Old 09-02-2009, 02:56 PM   #1
cadge (Registered User)
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)

Win32.TDSS.rtk/reg

Hey, after Spybot completed its scheduled scans I noticed that it found two types of infection, 'Win32.TDSS.rtk' and 'Win32.TDSS.reg', both of which were removed successfully.

However, later on that evening, I decided to have a look on Google for information regarding the two infections, just to make sure I was clean and Spybot hadn't missed anything.

After reading more about the rtk infection, I couldn't find any of the registry keys or files mentioned on my system. However, looking through the manual removal guide for the reg infection on Spybot's forums (http://forums.spybot.info/showthread.php?t=49714), I noticed that "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\" still existed in my registry. I'm not 100% sure whether the key itself needs to be deleted, or whether just the various values on the aforementioned list need to be removed.

Looking through the values that Spybot removed, they all reside in 'ControlSet001', and looking through 'ControlSet002-4' I can't find any traces of the keys and values mentioned in the guide.

I've not noticed any signs of infection at all, and wouldn't have considered my computer to have been infected, were it not for the results of the Spybot scan.

It's possible that the infections have both been completely removed, but I'm still a bit paranoid, so would like an expert opinion, please.

Thanks

DDS.txt:

DDS (Ver_09-07-30.01) - NTFSx86
Run by pcuser at 21:32:22.39 on 02/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.252 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Elantech\Ktp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\pcuser\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
uURLSearchHooks: mySyncCell Toolbar: {d46d0a6c-fab1-45a4-997e-030450e41de5} - c:\program files\mysynccell\tbmySy.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {ca4eedb3-5719-4e27-a478-8d13f761c28d} - No File
TB: mySyncCell Toolbar: {d46d0a6c-fab1-45a4-997e-030450e41de5} - c:\program files\mysynccell\tbmySy.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\pcuser\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KTPWare] c:\program files\elantech\Ktp.exe
mRun: [CHotkey] mHotkey.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [SnoopFreeUI] SnoopFreeUI.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\pcuser\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125845110031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

============= SERVICES / DRIVERS ===============

R0 SnoopFree;SnoopFree Driver;c:\windows\system32\drivers\SnopFree.sys [2009-5-18 9472]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-23 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-23 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-23 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-3 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-23 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-23 298776]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [2005-9-4 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2005-9-4 25984]
S3 EPWDIPUF;EPWDIPUF;c:\docume~1\pcuser\locals~1\temp\epwdipuf.exe --> c:\docume~1\pcuser\locals~1\temp\EPWDIPUF.exe [?]
S3 FW;FW;c:\docume~1\pcuser\locals~1\temp\fw.exe --> c:\docume~1\pcuser\locals~1\temp\FW.exe [?]
S3 GSEUJN;GSEUJN;c:\docume~1\pcuser\locals~1\temp\gseujn.exe --> c:\docume~1\pcuser\locals~1\temp\GSEUJN.exe [?]
S3 HGYKPA;HGYKPA;c:\docume~1\pcuser\locals~1\temp\hgykpa.exe --> c:\docume~1\pcuser\locals~1\temp\HGYKPA.exe [?]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-2-5 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-2-5 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-2-5 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-2-5 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-2-5 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-2-5 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-2-5 117672]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-08-28 02:43 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-08-28 02:29 <DIR> --d----- c:\program files\Sports Interactive
2009-08-28 02:29 <DIR> --d-h--- c:\program files\Zero G Registry
2009-08-28 02:28 <DIR> --d-h--- c:\documents and settings\pcuser\InstallAnywhere
2009-08-18 00:58 <DIR> --d----- c:\docume~1\pcuser\applic~1\StreamTorrent
2009-08-18 00:58 <DIR> --d----- c:\program files\StreamTorrent 1.0
2009-08-13 16:06 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 16:03 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-07 14:43 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-07 03:34 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 03:32 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 03:32 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 03:32 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 03:32 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 03:32 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 03:32 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 03:32 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 03:32 <DIR> --d----- C:\f796ddb38cc150898b0b6fb5c3447d6b
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-19 04:36 119,120 a------- c:\windows\dxsdkuninst.exe
2009-06-17 20:32 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-01-06 22:56 47,360 a------- c:\docume~1\pcuser\applic~1\pcouffin.sys
2007-11-05 08:54 3,564,584 a------- c:\program files\procexp.exe

============= FINISH: 21:33:54.79 ===============
Attached Files
File Type: txt ark.txt.txt (7.5 KB, 6 views)
File Type: txt Attach.txt.txt (13.2 KB, 1 views)

Old 09-03-2009, 03:02 AM   #2
sjb007 (Analyst, Security Team)
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

Re: Win32.TDSS.rtk/reg

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then the thread will be closed.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

==========================

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-03-2009, 01:17 PM   #3
cadge (Registered User)
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)

Re: Win32.TDSS.rtk/reg

Hi, thanks for the speedy response!

Below are the contents of the ComboFix log:

ComboFix 09-09-03.02 - pcuser 03/09/2009 19:42.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.499 [GMT 1:00]
Running from: c:\documents and settings\pcuser\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1c912b.msp
c:\windows\Installer\2ae0fb.msp
c:\windows\Installer\3d9cbde.msp
c:\windows\Installer\67cb2.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-28 01:43 . 2009-08-28 01:43 -------- d--h--r- c:\documents and settings\pcuser\Application Data\SecuROM
2009-08-28 01:43 . 2009-08-28 01:43 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 01:29 . 2009-08-28 01:51 -------- d-----w- c:\program files\Sports Interactive
2009-08-28 01:29 . 2009-08-28 01:43 -------- d--h--w- c:\program files\Zero G Registry
2009-08-28 01:28 . 2009-08-28 01:28 -------- d--h--w- c:\documents and settings\pcuser\InstallAnywhere
2009-08-17 23:58 . 2009-08-17 23:58 -------- d-----w- c:\documents and settings\pcuser\Application Data\StreamTorrent
2009-08-17 23:58 . 2009-08-17 23:58 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-08-13 15:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 14:39 . 2009-08-08 14:40 -------- d-----w- c:\documents and settings\pcuser\Application Data\Move Networks
2009-08-07 02:34 . 2009-08-07 02:34 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 02:34 . 2009-08-07 02:34 -------- d-----w- c:\program files\MSBuild
2009-08-07 02:33 . 2009-08-07 02:33 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 02:32 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 02:32 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 02:32 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 02:32 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 02:32 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 02:32 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 02:32 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 02:32 . 2009-08-07 02:33 -------- d-----w- C:\f796ddb38cc150898b0b6fb5c3447d6b
2009-08-07 02:23 . 2009-08-07 02:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 18:52 . 2009-02-26 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-03 18:32 . 2009-04-23 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-03 18:32 . 2009-04-23 23:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-03 18:26 . 2006-11-07 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-02 23:45 . 2006-11-07 21:07 -------- d-----w- c:\program files\SpywareGuard
2009-09-02 23:42 . 2009-05-18 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 23:42 . 2006-11-07 21:19 -------- d-----w- c:\program files\SpywareBlaster
2009-09-01 21:22 . 2009-05-18 15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 00:31 . 2008-11-23 21:07 -------- d-----w- c:\program files\Veetle
2009-08-28 02:05 . 2009-06-19 02:39 -------- d-----w- c:\documents and settings\pcuser\Application Data\Sports Interactive
2009-08-28 01:50 . 2005-09-04 13:11 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-21 21:16 . 2009-01-22 22:27 -------- d-----w- c:\documents and settings\pcuser\Application Data\dvdcss
2009-08-07 13:40 . 2006-09-19 11:05 48664 ----a-w- c:\documents and settings\pcuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:29 . 2006-10-31 17:55 -------- d-----w- c:\program files\Java
2009-08-03 12:36 . 2009-05-18 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-05-18 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 18:00 . 2006-11-07 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 00:16 . 2009-07-26 00:14 -------- d-----w- c:\program files\Mixxx
2009-07-25 04:23 . 2009-01-09 23:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 03:36 . 2009-06-19 03:36 119120 ----a-w- c:\windows\dxsdkuninst.exe
2009-06-17 19:32 . 2008-08-23 03:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-17 19:32 . 2008-08-23 03:20 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 19:32 . 2008-08-23 03:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 19:32 . 2008-08-23 03:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-11-04 05:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-11-05 07:54 . 2007-12-06 22:40 3564584 ----a-w- c:\program files\procexp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d46d0a6c-fab1-45a4-997e-030450e41de5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d46d0a6c-fab1-45a4-997e-030450e41de5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D46D0A6C-FAB1-45A4-997E-030450E41DE5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KTPWare"="c:\program files\Elantech\Ktp.exe" [2005-04-04 253952]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-17 1947928]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-01-06 98304]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-03-26 64048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-01-10 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2001-12-26 472576]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2009-05-18 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\pcuser\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-17 19:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/08/2008 04:20 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/08/2008 04:20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/08/2008 04:20 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/08/2008 04:20 298776]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 22:58 54960]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [04/09/2005 15:38 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [04/09/2005 15:40 25984]
S3 EPWDIPUF;EPWDIPUF;c:\docume~1\pcuser\LOCALS~1\Temp\EPWDIPUF.exe --> c:\docume~1\pcuser\LOCALS~1\Temp\EPWDIPUF.exe [?]
S3 FW;FW;c:\docume~1\pcuser\LOCALS~1\Temp\FW.exe --> c:\docume~1\pcuser\LOCALS~1\Temp\FW.exe [?]
S3 GSEUJN;GSEUJN;c:\docume~1\pcuser\LOCALS~1\Temp\GSEUJN.exe --> c:\docume~1\pcuser\LOCALS~1\Temp\GSEUJN.exe [?]
S3 HGYKPA;HGYKPA;c:\docume~1\pcuser\LOCALS~1\Temp\HGYKPA.exe --> c:\docume~1\pcuser\LOCALS~1\Temp\HGYKPA.exe [?]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [05/02/2009 00:22 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [05/02/2009 00:22 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [05/02/2009 00:22 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [05/02/2009 00:22 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [05/02/2009 00:22 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [05/02/2009 00:22 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [05/02/2009 00:22 117672]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006Core.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006UA.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]

2009-09-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-11-07 14:31]

2009-09-03 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-24 14:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{ca4eedb3-5719-4e27-a478-8d13f761c28d} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-03 19:56
ComboFix-quarantined-files.txt 2009-09-03 18:56
ComboFix2.txt 2009-05-21 17:48

Pre-Run: 19,277,795,328 bytes free
Post-Run: 19,248,848,896 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5
209 --- E O F --- 2009-09-02 23:42
Old 09-03-2009, 01:39 PM   #4 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Hi there

I notice this is not the first time combofix has been run.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post back with the resulting log
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-03-2009, 03:57 PM   #5 (permalink)
Registered User
 
cadge's Avatar
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

I've run Combo Fix previously to take care of an infection under supervision on here, after which my machine was declared clean.

Below is the result of your instruction:

2009-09-03 18:54:34 . 2009-09-03 18:54:34 130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{ca4eedb3-5719-4e27-a478-8d13f761c28d}.reg.dat
2009-09-03 18:50:42 . 2009-09-03 18:50:42 10,134 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-03 18:39:52 . 2009-09-03 18:39:53 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-05-01 14:49:44 . 2009-05-01 14:49:44 4,328,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3d9cbde.msp.vir
2008-07-08 09:09:30 . 2008-07-08 09:09:30 11,887,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\2ae0fb.msp.vir
2007-07-27 08:03:06 . 2007-07-27 08:03:06 119,977,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1c912b.msp.vir
2007-02-10 13:20:26 . 2007-02-10 13:20:26 6,646,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\67cb2.msi.vir
Old 09-04-2009, 01:05 AM   #6 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Thanks for the clarification on combofix cadge

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/410448-win32-tdss-rtk-reg.html#post2325456

Collect::
C:\windows\system32\drivers\UACbrprumoqoehhlnq.sys

Driver::
EPWDIPUF
FW
GSEUJN
HGYKPA



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-04-2009, 07:23 AM   #7 (permalink)
Registered User
 
cadge's Avatar
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

Did the above and Combo Fix gave me this log:

ComboFix 09-09-03.02 - pcuser 04/09/2009 13:56.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.442 [GMT 1:00]
Running from: c:\documents and settings\pcuser\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pcuser\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EPWDIPUF
-------\Legacy_FW
-------\Legacy_GSEUJN
-------\Legacy_HGYKPA
-------\Service_EPWDIPUF
-------\Service_FW
-------\Service_GSEUJN
-------\Service_HGYKPA


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-08-28 01:43 . 2009-08-28 01:43 -------- d--h--r- c:\documents and settings\pcuser\Application Data\SecuROM
2009-08-28 01:43 . 2009-08-28 01:43 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 01:29 . 2009-08-28 01:51 -------- d-----w- c:\program files\Sports Interactive
2009-08-28 01:29 . 2009-08-28 01:43 -------- d--h--w- c:\program files\Zero G Registry
2009-08-28 01:28 . 2009-08-28 01:28 -------- d--h--w- c:\documents and settings\pcuser\InstallAnywhere
2009-08-17 23:58 . 2009-08-17 23:58 -------- d-----w- c:\documents and settings\pcuser\Application Data\StreamTorrent
2009-08-17 23:58 . 2009-08-17 23:58 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-08-13 15:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 14:39 . 2009-08-08 14:40 -------- d-----w- c:\documents and settings\pcuser\Application Data\Move Networks
2009-08-07 02:34 . 2009-08-07 02:34 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 02:34 . 2009-08-07 02:34 -------- d-----w- c:\program files\MSBuild
2009-08-07 02:33 . 2009-08-07 02:33 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 02:32 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 02:32 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 02:32 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 02:32 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 02:32 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 02:32 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 02:32 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 02:32 . 2009-08-07 02:33 -------- d-----w- C:\f796ddb38cc150898b0b6fb5c3447d6b
2009-08-07 02:23 . 2009-08-07 02:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 13:11 . 2009-04-23 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-04 13:11 . 2009-04-23 23:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-04 07:54 . 2009-02-26 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-03 20:09 . 2006-11-07 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-02 23:45 . 2006-11-07 21:07 -------- d-----w- c:\program files\SpywareGuard
2009-09-02 23:42 . 2009-05-18 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 23:42 . 2006-11-07 21:19 -------- d-----w- c:\program files\SpywareBlaster
2009-09-01 21:22 . 2009-05-18 15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 00:31 . 2008-11-23 21:07 -------- d-----w- c:\program files\Veetle
2009-08-28 02:05 . 2009-06-19 02:39 -------- d-----w- c:\documents and settings\pcuser\Application Data\Sports Interactive
2009-08-28 01:50 . 2005-09-04 13:11 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-21 21:16 . 2009-01-22 22:27 -------- d-----w- c:\documents and settings\pcuser\Application Data\dvdcss
2009-08-07 13:40 . 2006-09-19 11:05 48664 ----a-w- c:\documents and settings\pcuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:29 . 2006-10-31 17:55 -------- d-----w- c:\program files\Java
2009-08-03 12:36 . 2009-05-18 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-05-18 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 18:00 . 2006-11-07 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 00:16 . 2009-07-26 00:14 -------- d-----w- c:\program files\Mixxx
2009-07-25 04:23 . 2009-01-09 23:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 03:36 . 2009-06-19 03:36 119120 ----a-w- c:\windows\dxsdkuninst.exe
2009-06-17 19:32 . 2008-08-23 03:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-17 19:32 . 2008-08-23 03:20 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 19:32 . 2008-08-23 03:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 19:32 . 2008-08-23 03:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-11-04 05:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-11-05 07:54 . 2007-12-06 22:40 3564584 ----a-w- c:\program files\procexp.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_18.53.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-04 13:11 . 2009-09-04 13:11 16384 c:\windows\Temp\Perflib_Perfdata_854.dat
+ 2009-09-04 07:48 . 2009-09-04 07:48 16384 c:\windows\Temp\Perflib_Perfdata_424.dat
+ 2009-09-04 13:13 . 2009-09-04 13:13 16384 c:\windows\Temp\Perflib_Perfdata_3e0.dat
+ 2009-09-04 13:10 . 2009-09-04 13:10 16384 c:\windows\Temp\Perflib_Perfdata_2e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d46d0a6c-fab1-45a4-997e-030450e41de5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d46d0a6c-fab1-45a4-997e-030450e41de5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D46D0A6C-FAB1-45A4-997E-030450E41DE5}"= "c:\program files\mySyncCell\tbmySy.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{d46d0a6c-fab1-45a4-997e-030450e41de5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KTPWare"="c:\program files\Elantech\Ktp.exe" [2005-04-04 253952]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-17 1947928]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-01-06 98304]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-03-26 64048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-01-10 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2001-12-26 472576]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2009-05-18 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\pcuser\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-17 19:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/08/2008 04:20 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/08/2008 04:20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/08/2008 04:20 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/08/2008 04:20 298776]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 22:58 54960]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [04/09/2005 15:38 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [04/09/2005 15:40 25984]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [05/02/2009 00:22 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [05/02/2009 00:22 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [05/02/2009 00:22 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [05/02/2009 00:22 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [05/02/2009 00:22 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [05/02/2009 00:22 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [05/02/2009 00:22 117672]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006Core.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006UA.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]

2009-09-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-11-07 14:31]

2009-09-03 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-24 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\SnoopFreeDll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\SnoopFreeSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-04 14:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 13:18
ComboFix2.txt 2009-09-03 18:56
ComboFix3.txt 2009-05-21 17:48

Pre-Run: 19,218,370,560 bytes free
Post-Run: 19,082,838,016 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
249 --- E O F --- 2009-09-02 23:42
Old 09-04-2009, 08:45 AM   #8 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Hi there

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

Link 1
Link 2

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Objects Only << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.

The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-04-2009, 10:51 AM   #9 (permalink)
Registered User
 
cadge's Avatar
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

Hi, thanks once again for your help with this!

Below is the log from SysProt:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: srescan.sys
Service Name: srescan
Module Base: F7231000
Module End: F7245000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F4D99000
Module End: F4DB1000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A22000
Module End: F7A24000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwConnectPort
Address: F4F50FC0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: F4F4DC80
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: F4F68170
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreatePort
Address: F4F51580
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: F4F65900
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: F4F65B10
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: F4F69B10
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateWaitablePort
Address: F4F51670
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: F4F4E210
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: F4F689F0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: F4F687A0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDuplicateObject
Address: F4F65280
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: F4F68F10
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey2
Address: F4F68F90
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: F4F4E070
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: F4F67180
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenThread
Address: F4F66F40
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRenameKey
Address: F4F696F0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: F4F69150
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRequestWaitReplyPort
Address: F4F50BE0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: F4F69540
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSecureConnectPort
Address: F4F51190
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: F4F4E440
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: F4F684E0
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSystemDebugControl
Address: F4F66200
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: F4F66080
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found
Old 09-04-2009, 11:01 AM   #10 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Hi there

So far so good, all that was detected in the SysProt are legit items.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Please note that this may take some time to complete

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back with the results of the Kaspersky scan along with an update on how things are running now
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
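The SysProt log above lists every SSDT entry that ZoneAlarm's vsdatant.sys has redirected, plus three "hidden" kernel modules, and the analyst's verdict is that all of it is legitimate. Checking that by hand means comparing each hook address against the owning driver's range and recognising each driver name. The script below is an added example (it is not from the thread, the forum, or the SysProt tool) that automates that triage: it parses the "Kernel Modules:" and "SSDT:" sections, groups hooks by driver, and flags a hook whose address falls outside the module that claims it or whose driver is not on a small allowlist. The allowlists, the log sample, and the `example_unknown.sys` record are constructed for illustration; vsdatant.sys is the ZoneAlarm TrueVector driver, and srescan.sys is listed only because the analyst judged it legitimate here.

```python
"""Triage helper for SysProt AntiRootkit logs (added example, not the tool's own code)."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the log posted in the thread. The first
# two vsdatant.sys hooks mirror real ZoneAlarm entries; the last two SSDT records are
# invented (out-of-range address, unknown driver) to exercise the checks below.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

Kernel Modules:
Module Name: srescan.sys
Service Name: srescan
Module Base: F7231000
Module End: F7245000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F4D99000
Module End: F4DB1000
Hidden: Yes

SSDT:
Function Name: ZwCreateFile
Address: F4F4DC80
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: F4F67180
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: F9AB0100
Driver Base: F4F2F000
Driver End: F4F9A000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwQueryDirectoryFile
Address: F8120400
Driver Base: F8110000
Driver End: F8130000
Driver Name: \??\C:\WINDOWS\system32\drivers\example_unknown.sys

No Kernel Hooks found
"""

# Constructed allowlists keyed by lower-case file name. vsdatant.sys is ZoneAlarm's
# TrueVector driver, which hooks the SSDT to enforce program control; srescan.sys is
# the ZoneAlarm component the analyst in the thread judged legitimate.
KNOWN_SSDT_HOOKERS = {"vsdatant.sys": "ZoneAlarm TrueVector firewall driver"}
KNOWN_HIDDEN_MODULES = {"srescan.sys": "ZoneAlarm scanner driver"}

RECORD_LINE = re.compile(r"^([A-Za-z ]+): (.*)$")


def basename(path):
    """Last component of an NT/Win32 path, lower-cased for allowlist lookups."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_records(text, section):
    """Return the key/value records under a section header such as 'SSDT:'.

    Records are blank-line separated; the section ends at the first non-blank line
    that is not a 'Key: Value' pair (the next header or a 'No ... found' summary)."""
    lines = text.splitlines()
    if section not in lines:
        return []
    records, current = [], {}
    for line in lines[lines.index(section) + 1:]:
        match = RECORD_LINE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
        elif line.strip() == "":
            if current:
                records.append(current)
                current = {}
        else:
            break
    if current:
        records.append(current)
    return records


def triage_ssdt(records, known_drivers):
    """Group SSDT hooks by owning driver and list the ones needing a human look.

    A finding is raised when the hook address is not inside the image that claims
    it (a hook into unmapped or unlisted code is the classic rootkit sign) or when
    the owning driver is not a recognised security product."""
    hooks_by_driver = defaultdict(list)
    findings = []
    for rec in records:
        driver = basename(rec["Driver Name"])
        func = rec["Function Name"]
        addr = int(rec["Address"], 16)
        base, end = int(rec["Driver Base"], 16), int(rec["Driver End"], 16)
        hooks_by_driver[driver].append(func)
        if not base <= addr < end:
            findings.append(f"{func}: hook at {addr:08X} lies outside {driver} [{base:08X}-{end:08X}]")
        if driver not in known_drivers:
            findings.append(f"{func}: hooked by unrecognised driver {driver}")
    return dict(hooks_by_driver), findings


def triage_hidden_modules(records, known_modules):
    """Names of modules reported Hidden: Yes that the allowlist does not explain.

    dump_* drivers are the crash-dump copies of the storage stack that Windows loads
    without a service entry, so SysProt always reports them as hidden."""
    unexplained = []
    for rec in records:
        if rec.get("Hidden") != "Yes":
            continue
        name = basename(rec["Module Name"])
        if name.startswith("dump_") or name in known_modules:
            continue
        unexplained.append(name)
    return unexplained


if __name__ == "__main__":
    hooks, findings = triage_ssdt(parse_records(SAMPLE_LOG, "SSDT:"), KNOWN_SSDT_HOOKERS)
    for driver, funcs in hooks.items():
        print(f"{driver}: {len(funcs)} SSDT hook(s): {', '.join(funcs)}")
    for finding in findings:
        print("REVIEW:", finding)
    hidden = triage_hidden_modules(parse_records(SAMPLE_LOG, "Kernel Modules:"), KNOWN_HIDDEN_MODULES)
    print("unexplained hidden modules:", hidden or "none")
```

Run against the log actually posted in this thread, the script reports every hook as owned by vsdatant.sys with addresses inside its F4F2F000-F4F9A000 range and no unexplained hidden modules, which is the same conclusion the analyst reached by eye. The allowlist is deliberately tiny; on another machine it has to be extended with whatever security software is installed there before an "unrecognised driver" finding means anything.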
Old 09-05-2009, 08:55 AM   #11 (permalink)
Registered User
 
cadge's Avatar
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

Ran Kaspersky and it didn't find any infections, here is the exact text of the report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 5, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 20:13:41
Records in database: 2746310

Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\

Scan statistics
Objects scanned 97896
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 03:20:50

No threats found. Scanned area is clean.
Selected area has been scanned.
Old 09-05-2009, 10:08 AM   #12 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Hi there

All is looking good; the only thing that concerns me is the whereabouts of a file. It was picked up in your initial GMER scan when you first posted but does not show in your logs afterwards, so I just want you to run a second GMER scan for me to confirm whether it is still present or not.

Double click GMER to open the program
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
  • Save it where you can easily find it, such as your desktop, and copy and paste this in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-07-2009, 09:05 AM   #13 (permalink)
Registered User
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

Here is my latest GMER log:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-07 16:04:42
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF50E2FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF50DFC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF50FA170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF50E3580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF50F7900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF50F7B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF50FBB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF50E3670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF50E0210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF50FA9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF50FA7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF50F7280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF50FAF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF50FAF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF50E0070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF50F9180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF50F8F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF50FB6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF50FB150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF50E2BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF50FB540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF50E3190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF50E0440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF50FA4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF50F8200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF50F8080]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbhub \Device\00000084 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000085 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000086 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000087 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbrprumoqoehhlnq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors

---- EOF - GMER 1.0.15 ----
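For readers who want to see what the analyst is checking in a log like the one above, here is an added example (not code from the thread, from GMER or from the forum's helpers) that parses the "Reg" lines of GMER's registry section, groups them by the service key they sit under, and notes whether GMER has annotated the key as belonging to a control set that is not the active one. The sample input is an excerpt of the entries from the log posted above, embedded inline; the field names in the summary are this example's own choice, not GMER's.

```python
"""Summarize the registry section of a GMER rootkit-scan log.

Added example, not part of the forum thread or of GMER itself. GMER writes
registry findings as

    Reg <key>@<value> <data>        (a value under a key)
    Reg <key> (annotation)          (a key, optionally with a note)

This script groups those lines by the Services\\<name> key they belong to so
a reviewer can see, per driver service, its image path, start/type values,
which ControlSet it lives in and whether GMER flagged that ControlSet as not
the active one. It only summarizes; as the analyst's caution above says,
rootkit scan output is reviewed, not acted on blindly.
"""
import re

# Excerpt of the GMER log posted in the thread, embedded as sample input.
SAMPLE_LOG = r"""GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-07 16:04:42

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbrprumoqoehhlnq.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls

---- EOF - GMER 1.0.15 ----
"""

# "Reg <path> [data]": the path never contains spaces, the data may.
REG_LINE = re.compile(r"^Reg\s+(?P<path>\S+)(?:\s+(?P<data>.*\S))?\s*$")
# Service keys under HKLM\SYSTEM\<control set>\Services\<service name>.
SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)",
    re.IGNORECASE,
)
NOT_ACTIVE = "(not active ControlSet)"  # annotation GMER appends to such keys


def parse_reg_lines(log_text):
    """Yield (key, value_name, data) for each 'Reg' line in the log.

    value_name is '' when the line names a key rather than a value.
    """
    for line in log_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        key, _, value = m.group("path").partition("@")
        yield key, value, m.group("data") or ""


def summarize_services(log_text):
    """Group the registry findings by the service key they live under."""
    services = {}
    for key, value, data in parse_reg_lines(log_text):
        sm = SERVICE_KEY.match(key)
        if not sm:
            continue  # a Reg line outside the Services tree; not summarized here
        entry = services.setdefault(sm.group("svc"), {
            "control_set": sm.group("cset"),
            "values": {},          # value name -> data, directly under the service key
            "subkey_values": {},   # subkey name -> value names found under it
            "in_inactive_control_set": False,
        })
        subkey = key[sm.end():].lstrip("\\")  # '' for the service key itself
        if data == NOT_ACTIVE:
            entry["in_inactive_control_set"] = True
        if subkey:
            entry["subkey_values"].setdefault(subkey, [])
            if value:
                entry["subkey_values"][subkey].append(value)
        elif value:
            entry["values"][value.lower()] = data
    return services


def report(services):
    """Render one summary line per service, the way a reviewer reads the log."""
    lines = []
    for name, e in sorted(services.items()):
        state = "NOT active" if e["in_inactive_control_set"] else "active"
        modules = e["subkey_values"].get("modules", [])
        lines.append(
            f"{name}: image={e['values'].get('imagepath', '?')} "
            f"start={e['values'].get('start', '?')} type={e['values'].get('type', '?')} "
            f"in {e['control_set']} ({state}); {len(modules)} module names"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize_services(SAMPLE_LOG)):
        print(line)
```

Run against the excerpt, the summary shows a single service key, UACd.sys, whose image path points at a driver under system32\drivers, with GMER's note that ControlSet001 is not the active control set, which is exactly the distinction the original poster raised about ControlSet001 versus the other control sets.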
Old 09-07-2009, 09:49 AM   #14 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Hi there cadge

All is looking clear, the file I was concerned about is no longer a concern.

Now that you appear to be free from malware, let's help you stay that way!

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Windows XP Users: Click Start > Select Run and copy/paste the following bolded text below into the Run box and click OK:

Windows Vista Users: Press the Windows key and r to bring up the run dialogue, copy and paste the text below into the run box and click OK:

ComboFix /u

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX, it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature, then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out the temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run for free without a licence as scan-on-demand scanners.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes unauthorised access easy.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and on how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 09-07-2009, 11:07 AM   #15 (permalink)
Registered User
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Win32.TDSS.rtk/reg

Thank you once again for all the help you've given me in dealing with this infection.

I have read the above, uninstalled ComboFix, and installed Web of Trust and the new CCleaner you linked to.

I already have the other applications and almost exclusively use Opera and Google Chrome as opposed to IE.

Thanks again!
Old 09-07-2009, 11:51 AM   #16 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Win32.TDSS.rtk/reg

Not a problem, only too glad to lend a hand.

As this issue is now resolved, I will now stop monitoring this thread for any further replies and request for the topic to be moved to the resolved section of the forum. Should you require any further assistance, please start a new topic in the relevant section of the forums.

Good luck and happy safe surfing!
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Copyright 2001 - 2009, Tech Support Forum