Tech Problem Aggregator

Q: Gave remote access, have a TDSS rootkit, at least.

Hello. We posted in the Am I Infected? forum previously in this topic. To recap, there are two people using this account, the PC owner and a neighbor helping out. The PC owner gave remote access to someone running a tech support scam; the neighbor has been trying to do some scans to figure out what (if any) malicious software may have been left behind and remove it. One of the performed scans was with TDSSKiller, and after we posted the log we were directed to make a topic here. Logs are still posted in the other topic, but DDS logs were created previously which have not been posted. We also just ran DDS again, to give you fresher logs to look at, should that make a difference after running SUPERAntiSpyware. SUPERAntiSpyware only found tracking cookies, which have been removed.
 
GMER was also suggested by the previous helper, but we have been unable to reach the website to download it, either on the owner's PC or on the neighbor's. We did not run Malwarebytes AntiMalware a third time (the second time had no detections; the first time had maybe two, but the log wasn't saved before the neighbor could view it). The other scans which have been attempted were with Microsoft Security Essentials (which found nothing) and an online ESET scan which crashed before its results could be viewed.
 
Here is the newest set of DDS logs.
DDS.txt
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by Owner at 19:33:44 on 2013-10-08
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.258 [GMT -5:00]
.
AV: AVG Internet Security 2014 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Internet Security 2014 *Enabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2014\avgfws.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: <No Name>: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - c:\program files\mapsgalaxy_39\bar\1.bin\39SrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Toolbar BHO: {1e91a655-bb4b-4693-a05e-2edebc4c9d89} -
BHO: Search Assistant BHO: {71c1d63a-c944-428a-a5bd-ba513190e5d2} - c:\program files\mapsgalaxy_39\bar\1.bin\39SrcAs.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg safeguard toolbar\15.5.0.2\AVG SafeGuard toolbar_toolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP View: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: HP View: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: <No Name>:  - LocalServer32 - <no file>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg safeguard toolbar\15.5.0.2\AVG SafeGuard toolbar_toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [MapsGalaxy Search Scope Monitor] "c:\progra~1\mapsga~2\bar\1.bin\39srchmn.exe" /m=2 /w /h
mRun: [MapsGalaxy_39 Browser Plugin Loader] c:\progra~1\mapsga~2\bar\1.bin\39brmon.exe
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg safeguard toolbar\vprot.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Search - http://buttons.mapsgalaxy.com/one-toolbaredits/menusearch.jhtml?s=202980021&p2=^UX^xdm197^YYA^us&si=107848&a=B3315C7F-E2BE-4E0C-859D-7F3F1C19D59C&n=2013071018&cv=1
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1372296637957
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: NameServer = 208.67.220.220 208.67.222.222 75.75.75.75
TCP: Interfaces\{4F049D4C-245B-4C05-A5BC-D7DE18687BE7} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{4F049D4C-245B-4C05-A5BC-D7DE18687BE7} : DHCPNameServer = 208.67.220.220 208.67.222.222 75.75.75.75
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.5.0\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-8-22 146232]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-8-22 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-8-1 26936]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 211560]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-8-22 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-8-1 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-8-22 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-9-6 37664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2014\avgfws.exe [2013-8-26 1358432]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-8-20 300640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2012-1-12 30944]
R3 MonitorFunction;Driver for Monitor;c:\windows\system32\drivers\TVMonitor.sys [2013-9-6 13304]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-8-27 3534896]
S2 mrtRate;mrtRate; [x]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2012-1-12 30944]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-8 30192]
S3 S3chipid;S3chipid;\??\c:\docume~1\owner\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\s3chipid.sys --> c:\docume~1\owner\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\S3chipid.sys [?]
.
=============== File Associations ===============
.
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-10-03 01:35:33 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2013-10-03 01:34:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-03 01:34:04 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-10-03 01:04:40 27817040 ----a-w- C:\SUPERAntiSpyware.exe
2013-10-02 01:31:39 7328304 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{254233dc-263b-4230-9633-c0d57e12daa3}\mpengine.dll
2013-09-17 01:50:56 688992 ------r- C:\dds.scr
2013-09-17 01:34:02 2237968 ----a-w- C:\tdsskiller.exe
2013-09-15 00:11:29 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-14 01:26:31 -------- d-----w- c:\program files\ESET
2013-09-14 01:05:17 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
==================== Find3M  ====================
.
2013-10-02 01:48:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-02 01:48:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-07 22:03:16 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-08-28 00:58:27 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-08-28 00:58:27 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-08-28 00:58:20 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-08-23 04:37:18 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56:56 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56:16 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56:16 146232 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05:59 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27:48 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02:34 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 19:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-08-01 21:08:52 193848 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06:40 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06:14 120120 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05:58 26936 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 19:40:29.73 ===============
 
Attach.txt
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/7/2009 4:01:19 PM
System Uptime: 10/8/2013 7:13:47 PM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. |  | Kelut
Processor: AMD Athlon™ XP 3200+ | Socket A | 2199/200mhz
.
==== Disk Partitions =========================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.2
Agere Systems PCI Soft Modem
AiO_Scan
AIOMinimal
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2014
AVG SafeGuard toolbar
Blackhawk Striker from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Bonjour
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CameraDrivers
CleanUp!
Compatibility Pack for the 2007 Office system
CreativeProjects
Crystal Maze from Hewlett-Packard Desktops (remove only)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Easy Internet Sign-up
ERUNT 1.1j
ESET Online Scanner v3
Five Card Frenzy from Hewlett-Packard Desktops (remove only)
getPlus® for Adobe
Google Desktop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 3840
HP Deskjet 3840 Series
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Image Zone Plus 3.5
HP Instant Support
HP Officejet 4620 series Basic Device Software
HP Officejet 4620 series Help
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.5
HP Smart Web Printing
HP Update
hpg2436
hpg3970
hpg4600
hpg5530
hpg8200
HPIZ350
hpmdtab
HpSdpAppCoreApp
HPSSupply
HPSystemDiagnostics
I.R.I.S. OCR
InstantShare
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java 7 Update 21
Java Auto Updater
Java™ 6 Update 35
KBD
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.75.0.1300
MapsGalaxy Firefox Toolbar
MapsGalaxy Internet Explorer Toolbar
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Location Finder
Microsoft Money 2006
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2010
Microsoft Plus! Digital Media Edition
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders  (English) 14
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
NVIDIA Drivers
OpenOffice.org 3.2
Orbital from Hewlett-Packard Desktops (remove only)
Otto from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
Overland
PC-Doctor for Windows
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
QuickBooks Pro 2008
Quicken 2004
QuickProjects
QuickTime
Readme
RealOne Player
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft Excel 2010 (KB2760597) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687276) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2794707) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Microsoft Word 2010 (KB2760769) 32-Bit Edition
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
SkinsHP1
SkinsHP2
Slyder from Hewlett-Packard Desktops (remove only)
SmartWebPrintingOC
SUPERAntiSpyware
SupportSoft Assisted Service
Toolkit View(HP)
Tradewinds from Hewlett-Packard Desktops (remove only)
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553157) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589370) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760758) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Updates from HP
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Visual Studio 2012 x86 Redistributables
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinWay Resume Deluxe
Word Symphony from Hewlett-Packard Desktops (remove only)
Works Upgrade
Yahoo! Toolbar
.
==== End Of File ===========================
 
 
And, here is the older set of DDS logs, should they prove useful.
 
