TDSSServ.sys strikes again

So recently I got the tdssserv.sys trojan :D which kept redirecting my Google search results to random advertising pages. It also did the other things mentioned with it: not being able to update certain AVs and not being able to install certain AVs, as well as tremendously slowing down my internet. I looked around on the net and found that it was best (at least at the time I thought it was) to disable (not uninstall) tdssserv.sys by going through the Device Manager, then restarting and running a virus scan. This seemed to work, as now my Google search results were normal and I could update my AVs and install Malwarebytes. I scanned my computer with Malwarebytes and then SUPERAntiSpyware. Malwarebytes found tdssserv.sys and removed it, as well as some cookies and other moderate/low-risk items. However, I am still getting problems with CounterSpy (another virus scanner I use), as it will not update and it still doesn't think I am connected to the internet, and my internet speed still does not seem to be at 100%. I checked my registry with regedit and saw there were traces of tdssserv.sys still there :huh:. So after spending too much time trying to search for the answers myself, I decided it was time to come here and ask for help. Here are the Malwarebytes and HijackThis logs; Panda ActiveScan is still scanning, I will post it when it's done:

Malwarebytes' Anti-Malware 1.30

Database version: 1412

Windows 5.1.2600 Service Pack 3

11/19/2008 2:04:43 PM

mbam-log-2008-11-19 (14-04-43).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178396

Time elapsed: 1 hour(s), 36 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 14

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{875a1348-7674-42aa-adac-b4f36a004a2d} (Adware.AdBand) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.zix (Rogue.WinZix2) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\WinZix (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\kjbfionl.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Desktop\Stuff\Touch\Install these\Games\68_377183_ad723_pxdxa.ESoft.Interactive.Spot.v1.0.1.ARM.PPC2002.Cracked_COREPDA\ESoft.Interactive.Spot.v1.0.1.ARM.PPC2002.Cracked-COREPDA\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Desktop\Stuff\Touch\Install these\Tools\Titan.14.Languages.Speereo.Voice.Translator.v4.0.Multilingual.XScale.WM2003.Incl.Keygen.Patch-COREPDA\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Application Data\mouseapp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1040.0.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Local Settings\Temp\TDSS4c77.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xkwizito\Local Settings\Temp\TDSS4c87.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:43:59 PM, on 11/19/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\~AceTemp\RootkitRevealer\RootkitRevealer.exe

C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\ZNEOO.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\WINDOWS\regedit.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {9D81D933-4870-4A31-AC05-015143379349} - (no file)

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: awttusq - awttusq.dll (file missing)

O20 - Winlogon Notify: kjbfionl - kjbfionl.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: ZNEOO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\ZNEOO.exe

--

End of file - 8311 bytes

I also ran RootkitRevealer and here is the log if it helps.

HKU\.DEFAULT\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKU\.DEFAULT\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Microsoft Management Console\Recent File List\File1 11/19/2008 2:52 PM 64 bytes Windows API length not consistent with raw hive data.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Microsoft Management Console\Recent File List\File2 11/19/2008 2:52 PM 66 bytes Windows API length not consistent with raw hive data.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey 11/19/2008 10:40 PM 182 bytes Windows API length not consistent with raw hive data.

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 7/3/2008 1:01 PM 0 bytes Key name contains embedded nulls (*)

HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Valve\Steam\Steam.exe\UpTimeMostRecent 11/19/2008 11:08 PM 4 bytes Data mismatch between Windows API and raw hive data.

HKU\S-1-5-18\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKU\S-1-5-18\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\webcal\URL Protocol 10/12/2005 1:29 AM 13 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/19/2008 11:12 PM 80 bytes Data mismatch between Windows API and raw hive data.

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ovnfhmij.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data.

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\nnrfmpqw.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data.

HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/18/2007 1:47 PM 0 bytes Access is denied.

HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ovnfhmij.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data.

HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\nnrfmpqw.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\3B66747Dd01 11/19/2008 10:51 PM 18.77 KB Visible in Windows API, directory index, but not in MFT.

C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\86024F33d01 11/19/2008 4:55 PM 114.21 KB Visible in Windows API, MFT, but not in directory index.

C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\A8D6BE47d01 11/19/2008 4:55 PM 46.74 KB Visible in Windows API, MFT, but not in directory index.

C:\Documents and Settings\Xkwizito\Local Settings\Temp\~F.tmp 11/19/2008 10:21 PM 238.00 KB Visible in Windows API, but not in MFT or directory index.

Oops, forgot to post that log as well... here it is :huh:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-11-20 00:18:04

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF7B6C4D0] <-- ROOTKIT !!!

