rootkit.patched.tdss.gen


Post by aeiro » April 23rd, 2010, 11:13 pm

Hello, my virus protector has detected a virus called rootkit.patched.tdss.gen.
It says it cannot remove the virus. Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:03:02 PM, on 4/23/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Charter Security Suite\Common\FSM32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\windows defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\javaws.exe
    C:\Program Files\Java\jre6\bin\javaw.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    R3 - URLSearchHook: MW2 Prestige Lobby Toolbar - {b3cb8480-ba12-4ba3-bc38-e0beea4ec49b} - C:\Program Files\MW2_Prestige_Lobby\tbMW2_.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: MW2 Prestige Lobby Toolbar - {b3cb8480-ba12-4ba3-bc38-e0beea4ec49b} - C:\Program Files\MW2_Prestige_Lobby\tbMW2_.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: MW2 Prestige Lobby Toolbar - {b3cb8480-ba12-4ba3-bc38-e0beea4ec49b} - C:\Program Files\MW2_Prestige_Lobby\tbMW2_.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winkpb32.rom,gPpjnKMJfi
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
    O16 - DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} (GameTap Player) - http://archives.gametap.com/static/cab_ ... Player.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://ercwebcam.engin.umich.edu/active ... ontrol.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://63.165.41.9/JpegInst.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter Security Suite\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 11638 bytes
aeiro
Active Member
 
Posts: 3
Joined: April 23rd, 2010, 11:04 pm
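A first triage pass over a HijackThis log like the one posted above is usually done by eye, but the checks are mechanical enough to script. The example below is added here for illustration; it is not code from the forum, the helper, or HijackThis itself. It parses the `Oxx - ...` entry lines, then flags the patterns that stand out in this particular log: an O4 autorun that goes through `rundll32.exe` to load a module that is not a `.dll` (the `winkpb32.rom` entry), an O2 BHO registered with `(no file)`, an O16 ActiveX control downloaded from a bare IP address, and O23 services whose binary is missing or has no publisher. The sample input is a constructed excerpt of the log above, and the severity labels are the author's own assumption, not a HijackThis convention.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: a handful of lines excerpted from the HijackThis log
# posted above, chosen to exercise each check below.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winkpb32.rom,gPpjnKMJfi
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://63.165.41.9/JpegInst.cab
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# "O4 - HKCU\..\Run: [name] command" -> section "O4", body is everything after the dash.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# rundll32 command line: module name, comma, exported function name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>[^\s,]+),(?P<export>\S+)", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, ignoring non-entry lines."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (severity, section, note) findings a reviewer should look at first."""
    findings = []
    for section, body in entries:
        if section == "O4":
            m = RUNDLL_RE.search(body)
            # Autoruns that go through rundll32 should name a real DLL; a module with a
            # non-DLL extension (winkpb32.rom above) plus a random-looking export name is
            # the usual shape of a loader dropped by a downloader trojan.
            if m and not m.group("module").lower().endswith(".dll"):
                findings.append(("high", section,
                                 f"rundll32 loads non-DLL module {m.group('module')} "
                                 f"via export {m.group('export')}"))
        elif section == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: inert by itself, but residue worth cleaning up.
            findings.append(("low", section, "orphaned BHO registration with no file on disk"))
        elif section == "O16":
            # Downloaded ActiveX controls: a raw IP host instead of a vendor domain is unusual.
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if is_ip_literal(host):
                findings.append(("medium", section, f"ActiveX control downloaded from IP literal {host}"))
        elif section == "O23":
            if body.endswith("(file missing)"):
                findings.append(("low", section, "service points at a binary that no longer exists"))
            elif "Unknown owner" in body:
                findings.append(("info", section, "service binary carries no publisher information"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, section, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {section}: {note}")
```

Run against the excerpt, the `rundll32.exe winkpb32.rom,gPpjnKMJfi` autorun comes out on top, which is exactly the line a helper would ask about first; the legitimate `oobefldr.dll,ShowWelcomeCenter` entry and the DivX download from a vendor domain produce nothing. The script is a sorting aid, not a verdict: a flagged entry still needs the file itself examined, and an unflagged one is not thereby clean.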

Re: rootkit.patched.tdss.gen

Post by askey127 » April 26th, 2010, 4:30 pm

Hi aeiro,
-----------------------------------------------------------
There are some issues with infections in relation to PunkBuster:
Your computer has installed gaming tools. Some of these, like Punkbuster, use spyware techniques to engage in the anti-piracy battle.
In the process, they take control of much of your PC, and they actually meet the definition of spyware/malware.
They are sometimes designed to prevent orderly removal or modification, and they have only limited respect for retaining the overall security and integrity of your machine.
It is not a certainty that your computer can be cleaned without breaking or removing some of these programs, and this could result in not being able to play the associated games, or corruption of your system.
Since we are dedicated to causing No Harm, we won't normally work on machines with this type of program installed without explicit permission from the owner.
If you want to continue using the machine in this way, you should consider using imaging software like Norton Ghost or Acronis TrueImage, or Terabyte Image, which can put your entire C: drive back into an earlier state whenever the infections or malfunctions get too severe.

If you really want to clean this machine, I will help, but if you so choose, understand there is NO assurance you will be able to do games afterwards.
Not only that, but rootkits are risky to remove. If you want to try, then proceed as follows:
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop.
Don't do anything with it yet.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: rootkit.patched.tdss.gen

Post by aeiro » April 26th, 2010, 5:25 pm

OK, I have unzipped the folder to my desktop, and here is what you asked for:
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 9.3.1
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AHL2 v1.0
    AIM 6
    AIM Toolbar
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Audacity 1.3.8 (Unicode)
    AVS Audio Converter version 6.1
    AVS Update Manager 1.0
    AVS4YOU Software Navigator 1.3
    Bonjour
    Cache525
    Call of Duty Modern Warfare 2
    Catalyst Control Center - Branding
    Cavaj Java Decompiler
    C-Force
    Charter Security Suite
    Cheat Engine 5.5
    CoD4 Map Grabber
    Connect
    Dell Resource CD
    deskUNPDF 3 Professional
    deskUNPDF 3 Professional
    deskUNPDF 3 Standard
    DiskAid 3.1
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    DJ Java Decompiler v.3.11.11.95
    Download Updater (AOL LLC)
    FileZilla Client 3.3.1
    FrostWire 4.18.6
    F-Secure PSC Prerequisites
    GameTap Web Player
    GhostMouse 2.0
    Google AdWords Editor
    Guru's GRE Wordlist 0.2
    Hex Workshop v6
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Participation Program 10.0
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential 3.5
    HP Solution Center 13.0
    HP Update
    ijji REACTOR
    iTunes
    Java DB 10.4.2.1
    Java(TM) 6 Update 20
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 16
    JCreator LE 4.50
    JCreator Pro 4.50
    JDownloader
    Junk Mail filter update
    kuler
    LimeWire 5.5.6
    MCEBrowser
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.4
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Mozilla Firefox (3.5.8)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MW2_Prestige_Lobby Toolbar
    NetBeans IDE 6.7.1
    OCR Software by I.R.I.S. 10.0
    OGA Notifier 2.0.0048.0
    OpenAL
    Pando Media Booster
    PDF Settings CS4
    Photoshop Camera Raw
    PunkBuster Services
    Quake 4 (TM) SDK (remove only)
    QuickTime
    Realtek High Definition Audio Driver
    SCAR Divi CDE 3.22
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Shop for HP Supplies
    Spelling Dictionaries Support For Adobe Reader 9
    Steam
    Suite Shared Configuration CS4
    TeamViewer 5
    TouchCopy 09
    Update for 2007 Microsoft Office System (KB967642)
    Update for 2007 Microsoft Office System (KB977724)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.4053
    Viewpoint Media Player
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WinPcap 3.1
    WinRAR archiver
    WM Recorder 14
    WM Splitter 1.7.911
    Xfire (remove only)
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    Zero Gear Demo
aeiro
Active Member
 
Posts: 3
Joined: April 23rd, 2010, 11:04 pm

Re: rootkit.patched.tdss.gen

Post by askey127 » April 26th, 2010, 6:59 pm

aeiro,
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?f=11&t=33112
As a condition of receiving our help, I have included the P2P programs Frostwire and Limewire in the removal instructions below, so we are not wasting our time.
You can be fairly confident this is a principal reason your computer is infected.
------------------------------------------------
Remove Programs Using Control Panel (Vista)
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Ask Toolbar
FrostWire 4.18.6
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 16
LimeWire 5.5.6

Take extra care in answering questions posed by any uninstaller. Some questions may be worded to deceive you into keeping the program.
---------------------------------------------
Run CKScanner
Download CKScanner from HERE
Important - Save it to your desktop.
Right-Click CKScanner.exe, choose Run as administrator and click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.
--------------------------------------------
TDSSKiller
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes Anti-Malware by right-clicking it and choosing "Run as administrator", click the Update tab and let it update.
  • Once the program has started up again, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except those in the C:\System Volume Information folder and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents. The logs are listed and named by time/date stamp.

Please post back the CKScanner log, and the logs from TDSSKiller and Malwarebytes Anti-Malware.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
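The removal list in the post above follows three rules that can be applied mechanically to the uninstall list the user posted: drop the P2P clients the forum's policy names, drop the bundled toolbar, and keep only the newest update of each Java major version so that older, exploitable runtimes are no longer installed side by side. The script below is an added example, not the forum's or the helper's code; it assumes the reviewer maintains the `P2P_PROGRAMS` and `BUNDLED_TOOLBARS` tuples themselves, and the sample input is a constructed excerpt of the list posted earlier in the thread.

```python
import re

# Constructed sample input: an excerpt of the uninstall list posted earlier in this thread.
SAMPLE_LIST = """
Ask Toolbar
Charter Security Suite
FrostWire 4.18.6
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 16
LimeWire 5.5.6
Mozilla Firefox (3.5.8)
PunkBuster Services
"""

# Program families the post singles out (assumption: the reviewer keeps these tuples current).
P2P_PROGRAMS = ("frostwire", "limewire")
BUNDLED_TOOLBARS = ("ask toolbar",)

# "Java(TM) 6 Update 20" / "Java(TM) SE Development Kit 6 Update 16":
# capture the major version and the update number so installs can be compared.
JAVA_RE = re.compile(r"^Java\(TM\) (?P<product>.*?)(?P<major>\d+) Update (?P<update>\d+)$")


def review_uninstall_list(text):
    """Return (reason, entry) pairs for the programs the list suggests removing."""
    removals = []
    java_by_major = {}  # major version -> [(update number, entry), ...]
    for entry in (line.strip() for line in text.strip().splitlines()):
        if not entry:
            continue
        low = entry.lower()
        if any(name in low for name in P2P_PROGRAMS):
            removals.append(("P2P file-sharing client", entry))
            continue
        if low in BUNDLED_TOOLBARS:
            removals.append(("bundled browser toolbar", entry))
            continue
        m = JAVA_RE.match(entry)
        if m:
            java_by_major.setdefault(int(m.group("major")), []).append(
                (int(m.group("update")), entry))
    # Every Java package except the newest update of each major version is a stale
    # copy: side-by-side installs keep the old runtime, and its known bugs, reachable.
    for versions in java_by_major.values():
        versions.sort()
        for _, entry in versions[:-1]:
            removals.append(("superseded Java runtime", entry))
    return sorted(removals, key=lambda r: r[1])


if __name__ == "__main__":
    for reason, entry in review_uninstall_list(SAMPLE_LIST):
        print(f"{entry:42} {reason}")
```

On the excerpt this reproduces the five entries the post asks the user to uninstall (Ask Toolbar, FrostWire, Java 6 Update 7, the JDK 6 Update 16, LimeWire) and leaves Java 6 Update 20 in place. Programs such as PunkBuster are deliberately not on any list here: the earlier post treats them as a decision for the machine's owner, not a rule.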

Re: rootkit.patched.tdss.gen

Post by aeiro » April 26th, 2010, 9:40 pm

Here is the Malwarebytes log:
    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4041

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    4/26/2010 8:35:47 PM
    mbam-log-2010-04-26 (20-35-47).txt

    Scan type: Quick scan
    Objects scanned: 187805
    Time elapsed: 14 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

Here is the tdsskiller.txt:
    19:09:07:095 3196 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    19:09:07:095 3196 ================================================================================
    19:09:07:095 3196 SystemInfo:

    19:09:07:095 3196 OS Version: 6.0.6002 ServicePack: 2.0
    19:09:07:095 3196 Product type: Workstation
    19:09:07:095 3196 ComputerName: RICHMJ-D01
    19:09:07:095 3196 UserName: Michael.richardson
    19:09:07:095 3196 Windows directory: C:\Windows
    19:09:07:095 3196 Processor architecture: Intel x86
    19:09:07:095 3196 Number of processors: 4
    19:09:07:095 3196 Page size: 0x1000
    19:09:07:097 3196 Boot type: Normal boot
    19:09:07:097 3196 ================================================================================
    19:09:07:100 3196 UnloadDriverW: NtUnloadDriver error 2
    19:09:07:100 3196 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    19:09:07:174 3196 wfopen_ex: Trying to open file C:\Windows\system32\config\system
    19:09:07:174 3196 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:09:07:174 3196 wfopen_ex: Trying to KLMD file open
    19:09:07:174 3196 wfopen_ex: File opened ok (Flags 2)
    19:09:07:192 3196 wfopen_ex: Trying to open file C:\Windows\system32\config\software
    19:09:07:192 3196 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:09:07:192 3196 wfopen_ex: Trying to KLMD file open
    19:09:07:192 3196 wfopen_ex: File opened ok (Flags 2)
    19:09:07:193 3196 Initialize success
    19:09:07:193 3196
    19:09:07:193 3196 Scanning Services ...
    19:09:15:650 3196 Raw services enum returned 433 services
    19:09:15:657 3196
    19:09:15:664 3196 Scanning Kernel memory ...
    19:09:15:665 3196 Devices to scan: 7
    19:09:15:665 3196
    19:09:15:665 3196 Driver Name: USBSTOR
    19:09:15:665 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:665 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:665 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:665 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:665 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:665 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:665 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:665 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:665 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:665 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:665 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:665 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:665 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:665 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:665 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:665 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:665 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:665 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:665 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:665 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:665 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:665 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:665 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:665 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:665 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:665 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:665 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:688 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:688 3196
    19:09:15:688 3196 Driver Name: USBSTOR
    19:09:15:688 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:688 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:688 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:688 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:688 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:688 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:688 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:688 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:688 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:688 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:688 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:688 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:688 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:688 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:688 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:688 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:688 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:688 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:688 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:688 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:688 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:688 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:688 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:688 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:688 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:688 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:688 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:710 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:710 3196
    19:09:15:710 3196 Driver Name: USBSTOR
    19:09:15:710 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:710 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:710 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:710 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:710 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:710 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:710 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:710 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:710 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:710 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:710 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:710 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:710 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:710 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:711 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:711 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:711 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:711 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:711 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:711 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:711 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:711 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:711 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:711 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:711 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:711 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:711 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:725 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:725 3196
    19:09:15:725 3196 Driver Name: USBSTOR
    19:09:15:725 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:725 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:725 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:725 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:725 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:725 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:725 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:725 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:725 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:725 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:725 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:725 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:725 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:725 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:726 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:726 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:726 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:726 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:726 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:726 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:726 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:726 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:726 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:726 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:726 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:726 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:726 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:736 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:736 3196
    19:09:15:736 3196 Driver Name: USBSTOR
    19:09:15:736 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:736 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:736 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:736 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:736 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:736 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:736 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:736 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:736 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:736 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:736 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:736 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:736 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:736 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:736 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:736 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:737 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:737 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:737 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:737 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:737 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:737 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:737 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:737 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:737 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:737 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:737 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:762 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:762 3196
    19:09:15:762 3196 Driver Name: USBSTOR
    19:09:15:762 3196 IRP_MJ_CREATE : 904FEFC8
    19:09:15:762 3196 IRP_MJ_CREATE_NAMED_PIPE : 81E3EA22
    19:09:15:762 3196 IRP_MJ_CLOSE : 904FF040
    19:09:15:762 3196 IRP_MJ_READ : 904FF0B8
    19:09:15:762 3196 IRP_MJ_WRITE : 904FF0B8
    19:09:15:762 3196 IRP_MJ_QUERY_INFORMATION : 81E3EA22
    19:09:15:762 3196 IRP_MJ_SET_INFORMATION : 81E3EA22
    19:09:15:762 3196 IRP_MJ_QUERY_EA : 81E3EA22
    19:09:15:762 3196 IRP_MJ_SET_EA : 81E3EA22
    19:09:15:762 3196 IRP_MJ_FLUSH_BUFFERS : 81E3EA22
    19:09:15:762 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E3EA22
    19:09:15:762 3196 IRP_MJ_SET_VOLUME_INFORMATION : 81E3EA22
    19:09:15:762 3196 IRP_MJ_DIRECTORY_CONTROL : 81E3EA22
    19:09:15:762 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 81E3EA22
    19:09:15:762 3196 IRP_MJ_DEVICE_CONTROL : 904FEBC4
    19:09:15:762 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 904F27E4
    19:09:15:762 3196 IRP_MJ_SHUTDOWN : 81E3EA22
    19:09:15:762 3196 IRP_MJ_LOCK_CONTROL : 81E3EA22
    19:09:15:762 3196 IRP_MJ_CLEANUP : 81E3EA22
    19:09:15:762 3196 IRP_MJ_CREATE_MAILSLOT : 81E3EA22
    19:09:15:762 3196 IRP_MJ_QUERY_SECURITY : 81E3EA22
    19:09:15:762 3196 IRP_MJ_SET_SECURITY : 81E3EA22
    19:09:15:762 3196 IRP_MJ_POWER : 904FD59C
    19:09:15:762 3196 IRP_MJ_SYSTEM_CONTROL : 904FA7A2
    19:09:15:762 3196 IRP_MJ_DEVICE_CHANGE : 81E3EA22
    19:09:15:762 3196 IRP_MJ_QUERY_QUOTA : 81E3EA22
    19:09:15:762 3196 IRP_MJ_SET_QUOTA : 81E3EA22
    19:09:15:795 3196 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:09:15:795 3196
    19:09:15:795 3196 Driver Name: atapi
    19:09:15:795 3196 IRP_MJ_CREATE : 853DDAC8
    19:09:15:795 3196 IRP_MJ_CREATE_NAMED_PIPE : 853DDAC8
    19:09:15:795 3196 IRP_MJ_CLOSE : 853DDAC8
    19:09:15:795 3196 IRP_MJ_READ : 853DDAC8
    19:09:15:795 3196 IRP_MJ_WRITE : 853DDAC8
    19:09:15:795 3196 IRP_MJ_QUERY_INFORMATION : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SET_INFORMATION : 853DDAC8
    19:09:15:795 3196 IRP_MJ_QUERY_EA : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SET_EA : 853DDAC8
    19:09:15:795 3196 IRP_MJ_FLUSH_BUFFERS : 853DDAC8
    19:09:15:795 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SET_VOLUME_INFORMATION : 853DDAC8
    19:09:15:795 3196 IRP_MJ_DIRECTORY_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_DEVICE_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SHUTDOWN : 853DDAC8
    19:09:15:795 3196 IRP_MJ_LOCK_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_CLEANUP : 853DDAC8
    19:09:15:795 3196 IRP_MJ_CREATE_MAILSLOT : 853DDAC8
    19:09:15:795 3196 IRP_MJ_QUERY_SECURITY : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SET_SECURITY : 853DDAC8
    19:09:15:795 3196 IRP_MJ_POWER : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SYSTEM_CONTROL : 853DDAC8
    19:09:15:795 3196 IRP_MJ_DEVICE_CHANGE : 853DDAC8
    19:09:15:795 3196 IRP_MJ_QUERY_QUOTA : 853DDAC8
    19:09:15:795 3196 IRP_MJ_SET_QUOTA : 853DDAC8
    19:09:15:795 3196 Driver "atapi" infected by TDSS rootkit!
    19:09:15:826 3196 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
    19:09:15:826 3196 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
    19:09:15:826 3196 Processing driver file: C:\Windows\system32\drivers\atapi.sys
    19:09:19:712 3196 vfvi6
    19:09:19:810 3196 dsvbh1
    19:09:24:392 3196 fdfb1
    19:09:24:392 3196 Backup copy found, using it..
    19:09:24:724 3196 will be cured on next reboot
    19:09:24:724 3196 Reboot required for cure complete..
    19:09:24:921 3196 Cure on reboot scheduled successfully
    19:09:24:921 3196
    19:09:24:921 3196 Completed
    19:09:24:921 3196
    19:09:24:922 3196 Results:
    19:09:24:922 3196 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    19:09:24:922 3196 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    19:09:24:923 3196 File objects infected / cured / cured on reboot: 1 / 0 / 1
    19:09:24:923 3196
    19:09:24:923 3196 fclose_ex: Trying to close file C:\Windows\system32\config\system
    19:09:24:924 3196 fclose_ex: Trying to close file C:\Windows\system32\config\software
    19:09:24:924 3196 UnloadDriverW: NtUnloadDriver error 1
    19:09:24:925 3196 KLMD(ARK) unloaded successfully

and here is the ckfiles.txt

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11
    ----- EOF -----
aeiro
Active Member
 
Posts: 3
Joined: April 23rd, 2010, 11:04 pm
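The posted TDSSKiller log shows why "atapi" was singled out: every USBSTOR table above it has a handful of distinct dispatch addresses (the driver's own handlers plus the shared 81E3EA22 entry for requests it does not service), while all 27 IRP_MJ entries of atapi resolve to the single address 853DDAC8, immediately followed by the "infected by TDSS rootkit!" line. The script below is an added example written for this thread, not TDSSKiller's code or its detection logic: it parses lines in the layout the log uses and flags any driver whose whole dispatch table collapses to one address, then compares that against what the scanner itself reported. The sample log is constructed from the addresses seen in the posted log, not copied from it.

```python
"""Heuristic review of a TDSSKiller-style driver dispatch-table dump.

Added example for this thread; not TDSSKiller's code or detection logic.
Parses the posted log's line layout:
    <hh:mm:ss:ms> <pid> Driver Name: <name>
    <hh:mm:ss:ms> <pid> IRP_MJ_<op> : <8 hex digits>
    <hh:mm:ss:ms> <pid> <path> - Verdict: <n>
    <hh:mm:ss:ms> <pid> Driver "<name>" infected by TDSS rootkit!
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\s*\d\d:\d\d:\d\d:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?)\s+-\s+Verdict:\s*(\d+)$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')

# The 27 major function codes the posted log lists for each driver.
IRP_NAMES = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA",
]


def parse_log(text):
    """Return (tables, verdicts, reported): {driver: {irp: addr}},
    [(path, verdict)], and [driver] for each scanner infection line."""
    tables = defaultdict(dict)
    verdicts, reported, current = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()          # "" for time/pid-only lines
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)           # a new dispatch table begins
            tables[current] = {}
            continue
        i = IRP_RE.match(body)
        if i and current:
            tables[current][i.group(1)] = i.group(2).upper()
            continue
        v = VERDICT_RE.match(body)
        if v:
            verdicts.append((v.group(1), int(v.group(2))))
            continue
        r = INFECTED_RE.match(body)
        if r:
            reported.append(r.group(1))
    return dict(tables), verdicts, reported


def collapsed_tables(tables, min_entries=20):
    """Drivers whose entire dispatch table points at one address.

    A legitimate driver shows several targets: its own handlers plus one
    shared kernel stub for unsupported requests. A table that resolves
    entirely to a single address was replaced wholesale: a lead worth
    following even before a scanner verdict."""
    return {name: next(iter(set(t.values())))
            for name, t in tables.items()
            if len(t) >= min_entries and len(set(t.values())) == 1}


# Constructed sample in the posted log's layout (addresses taken from it).
_USBSTOR = {"IRP_MJ_CREATE": "904FEFC8", "IRP_MJ_CLOSE": "904FF040",
            "IRP_MJ_READ": "904FF0B8", "IRP_MJ_WRITE": "904FF0B8",
            "IRP_MJ_DEVICE_CONTROL": "904FEBC4",
            "IRP_MJ_INTERNAL_DEVICE_CONTROL": "904F27E4",
            "IRP_MJ_POWER": "904FD59C", "IRP_MJ_SYSTEM_CONTROL": "904FA7A2"}


def _table(ts, driver, addr_of):
    lines = [f"{ts} 3196 Driver Name: {driver}"]
    return lines + [f"{ts} 3196 {n} : {addr_of(n)}" for n in IRP_NAMES]


SAMPLE_LOG = "\n".join(
    _table("19:09:15:762", "USBSTOR", lambda n: _USBSTOR.get(n, "81E3EA22"))
    + ["19:09:15:795 3196 C:\\Windows\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1",
       "19:09:15:795 3196"]
    + _table("19:09:15:795", "atapi", lambda n: "853DDAC8")
    + ['19:09:15:795 3196 Driver "atapi" infected by TDSS rootkit!',
       "19:09:15:826 3196 C:\\Windows\\system32\\drivers\\atapi.sys - Verdict: 1"])


def review(text=SAMPLE_LOG):
    """Run the heuristic and compare it with the scanner's own report."""
    tables, verdicts, reported = parse_log(text)
    flagged = collapsed_tables(tables)
    return {"flagged": flagged, "reported": reported, "verdicts": verdicts,
            "agree": set(flagged) == set(reported)}


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Run against the full log above, the same `review()` call reports atapi as the only collapsed table, matching the scanner's verdict; the heuristic is a reading aid for this kind of dump, not a replacement for the tool's own checks.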

Re: rootkit.patched.tdss.gen

Unread postby askey127 » April 27th, 2010, 6:33 am

aeiro,
-------------------------------------------------
Please download GMER Rootkit Scanner from Here.
  • Right click the .exe file and chose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
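The SystemLook `:filefind` list above is made up of driver and system files that the TDSS family is known to patch in place; the point of the scan is to see every copy of each name on the disk, since a patched active copy next to an untouched copy elsewhere (which is what let TDSSKiller report "Backup copy found, using it.." in the log above) is the tell. The script below is an added example for this thread and not SystemLook's code: it walks a directory tree for the same names, hashes every copy with SHA-256, and reports the names whose copies do not all hash the same. On a real machine the root would be the system drive; here `build_demo_tree()` creates a constructed tree in a temporary folder so the example runs anywhere.

```python
"""Find every copy of the listed driver files and compare their hashes.

Added example for this thread; not SystemLook's code. Performs the same
name search as the :filefind list in the post above and adds a SHA-256
comparison across the copies found for each name.
"""
import hashlib
import os
import tempfile

# The names from the SystemLook script in the post above.
DRIVER_NAMES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large drivers need no full read."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, names=DRIVER_NAMES):
    """Return {lowercase name: [(path, size, sha256)]} for every copy under root.

    Matching is case-insensitive, as Windows file names are."""
    wanted = {n.lower() for n in names}
    found = {n: [] for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in wanted:
                p = os.path.join(dirpath, fn)
                try:
                    found[key].append((p, os.path.getsize(p), sha256_of(p)))
                except OSError:
                    continue          # locked or vanished file; keep walking
    return found


def inconsistent_copies(found):
    """Names whose copies do not all share one hash.

    Different legitimate versions can coexist (an updated driver beside an
    older store copy), so this is a lead, not a verdict: the follow-up is
    to check version info and the digital signature of each divergent copy."""
    return {name: sorted({h for _, _, h in copies})
            for name, copies in found.items()
            if len({h for _, _, h in copies}) > 1}


def build_demo_tree():
    """Constructed tree (not a real system): two atapi.sys copies that
    differ, two iaStor.sys copies that match, one lone scecli.dll."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    layout = {
        os.path.join("Windows", "System32", "drivers", "atapi.sys"): b"ACTIVE-COPY-DIFFERS",
        os.path.join("Windows", "System32", "DriverStore", "atapi.sys"): b"STORE-COPY",
        os.path.join("Windows", "System32", "drivers", "iaStor.sys"): b"SAME-BYTES",
        os.path.join("Windows", "winsxs", "pkg", "iaStor.sys"): b"SAME-BYTES",
        os.path.join("Windows", "System32", "scecli.dll"): b"ONLY-ONE-COPY",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


def demo():
    """Build the constructed tree, scan it, and summarise the findings."""
    root = build_demo_tree()
    found = filefind(root)
    return {"root": root,
            "copies": {n: len(c) for n, c in found.items() if c},
            "inconsistent": inconsistent_copies(found)}


if __name__ == "__main__":
    result = demo()
    print("copies per name:", result["copies"])
    print("names with divergent copies:", sorted(result["inconsistent"]))
```

On the constructed tree only `atapi.sys` is reported, because its two copies hash differently while the two `iaStor.sys` copies agree; a single copy of a name can never be inconsistent, which is why `scecli.dll` is counted but not flagged.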

Re: rootkit.patched.tdss.gen

Unread postby askey127 » April 30th, 2010, 3:19 pm

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA