<_<Did get everything removed?

Malfeitor · November 13, 2008

On 11-11-08 I was reading a PDF file I downloaded about Taxes and my SuperAntiSpyware poped up with a red message and my pc immediatly shut down. When it restarted SuperAntiSpyware wouldn't load at all to scan or even see what it said before the pc restarted. Internet Explorer wouldnt let me go to certain sites and the pages it did let me go to looked off somehow. Then my Symantec Antivirus CE poped up telling me I had a Hacktool.rootkit infection. I did a scan and it removed it. I went to a clean pc to find out what was happening and downloaded, Malewarebytes, SDFix, RootkitRevealer, and HiJackThis. RootkitRevealer showed I had some things to worry about. SDfix made it possible for me to even install Malewarebytes. After everything was removed and Malewarebytes, SuperAntiSpyware, and Symantec Antivirus CE said everything was clean. RootkitRevealer still has a couple of things show up. Is everything removed or are there still traces of something in here? My latest HijackThis, Malewarebytes, and RootkitRevealer are as follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:09:14 AM, on 11/13/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lewrockwell.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Warped Soul

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Converter 4\cnvres_eng.dll /100

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/T...nx.1.0.0.87.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.97.43.214/activex/AMC.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7A678017-54AE-46DD-8F8C-28B467753298}: NameServer = 204.127.203.135,216.148.225.135

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: QRCNOD - Unknown owner - C:\DOCUME~1\Edward\LOCALS~1\Temp\QRCNOD.exe (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YLX - Unknown owner - C:\DOCUME~1\Edward\LOCALS~1\Temp\YLX.exe (file missing)

--

End of file - 6473 bytes

Malwarebytes' Anti-Malware 1.30

Database version: 1395

Windows 5.1.2600 Service Pack 2

11/13/2008 10:01:30 AM

mbam-log-2008-11-13 (10-01-30).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95385

Time elapsed: 45 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

RootKitReveal Text.

HKU\S-1-5-21-2000478354-1275210071-725345543-1003\Software\WinRAR\General\Toolbar\Layout\Band0 11/13/2008 11:02 AM 56 bytes Data mismatch between Windows API and raw hive data.

HKU\S-1-5-21-2000478354-1275210071-725345543-1003\Software\WinRAR\General\Toolbar\Layout\Band1 11/13/2008 11:02 AM 56 bytes Data mismatch between Windows API and raw hive data.

HKU\S-1-5-21-2000478354-1275210071-725345543-1003\Software\WinRAR\General\Toolbar\Layout\Band2 11/13/2008 11:02 AM 56 bytes Data mismatch between Windows API and raw hive data.

HKLM\SECURITY\Policy\Secrets\SAC* 4/6/2006 1:50 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 4/6/2006 1:50 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 11/10/2008 7:25 AM 0 bytes Hidden from Windows API.

JeanInMontana · November 13, 2008

Hi and welcome to Malwarebytes. Please get the following tool and post the resutlts from the scan with it to be sure your clean. With a rootkit you can never be sure your clean, and you must immediately contact any banks, credit cards, etc, change all passwords to those institutions and to any websites you belong to. A reformat is the only sure way to be clean.

OK let's go for another special scan tool.

Download GMER get the zip file and save to your desktop.

Just run gmer.exe. All required files ( gmer.dll and gmer.sys ) will by copied to the system during the first lanuch. .

Do not click scan.Use the copy button to copy to your clipboard. Post the log in your next reply.

Malfeitor · November 14, 2008

Hi and welcome to Malwarebytes. Please get the following tool and post the resutlts from the scan with it to be sure your clean. With a rootkit you can never be sure your clean, and you must immediately contact any banks, credit cards, etc, change all passwords to those institutions and to any websites you belong to. A reformat is the only sure way to be clean.
OK let's go for another special scan tool.
Download GMER get the zip file and save to your desktop.
Just run gmer.exe. All required files ( gmer.dll and gmer.sys ) will by copied to the system during the first lanuch. .
Do not click scan.Use the copy button to copy to your clipboard. Post the log in your next reply.

Here is the Gmer results.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-11-13 20:34:03

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75B22A8]

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF75BD910]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89A77400

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat 88B38950

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Modules - GMER 1.0.14 ----

Module _________ F7474000-F748C000 (98304 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSpqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

JeanInMontana · November 15, 2008

OK your infected with a rootkit. You may never be totally cleaned without a reformat. I need to tell you this so you can choose to go forward or to reformat. Either way you must change all passwords, notify all banks, credit cards and any other sensitive areas of information that may be on your machine or that you have accessed.

If you decide to go forward please follow these instructions:

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Please get this file below:

Author: Option^Explicit Download Location

License: Freeware [urlhttp://download.bleepingcomputer.com/spyware/KillBox.exe] KillBox Download Link

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path or copy and paste the path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

system32\drivers\TDSSpqlt.sys Paste that file path into Killbox. Reboot

Update MBAM run a quick scan post the log and a new HJT log. Please post MBAM log before HJT.

Malfeitor · November 15, 2008

Ok I did that and here are the Malwarebytes and HiJackThis logs.

Malwarebytes' Anti-Malware 1.30

Database version: 1399

Windows 5.1.2600 Service Pack 2

11/14/2008 8:27:43 PM

mbam-log-2008-11-14 (20-27-43).txt

Scan type: Full Scan (C:\|)

Objects scanned: 89654

Time elapsed: 18 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:28:35 PM, on 11/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\sol.exe

C:\WINDOWS\system32\NOTEPAD.EXE