
TDSS Rootkit and Antivirus 2010....


tjames


One of my users sent in a laptop where "Microsoft" originally displayed some text saying that the system was infected and that it needed to fix. Of course they clicked Fix. The only other things they were able to tell me was that TDSS.d1 and dwm.exe were referenced (I suspect from McAfee Total Protection Service which was running on the system). They state that they cut the laptop off and then it would not boot.

They overnighted the laptop and it would not boot. No error message either. It would POST, and then nothing but a black screen. Did some research on "TDSS" and "no booting" and found that this was most likely the TDSS Rootkit. Found a website that said the rootkit had modified the MBR. They said to run the Recovery Console, then run "fixmbr.exe" and reinstall the OS to get it to boot. I ran RC and fixmbr.exe and when I rebooted the system came up. Logged in as the local administrator and within a few minutes had Antivirus 2010 in my face and taking control. Was able to get our company's licensed version of MBAM on and manually updated. It took a few scans to get everything, but it seems like Antivirus2010 is gone. At that time I tested I.E. It was blown away and would not even load, so I reinstalled and now find that the browser is hijacked.

I am now following your submission instructions step-by-step.

Here is the DDS Log :

DDS (Ver_10-11-03.01) - NTFSx86

Run by Administrator at 15:16:11.71 on Thu 11/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2426 [GMT -4:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r213367\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\OA001Mon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\System32\mshta.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.amfbakery.com/

uSearch Page = hxxp://www.live.com

uInternet Settings,ProxyServer = http=127.0.0.1:50370

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100810081621.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [OA001Mon] c:\windows\OA001Mon.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [secureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [uSCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON

mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"

mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 wvauth

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-11-3 3968]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-21 214664]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]

R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-9-21 14144]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-19 304464]

R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-9-21 144704]

R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-9-21 282824]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-31 112512]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-7-31 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-7-31 244368]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-19 20952]

R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-9-21 79816]

R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-9-21 35272]

R3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-9-21 34248]

R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2009-7-31 148056]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-7-31 133632]

R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-7-31 280096]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-7-30 232744]

S0 cerc6;cerc6; [x]

S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2009-10-2 86656]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]

S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2009-10-2 28928]

S3 DpqUSBV2;DpqUSBV2;c:\windows\system32\drivers\DpqUSBV2.sys [2010-1-7 16768]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-23 280344]

=============== Created Last 30 ================

2010-11-04 15:26:21 -------- d-----w- c:\docume~1\admini~1\applic~1\Research In Motion

2010-11-04 14:06:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-11-04 14:06:53 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-03 20:35:28 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-11-03 20:34:56 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-11-03 20:34:55 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-11-03 20:34:54 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-11-03 20:34:53 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-11-03 20:34:40 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-11-03 20:34:23 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll

2010-11-03 20:34:22 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll

2010-11-03 20:33:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-03 20:33:03 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-03 20:33:03 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-03 20:33:02 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-03 20:33:02 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-03 20:32:54 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-03 20:32:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-03 20:21:52 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache

2010-11-03 20:21:02 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2010-11-03 20:11:58 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2010-11-03 16:18:41 -------- d-----w- c:\docume~1\admini~1\applic~1\Windows Search

2010-11-03 15:46:16 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys

2010-11-03 15:32:27 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-11-03 15:30:20 0 ----a-w- c:\windows\system32\drivers\vbma9589.sys

2010-11-03 15:27:30 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe

2010-11-03 15:27:00 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\SupportSoft

2010-11-03 14:47:59 9728 -c--a-w- c:\windows\system32\dllcache\rwnh.dll

2010-11-03 14:46:56 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll

2010-11-03 14:29:26 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-11-03 14:29:26 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-11-03 14:29:26 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-11-03 14:29:26 13312 ----a-w- c:\windows\system32\irclass.dll

2010-11-03 14:29:12 16535 ----a-r- c:\windows\SET107.tmp

2010-11-03 14:29:09 1088840 ----a-r- c:\windows\SETFB.tmp

2010-11-03 14:29:07 1296669 ----a-r- c:\windows\SETF8.tmp

2010-11-03 10:17:16 -------- d-----w- c:\windows\Dell

2010-11-02 03:41:14 48128 ---ha-w- c:\windows\system32\bootns64.dll

2010-11-01 21:55:09 103424 --sha-r- c:\windows\system32\qedwipesp.dll

2010-10-26 14:14:10 69632 ----a-w- c:\windows\system32\TIFmtA.dll

2010-10-26 14:14:10 61440 ----a-w- c:\windows\system32\TrackID.DLL

2010-10-26 14:14:10 49152 ----a-w- c:\windows\system32\TIBase64.dll

2010-10-26 14:14:10 221184 ----a-w- c:\windows\system32\RICJC32.DLL

2010-10-26 14:14:09 57344 ----a-w- c:\windows\system32\ricdb32.DLL

2010-10-26 14:14:07 53248 ----a-w- c:\windows\system32\mfricres.DLL

2010-10-26 14:14:07 32768 ----a-w- c:\windows\system32\rc4mon.DLL

2010-10-26 14:14:07 159744 ----a-w- c:\windows\system32\JCUI.EXE

2010-10-26 14:14:07 147456 ----a-w- c:\windows\system32\rc4manNT.DLL

2010-10-26 14:14:07 1294336 ----a-w- c:\windows\system32\MP335dat.DLL

2010-10-11 20:26:49 165141 ----a-w- c:\windows\ComfortAir Uninstaller.exe

2010-10-11 20:26:48 -------- d-----w- c:\program files\Baltik Engineering

2010-10-11 20:26:14 1626656 ----a-w- c:\program files\ComAir40Demo.exe

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

1999-10-07 15:43:50 581632 -c--a-w- c:\program files\convert.exe

============= FINISH: 15:33:41.53 ===============

All other log files are attached. Thank you for your assistance.

Attach.zip

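The DDS log above already contains the indicators a responder would scan for by eye: the browser proxy pointed at a port on 127.0.0.1, a hosts entry sinkholing a security site, hidden/system-attribute DLLs freshly dropped into system32, a zero-byte driver file, and orphaned "No File" add-on registrations. The Python script below is an added example, not DDS, Malwarebytes or the poster's own code: it runs that triage over a handful of lines copied from this log. The rule set, the severities and the reading of the DDS attribute column (third position = system, fourth = hidden, inferred from the log lines) are this example's assumptions.

```python
import re

# Sample lines copied from the DDS log posted in this thread. The rules and
# severities below are the example's own assumptions, not anything DDS emits.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.amfbakery.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [<NO NAME>]
Hosts: 127.0.0.1 www.spywareinfo.com
2010-11-03 15:30:20 0 ----a-w- c:\windows\system32\drivers\vbma9589.sys
2010-11-02 03:41:14 48128 ---ha-w- c:\windows\system32\bootns64.dll
2010-11-01 21:55:09 103424 --sha-r- c:\windows\system32\qedwipesp.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 14:06:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
"""

# "Created Last 30" / "Find3M" lines: timestamp, size (or dashes), 8-char
# attribute column, path. Attribute layout assumed from the log: d=directory,
# c=compressed, s=system, h=hidden, a=archive, r=read-only, w=writable.
FILE_LINE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# A proxy on loopback means every browser request passes through a local process.
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*\S*?(127\.0\.0\.1|localhost)", re.I)
UNNAMED_RUN = re.compile(r"^[um]Run: \[<NO NAME>\]")


def triage(text):
    """Return (severity, rule, line) tuples for log lines that merit a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOOPBACK_PROXY.search(line):
            findings.append(("high", "browser proxied through a local port", line))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("No File"):
            findings.append(("low", "orphaned browser add-on registration", line))
        elif UNNAMED_RUN.match(line):
            findings.append(("medium", "unnamed autorun entry", line))
        elif line.startswith("Hosts:"):
            parts = line.split()
            # Hosts: <ip> <name>; a non-localhost name pinned to loopback blocks that site
            if len(parts) >= 3 and parts[1] == "127.0.0.1" and parts[2].lower() != "localhost":
                findings.append(("medium", "hosts file sinkholes a domain", line))
        else:
            m = FILE_LINE.match(line)
            if not m:
                continue
            attrs, size = m.group("attrs"), m.group("size")
            path = m.group("path").lower()
            if attrs[0] == "d":
                continue  # directories are not interesting for these rules
            in_system32 = "\\windows\\system32\\" in path
            hidden_or_system = attrs[2] == "s" or attrs[3] == "h"
            if in_system32 and hidden_or_system:
                findings.append(("high", "hidden/system-attribute file in system32", line))
            elif in_system32 and "\\drivers\\" in path and size == "0":
                findings.append(("medium", "zero-byte driver file", line))
    return findings


def by_severity(findings):
    """Group findings so the high-severity items are read first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, rule, line in by_severity(triage(SAMPLE_LOG)):
        print(f"[{severity:6}] {rule}: {line}")
```

Feed it a full DDS log with `triage(open("dds.txt").read())`; anything it does not recognise passes through silently, so it complements rather than replaces reading the log. Against the sample above it flags eight lines, three of them high: the loopback proxy and the two hidden/system DLLs created in system32 on 1 and 2 November, which line up with the infection dates the poster describes.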

:D

Are you charging this customer or is it an employee unit?

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Please read carefully and follow these steps.

  • Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.


This was an employee of our company.

I apologize for posting the scan result, however I was just trying to help by following the instructions posted here :

http://forums.malwarebytes.org/index.php?showtopic=9573

At this time, no more assistance is needed as management was not happy with the time it was taking, so I was forced to reload the system.

Thanks.


Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
