy-AVL 2.0.3.7 2010.04.30 -
Authentium 5.2.0.5 2010.05.03 -
Avast 4.8.1351.0 2010.05.03 -
Avast5 5.0.332.0 2010.05.03 -
AVG 9.0.0.787 2010.05.03 -
BitDefender 7.2 2010.05.03 -
CAT-QuickHeal 10.00 2010.05.03 -
ClamAV 0.96.0.3-git 2010.05.04 -
Comodo 4754 2010.05.04 -
DrWeb 5.0.2.03300 2010.05.04 -
eSafe 7.0.17.0 2010.05.03 -
eTrust-Vet 35.2.7466 2010.05.03 -
F-Prot 4.5.1.85 2010.05.03 -
F-Secure 9.0.15370.0 2010.05.04 -
Fortinet 4.0.14.0 2010.05.03 -
GData 21 2010.05.03 -
Ikarus T3.1.1.80.0 2010.05.03 -
Jiangmin 13.0.900 2010.05.03 -
Kaspersky 7.0.0.125 2010.05.03 -
McAfee 5.400.0.1158 2010.05.04 -
McAfee-GW-Edition 6.8.5 2010.05.04 Heuristic.BehavesLike.Exploit.CodeExec.FFMA
Microsoft 1.5703 2010.05.03 -
NOD32 5083 2010.05.03 -
Norman 6.04.12 2010.05.03 -
nProtect 2010-05-03.01 2010.05.03 -
Panda 10.0.2.7 2010.05.03 -
PCTools 7.0.3.5 2010.05.03 -
Prevx 3.0 2010.05.04 -
Rising 22.45.04.03 2010.04.30 -
Sophos 4.53.0 2010.05.04 -
Sunbelt 6253 2010.05.03 -
Symantec 20091.2.0.41 2010.05.03 -
TheHacker 6.5.2.0.275 2010.05.03 -
TrendMicro 9.120.0.1004 2010.05.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.04 -
VBA32 3.12.12.4 2010.05.03 -
ViRobot 2010.5.3.2301 2010.05.04 -
VirusBuster 5.0.27.0 2010.05.03 -
Additional information
File size: 792064 bytes
MD5...: 8de33a1e11d7956a3968b7694a5d3a3c
SHA1..: 8dbc85f84d7ebb0cc119443886202cee39f97d82
SHA256: 8ec49a3ebc4c0ffb5e092480e9ee7faf565ef1626620be11ced2c6fb62c2ab69
ssdeep: 24576:lXTtJNCrTYZjFX5RZKUpoJBar27PCa29af4:lZ7yT+xX53K8oJcrS29ag

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned





Uninstall List:
2Wire Wireless Client
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
AOL Instant Messenger
AOLIcon
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
Bonjour
CardRd81
CCHelp
CCScore
Compatibility Pack for the 2007 Office system
Corel Photo Album 6
CR2
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center
DellSupport
DesignPro 5 Lite Edition
DesignPro 5.4 Limited Edition
Digital Content Portal
DivX
DivX Converter
DivX Player
Dr.STIKA PLUS
EducateU
ESPNMotion
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
GemMaster Mystic
High Definition Audio Driver Package - KB835221
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
iLumina Gold Starter Edition
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 19
Java(TM) SE Runtime Environment 6 Update 1
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Lexmark 1200 Series
Lexmark Fax Solutions
Lexmark Photo Center
Lexmark Z700-P700 Series
Macromedia Flash Player
Malwarebytes' Anti-Malware
MathMagic Personal 3.52
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Notifier
OTtBP
OTtBPSDK
PCDLNCH
Picasa 2
PowerDVD 5.5
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer
Samsung CamCorder Driver
Samsung SMP4 Video Codec Uninstall
Samsung USB Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SFR
SFR2
Sketchpad
SmartSound Quicktracks Plugin
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
TestDrive Client
TrueSwitch Wizard SBC
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCAMCEN
Viewpoint Media Player
VPRINTOL
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinSCP 4.1.5
WordPerfect Office 12
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar for Internet Explorer
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm

Re: rootkit.patched.tdss.gen

Post by melboy » May 4th, 2010, 6:55 pm

Hi

It looks like what I thought was a false positive from MBAM has been fixed already, as it wasn't detected again.



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?p=521038#p521038
    
    File::
    c:\windows\Sjugodamape.bin
    
    Collect::
    c:\documents and settings\NetworkService\Application Data\capmfe.dat
    c:\documents and settings\NetworkService\Application Data\glchvt.dat
    c:\windows\Ijuwu.dat
    
    Suspect::
    c:\windows\system32\drivers\yohfpzum.sys
    c:\windows\system32\drivers\oxcjtk.sys
    
    DDS::
    Trusted Zone: plaxo.com\www
    Trusted Zone: musicmatch.com\online
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

===========
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
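
Added example, not from this thread and not part of ComboFix or the forum's tooling: a small Python check that reads a CFScript like the one above and the ComboFix log it produces, and reports any scripted path the log does not show as handled, plus anything ComboFix zipped or deleted on its own. The expected outcome per directive is an assumption read off the log returned in this thread (File:: entries appear under Other Deletions, Collect:: entries are zipped and deleted, Suspect:: entries are zipped only); the script and log excerpts are constructed from the ones posted here.

```python
"""Check a ComboFix CFScript against the log ComboFix produced.

Assumption (read off the log in this thread): File:: entries end up under
Other Deletions, Collect:: entries are zipped and deleted, Suspect:: zipped only.
"""
import re

# Constructed from the CFScript and ComboFix log posted in this thread (shortened).
CFSCRIPT = r"""
File::
c:\windows\Sjugodamape.bin

Collect::
c:\documents and settings\NetworkService\Application Data\capmfe.dat
c:\windows\Ijuwu.dat

Suspect::
c:\windows\system32\drivers\oxcjtk.sys

DDS::
Trusted Zone: plaxo.com\www
"""

COMBOFIX_LOG = r"""
FILE ::
"c:\windows\Sjugodamape.bin"

file zipped: c:\documents and settings\NetworkService\Application Data\capmfe.dat
file zipped: c:\windows\Ijuwu.dat
file zipped: c:\windows\system32\drivers\oxcjtk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\capmfe.dat
c:\program files\WindowsUpdate
c:\windows\Ijuwu.dat
c:\windows\Sjugodamape.bin

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
"""

# Assumed outcome each directive should produce in the log (see module docstring).
EXPECTED = {
    "File": {"deleted"},
    "Collect": {"zipped", "deleted"},
    "Suspect": {"zipped"},
}

def parse_cfscript(text):
    """Return {directive: [paths]} for the File::, Collect:: and Suspect:: sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1)
            if current in EXPECTED:
                sections.setdefault(current, [])
        elif current in EXPECTED:
            sections[current].append(line.lower())   # paths compared case-insensitively
    return sections

def parse_log(text):
    """Return {path: set of outcomes} from 'file zipped:' lines and the Other Deletions block."""
    outcomes, in_deletions = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("file zipped:"):
            path = line[len("file zipped:"):].strip().lower()
            outcomes.setdefault(path, set()).add("zipped")
        elif "Other Deletions" in line:
            in_deletions = True
        elif line.startswith("(((("):
            in_deletions = False      # the next section banner ends the deletions block
        elif in_deletions and line not in ("", "."):
            outcomes.setdefault(line.lower(), set()).add("deleted")
    return outcomes

def check_script(cfscript, log):
    """Return {path: (directive, expected, actual)} for scripted paths not handled as expected."""
    actual = parse_log(log)
    problems = {}
    for directive, paths in parse_cfscript(cfscript).items():
        for path in paths:
            got = actual.get(path, set())
            if got != EXPECTED[directive]:
                problems[path] = (directive, EXPECTED[directive], got)
    return problems

def unrequested_actions(cfscript, log):
    """Return {path: outcomes} for files zipped or deleted that the script never named."""
    scripted = {p for paths in parse_cfscript(cfscript).values() for p in paths}
    return {p: o for p, o in parse_log(log).items() if p not in scripted}
```

With the excerpts above, check_script returns an empty dict and unrequested_actions reports the c:\program files\WindowsUpdate folder ComboFix removed on its own.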

Re: rootkit.patched.tdss.gen

Post by brandonatutsa » May 4th, 2010, 11:16 pm

ComboFix 10-05-04.04 - Melinda 05/04/2010 22:00:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.182 [GMT -5:00]
Running from: c:\documents and settings\Melinda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melinda\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\Sjugodamape.bin"

file zipped: c:\documents and settings\NetworkService\Application Data\capmfe.dat
file zipped: c:\documents and settings\NetworkService\Application Data\glchvt.dat
file zipped: c:\windows\Ijuwu.dat
file zipped: c:\windows\system32\drivers\oxcjtk.sys
file zipped: c:\windows\system32\drivers\yohfpzum.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\capmfe.dat
c:\documents and settings\NetworkService\Application Data\glchvt.dat
c:\program files\WindowsUpdate
c:\windows\Ijuwu.dat
c:\windows\Sjugodamape.bin

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-04-30 01:30 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 01:30 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-04-28 22:47 . 2004-08-10 11:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-04-17 23:51 . 2010-04-17 23:51 96512 ----a-w- c:\windows\system32\drivers\yohfpzum.sys
2010-04-17 20:49 . 2010-04-17 23:51 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-15 23:32 . 2010-04-15 23:34 -------- d-----w- c:\documents and settings\Melinda\Application Data\U3
2010-04-15 02:05 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[4].exe
2010-04-15 01:37 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[1].exe
2010-04-15 01:37 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[0].exe
2010-04-15 01:36 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox.exe
2010-04-13 22:20 . 2010-04-30 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-13 22:20 . 2010-04-13 22:20 -------- d-----w- c:\program files\BitDefender
2010-04-13 22:15 . 2010-04-30 01:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-13 03:07 . 2010-04-28 22:13 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Temp
2010-04-13 03:06 . 2010-04-13 03:07 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Deployment
2010-04-11 06:28 . 2010-04-11 06:28 -------- d-----w- c:\documents and settings\Melinda\Application Data\Yahoo!
2010-04-10 21:41 . 2010-04-10 21:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 19:47 . 2010-04-10 19:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\ESPNMotion
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\DIGStream
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-04-10 19:43 . 2010-04-10 19:44 -------- d-----w- c:\program files\Picasa2
2010-04-10 19:43 . 2010-04-10 19:43 -------- d-----w- c:\program files\Sketchpad
2010-04-10 19:42 . 2010-04-10 19:42 -------- d-----w- c:\documents and settings\Melinda\Application Data\Grisoft
2010-04-10 19:42 . 2010-04-10 19:42 -------- d-----w- c:\program files\Dr.STIKA PLUS
2010-04-10 19:39 . 2010-04-10 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-06 14:47 . 2010-04-06 14:47 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 14:47 . 2010-04-28 02:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 09:10 . 2010-04-10 19:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 01:30 . 2010-03-06 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 01:11 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-17 18:00 . 2005-11-15 16:10 -------- d-----w- c:\program files\Intel
2010-04-13 03:06 . 2005-12-28 03:34 158040 ----a-w- c:\documents and settings\Melinda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 19:46 . 2005-11-15 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-10 19:44 . 2008-04-25 20:09 -------- d-----w- c:\program files\MathMagic Personal Edition
2010-04-10 19:44 . 2005-11-28 03:41 -------- d-----w- c:\documents and settings\Melinda\Application Data\Aim
2010-04-10 19:44 . 2005-11-19 19:48 -------- d-----w- c:\program files\AIM
2010-04-10 19:44 . 2006-01-14 21:08 -------- d-----w- c:\program files\iLuminaStarter
2010-04-10 19:43 . 2005-11-19 20:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-10 19:24 . 2005-11-19 19:49 -------- d-----w- c:\program files\Yahoo!
2010-04-10 16:15 . 2005-11-15 16:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-10 16:11 . 2005-11-15 16:07 -------- d-----w- c:\program files\Java
2010-03-10 04:33 . 2005-08-16 10:18 1509888 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-09 11:09 . 2005-08-16 10:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 23:16 . 2010-03-06 23:16 -------- d-----w- c:\documents and settings\Melinda\Application Data\Malwarebytes
2010-03-06 22:41 . 2010-03-06 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 02:55 . 2010-03-04 02:41 792064 ----a-w- c:\windows\system32\drivers\oxcjtk.sys
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2005-11-15 15:49 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-07-13 15:36 . 2005-12-26 19:00 104 --sh--r- c:\windows\system32\2642E71EC2.sys
2009-07-13 15:36 . 2006-01-27 00:50 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-20 3084288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SmileboxTray"="c:\documents and settings\Melinda\Application Data\Smilebox\SmileboxTray.exe" [2009-12-07 266888]
"Google Update"="c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-13 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-10-04 327769]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-30 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-30 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-3-10 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2005-11-15 917611]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/11/2006 10:06 PM 72672]
S3 FZPGQOWYV;FZPGQOWYV;c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe --> c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe [?]
S3 STGXZAXWU;STGXZAXWU;c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe --> c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe [?]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [11/15/2005 11:08 AM 57344]
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006Core.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006UA.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Melinda\Application Data\Mozilla\Firefox\Profiles\kyw9vy6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_ve ... yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-04 22:13:28
ComboFix-quarantined-files.txt 2010-05-05 03:13
ComboFix2.txt 2010-04-28 03:04

Pre-Run: 48,775,815,168 bytes free
Post-Run: 48,738,119,680 bytes free

- - End Of File - - 6EABBC6DD82E886A3F0992229FB99826
Upload was successful
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 5th, 2010, 6:19 pm

Hi

Thanks for that



SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    c:\windows\system32\MpEngineStore /s

    :file
    c:\windows\system32\drivers\yohfpzum.sys
    c:\windows\system32\drivers\oxcjtk.sys

    :service
    FZPGQOWYV
    STGXZAXWU

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Uninstall Programs
  • Click on Start
  • Click on Control Panel
  • Double-click the Add/Remove Programs icon
  • Click on the program below and click Remove
    AVG Anti-Spyware 7.5



Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.3 to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 8.1.3
  • Install the new downloaded updated software.
  • Then, using the internal updater, update the software to the current increment, 9.3.2.
    • Open Adobe Reader, go to Help > Check for updates, and allow the updater to check.
    • If updates are found, click Show Details, check the boxes, and click to download and install any necessary updates.



Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u20-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 19
    Java(TM) SE Runtime Environment 6 Update 1
  • Install the new version by running the newly-downloaded file with the Java icon, which will be on your desktop, and follow the on-screen instructions.
  • Reboot your computer



TFC

    (you should still have this on your desktop)
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



In your next reply:
  1. Eset Online Scan log
  2. SystemLook.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Unread postby brandonatutsa » May 7th, 2010, 6:30 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac67110fab39734596a40de9f6b1509c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-06 05:45:10
# local_time=2010-05-06 12:45:10 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 140125865 140125865 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=85480
# found=9
# cleaned=0
# scan_time=9225
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1530\A0162558.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1531\A0165703.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1532\A0165738.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1532\A0166080.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1563\A0168603.dll a variant of Win32/Kryptik.DQM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1566\A0169736.dll a variant of Win32/Kryptik.DQM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1567\A0170525.dll a variant of Win32/Kryptik.DQM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1567\A0170933.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1567\A0170934.dll a variant of Win32/Kryptik.DNB trojan 00000000000000000000000000000000 I





SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:46 on 05/05/2010 by Melinda (Administrator - Elevation successful)

========== dir ==========

c:\windows\system32\MpEngineStore - Parameters: "/s"

---Files---
None found.

c:\windows\system32\MpEngineStore\History d----- [23:51 17/04/2010]

c:\windows\system32\MpEngineStore\History\Reboot d----- [23:51 17/04/2010]
ActBEC50F8EEF4FF86D7EE8AFAA20E7F2368B437FA0.dat --a--- 246 bytes [23:51 17/04/2010] [23:51 17/04/2010]

========== file ==========

c:\windows\system32\drivers\yohfpzum.sys - File found and opened.
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
Created at 23:51 on 17/04/2010
Modified at 23:51 on 17/04/2010
Size: 96512 bytes
Attributes: --a---
FileDescription: IDE/ATAPI Port Driver
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
ProductVersion: 5.1.2600.5512
OriginalFilename: atapi.sys
InternalName: atapi.sys
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\drivers\oxcjtk.sys - File found and opened.
MD5: 8DE33A1E11D7956A3968B7694A5D3A3C
Created at 02:41 on 04/03/2010
Modified at 02:55 on 04/03/2010
Size: 792064 bytes
Attributes: --a---
No version information available.

========== service ==========

FZPGQOWYV
FZPGQOWYV
(No Description)
Current Status: Stopped
Startup Type: Demand
Error Control: Critical
Binary: C:\DOCUME~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe
Group: (none)
SafeBoot:
Dependencies:
(none)
Dependant Services:
(none)

STGXZAXWU
STGXZAXWU
(No Description)
Current Status: Stopped
Startup Type: Demand
Error Control: Critical
Binary: C:\DOCUME~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe
Group: (none)
SafeBoot:
Dependencies:
(none)
Dependant Services:
(none)

-=End Of File=-
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm
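The SystemLook file entries posted above show two patterns worth flagging automatically: a driver whose embedded OriginalFilename/InternalName (atapi.sys) differ from its on-disk name (yohfpzum.sys) while claiming Microsoft authorship, and a driver with no version information at all (oxcjtk.sys). The Python below is an added example, not SystemLook's code or anything from the thread; it parses SystemLook's `file` section format and reports both conditions. The sample report is constructed from the posted entries plus a made-up clean control entry for atapi.sys (no hash given).

```python
"""Triage a SystemLook ':file' report for drivers whose embedded version
resource disagrees with their on-disk name, or that carry none at all.

Added example for this thread; not SystemLook's own code. The report text
below is constructed from the entries posted in the thread, plus a made-up
clean control entry for atapi.sys (its hash is deliberately omitted)."""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
========== file ==========

c:\windows\system32\drivers\yohfpzum.sys - File found and opened.
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
Size: 96512 bytes
FileDescription: IDE/ATAPI Port Driver
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
OriginalFilename: atapi.sys
InternalName: atapi.sys
CompanyName: Microsoft Corporation

c:\windows\system32\drivers\oxcjtk.sys - File found and opened.
MD5: 8DE33A1E11D7956A3968B7694A5D3A3C
Size: 792064 bytes
No version information available.

c:\windows\system32\drivers\atapi.sys - File found and opened.
Size: 96512 bytes
FileDescription: IDE/ATAPI Port Driver
OriginalFilename: atapi.sys
InternalName: atapi.sys
CompanyName: Microsoft Corporation
"""

# "<drive>:\<path> - File found and opened." opens each entry in the report.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - File (?P<status>.+?)\.?$")


@dataclass
class FileEntry:
    path: str
    fields: dict = field(default_factory=dict)
    has_version_info: bool = True

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_file_section(text: str) -> list:
    """Split the report into entries; a blank line or section banner ends one."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = FileEntry(path=m.group("path"))
            entries.append(current)
            continue
        if current is None:
            continue
        if line == "No version information available.":
            current.has_version_info = False
        elif ":" in line:
            key, _, value = line.partition(":")
            current.fields[key.strip()] = value.strip()
    return entries


def assess(entry: FileEntry) -> list:
    """Return human-readable findings for one entry (empty list = nothing odd)."""
    findings = []
    in_drivers = "\\drivers\\" in entry.path.lower()
    if not entry.has_version_info:
        # A kernel driver with no version resource is unusual for vendor code.
        if in_drivers:
            findings.append("driver has no version resource")
        return findings
    for key in ("OriginalFilename", "InternalName"):
        claimed = entry.fields.get(key, "").lower()
        if claimed and claimed != entry.basename:
            findings.append(f"{key} '{claimed}' does not match on-disk name '{entry.basename}'")
    company = entry.fields.get("CompanyName", "")
    if findings and "microsoft" in company.lower():
        findings.append("version resource claims Microsoft authorship; verify the Authenticode signature")
    return findings


def triage(text: str) -> dict:
    """Map basename -> findings for every entry that raised at least one."""
    results = {}
    for entry in parse_file_section(text):
        findings = assess(entry)
        if findings:
            results[entry.basename] = findings
    return results


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_REPORT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```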

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 8th, 2010, 7:23 am

Hi

We shouldn't be far off getting finished now.


Please delete your current copy of combofix from your desktop and download a fresh copy from here, saving it to your desktop.

Then continue with the instructions below:


Check a file

  • Go to VirusTotal or Jotti's
    c:\windows\system32\drivers\yohfpzum.sys

    ActBEC50F8EEF4FF86D7EE8AFAA20E7F2368B437FA0.dat
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File has already been analyzed (VirusTotal), click Reanalyze file Now.
    • File has been scanned before (Jotti), click Scan again.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.



    COMBOFIX-Script

    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      File::
      c:\windows\system32\drivers\oxcjtk.sys
      c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe
      c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe

      Driver::
      FZPGQOWYV
      STGXZAXWU

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      Image
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • If you need help to disable your protection programs see here.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 10th, 2010, 7:58 am

Are you still with us brandonatutsa?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Unread postby brandonatutsa » May 10th, 2010, 7:52 pm

File yohfpzum.sys received on 2010.05.10 23:50:23 (UTC)


Result: 1/41 (2.44%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.11.00 2010.05.10 -
AntiVir 8.2.1.236 2010.05.10 -
Antiy-AVL 2.0.3.7 2010.05.10 -
Authentium 5.2.0.5 2010.05.11 -
Avast 4.8.1351.0 2010.05.10 -
Avast5 5.0.332.0 2010.05.10 -
AVG 9.0.0.787 2010.05.11 -
BitDefender 7.2 2010.05.11 -
CAT-QuickHeal 10.00 2010.05.10 -
ClamAV 0.96.0.3-git 2010.05.10 -
Comodo 4819 2010.05.11 -
DrWeb 5.0.2.03300 2010.05.11 -
eSafe 7.0.17.0 2010.05.10 Win32.Rootkit
eTrust-Vet 35.2.7478 2010.05.10 -
F-Prot 4.5.1.85 2010.05.10 -
F-Secure 9.0.15370.0 2010.05.10 -
Fortinet 4.1.133.0 2010.05.10 -
GData 21 2010.05.11 -
Ikarus T3.1.1.84.0 2010.05.10 -
Jiangmin 13.0.900 2010.05.10 -
Kaspersky 7.0.0.125 2010.05.11 -
McAfee 5.400.0.1158 2010.05.11 -
McAfee-GW-Edition 2010.1 2010.05.10 -
Microsoft 1.5703 2010.05.11 -
NOD32 5103 2010.05.10 -
Norman 6.04.12 2010.05.10 -
nProtect 2010-05-10.01 2010.05.10 -
Panda 10.0.2.7 2010.05.10 -
PCTools 7.0.3.5 2010.05.10 -
Prevx 3.0 2010.05.11 -
Rising 22.47.00.04 2010.05.10 -
Sophos 4.53.0 2010.05.11 -
Sunbelt 6288 2010.05.11 -
Symantec 20091.2.0.41 2010.05.10 -
TheHacker 6.5.2.0.277 2010.05.10 -
TrendMicro 9.120.0.1004 2010.05.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.11 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.10.2308 2010.05.10 -
VirusBuster 5.0.27.0 2010.05.10 -
Additional information
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm

Re: rootkit.patched.tdss.gen

Unread postby brandonatutsa » May 10th, 2010, 8:37 pm

ComboFix 10-05-10.02 - Melinda 05/10/2010 19:04:40.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.189 [GMT -5:00]
Running from: c:\documents and settings\Melinda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melinda\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe"
"c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe"
"c:\windows\system32\drivers\oxcjtk.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\oxcjtk.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FZPGQOWYV
-------\Legacy_STGXZAXWU
-------\Service_FZPGQOWYV
-------\Service_STGXZAXWU


((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-06 03:00 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 02:58 . 2010-05-06 02:58 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-05-06 02:55 . 2010-05-06 02:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-30 01:30 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 01:30 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-04-28 22:47 . 2004-08-10 11:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-04-17 23:51 . 2010-04-17 23:51 96512 ----a-w- c:\windows\system32\drivers\yohfpzum.sys
2010-04-17 20:49 . 2010-04-17 23:51 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-15 23:32 . 2010-04-15 23:34 -------- d-----w- c:\documents and settings\Melinda\Application Data\U3
2010-04-13 22:20 . 2010-04-30 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-13 22:20 . 2010-04-13 22:20 -------- d-----w- c:\program files\BitDefender
2010-04-13 22:15 . 2010-04-30 01:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-13 03:07 . 2010-04-28 22:13 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Temp
2010-04-13 03:06 . 2010-04-13 03:07 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Deployment
2010-04-11 06:28 . 2010-04-11 06:28 -------- d-----w- c:\documents and settings\Melinda\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 03:06 . 2008-12-06 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-06 03:02 . 2005-11-15 16:07 -------- d-----w- c:\program files\Java
2010-05-06 02:58 . 2005-11-19 20:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-06 02:54 . 2010-05-06 02:54 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-30 01:30 . 2010-03-06 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 02:25 . 2010-04-06 14:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 01:11 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-17 18:00 . 2005-11-15 16:10 -------- d-----w- c:\program files\Intel
2010-04-13 03:06 . 2005-12-28 03:34 158040 ----a-w- c:\documents and settings\Melinda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 19:46 . 2005-11-15 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-10 19:44 . 2008-04-25 20:09 -------- d-----w- c:\program files\MathMagic Personal Edition
2010-04-10 19:44 . 2005-11-28 03:41 -------- d-----w- c:\documents and settings\Melinda\Application Data\Aim
2010-04-10 19:44 . 2005-11-19 19:48 -------- d-----w- c:\program files\AIM
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\ESPNMotion
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\DIGStream
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-04-10 19:44 . 2006-01-14 21:08 -------- d-----w- c:\program files\iLuminaStarter
2010-04-10 19:44 . 2010-04-10 19:43 -------- d-----w- c:\program files\Picasa2
2010-04-10 19:43 . 2010-04-10 19:43 -------- d-----w- c:\program files\Sketchpad
2010-04-10 19:42 . 2010-04-10 19:42 -------- d-----w- c:\program files\Dr.STIKA PLUS
2010-04-10 19:39 . 2010-04-10 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-10 19:24 . 2005-11-19 19:49 -------- d-----w- c:\program files\Yahoo!
2010-04-10 16:15 . 2005-11-15 16:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-06 14:47 . 2010-04-06 14:47 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-10 04:33 . 2005-08-16 10:18 1509888 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-09 11:09 . 2005-08-16 10:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2005-11-15 15:49 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-07-13 15:36 . 2005-12-26 19:00 104 --sh--r- c:\windows\system32\2642E71EC2.sys
2009-07-13 15:36 . 2006-01-27 00:50 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-20 3084288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SmileboxTray"="c:\documents and settings\Melinda\Application Data\Smilebox\SmileboxTray.exe" [2009-12-07 266888]
"Google Update"="c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-13 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-10-04 327769]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-30 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-30 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-3-10 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2005-11-15 917611]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/11/2006 10:06 PM 72672]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [11/15/2005 11:08 AM 57344]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006Core.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006UA.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Melinda\Application Data\Mozilla\Firefox\Profiles\kyw9vy6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_ve ... yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1928)
c:\docume~1\Melinda\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-10 19:35:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 00:35
ComboFix2.txt 2010-05-05 03:14
ComboFix3.txt 2010-04-28 03:04

Pre-Run: 48,589,725,696 bytes free
Post-Run: 48,452,702,208 bytes free

- - End Of File - - B130AFA13B769FA7C9FB0D61E5D10165
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 11th, 2010, 3:47 pm

Hi

Ok looks good! How are things running? One last check and we should be done - well done!


Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.


============================


Please post back with the MBAM log, a fresh HijackThis log (Do a system scan and save a log file) and a description of how the computer is running now.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Unread postby brandonatutsa » May 13th, 2010, 12:03 am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/12/2010 11:00:38 PM
mbam-log-2010-05-12 (23-00-38).txt

Scan type: Quick scan
Objects scanned: 139565
Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:01:11 PM, on 5/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\Melinda\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Melinda\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Melinda\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2426925751
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 10171 bytes
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm
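
As an added example (not part of this thread, and not HijackThis's own logic), a small Python triage pass over the kind of O4/O10/O23 lines in the log above: it parses each entry and flags autostarts launched from user-writable profile paths or given as a bare file name, services with no identified publisher, and LSP DLLs that HijackThis itself reports as unknown. The sample lines are copied from the log; the function names, the `Finding` record and the USER_WRITABLE markers are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above
# (O4 = autostart entries, O10 = Winsock LSP entries, O23 = services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Melinda\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
"""

# Line shapes as HijackThis prints them; 'owner' may be empty for O23
# (the forum collapsed the double space in "lxcz_device -  - C:\...").
O4_RUN = re.compile(r'^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O10_LSP = re.compile(r'^O10 - (?P<desc>.+?): (?P<path>.+)$')
O23_SVC = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s?- (?P<path>[a-z]:\\.+)$', re.I)
# First token of the command: a quoted path, or everything up to the first ".exe".
EXE_IN_CMD = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.exe)', re.I)

# Locations a standard user can write to; autostarts here deserve a second look
# (hypothetical triage markers chosen for this example, not a HijackThis rule).
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\')

NOTES = {
    'user_writable': 'autostart binary lives in a user-writable profile/temp path; confirm what installed it',
    'bare_name': 'autostart value is a bare file name resolved via the search path; confirm which file actually runs',
    'unknown_lsp': 'HijackThis could not identify this Winsock LSP DLL; verify it belongs to an installed product',
    'unknown_owner': "service has no identified publisher; check the binary's signature and install source",
}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. 'O4'
    name: str     # entry name as printed in the log
    path: str     # binary the entry points at
    tag: str      # short machine-readable reason
    note: str     # human-readable reason from NOTES


def executable_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, keeping only the binary."""
    m = EXE_IN_CMD.match(cmd)
    if not m:
        return cmd.strip()
    return m.group('q') or m.group('u')


def triage(log_text: str) -> list[Finding]:
    """Return review prompts (not verdicts) for the O4/O10/O23 lines of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := (O4_RUN.match(line) or O4_STARTUP.match(line)):
            path = executable_path(m['cmd'])
            low = path.lower()
            if any(marker in low for marker in USER_WRITABLE):
                findings.append(Finding('O4', m['name'], path, 'user_writable', NOTES['user_writable']))
            elif '\\' not in path:
                findings.append(Finding('O4', m['name'], path, 'bare_name', NOTES['bare_name']))
        elif m := O10_LSP.match(line):
            if m['desc'].lower().startswith('unknown file'):
                findings.append(Finding('O10', m['desc'], m['path'], 'unknown_lsp', NOTES['unknown_lsp']))
        elif m := O23_SVC.match(line):
            owner = m['owner'].strip()
            if not owner or owner.lower() == 'unknown owner':
                findings.append(Finding('O23', m['name'], m['path'], 'unknown_owner', NOTES['unknown_owner']))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.section}] {f.name}: {f.path}\n    -> {f.note}')
```

Every flag is a prompt to check the binary's origin and signature, not a verdict: the Google Update entry is flagged purely for its location, which is exactly the kind of item a log reviewer confirms by hand.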

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 13th, 2010, 8:10 am

Hi

Did you uninstall BitDefender? If so, please reinstall it or install one of the alternatives below. (Don't do both)


No Antivirus
Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for non-commercial users.
3) Microsoft Security Essentials - Free anti-malware solution that helps protect against viruses, spyware, and other malicious software

[Please note that trial pay is not needed to get any product for free.]

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, system instability and false virus alerts.


=================================================


Your log now appears to be clean.

Your computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

What are rootkits from Wikipedia

How do I respond to a possible identity theft and how do I prevent it

========================

This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer and what these problems are. If not, please follow the instructions below:



Uninstall Combofix
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


=====================================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer 7
    Internet Explorer 6


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

[Please note that trial pay is not needed to get any product for free.]


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: rootkit.patched.tdss.gen

Unread postby brandonatutsa » May 13th, 2010, 7:17 pm

You're awesome, man!!!! Thanks for all the help.
brandonatutsa
Regular Member
 
Posts: 16
Joined: April 19th, 2010, 7:10 pm

Re: rootkit.patched.tdss.gen

Unread postby melboy » May 13th, 2010, 7:20 pm

You're most welcome! :)
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK