mike23 Posted August 25, 2009 ID:114848 Share Posted August 25, 2009 Hi,Recently I've experienced some problems with "Windows Antivirus Pro" popping up on my laptop. Since then, booting windows in normal and safe mode takes me to a black desktop with only the "Documents" folder opening. In normal mode, I cannot do anything as windows will automatically restart in a matter of seconds. In safe mode with networking, I can retreive the desktop by closing explorer.exe in the task manager and reloading it.I've tried the steps to get mbam running but nothing seems to work. Just about every program that scans will quickly close after beginning the scan. I'd really appreciate any help you can give me. Thanks! Link to post Share on other sites More sharing options...
Staff screen317 Posted August 25, 2009 Staff ID:114896 Share Posted August 25, 2009 Hi mike23 and welcome to Malwarebytes.Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:-screen317 Link to post Share on other sites More sharing options...
mike23 Posted August 25, 2009 Author ID:114905 Share Posted August 25, 2009 Thanks for the help! Here is the report:Log file is located at: C:\Users\Mike\Desktop\Win32kDiag.txtWARNING: Could not get backup privileges!Searching 'C:\Windows'...Found mount point : C:\Windows\AppPatch\Custom\CustomMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D5B.tmp\ZAP5D5B.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCF8E.tmp\ZAPCF8E.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE243.tmp\ZAPE243.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmpMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\temp\tempMount point destination : \Device\__max++>\^Found mount point : C:\Windows\assembly\tmp\tmpMount point destination : \Device\__max++>\^Cannot access: C:\Windows\bthservsdp.dat[1] 2009-08-24 21:34:59 12 C:\Windows\bthservsdp.dat () Link to post Share on other sites More sharing options...
Staff screen317 Posted August 27, 2009 Staff ID:115441 Share Posted August 27, 2009 Hi mike23,Please delete your copy of Win32kDiag.Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here."%userprofile%\desktop\win32kdiag.exe" -f -r Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
mike23 Posted August 27, 2009 Author ID:115443 Share Posted August 27, 2009 Here's the log from win32kdiag:Log file is located at: C:\Users\Mike\Desktop\Win32kDiag.txtRemoving all found mount points.Attempting to reset file permissions.WARNING: Could not get backup privileges!Searching 'C:\Windows'...Found mount point : C:\Windows\AppPatch\Custom\CustomMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\AppPatch\Custom\CustomFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D5B.tmp\ZAP5D5B.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D5B.tmp\ZAP5D5B.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCF8E.tmp\ZAPCF8E.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCF8E.tmp\ZAPCF8E.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE243.tmp\ZAPE243.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE243.tmp\ZAPE243.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmpFound mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmpFound mount point : C:\Windows\assembly\temp\tempMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\temp\tempFound mount point : C:\Windows\assembly\tmp\tmpMount point destination : \Device\__max++>\^Removing mount point : C:\Windows\assembly\tmp\tmpCannot access: C:\Windows\bthservsdp.datAttempting to restore permissions of : C:\Windows\bthservsdp.dat[1] 2009-08-24 21:34:59 12 C:\Windows\bthservsdp.dat () Link to post Share on other sites More sharing options...
mike23 Posted August 27, 2009 Author ID:115454 Share Posted August 27, 2009 I tried to run ComboFix, but I receieved an error saying that some files could not be created, close all windows, restart and retry the installation. I restarted the computer in safe mode with networking, ran ComboFix, and a blue progress bar appeared after I double clicked the dekstop icon. The bar then went away and the program never loaded.I then tried to run a copy of HJT previously installed, but I receieved the "Windows cannot access the specifiecd path..." error. I then downloaded a new copy, began to scan the computer, and the program like before closed within seconds. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 27, 2009 Staff ID:115529 Share Posted August 27, 2009 Okay thanks for letting me know.Please run a GMER Rootkit scan:Download GMER's application from here:http://www.gmer.net/gmer.zipUnzip it and start the GMER.exeClick the Rootkit tab and click the Scan button.Once done, click the Copy button.This will copy the results to your clipboard.Paste the results in your next reply.Warning ! Please, do not select the "Show all" checkbox during the scan.-screen317 Link to post Share on other sites More sharing options...
mike23 Posted August 27, 2009 Author ID:115537 Share Posted August 27, 2009 Thanks for all of your help screen...I got GMER to scan for several minutes, then all of a sudden the program closed. It seemed to be finding quite a lot, including TDSS and UAC from what I remember. I tried to restart GMER, but I get the "Windows cannot find the specified path" error. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 28, 2009 Staff ID:115927 Share Posted August 28, 2009 Delete your copy of ComboFix.Download the latest version from here to your Desktop, except before you download it, rename it to svchost.exeNext, click Start --> Run, and type in this command exactly as shown:"%userprofile%\desktop\svchost.exe" /killallLet me know if it runs now.-screen317 Link to post Share on other sites More sharing options...
