mlmorg
Everything posted by mlmorg

  1. Thanks Maurice for the quick reply. I'll definitely let her know to format and install a new OS -- I set up Cobian to back up her user directory to another drive in the computer, but it's not a full mirror, so the format would be the best option -- the backups have been running since she got the rootkit, however, so do you think this would be an issue when I format the C: and move her documents, pics etc. back to the C: from the E:? As for the logins, I let her know to change those all today from another computer -- is that enough? Should she be worried about any of the other information in her doc files? Thanks again, Matt
  2. Sorry, I think I forgot the attachment.

     attached.zip

     Attach.txt

     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
     IF REQUESTED, ZIP IT UP & ATTACH IT

     DDS (Ver_09-12-01.01)

     Microsoft Windows XP Professional
     Boot Device: \Device\HarddiskVolume2
     Install Date: 1/5/2009 6:01:52 PM
     System Uptime: 2/28/2010 5:49:48 AM (6 hours ago)

     Motherboard: ASUSTeK Computer INC. | | A8N-SLI DELUXE
     Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 2010/200mhz

     ==== Disk Partitions =========================

     A: is Removable
     C: is FIXED (NTFS) - 186 GiB total, 99.652 GiB free.
     D: is CDROM ()
     E: is FIXED (NTFS) - 37 GiB total, 31.536 GiB free.

     ==== Disabled Device Manager Items =============

     Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
     Description: PCI Memory Controller
     Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00
     Manufacturer:
     Name: PCI Memory Controller
     PNP Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00
     Service:

     Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
     Description: SM Bus Controller
     Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09
     Manufacturer:
     Name: SM Bus Controller
     PNP Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09
     Service:

     Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
     Description: Ethernet Controller
     Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&13699180&0&6048
     Manufacturer:
     Name: Ethernet Controller
     PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&13699180&0&6048
     Service:

     Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
     Description:
     Device ID: ACPI\ATK0110\1010110
     Manufacturer:
     Name:
     PNP Device ID: ACPI\ATK0110\1010110
     Service:

     ==== System Restore Points ===================

     RP344: 1/12/2010 8:06:13 PM - System Checkpoint
     RP345: 1/13/2010 8:16:55 PM - System Checkpoint
     RP346: 1/14/2010 10:22:03 PM - System Checkpoint
     RP347: 1/15/2010 8:05:36 PM - Installed Google SketchUp Pro 7
     RP348: 1/16/2010 8:34:48 PM - System Checkpoint
     RP349: 1/17/2010 10:33:22 PM - System Checkpoint
     RP350: 1/18/2010 11:21:49 PM - System Checkpoint
     RP351: 1/20/2010 3:29:52 AM - System Checkpoint
     RP352: 1/21/2010 4:37:27 AM - System Checkpoint
     RP353: 1/22/2010 1:01:36 PM - System Checkpoint
     RP354: 1/23/2010 1:36:04 PM - System Checkpoint
     RP355: 1/24/2010 2:39:50 PM - System Checkpoint
     RP356: 1/25/2010 3:26:53 PM - System Checkpoint
     RP357: 1/26/2010 3:57:03 PM - System Checkpoint
     RP358: 1/27/2010 4:08:23 PM - System Checkpoint
     RP359: 1/28/2010 4:58:14 PM - System Checkpoint
     RP360: 1/29/2010 5:03:22 PM - System Checkpoint
     RP361: 1/30/2010 6:06:49 PM - System Checkpoint
     RP362: 1/31/2010 7:03:55 PM - System Checkpoint
     RP363: 2/1/2010 8:06:42 PM - System Checkpoint
     RP364: 2/2/2010 8:41:20 PM - System Checkpoint
     RP365: 2/3/2010 8:50:09 PM - System Checkpoint
     RP366: 2/4/2010 11:44:51 PM - System Checkpoint
     RP367: 2/6/2010 12:20:18 AM - System Checkpoint
     RP368: 2/7/2010 9:44:24 AM - System Checkpoint
     RP369: 2/7/2010 3:33:30 PM - Installed Windows XP -- Software Updates KB952011.
     RP370: 2/8/2010 3:41:29 PM - System Checkpoint
     RP371: 2/9/2010 4:12:28 PM - System Checkpoint
     RP372: 2/10/2010 4:31:11 PM - System Checkpoint
     RP373: 2/11/2010 5:40:15 PM - System Checkpoint
     RP374: 2/12/2010 6:28:45 PM - System Checkpoint
     RP375: 2/13/2010 6:29:50 PM - System Checkpoint
     RP376: 2/14/2010 10:04:11 AM - Unsigned driver install
     RP377: 2/15/2010 10:07:45 AM - System Checkpoint
     RP378: 2/16/2010 11:08:34 AM - System Checkpoint
     RP379: 2/17/2010 11:58:38 AM - System Checkpoint
     RP380: 2/18/2010 2:54:14 PM - System Checkpoint
     RP381: 2/18/2010 6:56:52 PM - Installed SUPERAntiSpyware Free Edition
     RP382: 2/19/2010 7:41:51 PM - System Checkpoint
     RP383: 2/20/2010 2:41:09 PM - Removed Symantec AntiVirus
     RP384: 2/20/2010 7:15:20 PM - Installed Windows XP WgaNotify.
     RP385: 2/21/2010 8:35:41 PM - System Checkpoint
     RP386: 2/22/2010 9:03:37 PM - System Checkpoint
     RP387: 2/23/2010 9:06:28 PM - System Checkpoint
     RP388: 2/24/2010 9:59:43 PM - System Checkpoint
     RP389: 2/25/2010 10:03:59 PM - System Checkpoint
     RP390: 2/26/2010 11:39:20 PM - System Checkpoint
     RP391: 2/27/2010 10:44:21 AM - Removed Symantec AntiVirus

     ==== Installed Programs ======================
  3. Hi all, My mother's computer seems to have been infected with TDSS. I told her to follow the instructions on this page: http://community.norton.com/t5/Norton-Inte...SServ/m-p/46674 and run SDFix. She never was able to find the drivers in step 1, but she went through the instructions twice, and after doing so, programs that previously would not open (like Symantec) would now work. So she ran Symantec AntiVirus, Malwarebytes and SUPERAntiSpyware. Symantec was unhelpful in deleting anything, but the other two programs found and deleted many different issues, she said; however, she ran them multiple times and each time they would find something new. She also got Symantec Endpoint, installed and ran that, and it did a little better than her older Symantec program. The main issue she's having now is that certain sites are being blocked/redirected and the malware programs continue to find new issues. Below are the dds.txt contents, and I've attached ark.txt and attach.txt. My first question is, is there anything we can do from here? Also, she's thinking of formatting and installing Windows 7; would this be any better? And finally, if in the end she does reformat and goes back to XP or gets Windows 7, should she change all of her passwords on sites, get new credit cards, etc., or is that taking it too far? She's also wary because she has a few doc files on her comp with passwords, credit card numbers, maybe even SSNs...
     Thanks a bunch for any help, Matt

     DDS (Ver_09-12-01.01) - NTFSx86
     Run by Barbara Morgan at 11:07:48.63 on Sun 02/28/2010
     Internet Explorer: 7.0.5730.13
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1191 [GMT -5:00]

     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\Program Files\Symantec AntiVirus\Smc.exe
     C:\WINDOWS\Explorer.EXE
     svchost.exe
     svchost.exe
     C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\WINDOWS\system32\acs.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     C:\WINDOWS\system32\RUNDLL32.EXE
     C:\WINDOWS\SOUNDMAN.EXE
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
     C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Cobian Backup 9\Cobian.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     C:\Program Files\Cobian Backup 9\cbInterface.exe
     C:\Program Files\Symantec AntiVirus\SmcGui.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
     C:\Program Files\Symantec AntiVirus\SavUI.exe
     C:\Documents and Settings\Barbara Morgan\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
     BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
     TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
     uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
     uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [nwiz] nwiz.exe /install
     mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     mRun: [soundMan] SOUNDMAN.EXE
     mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
     mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
     mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mPolicies-system: EnableLUA = 0 (0x0)
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
     DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
     TCP: NameServer = 93.188.163.39,93.188.161.101
     TCP: {34E2B6B8-CE46-4A24-90D5-AC19F214FE85} = 93.188.163.39,93.188.161.101
     Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
     Notify: NavLogon - c:\windows\system32\NavLogon.dll
     SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

     ============= SERVICES / DRIVERS ===============

     R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
     R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]
     R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]
     R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-12-16 2477304]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
     R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVENG.SYS [2010-2-28 84912]
     R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVEX15.SYS [2010-2-28 1324720]
     R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
     S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-16 23888]
     S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys [2009-5-21 135944]
     S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
     S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2008-4-13 25344]
     S4 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
     S4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

     =============== Created Last 30 ================

     2010-02-20 19:47:54 0 ------w- c:\documents and settings\barbara morgan\defogger_reenable
     2010-02-20 19:44:57 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
     2010-02-20 19:43:31 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
     2010-02-18 23:57:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
     2010-02-18 23:56:53 0 d-----w- c:\program files\SUPERAntiSpyware
     2010-02-18 23:56:53 0 d-----w- c:\docume~1\barbar~1\applic~1\SUPERAntiSpyware.com
     2010-02-18 23:56:17 0 d-----w- c:\docume~1\barbar~1\applic~1\Malwarebytes
     2010-02-18 23:56:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-02-18 23:56:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-02-18 23:56:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-02-18 23:56:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2010-02-15 20:16:46 0 d-----w- c:\windows\ERUNT
     2010-02-15 20:01:38 0 d-----w- C:\SDFix

     ==================== Find3M ====================

     2010-02-27 15:44:15 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
     2010-02-27 15:44:15 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
     2010-02-27 15:44:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2010-02-27 15:44:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2009-12-16 19:58:00 89600 ----a-w- c:\windows\system32\atl71.dll
     2009-12-16 19:58:00 87368 ----a-w- c:\windows\system32\FwsVpn.dll
     2009-12-16 19:58:00 625032 ----a-w- c:\windows\system32\SymNeti.dll
     2009-12-16 19:58:00 357704 ----a-w- c:\windows\system32\sysfer.dll
     2009-12-16 19:58:00 242056 ----a-w- c:\windows\system32\SymRedir.dll
     2009-12-16 19:58:00 107848 ----a-w- c:\windows\system32\SymVPN.dll
     2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
     2009-12-02 04:53:50 695578 ----a-w- c:\windows\system32\unins000.exe
     2006-07-05 10:33:24 472000 ----a-w- c:\windows\inf\wg311t\WG311T13.sys
     2004-10-20 00:58:28 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE
     2004-10-20 00:58:28 26112 ----a-w- c:\windows\inf\wg311t\install.exe

     ============= FINISH: 11:08:17.39 ===============