Old DDS.txt
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by Owner at 20:51:46 on 2013-09-16
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.422 [GMT -5:00]
.
AV: AVG Internet Security 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Internet Security 2014 *Enabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2014\avgfws.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: <No Name>: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - c:\program files\mapsgalaxy_39\bar\1.bin\39SrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Toolbar BHO: {1e91a655-bb4b-4693-a05e-2edebc4c9d89} -
BHO: Search Assistant BHO: {71c1d63a-c944-428a-a5bd-ba513190e5d2} - c:\program files\mapsgalaxy_39\bar\1.bin\39SrcAs.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg safeguard toolbar\15.5.0.2\AVG SafeGuard toolbar_toolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HP View: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: HP View: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: <No Name>:  - LocalServer32 - <no file>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG SafeGuard toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg safeguard toolbar\15.5.0.2\AVG SafeGuard toolbar_toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [MapsGalaxy Search Scope Monitor] "c:\progra~1\mapsga~2\bar\1.bin\39srchmn.exe" /m=2 /w /h
mRun: [MapsGalaxy_39 Browser Plugin Loader] c:\progra~1\mapsga~2\bar\1.bin\39brmon.exe
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg safeguard toolbar\vprot.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Search - http://buttons.mapsgalaxy.com/one-toolbaredits/menusearch.jhtml?s=202980021&p2=^UX^xdm197^YYA^us&si=107848&a=B3315C7F-E2BE-4E0C-859D-7F3F1C19D59C&n=2013071018&cv=1
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1372296637957
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: Interfaces\{4F049D4C-245B-4C05-A5BC-D7DE18687BE7} : NameServer = 208.67.220.220,208.67.222.222
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.5.0\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-8-22 146232]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-8-22 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-8-1 26936]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 211560]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-8-22 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-8-1 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-8-22 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-9-6 37664]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2014\avgfws.exe [2013-8-26 1358432]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-8-20 300640]
R2 vToolbarUpdater15.5.0;vToolbarUpdater15.5.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.5.0\ToolbarUpdater.exe [2013-9-7 1643184]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2012-1-12 30944]
R3 MonitorFunction;Driver for Monitor;c:\windows\system32\drivers\TVMonitor.sys [2013-9-6 13304]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-8-27 3534896]
S2 MapsGalaxy_39Service;MapsGalaxyService;c:\progra~1\mapsga~2\bar\1.bin\39barsvc.exe [2013-7-10 42504]
S2 mrtRate;mrtRate; [x]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2012-1-12 30944]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-8 30192]
S3 S3chipid;S3chipid;\??\c:\docume~1\owner\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\s3chipid.sys --> c:\docume~1\owner\locals~1\temp\{2b43252c-a1e3-4c47-927c-9f2c276d3515}\S3chipid.sys [?]
.
=============== File Associations ===============
.
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-09-17 01:50:56 688992 ------r- C:\dds.scr
2013-09-17 01:34:02 2237968 ----a-w- C:\tdsskiller.exe
2013-09-15 00:11:29 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e44475df-84be-45aa-8a20-bdc485c7c202}\mpengine.dll
2013-09-14 01:26:31 -------- d-----w- c:\program files\ESET
2013-09-14 01:05:17 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-09-13 12:21:49 7166848 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-07 22:03:49 -------- d-----w- c:\windows\system32\cache
2013-09-06 20:33:51 -------- d-----w- c:\documents and settings\owner\application data\AVG2014
2013-09-06 20:32:25 -------- d-----w- c:\documents and settings\owner\local settings\application data\AVG SafeGuard toolbar
2013-09-06 20:32:11 -------- d-----w- c:\documents and settings\owner\application data\TuneUp Software
2013-09-06 20:31:55 -------- d-----w- c:\documents and settings\owner\application data\AVG SafeGuard toolbar
2013-09-06 20:31:48 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-06 20:31:41 -------- d-----w- c:\program files\common files\AVG Secure Search
2013-09-06 20:31:41 -------- d-----w- c:\documents and settings\all users\application data\AVG SafeGuard toolbar
2013-09-06 20:31:39 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-09-06 20:29:05 -------- d--h--w- C:\$AVG
2013-09-06 20:29:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2014
2013-09-06 20:28:06 -------- d-----w- c:\program files\AVG
2013-09-06 20:23:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\MFAData
2013-09-06 20:23:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\Avg2014
2013-09-06 20:23:56 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2013-09-06 19:33:12 -------- d-----w- c:\documents and settings\owner\local settings\application data\LogMeIn Rescue Applet
2013-09-06 18:45:29 13304 ----a-w- c:\windows\system32\drivers\TVMonitor.sys
2013-09-06 18:05:46 -------- d-----w- c:\documents and settings\owner\application data\TeamViewer
2013-08-28 00:58:20 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-08-28 00:58:20 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-08-28 00:58:19 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-08-28 00:57:41 -------- d-----w- c:\program files\NVIDIA Corporation
2013-08-28 00:35:04 453152 ----a-w- c:\windows\system32\nvudisp.exe
2013-08-28 00:35:04 -------- d-----w- c:\windows\nview
2013-08-28 00:32:45 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2013-08-23 04:37:18 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-08-23 03:56:56 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 03:56:16 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-23 03:56:16 146232 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
==================== Find3M  ====================
.
2013-09-14 01:48:41 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-14 01:48:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05:59 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27:48 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02:34 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 19:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-08-01 21:08:52 193848 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-08-01 21:06:40 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 21:06:14 120120 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 21:05:58 26936 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59:11 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-19 02:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 20:52:52.26 ===============
 
 
Old Attach.txt
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/7/2009 4:01:19 PM
System Uptime: 9/15/2013 9:32:59 PM (23 hours ago)
.
Motherboard: ASUSTek Computer INC. |  | Kelut
Processor: AMD Athlon™ XP 3200+ | Socket A | 2199/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 106.927 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 0.622 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2531: 6/18/2013 3:34:56 AM - Software Distribution Service 3.0
RP2532: 6/18/2013 2:05:20 PM - Software Distribution Service 3.0
RP2533: 6/19/2013 3:35:57 AM - Software Distribution Service 3.0
RP2534: 6/19/2013 2:05:00 PM - Software Distribution Service 3.0
RP2535: 6/20/2013 3:36:42 AM - Software Distribution Service 3.0
RP2536: 6/20/2013 2:03:24 PM - Software Distribution Service 3.0
RP2537: 6/21/2013 3:35:45 AM - Software Distribution Service 3.0
RP2538: 6/21/2013 2:05:27 PM - Software Distribution Service 3.0
RP2539: 6/22/2013 3:39:30 AM - Software Distribution Service 3.0
RP2540: 6/22/2013 2:05:02 PM - Software Distribution Service 3.0
RP2541: 6/23/2013 3:35:47 AM - Software Distribution Service 3.0
RP2542: 6/23/2013 1:49:29 PM - Software Distribution Service 3.0
RP2543: 6/24/2013 7:57:32 AM - Software Distribution Service 3.0
RP2544: 6/26/2013 8:32:57 PM - Software Distribution Service 3.0
RP2545: 6/26/2013 8:40:42 PM - Software Distribution Service 3.0
RP2546: 6/27/2013 2:25:23 PM - Software Distribution Service 3.0
RP2547: 6/27/2013 8:57:49 PM - Software Distribution Service 3.0
RP2548: 6/28/2013 2:25:06 PM - Software Distribution Service 3.0
RP2549: 6/28/2013 8:57:52 PM - Software Distribution Service 3.0
RP2550: 6/29/2013 2:25:12 PM - Software Distribution Service 3.0
RP2551: 6/29/2013 8:57:51 PM - Software Distribution Service 3.0
RP2552: 6/30/2013 2:24:38 PM - Software Distribution Service 3.0
RP2553: 6/30/2013 8:57:52 PM - Software Distribution Service 3.0
RP2554: 7/1/2013 2:25:24 PM - Software Distribution Service 3.0
RP2555: 7/1/2013 8:57:49 PM - Software Distribution Service 3.0
RP2556: 7/2/2013 2:23:23 PM - Software Distribution Service 3.0
RP2557: 7/2/2013 8:58:01 PM - Software Distribution Service 3.0
RP2558: 7/3/2013 2:23:24 PM - Software Distribution Service 3.0
RP2559: 7/3/2013 8:57:40 PM - Software Distribution Service 3.0
RP2560: 7/4/2013 2:24:26 PM - Software Distribution Service 3.0
RP2561: 7/4/2013 8:57:38 PM - Software Distribution Service 3.0
RP2562: 7/5/2013 2:24:28 PM - Software Distribution Service 3.0
RP2563: 7/5/2013 8:57:43 PM - Software Distribution Service 3.0
RP2564: 7/6/2013 2:24:30 PM - Software Distribution Service 3.0
RP2565: 7/6/2013 8:56:30 PM - Software Distribution Service 3.0
RP2566: 7/7/2013 2:24:31 PM - Software Distribution Service 3.0
RP2567: 7/7/2013 8:58:49 PM - Software Distribution Service 3.0
RP2568: 7/8/2013 2:36:38 PM - Software Distribution Service 3.0
RP2569: 7/8/2013 8:57:53 PM - Software Distribution Service 3.0
RP2570: 7/9/2013 2:25:21 PM - Software Distribution Service 3.0
RP2571: 7/9/2013 8:57:52 PM - Software Distribution Service 3.0
RP2572: 7/10/2013 2:26:25 PM - Software Distribution Service 3.0
RP2573: 7/10/2013 11:42:13 PM - Software Distribution Service 3.0
RP2574: 7/11/2013 11:03:59 AM - Software Distribution Service 3.0
RP2575: 7/11/2013 2:21:40 PM - Software Distribution Service 3.0
RP2576: 7/12/2013 12:08:46 PM - Software Distribution Service 3.0
RP2577: 7/12/2013 2:25:55 PM - Software Distribution Service 3.0
RP2578: 7/13/2013 12:09:05 PM - Software Distribution Service 3.0
RP2579: 7/13/2013 2:21:05 PM - Software Distribution Service 3.0
RP2580: 7/14/2013 12:08:39 PM - Software Distribution Service 3.0
RP2581: 7/14/2013 2:19:53 PM - Software Distribution Service 3.0
RP2582: 7/15/2013 12:07:28 PM - Software Distribution Service 3.0
RP2583: 7/16/2013 12:08:43 PM - Software Distribution Service 3.0
RP2584: 7/16/2013 2:20:54 PM - Software Distribution Service 3.0
RP2585: 7/17/2013 12:08:35 PM - Software Distribution Service 3.0
RP2586: 7/18/2013 12:10:52 PM - Software Distribution Service 3.0
RP2587: 7/18/2013 2:21:50 PM - Software Distribution Service 3.0
RP2588: 7/19/2013 12:09:27 PM - Software Distribution Service 3.0
RP2589: 7/19/2013 2:21:02 PM - Software Distribution Service 3.0
RP2590: 7/20/2013 12:09:22 PM - Software Distribution Service 3.0
RP2591: 7/20/2013 2:21:24 PM - Software Distribution Service 3.0
RP2592: 7/21/2013 12:10:08 PM - Software Distribution Service 3.0
RP2593: 7/21/2013 2:21:30 PM - Software Distribution Service 3.0
RP2594: 7/22/2013 12:08:50 PM - Software Distribution Service 3.0
RP2595: 7/23/2013 12:10:56 PM - Software Distribution Service 3.0
RP2596: 7/23/2013 2:20:53 PM - Software Distribution Service 3.0
RP2597: 7/24/2013 3:00:16 AM - Software Distribution Service 3.0
RP2598: 7/24/2013 12:09:10 PM - Software Distribution Service 3.0
RP2599: 7/24/2013 2:19:29 PM - Software Distribution Service 3.0
RP2600: 7/25/2013 12:10:15 PM - Software Distribution Service 3.0
RP2601: 7/25/2013 2:20:43 PM - Software Distribution Service 3.0
RP2602: 7/26/2013 12:08:45 PM - Software Distribution Service 3.0
RP2603: 7/26/2013 2:21:29 PM - Software Distribution Service 3.0
RP2604: 7/27/2013 12:08:42 PM - Software Distribution Service 3.0
RP2605: 7/27/2013 2:20:39 PM - Software Distribution Service 3.0
RP2606: 7/28/2013 12:08:43 PM - Software Distribution Service 3.0
RP2607: 7/29/2013 12:08:42 PM - Software Distribution Service 3.0
RP2608: 7/29/2013 2:21:28 PM - Software Distribution Service 3.0
RP2609: 7/30/2013 12:10:10 PM - Software Distribution Service 3.0
RP2610: 7/30/2013 2:22:14 PM - Software Distribution Service 3.0
RP2611: 7/31/2013 12:08:51 PM - Software Distribution Service 3.0
RP2612: 8/1/2013 12:08:23 PM - Software Distribution Service 3.0
RP2613: 8/1/2013 2:20:41 PM - Software Distribution Service 3.0
RP2614: 8/2/2013 12:10:21 PM - Software Distribution Service 3.0
RP2615: 8/2/2013 2:22:20 PM - Software Distribution Service 3.0
RP2616: 8/3/2013 12:07:06 PM - Software Distribution Service 3.0
RP2617: 8/3/2013 2:21:02 PM - Software Distribution Service 3.0
RP2618: 8/4/2013 12:08:12 PM - Software Distribution Service 3.0
RP2619: 8/4/2013 2:20:58 PM - Software Distribution Service 3.0
RP2620: 8/5/2013 12:08:23 PM - Software Distribution Service 3.0
RP2621: 8/5/2013 2:21:15 PM - Software Distribution Service 3.0
RP2622: 8/6/2013 12:08:05 PM - Software Distribution Service 3.0
RP2623: 8/7/2013 12:08:08 PM - Software Distribution Service 3.0
RP2624: 8/8/2013 12:10:54 PM - Software Distribution Service 3.0
RP2625: 8/8/2013 2:21:17 PM - Software Distribution Service 3.0
RP2626: 8/9/2013 12:08:13 PM - Software Distribution Service 3.0
RP2627: 8/9/2013 2:21:43 PM - Software Distribution Service 3.0
RP2628: 8/10/2013 12:08:39 PM - Software Distribution Service 3.0
RP2629: 8/10/2013 2:21:29 PM - Software Distribution Service 3.0
RP2630: 8/11/2013 12:08:34 PM - Software Distribution Service 3.0
RP2631: 8/11/2013 2:21:26 PM - Software Distribution Service 3.0
RP2632: 8/12/2013 12:08:35 PM - Software Distribution Service 3.0
RP2633: 8/12/2013 2:21:05 PM - Software Distribution Service 3.0
RP2634: 8/13/2013 12:08:45 PM - Software Distribution Service 3.0
RP2635: 8/13/2013 2:21:07 PM - Software Distribution Service 3.0
RP2636: 8/14/2013 12:10:09 PM - Software Distribution Service 3.0
RP2637: 8/14/2013 2:22:44 PM - Software Distribution Service 3.0
RP2638: 8/15/2013 3:00:35 AM - Software Distribution Service 3.0
RP2639: 8/27/2013 7:32:30 PM - Software Distribution Service 3.0
RP2640: 8/27/2013 7:46:20 PM - Software Distribution Service 3.0
RP2641: 8/27/2013 7:54:13 PM - Software Distribution Service 3.0
RP2642: 8/28/2013 1:47:00 PM - Software Distribution Service 3.0
RP2643: 8/29/2013 2:49:32 PM - Software Distribution Service 3.0
RP2644: 8/30/2013 8:13:10 PM - Software Distribution Service 3.0
RP2645: 8/31/2013 8:46:27 PM - Software Distribution Service 3.0
RP2646: 9/1/2013 1:54:53 PM - Software Distribution Service 3.0
RP2647: 9/6/2013 1:09:27 PM - Software Distribution Service 3.0
RP2648: 9/6/2013 3:28:04 PM - Installed AVG 2014
RP2649: 9/6/2013 3:28:48 PM - Installed AVG 2014
RP2650: 9/7/2013 1:15:05 PM - Software Distribution Service 3.0
RP2651: 9/7/2013 2:27:47 PM - Software Distribution Service 3.0
RP2652: 9/8/2013 2:59:16 PM - Software Distribution Service 3.0
RP2653: 9/9/2013 3:20:38 PM - System Checkpoint
RP2654: 9/11/2013 9:17:49 PM - System Checkpoint
RP2655: 9/13/2013 7:21:41 AM - Software Distribution Service 3.0
RP2656: 9/14/2013 6:08:26 AM - Software Distribution Service 3.0
RP2657: 9/14/2013 7:11:18 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.2
Agere Systems

A: Gave remote access, have a TDSS rootkit, at least.

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English, so please do not use slang or idioms. It could be hard for me to read.
Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version, so please be sure to read the disclaimer and back up any important data before using.
Double click the mbar.zip file to open it, then 'Extract all files'.
Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware.
If malware is found, do NOT press the Cleanup button yet. Click EXIT. I'd like to see the log first so I can see what it sees.
You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt.
Please attach that to your next reply.

22 more replies
Answer Match 81.48%

I went to Symantec's web site for tech support on my virus product and they asked for remote access to my computer and I allowed it. Well, it took them 2 hours to fix a 45 minute problem. The person wasn't paying attention to me and I did most of the work fixing my problem, so when the company sent out the survey on tech support I complained and gave out the person's name. Ever since then my computer has lost the CD-ROM, which I finally got back, and then it lost the scanner and I am working on recovering its drivers and such. Now when I email people it takes forever to type a line, and every time I turn on MSN Messenger I have to type in my info even after I have clicked save all information. I have attached my HijackThis log. And I am aware of SilentBug, I have it to watch my children's activities online lol
 

More replies
Answer Match 81.48%

Hello.  This account is being used by two people: the PC owner and a neighbor who is trying to help.  The PC owner had a cold call at the beginning of September which claimed to be able to tell that the PC owner was sending infected files.  A week later, the neighbor heard about this and recognized this as a tech support scam.  The neighbor was able to determine that the tech support scammer had installed the free version of AVG AntiVirus, but not much else. 
 
The neighbor attempted to run a few free tools to find out if any malicious software was left behind, but due to problems with saving the logs or virus scanners apparently crashing, the neighbor and the PC owner never found any conclusive results for most of those.  The neighbor was following some advice given on a different forum to the victim of a similar scam (link), so DDS logs have already been created, but the neighbor would rather have someone who understands them take a look at them. 
 
The neighbor also ran TDSSKiller, but set to Verify Driver Digital Signature and Detect TDLFS file system.  No actions were taken to remove anything using this tool, but a TDSS file system was detected; we don't know what is on it, yet.
 
The scammers apparently used TeamViewer to access the PC owner's computer, and maybe LogMeIn Rescue.  An empty folder was left for LogMeIn Rescue, but program files remained for TeamViewer.  The neighbor copied... Read more

A:Gave remote access, might have malware.