mike23 Posted August 28, 2009 Author ID:115999 Share Posted August 28, 2009 I followed your steps above and ComboFix will still not load. I then tried GMER again and copied as much information as I could before the program closed. Hopefully it's of some use.GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.netRootkit scan 2009-08-27 18:29:06Windows 6.0.6001 Service Pack 1---- Kernel code sections - GMER 1.0.15 ----? win32k.sys:1 The system cannot find the file specified. !? win32k.sys:2 The system cannot find the file specified. !---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device \FileSystem\fastfat \Fat 96320A7AAttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)---- Processes - GMER 1.0.15 ----Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [520] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [596] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [820] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [920] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [944] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [992] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1100] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1188] 0x35670000 Library \\?\globalroot\Device\__max++>\1F2CE1E9.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1288] 0x35670000 ---- Services - GMER 1.0.15 ----Service system32\drivers\kbiwkmsmbnxuwk.sys (*** hidden *** ) [sYSTEM] kbiwkmwoeesrnc <-- ROOTKIT !!!Service system32\drivers\TDSSmbcb.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!Service system32\drivers\UACcduivyotqb.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ed953d0 Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc@imagepath \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main@aid 10002Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main@sid 1Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main@cmddelay 14400Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main\delete Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main\injector@* kbiwkmwsp.dllReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\main\tasks Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmrmxibbfm.dllReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvudegvsx.datReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmsrwcrxiv.dllReg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmwoeesrnc\modules@kbiwkm.dat \systemroot\system32\kbiwkmtecgflbp.datReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmbcb.sysReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrfpe.dllReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSnthv.dllReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSScyfn.logReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSqycx.dllReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSqotf.logReg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSsblq.logReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcduivyotqb.sysReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00197ed953d0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc@start 1Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc@type 1Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc@group file systemReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc@imagepath \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main@aid 10002Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main@sid 1Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main@cmddelay 14400Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main\delete (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main\injector (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main\injector@* kbiwkmwsp.dllReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\main\tasks (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmrmxibbfm.dllReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvudegvsx.datReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmsrwcrxiv.dllReg HKLM\SYSTEM\ControlSet003\Services\kbiwkmwoeesrnc\modules@kbiwkm.dat \systemroot\system32\kbiwkmtecgflbp.datReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmbcb.sysReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file systemReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrfpe.dllReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSnthv.dllReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSScyfn.logReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSqycx.dllReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSqotf.logReg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSsblq.logReg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcduivyotqb.sysReg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file systemReg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ed953d0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc@start 1Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc@type 1Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc@group file systemReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc@imagepath \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main@aid 10002Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main@sid 1Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main@cmddelay 14400Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main\delete (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main\injector (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main\injector@* kbiwkmwsp.dllReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\main\tasks (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsmbnxuwk.sysReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmrmxibbfm.dllReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvudegvsx.datReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmsrwcrxiv.dllReg HKLM\SYSTEM\ControlSet004\Services\kbiwkmwoeesrnc\modules@kbiwkm.dat \systemroot\system32\kbiwkmtecgflbp.datReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@start 1Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@type 1Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmbcb.sysReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@group file systemReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSserv Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSl Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssservers Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssmain Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrfpe.dllReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSnthv.dllReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssinit Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSScyfn.logReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSqycx.dllReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSqotf.logReg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSsblq.logReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcduivyotqb.sysReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file systemReg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs c:\windows\system32\rirupage.dll,avgrsstx.dllReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@IconServiceLib IconCodecService.dllReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DdeSendTimeout 0Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ShutdownWarningDialogTimeout -1Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERPostMessageLimit 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ mnmsrvcReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yesReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Link to post Share on other sites More sharing options...
Staff screen317 Posted August 29, 2009 Staff ID:116500 Share Posted August 29, 2009 Hi,Run GMER again.Right click these entries:Service system32\drivers\kbiwkmsmbnxuwk.sys (*** hidden *** ) [sYSTEM] kbiwkmwoeesrnc <-- ROOTKIT !!!Service system32\drivers\TDSSmbcb.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!Service system32\drivers\UACcduivyotqb.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!Click Disable Service. Answer yes to any prompts. Click Delete Service and answer yes to any prompts. Click Kill File and press yes to any prompts.Next, delete your copy of ComboFix, download it, save it to your Desktop, then try running it.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted September 6, 2009 Staff ID:121487 Share Posted September 6, 2009 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts