Can't Get rid of rootkit.tdss


BLUV

I've been up all morning trying to get rid of the MBAM bug, then the Vundo trojan. I think I got it further along, but I really need help making sure and getting rid of this Rootkit.TDSS thing in the Malwarebytes scan. It says it got rid of it, but it keeps coming back. I am pasting logs below. Please advise.

Malwarebytes' Anti-Malware 1.44

Database version: 3528

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

1/9/2010 12:20:56 PM

mbam-log-2010-01-09 (12-20-56).txt

Scan type: Quick Scan

Objects scanned: 125655

Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 12:22:28 PM, on 1/9/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18349)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\PC Hardware Manager\PCHardwareManager.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\system32\schtasks.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\rundll32.exe

C:\Windows\Explorer.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\hp\kbd\kbd.exe

C:\Windows\system32\mmc.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo!


Hello BLUV

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:


    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    ahcix86.sys

    KR10N.sys

    nvstor32.sys

    ahcix86s.sys

    nvrd32.sys

    /md5stop

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is, since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:


    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)


  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your Desktop.
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main, then under the Downloads section click on "Always ask me where to save files" so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


GMER keeps giving me access denied errors.

OTL Extras logfile created on: 1/9/2010 1:43:20 PM - Run 1

OTL by OldTimer - Version 3.1.22.0 Folder = C:\Users\Barron\Desktop\fix

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free

7.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 456.67 Gb Total Space | 143.02 Gb Free Space | 31.32% Space Free | Partition Type: NTFS

Drive D: | 9.09 Gb Total Space | 1.24 Gb Free Space | 13.66% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive Z: | 1397.26 Gb Total Space | 898.99 Gb Free Space | 64.34% Space Free | Partition Type: NTFS

Computer Name: BARRONHP

Current User Name: Barron

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

"UacDisableNotify" = 1

"InternetSettingsDisableNotify" = 1

"AutoUpdateDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"UpdatesDisableNotify" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 1

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0EA4CDF1-37A5-492C-B850-F9EB809350DD}" = lport=2869 | protocol=6 | dir=in | app=system |

"{126EEFCB-01AC-47A1-A67C-8DE427D8E3ED}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{1E69CE0E-4BAC-42FB-A346-A6A0F4B4C8B7}" = lport=2869 | protocol=6 | dir=in | app=system |

"{27783CAE-D4A9-4DE4-8695-9774033977C4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{33B5AB8B-3469-44B0-920C-EBF83B91E9EF}" = lport=50901 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{39903167-E774-4A7F-93D4-C91EE5FB3A24}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{4F2E06BD-E532-40E4-81EA-CF22F2D88EDE}" = lport=10243 | protocol=6 | dir=in | app=system |

"{64366C29-1199-4A01-A607-047D1480B467}" = rport=10243 | protocol=6 | dir=out | app=system |

"{7C93EB40-DE4D-4C3E-B675-AD4ECC42AA7D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{81CE40DF-6DDF-4D16-83C8-7DC199CB3CC3}" = lport=50900 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{9739FC7E-6F81-4651-83DC-DE3B5793C4C2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{A4FBBE23-9D03-4F57-A706-1E3B11472A0F}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{CFC7F37B-6533-4B06-88BE-A3D5C43F1268}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{EDAE8803-DFA8-4C18-9A55-040D81669D67}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{FAEFD631-E3CD-49F1-B27F-F54DE0D6D943}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0328E534-8BA5-4925-B3BB-823BDCCBFCB5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{182AC870-6A21-48FD-9064-F6A4E098C6AE}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"{244C2AFE-BD45-4CC3-9C24-CEB8F3459490}" = protocol=17 | dir=in | app=c:\users\barron\appdata\roaming\mjusbsp\magicjack.exe |

"{347FA16F-1731-4E74-9427-5C62E2D9028C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{3C968EBA-57A2-4DEA-B9C7-188B114662B1}" = protocol=6 | dir=out | app=system |

"{47406078-2A86-450E-B9FD-9B3C695E9830}" = protocol=17 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |

"{4BD05824-F6B5-4E55-BB16-C5A25FCDDA97}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{4DBD05D7-454F-4FA1-80AD-8E94447D6808}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{54F7F4A9-5601-4250-AD84-EAC6B1F52336}" = protocol=6 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |

"{60C09EC3-AB74-4957-8683-124095238B03}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{631CD92A-A904-49C3-A55A-9718D16C8164}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |

"{67E3DEB7-FECD-4DE2-A524-FE0A6860EE90}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |

"{68C0063E-F9F6-4AA2-9AAB-39686004B316}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{698299EC-CB35-4B13-9622-63B30672FDAF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{6E45B5F5-F117-4873-B019-4B66776F589E}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |

"{73CB3D56-B66B-4EE4-9A62-67460745841D}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{74738D7D-D57E-4847-8123-A2E0514C4A9E}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |

"{75EB1E98-4535-41DF-BE83-46BA51A22861}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{7BE77069-C0DE-41A7-9DE0-933D770BB97C}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |

"{7C01DB91-90F2-481D-9ACD-A69ACBD4E48A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{7CDB7FE3-440D-4C57-B35A-032D3A8A27C2}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"{87C77762-82F5-470F-B961-DA4809914360}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{8B7C6D18-5753-45C1-A60F-B6747419B9DF}" = protocol=6 | dir=in | app=c:\users\barron\appdata\roaming\mjusbsp\magicjack.exe |

"{8CC9988F-06F2-40D1-9425-8ABA4D722341}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{8F12D447-28C0-4B7F-B632-6371E582F0C2}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |

"{969EC665-3CF8-48A3-935E-ADF6592B22DF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{A6A8FDF0-C341-45F3-8108-328AFBA0FA68}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |

"{AAC507E2-EB7B-4043-BC65-391F4CF98A4B}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{C6B382AD-E51D-4BDF-A507-FFB7A4900559}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{C8A83726-7E5F-419B-AEFD-CD52421E1088}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{C94A164F-B7A4-4A1E-AFF9-EA87B6CC5284}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |

"{CBA85DE6-CAF1-4811-92D2-C1F62C4F1935}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{D792AD59-3E32-44D3-8B6E-69473D169C92}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |

"{EA64FA37-03A7-4107-8E11-06226AB8B66F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{F1D56D85-BD7F-4CF4-A8BB-C7EFB2080D44}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{F9F4F967-048A-4BC3-AFBB-D08ACAD80E6D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"TCP Query User{8EAC525F-1479-4CCF-9212-ABCF35A1A1AD}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"UDP Query User{9803B26A-6ED5-49E6-A03F-A0178BC51B4E}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4

"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension

"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3

"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3

"{029B5901-1F27-4347-9923-E8ACC8F54E15}" = Snapfish Picture Mover

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = Bluetooth by hp 6.1.0.1203

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis

"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting

"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5

"{0A47BAFF-D4FF-4BD3-96CA-02A22EA62722}" = HP Active Support Library

"{0B99217C-2302-49C2-9429-EC26B66B1B7C}" = HP Photosmart Touch

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{0DDA7620-4F8B-43B3-8828-CA5EE292FA3B}" = HP Total Care Advisor

"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive

"{14779493-131D-4BAA-B87F-2999B347F6A9}" = NavisWorks Manage 2009

"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin

"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets

"{196AD67D-9180-4A8C-BE53-E7C68D80AE33}" = NavisWorks Freedom 2009

"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 17

"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3

"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine

"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2

"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN

"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module

"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend

"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup

"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4

"{450063AA-643B-417C-8CF5-405BA3F4EF40}" = Autodesk Design Review 2009

"{4A11206C-4377-49E8-911E-B11548658FF3}" = Revit Architecture 2008

"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav

"{4FC19392-E4A5-4CCB-B45A-AB7E8126D3C9}" = Microsoft Easy Assist

"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger

"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings

"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3

"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)

"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In

"{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English

"{596717E1-5508-4932-BDFA-8B33CC49295B}" = Windows Mobile 6.1 Professional Emulator Images - USA

"{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}" = Windows Server 2003 Administration Tools Pack

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All

"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3

"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files

"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash

"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3

"{716B7BE7-6270-4D64-AB52-1870ED1A47B3}" = HP SmartCenter

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)

"{775B9052-3517-47FA-817D-1BB28363D43A}" = muvee autoProducer 6.0

"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar

"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3

"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3

"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3

"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3

"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA

"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture

"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw

"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP

"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content

"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters

"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav

"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN

"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries

"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01

"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles

"{86170243-41F2-4B2E-9BD6-2F404B2C8E46}" = TWC Customer Controls

"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection

"{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}" = Adobe Flash Player 9 Plugin

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007

"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3

"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3

"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9

"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant

"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings

"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes

"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7

"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3

"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM

"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback

"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps

"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific

"{A3A37DA6-70C0-497C-BCB1-148E9EC1D32E}" = Revit Architecture 2009 (AutoCAD Suite)

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)

"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer

"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements

"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings

"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Fran


Yes, I tried loading that way as well... still access errors.

Malwarebytes' Anti-Malware 1.44

Database version: 3531

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

1/9/2010 4:16:43 PM

mbam-log-2010-01-09 (16-16-43).txt

Scan type: Quick Scan

Objects scanned: 126049

Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

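The two MBAM logs above show the same HKLM\SOFTWARE\H8SRT key "quarantined and deleted" in scan after scan, and a DLL loaded from the \\?\globalroot\ device namespace that is only flagged on the second pass. The script below is an added example (not from the thread or from Malwarebytes) that parses this MBAM 1.44 log layout, diffs two scans for recurring detections, and flags globalroot paths and "Delete on reboot" actions, the three signs a defender reads as "the component that recreates these is still alive". The two log excerpts are constructed from the entries posted in this thread so the script runs offline.

```python
"""Compare two Malwarebytes' Anti-Malware 1.44 scan logs for detections that recur.

Added example, not part of the forum thread or Malwarebytes' own code. Parsing
rules follow the MBAM 1.44 log layout posted in the thread; the sample logs
below are constructed from its entries.
"""
import re
from dataclasses import dataclass

# Per-section headers of an MBAM 1.44 log, in the order they appear.
SECTIONS = (
    "Memory Processes Infected:",
    "Memory Modules Infected:",
    "Registry Keys Infected:",
    "Registry Values Infected:",
    "Registry Data Items Infected:",
    "Folders Infected:",
    "Files Infected:",
)

# Detection lines look like: "<item> (<Family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Device-namespace prefix that TDSS-family rootkits use to load modules that
# ordinary path lookups do not see; literally \\?\globalroot\
GLOBALROOT = "\\\\?\\globalroot\\"


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line from the per-section listing of an MBAM log.

    Summary lines such as "Registry Keys Infected: 1" precede the first section
    header and never match SECTIONS exactly, so they are skipped.
    """
    found: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line.rstrip(":")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["family"], m["action"]))
    return found


def recurring(first: list[Detection], second: list[Detection]) -> list[Detection]:
    """Items found in both scans under the same section: removal did not stick."""
    a = {(d.section, d.item): d for d in first}
    b = {(d.section, d.item): d for d in second}
    return [b[k] for k in sorted(a.keys() & b.keys())]


def hidden_path_indicators(dets: list[Detection]) -> list[Detection]:
    """Detections whose path is under the \\?\globalroot\ namespace."""
    return [d for d in dets if d.item.lower().startswith(GLOBALROOT.lower())]


def pending_reboot(dets: list[Detection]) -> list[Detection]:
    """Detections MBAM could not remove while the module was still loaded."""
    return [d for d in dets if d.action.lower().startswith("delete on reboot")]


def summarize(log_a: str, log_b: str) -> dict:
    """Diff two logs and return the indicators a responder wants to see."""
    a, b = parse_mbam_log(log_a), parse_mbam_log(log_b)
    return {
        "first": len(a),
        "second": len(b),
        "recurring": [f"{d.section}: {d.item}" for d in recurring(a, b)],
        "hidden_paths": sorted({d.item for d in hidden_path_indicators(b)}),
        "pending_reboot": [d.item for d in pending_reboot(b)],
    }


# Constructed excerpts of the two scans posted in the thread (12:20 and 16:16).
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3528
Registry Keys Infected: 1
Files Infected: 0

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SCAN_2 = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3531
Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 1

Memory Modules Infected:
\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, value in summarize(SCAN_1, SCAN_2).items():
        print(f"{key}: {value}")
```

A recurring registry key plus a globalroot-loaded module that can only be deleted on reboot is why the helper moves on to rootkit scanners (GMER, RootRepeal) instead of re-running the on-demand scan.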

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


I tried that earlier and I keep getting:

ComboFix has stopped working

I can't get it to load for some reason. I also tried Run as administrator.

Also, when I rename the file and load it, it says "some files can not be created. Please close all applications..." etc.


Are we going to continue? Please advise....

Did you not think I was going to get back to you?

I do other things besides help with malware removal.

I will post to you when I can please be patient.

Download RootRepeal from one of the following locations:

Unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan should not take very long. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Please copy and paste the report into your Post.


Sir... I haven't a clue what you do or who you are. I asked a question and I appreciate that you understand my position. I will be more than happy to pay you for your time. But don't assume that I know what your schedule is. It's the first time I have posted on this site. My only goal is to fix the issue with you, if you're willing, or with another source.

With that said, I have been running this scan for more than 4 hours. It's still going, but I wasn't sure if this is supposed to run this long. Please advise.


3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