Hello, and welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?" you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click o... Read more

5 more replies
Answer Match 81.48%

Boy, do I feel stupid. I was having trouble figuring out my new Outlook email. I got frustrated looking online for information and called what I thought was a Microsoft tech help center. The person on the phone told me she would connect me with a tech through a chat window at chat123.us. I proceeded to follow prompts and began chatting with the tech. The tech stated I was probably infected with third party spyware and my email was hacked. During the process the tech asked to check some things. She pulled up a command prompt window and started looking at my IP address; she also got my start-up window open. When done she said I was infected and showed me where. She said she could fix it for a fee. Already suspicious, I declined and logged off. I ran my Avira free antivirus and it came up clean and my computer seems to be ok, but I fear I may have compromised my system. What now?
Thank you, Jim

A:I gave someone remote access, am I infected?

From what I've read online, chat123.us uses LogMeIn Rescue to remotely connect to your computer.
 
Link to LogMeIn: How LogMeIn Rescue Works: Remote Computer Support Solution | LogMeIn Rescue
 
QUOTE: With the customer's permission, this small .exe file automatically downloads to the remote PC. It's the interface through which technicians communicate with Customers and conduct remote support. The applet automatically removes itself from the remote PC at session conclusion.
The applet provides remote Customers with:
Interactive Chat and detailed Session History
Prompts to permit or deny technician access to all functions
File Transfer to the technician
Ability to stop Remote Control or disconnect at any time
You could do a search for LogMeIn on your computer to verify that it is no longer installed.

3 more replies
Answer Match 78.54%

I got a pop up that was loud and wouldn't let me close it saying, "your computer has been infected, call Microsoft," and I did because I turned it off and it was still yelling at me when I turned it back on. I gave the tech remote access and he said I had a tiny something trojan virus. Well, I didn't fall for paying, got off the phone, held the power button down and turned the computer off. I am able to use it fine now with no more warnings, but am I safe after giving the remote access? I was on the phone for about 30 mins while he was going around to different areas in my computer telling me what all of the "problems" were.

A:Gave remote access to a "Microsoft tech support" am I safe?

It wasn't Microsoft, it was a scam.   I suggest you have a look here and create a new post asking for assistance to ensure your computer has not been compromised.

1 more replies
Answer Match 78.54%

Hello,
 
My father saw a pop-up that said his computer had an error and was infected with malware.  The pop-up had a phone number to call.  He talked to someone who said he was a certified Microsoft technician and got my dad scared about the Zeus virus.  My dad gave him access to his computer and they did a remote session.
 
The person did not ask for a credit card number, he asked to be mailed a check but wasn't too worried about getting paid. 
 
I know that my dad should not have done what he did.  But now I'm trying to clean the computer of whatever may have been compromised.  I am currently running SpyHunter and it has already detected 217 threats.  It looks like the scary one is HawkEye keylogger, and there is also Conduit Search/Toolbar and FindYourMaps Toolbar.  I'm 70% done.  
 
I'd love to know what to do next and if someone could please walk me through all the things I need to make sure and take care of to keep my dad safe.  Thank you for your help and support!

More replies
Answer Match 69.72%

My browser(s) have started being redirected when I try to access antivirus/malware sites. I have advertisement audio that randomly plays over my speakers. Malwarebytes & Spybot S&D show a clean scan when run. Any help you can give me will be greatly appreciated!

Here is my DDS log file. I cannot run GMER since it crashes every time.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Boutwell at 22:25:35.21 on Tue 04/06/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3069.1603 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:... Read more

A:tdss rootkit infection...."driver adapti infected by tdss rootkit"

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

43 more replies
Answer Match 68.04%

Hello,

I am suffering from redirects from search engines (mainly Google) and Windows will not install updates. I have run McAfee Internet Security and it found a rootkit called tdss.d.rootkit; I have also run CCleaner, which found nothing, and SUPERAntiSpyware, which found nothing. On running McAfee a second time it found a rootkit called TDSS.e!rootkit. I still have the same problems of Google redirects and Windows not installing updates. When I clicked on gmer.exe it immediately began the scan before I could adjust the parameters, but only the IAT/EAT box was unchecked. I then unchecked the IAT/EAT box and ran the scan again, saving the ark.txt file.

Here is the DDS log

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by Big Andy at 12:03:16 on 2011-07-24
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.44.1033.18.1915.860 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF&... Read more

A:Infected with TDSS.d!rootkit & TDSS.e!rootkit & Google keeps redirecting

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more

14 more replies
Answer Match 65.52%

Hi, I have a strong suspicion my system has been compromised. So far I have done a hard drive wipe with DBAN, re-flashed my BIOS and reinstalled Windows. A second opinion would be much appreciated.
 
FRST.txt log below: 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-05-2015
Ran by Ed (administrator) on ZOOM on 02-05-2015 20:48:30
Running from C:\Users\Ed\Desktop\Security
Loaded Profiles: Ed (Available profiles: Ed)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.04.02\AsusFanControlService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.16\ccSvcHst.exe
(Sa... Read more

A:Remote access - possible rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/575075 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies
Answer Match 65.1%

Hi there, thanks for taking the time to help!

Firstly, I'm running a Toshiba Satellite with Vista Home Premium 32-bit and SP2.

About a week ago I started experiencing redirects when clicking on links through Google. I understood from searches this was the dreaded TDSS Rootkit which seems to be sweeping the nation at the moment. Fortunately I seem to have been able to remove it, as my searches are no longer tainted (though for the life of me I don't remember what I did, so many different things tried!). Unfortunately, I now seem to be having a separate issue which I'm unsure whether it is a result of me 'fiddling' with system settings too much or the TDSS still having a hold on me.

On average 6 out of 10 times in the past week, when shutting down my computer, it has hung at the Logging Off or Shutting Down screen and will not shut down. In the same instances where this is happening, when trying to install/uninstall a program I receive an error from Windows Installer stating "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." Clearly a very helpful message if you work in an office with a dedicated IT department!

I searched this on Google and found this could be a problem with the entry in Services.msc and could be amended simply by changing the setting to 'Manual'. The unfortunate part is when attempting to access Servi... Read more

More replies
Answer Match 63.42%

I need to find out how to stop him. I am suspecting a firmware bootkit at this point. I have reformatted the C drive, deleted the D drive and F drive, and then even changed Internet providers. Changed all my passwords. And this guy is back. He got the new password to my Skype account immediately. I caught him logged in using the /showplaces command. It said I had 3 endpoints: 2 Android phones and my laptop. Well, I only have one Android phone. I sent him a message telling him off on his Skype account, then I only had 2 endpoints at the next check. It's him. I have 2 FBI reports out. They don't return my calls. I am not pressing charges, because then I will have to hand over the only laptop I have to connect to the internet with and go through tons of hassle. I just want my peace of mind back. I have used all the scanners under the sun; nothing is detecting anything. I used GMER and Malwarebytes Anti-Rootkit. I used RogueKiller. Nothing detects anything but he's still in here. He disabled my webcam program ManyCam; I had to reinstall it. I wasn't sure it was him. So then I logged into a chat program called Paltalk and turned my cam on in there. It kept dropping and dropping immediately, then I tried to log back in... invalid password. He is having a field day with my laptop. HELP! Yes, I also reset the MBR by doing bootrec /fixmbr and bootrec /fixboot. He still came back! I used MAC filtering to only allow my cellphone to connect in my router settings but he still got in. Maybe he is cloning my cellphone MAC address since he has it... Read more

More replies
Answer Match 63.42%

Hello; this is my first post to this forum so I hope I am following all of the rules properly. Somehow, my computer was recently hit by a blast of viruses - I have no idea what happened. Suddenly .exe files were closing themselves and I was getting false virus alerts from something that desperately wanted me to install it. Then AVG alerted me to a keylogger and several of my online accounts were compromised.

I've run MBAM and Trojan Remover but neither detects any problems. TDSS Killer identifies the infection, and supposedly "deletes" it, but it is still infected upon reboot. Other than Google redirects and slow browsing I have not experienced any problems, but many of the other programs I received in this fun "bundle" were particularly malicious, so I'm worried. Below are the relevant logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Derk at 2:21:45.29 on Mon 05/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2746 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.ex... Read more

A:TDSS-like rootkit; google redirect, reinstall after TDSS-Killer

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post fresh DDS Logs (DDS and Attach.txt)

3 more replies
Answer Match 62.58%

Hi! I seem to have a TDSS Rootkit infecting my atapi.sys file. I tried TDSSKiller from Kaspersky, and it detects the rootkit, but while it says reboot to delete, it's detected anyway after the reboot. In safe mode, as well as safe mode with command prompt, it does not detect any TDSS rootkit at all.

The machine is a Toshiba Satellite laptop dual-booting Vista and Ubuntu Linux (9.10 Karmic). Currently I have AVG 9.0, Avira, Spybot S&D and MBAM installed. Windows Vista Firewall has always been on. I usually spend about 40% of my time in Windows, with 60% in Ubuntu, going online through both.

My system is not exhibiting any of the more severe symptoms I read in the forums - redirected search results, blocked AV updates, etc. I only checked for rootkits because Chrome wouldn't do anything. Further on, though, I was getting warnings and errors from MBAM as well as Avira every so often, on various trojans, etc.

However, since detecting this rootkit, and reading through your forums and guidelines, I turned off my laptop's WiFi switch when in Windows, going online only through my Ubuntu boot. I am assuming (correctly, I hope) that my Ubuntu system is safe, and immune to the rootkit, so I can use it to go online as well as do other work. With the WiFi turned off in Windows, I haven't got any warnings from MBAM or Avira.

I put up this problem initially in the "Am I infected? What do I do?" forum, where I have been directed by boopme to send in my DDS and GMER logs. DDS log below. Do you need th... Read more

A:TDSS Rootkit infection. TDSS Killer failed.

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

1. Please do not run any other tool until instructed to do so!
2. Please reply to this thread, do not start another!
3. Please tell me about any problems that have occurred during the fix.
4. Please tell me of any other symptoms you may be having as these can help also.
5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will appear.
Click OK.
DeFogger may ask you to reboot the machine, if it does - click OK.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Gmer
Download GMER Rootkit Scanner from here.
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:&... Read more

3 more replies
Answer Match 61.32%

Hello,
Firstly thanks to all you dedicated folks in this forum!

Here's the issue i'm facing:
1) Earlier today I started getting a message when I was opening Firefox that said: jqsnotify.exe - Entry Point Not Found. And further: The procedure entry point [email protected]@Z could not be located in the dynamic link library msvcrt.dll

2) Thinking it's a Java issue, I removed previous versions of Java and Java files with the help of JavaRa

3) Now, I do not get the jqsnotify message, but when the computer is rebooted, Firefox - my default browser - automatically comes on and a newspedia website gets loaded automatically. At times an additional website called bizrumours comes on automatically too.

4) The fonts of other webpages also seem altered - the Google search box, for sure

5) Along with this are frequent crashes (the blue screen with the Windows 'serious error' warning)

6) I ran Malwarebytes' quick scan and it showed quite a few problems: the location of the rootkit.tdss files is in windows\system32. trojan.tdss is in the temp folders in the local settings folder within documents & settings. Finally one trojan agent within winlogon\taskman

7) Lastly, I do not know if this is related, but I find Google programs/applications like Google Reader/Gmail to be non-functional when I use Firefox. Google Reader works fine if I use IE but not with Firefox.

As required, I'm:
a) pasting the contents of dds.txt below
b) attaching attach.zip which contains attac... Read more

A:rootkit.tdss, trojan.tdss, newspedia

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any open browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financia... Read more

19 more replies
Answer Match 59.64%

Hello, I have been working on cleaning this system (Desktop PC: Dell Optiplex 7500: Windows XP SP3) for a few days now after discovering an old partially removed infection of Paladin Antivirus. I ran the usual removal tools, MBAM, ComboFix, Avast Boot Scan, and F-Secure Online scans, and all show up clean now; however, the Avast real time behavior scanner is still flagging a latent Rootkit service: SVC:PRAGMApxevsticxr. Of course when Avast asks what I want to do I choose delete, and it recommends a boot scan, which comes up clean, and the Avast process starts again. Knowing I was still infected, I decided to go to the ever trusty, but lengthy, ESET online scanner which found:

C:\WINDOWS\PRAGMApxevsticxr\PRAGMAc.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAd.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz1D.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz3.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz7.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined

and then in a subsequent ESET scan:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000075.dll a variant of Win32/Krypt... Read more

More replies
Answer Match 59.64%

On Feb 14th, I posted about a rootkit that is on my system HERE in the 'Am I infected' section. It has been a very long time since I have been here, but I believe you used to have to post there first and only ended up here once someone started helping you, but I truly can't recall. Should I leave that where it is and wait for a reply there? Or can that post be moved here? Can the topics be merged? Or should I repost my issue here and delete that post? I apologize that I am so out of touch with forum protocol here, but on the other hand, I don't want to waste anyone's time by posting in the wrong place and clogging up the wrong queue.