SSDT sptd.sys ZwEnumerateKey [0xF7485D48] <-- ROOTKIT !!!

SSDT sptd.sys ZwEnumerateValueKey [0xF74860C0] <-- ROOTKIT !!!

SSDT sptd.sys ZwOpenKey [0xF7485AE2] <-- ROOTKIT !!!

SSDT sptd.sys ZwQueryKey [0xF748618A] <-- ROOTKIT !!!

SSDT sptd.sys ZwQueryValueKey [0xF7486022] <-- ROOTKIT !!!

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF7B6C520] <-- ROOTKIT !!!

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 871D10E8

Device \FileSystem\Fastfat \FatCdrom 862280E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 87184C78

Device \Driver\Ftdisk \Device\HarddiskVolume2 87184C78

Device \Driver\NetBT \Device\NetBT_Tcpip_{58A183F2-9112-4055-BBA1-A699A0538C31} 86617220

Device \Driver\Cdrom \Device\CdRom0 865552C8

Device \FileSystem\Rdbss \Device\FsWrap 8635B268

Device \Driver\Cdrom \Device\CdRom1 865552C8

Device \Driver\iastor \Device\Ide\iaStor0 87184808

Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 87184808

Device \Driver\Ftdisk \Device\HarddiskVolume3 87184C78

Device \Driver\Ftdisk \Device\HarddiskVolume4 87184C78

Device \Driver\USBSTOR \Device\00000075 867650E8

Device \Driver\USBSTOR \Device\00000076 867650E8

Device \Driver\NetBT \Device\NetBt_Wins_Export 86617220

Device \Driver\NetBT \Device\NetbiosSmb 86617220

Device \Driver\00000121 \Device\0000005a sptd.sys

Device \Driver\Disk \Device\Harddisk0\DR0 87184550

Device \Driver\Disk \Device\Harddisk1\DR4 87184550

Device \Driver\NetBT \Device\NetBT_Tcpip_{39D7CCCB-FA98-4DB5-823C-926CFECA1967} 86617220

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86638668

Device \FileSystem\MRxSmb \Device\LanmanRedirector 86638668

Device \FileSystem\Npfs \Device\NamedPipe 863DE0E8

Device \Driver\Ftdisk \Device\FtControl 87184C78

Device \FileSystem\Msfs \Device\Mailslot 863E20E8

Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 866AE4F0

Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 866AE4F0

Device \FileSystem\Fastfat \Fat 862280E8

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs 8658C0E8

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSmqlt.sys (*** hidden *** ) [sYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 902560114

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1272264972

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -2140367873

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x32 0x05 0x93 0x0F ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x6E 0x1E 0x53 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x15 0x74 0xF9 0x51 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDD 0x5C 0x0F 0xE5 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdu.log

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x32 0x05 0x93 0x0F ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x6E 0x1E 0x53 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x15 0x74 0xF9 0x51 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDD 0x5C 0x0F 0xE5 ...

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdu.log

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x32 0x05 0x93 0x0F ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x6E 0x1E 0x53 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x15 0x74 0xF9 0x51 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDD 0x5C 0x0F 0xE5 ...

---- EOF - GMER 1.0.14 ----


And here is my Panda ActiveScan:

ANALYSIS: 2008-11-20 02:35:09

PROTECTIONS: 1

MALWARE: 17

SUSPECTS: 0

;********************************************************************************

PROTECTIONS

Description Version Active Updated

;================================================================================

Windows Defender 1.1.3007.0 No No

;================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;================================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.trafficmp.com/]

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.trafficmp.com/]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.casalemedia.com/]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.casalemedia.com/]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.casalemedia.com/]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.casalemedia.com/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.atdmt.com/]

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.fastclick.net/]

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.tribalfusion.com/]

00168108 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@web.tickle[2].txt

00168108 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@web.tickle[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Application Data\Flock\Browser\Profiles\sw4omyju.default\cookies.txt[.advertising.com/]

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@uol.com[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@searchportal.information[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@target[1].txt

00255579 Adware/IST.ISTBar Adware No 1 Yes No C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041

01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe

02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\Xkwizito\Cookies\xkwizito@www.safenavweb[1].txt

02996446 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\mljgf.dll.vir

03793785 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Xkwizito\Desktop\Stuff\Touch\Install these\Media Plugins\RescoRadio1.71.zip[Resco.Pocket.Radio.Keygen.exe]

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0215886.sys

03898968 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1352\A0205795.exe

;================================================================================

SUSPECTS

Sent Location t

;================================================================================

;================================================================================

VULNERABILITIES

Id Severity Description t

;================================================================================

;================================================================================