I do have a nasty version of the PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant. All other infections have been removed, and I believe the bulk of the rootkit has been disabled. I *think* I just need to drop a custom script into ComboFix or Avenger2 to finish the removal; however, I am not sure because I haven't seen a piece of malware this resilient in years.

The following scans have been run and their logs are saved and available for posting:
DDS
GMER
Rkill
Combofix
RootRepeal
HijackThis
MBAM
ESET Online Scan
FSecure Online Scan
SuperAntiSpyware
Avast Boot Scan
As well as a manually created record of all self deleted registry keys related to PRAGMA.

The bulk of the pertinent information (at least what I *think* is pertinent) is in the original thread linked above with the exception of the GMER info on the rootkit. Please advis... Read more

A:PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant

Post removed due to Crossposts

28 more replies
Answer Match 59.64%

I would really appreciate some help from someone with experience with this matter.

Introduction:

Origin: False sense of security by AVG (updated), Windows kept updated, Browser settings, firewall, and self system maintainence.

Presentation: Installed a 2nd HDD (Exclusively for daily backups - ironic!) I did manage to fire off one Backup with win 7 backup including an image, but I doubt it is clean. Then next morning the computer was no longer in WIN7 environment but had rebooted to System Repair Panel, and despite a week of working on the problem with lots of pro and sub-pro advice online and offline, I could not get the startup repair to stop reporting that my code integrety file"C:\ci.dll" was corrupt and it could not help me. I was locked in a loop [boot start->system repair]. Safe mode, bios changes/resets, drive removals rearrangments, win7 orig DVD repair, triple startup repair cycle, replacing ci.dll w/ correct sized version (which simply reverted to "corrupt size on reboot"), restore points, using the one imagefile i had made .... no help - all roads lead to the sys rec panel.

B.T.W. SafeMode would halt boot at driver #5 "CLFS.sys" to enter system recovery console.

Positive (hopefully) Headway I've Made: I researched the details of the component library ci.dll and looked for a vulnerability or weakness I could exploit to avoid the error, and I learned it doesn't lend its function set during kernel debug mode and unsigned d... Read more

A:Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

Mike,

You need Jacee and/or Corinne's help with this - they are our resident security MVP's. No doubt they will see this, but I'll drop them a message and ask them to have a look at this for you.

Regards,
Golden

9 more replies
Answer Match 59.64%

Hi,

Since Friday my computer started to run slow and kept crashing. I also noticed it would redirect Google searches to various webpages and not the actual link it was meant to... I have McAfee Security Centre (updated daily), so ran a scan. It revealed some trojans, namely "Spy-Agent.bw!mem, DNSChanger!ba and Generic FakeAlert!cd". Some of it was removed/quarantined while 1 or 2 files couldn't be fixed by McAfee. I then ran MBAM which managed to clear everything. Here is the log from then (28th Aug):

-----------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2709
Windows 5.1.2600 Service Pack 3

28/08/2009 18:07:25
mbam-log-2009-08-28 (18-07-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165024
Time elapsed: 36 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\C... Read more

A:Infected with Google redirect & Rootkit TDSS and Rootkit.Agent/Gen-Rustock[KBI]

UPDATE: Did an online scan with Eset, it reported the following: C:\Documents and Settings\Amit Sinha\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2a20046a probably a variant of Win32/Agent trojan deleted - quarantined. So looks like there are still some remnants... Anyone?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are... Read more

4 more replies
Answer Match 59.22%

I have Spyware Doctor and I keep getting pop-ups that threats from these infections are being blocked. I also keep getting error messages for invalid windows images: globalroot/systemroot/system32/UAChwmptxj.dll and /UACkvstwgpm.dll. Please Help!
DDS (Ver_09-03-16.01) - NTFSx86
Run by SDS at 18:31:39.15 on Mon 03/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.124 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\fjscan32\FJTWMKSV.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\... Read more

A:Rootkit.TDSS!sd6 and Trojan.TDSS!sd6

Hello.

Rootkit Threat

Unfortunately one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC F... Read more

3 more replies
Answer Match 58.8%

64 bit, Windows 7

I was having issues with YouTube. Streaming was very slow and would often times stop altogether. At first, I thought I had an issue with Flash Player and so I uninstalled it, installed it again, and checked on updates. I still had the same issues.

I ran Spyware Doctor and Malwarebytes to see if the issue was malware. Previously, when I ran either program, it would show a lot of infections, but now there were none. I then thought that it could be a browser issue so I downloaded Google Chrome. Though it downloaded, Google Chrome would not open any sites. I got an error code. This is what it says:

"This webpage is not available. The webpage at http://google.com/ might be temporarily down or it may have been moved permanently to a new web address. Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error."

It said a couple of times that I wasn't connected to the server, but to me that didn't make sense because I was online and surfing the web with Firefox.

I downloaded other types of anti virus and malware programs to see if it would help. This is a list: Spybot, Ad-Aware, BitDefender, AVG, Kaspersky. None downloaded. I received messages saying that the files were corrupted. There would be a bunch of programs opening while doing this. They were moving so fast so I couldn't catch any of them.

I tried to do online scans. Those didn't work either. Same message.

I tried to download these programs in safe mode with networking. They did not download. I trie... Read more

More replies
Answer Match 57.54%

G'day,

Having some malware issues - I assume the TDSS rootkit.

Symptoms are:
* Redirecting IE and Firefox results from Google
* At any given time, 2x IE processes running (they come up again when closed)
* The other day before this all happened, another bit of malware snuck up (fake notifier) - possibly leading to the download of this?
* I kept getting "Hard Drive Failure" messages with the previous issue. When I rebooted, everything from the start menu was gone, as well as the desktop. It has all restored back to normal, but half of my files scattered through my computer have transparent icons (as if they're hidden)
* I ran memtest (from unix GRUB) and used computer management to check the health of my hard drive - A-OK apparently.

I foolishly didn't have any other protection on my system as a while ago AVG failed upon install and I never got around to it again.

Steps taken so far:
* Firewall was already on (Windows) - didn't reinstall ZoneAlarm which was stupid of me.
* Run AVG Thorough Scan + Anti-Rootkit, Kaspersky antivirus, TDSSKiller, Spybot and as expected, nothing came up besides cookies, a couple of temp files, etc.
* Used DeFogger, and got all the logs, and will paste below.

Any help is greatly appreciated all! Thank you very much

=============================================================================================================================
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by Aa... Read more

A:Rootkit issue - assumedly TDSS.rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

3 more replies
Answer Match 57.54%

One of my friends managed to install this nasty rootkit on to my Vista Ultimate machine and I have had nothing but problems since. First it redirected search engines, then it installed Win Police Pro, then it killed access to all Windows executables unless you ran them in administrator mode. The rootkit was identified as a Rootkit.TDSS by Malwarebytes and Spyware Doctor, but it was identified as Rootkit.Rustock[KBI] by SuperAntispyware. Spyware Doctor and SuperAntispyware failed to rid me of the pest, but Malwarebytes managed to remove most of it. Right now I'm stuck with 4 TDSS regkeys that won't delete. Malwarebytes detects them, but will not remove them. I've tried manual removal, and checked and added the appropriate registry permissions. They just won't go away and I'm afraid I haven't removed the infection. Although, the computer appears to work perfectly.

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6000
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmfqnmkfeu (Rootkit.TDSS) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmlhphykoy (Rootkit.TDSS) -> Delete on reboot.

I can view these 2 keys but not delete them, they are where the injector is held. Although, I did manage to delete SOME of the files contained in there.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ytasfwqespetxa (Rootkit.TDSS) -> Quara... Read more

A:Rootkit.TDSS or Rootkit.Rustock[KBI] Trouble

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check only the Files box: Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

2 more replies
Answer Match 57.54%

Rootkit.TDSS Hacktool.rootkit

just showed up, have not had a problem for a few months. Please Help with removal. and is someone hacking me or is this common virus floating around? THANKS!

A:another virus Rootkit.TDSS Hacktool.rootkit

bump

11 more replies
Answer Match 56.28%

Howdy,

I need to set up my Win7 desktop so I can access it (and my home cloud) from the road with my Win7 Laptop. Should be pretty simple...except, the Remote Access Functions DO NOT APPEAR on the [System Properties] pop-up on the [Remote] Tab

See pic attached..

Cannot fill in the form, if the form ain't there.

Heeeep, please.
 

A:Remote Access: SystemProp>Remote>NO Remote Functions Visible

What version of Windows 7 is installed on your computer?


 

9 more replies
Answer Match 55.44%

Referred from here: http://www.bleepingcomputer.com/forums/t/264741/another-virus-rootkittdss-hacktoolrootkit/ ~ OB

Rootkit.TDSS Hacktool.rootkit

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 23:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE661000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7D44000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDFD0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ec794

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ecf1e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ebd0a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WIN... Read more

A:Rootkit.TDSS Hacktool.rootkit

Hi,Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

5 more replies
Answer Match 55.44%

AVG had been detecting several threats and there were numerous browser redirects in Firefox for a while (not sure about IE, because I don't like using it). Afterwards, AVG had been disabled for a few days and there were still numerous browser redirects in Firefox, which lead me to download Avira, and a complete system scan from it in Safe Mode resulted in detections of the Zero Access Rootkit (tdx.sys). After removing everything that Avira detected (a couple of the other files detected were Seaport.exe, Avira's own scheduler file, SupServ.exe, and other files detected as FakeRean. I cannot really remember everything else.) I found that I could no longer connect to the internet because of tdx.sys having been removed. I shut the laptop down and hit the F8 key and used System Restore to restore to an earlier point. AVG was still disabled although I remember AVG being functional at that point, but I could connect to the internet now. I have not seen any more browser redirects. I have logs for DDS and GMER below.


.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by Brian at 12:33:15 on 2011-09-04
Microsoft Windows 7 Professional 6.1.7601.1.950.852.1033.18.2039.932 [GMT -6:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1AC... Read more

A:TDSS Rootkit or some other rootkit problem

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

P2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
Then click Continue > Reboot now
Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_lo... Read more

30 more replies
Answer Match 54.18%

Updated PCs running Trend Micro's Antivirus on Windows can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software.
The design blunders were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote-code execution flaw, so Trend Micro users should update their software as soon as possible.
Ormandy, who has been auditing widely used security packages, analyzed a component in Trend's AV software dubbed the Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.
"It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute()," he wrote in a bug report to Trend.
This means that any webpage visited by a victim could run a script that uses Trend Micro's AV to run commands directly on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro's security software on a PC without the owner's knowledge or consent.
 
The software has been patched via an update but I am surprised Trend Micro let this get through.

A:Trend Micro AV gave any website command-line access to Windows PCs

Not surprised of this at all. Hell, they don't even include signature based detections for Cryptoware if you're not on the latest version of their product and they don't warn you at all about it. It's when you directly ask them that they finally answer. Seriously, TrendMicro isn't worth using at all, at home like at work.

2 more replies
Answer Match 52.92%

A few days ago I came to my computer and I noticed I had this program "Antivirus Pro 2010" or something along those lines. I have had infections before, but it was fairly easy to get rid of them, but this wasn't the case this time. I went to open Malwarebytes Antimalware to scan, it started to scan and then shut off immediately. Whenever I tried to open it again it gives me an error that says:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the items."

This was the case for MBAM, Trend Micro Antivirus Plus AntiSpyware, and Spybot. The only program that the scanning works is "Spyware Doctor" which I got off a recommendation, but as you probably know it costs money for the program to remove infections. I have tried using Hijack This to make logs, so I could get help in the HJT forums, but just like the other programs it shut off immediately after I started to scan. I have also tried scanning with Root Repeal, but it causes my computer to reboot after scanning for about 5 minutes.

Here is what showed up in the Spyware Doctor scan:

Adware.Agent.ZO

RogueAntiSpyware.XP.Antispyware

Rootkit.TDSS

RogueAntiSpyware.AntivirusPro

Trojan.FakeAlert

I don't know how helpful that is, but I really don't have any idea where to go from here. Any help would be greatly appreciated.

A:Rootkit.TDSS

Someone please help.

3 more replies
Answer Match 52.92%

Started getting those pop ups about having a virus and need to download protection etc. Don't know how I got infected because I usually "x" those things out and run all of my McAfee, MBAM etc. But ended up with it. MBAM came up with the Rogue.Installer and Rootkit which it said it removed. Ran it again multiple times and it keeps coming up with the rootkit. I also keep getting messages about the C drive being corrupt. It won't let me save my files and at this point that is OK. Most of my important stuff I have saved. Just worried about losing an application that I got from my last employer that I wanted to keep, but oh well.

I have followed the directions the best I could and will be attaching the required logs, however, I did have an issue with RootRepeal. It wouldn't run and I got this:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004

Yesterday I did go over to the Malwarebytes forum and started following their directions and was able to get an ark file, so I am going to post that too.

Thanks,
Robin

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Robin at 8:28:02.05 on Sun 01/17/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.2037.1592 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Runni... Read more

A:Rootkit.TDSS

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

CODE
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%&#... Read more

25 more replies
Answer Match 52.92%

Hi, I am running Windows XP SP3 and have Kaspersky Internet Security 2010. When I perform a full system scan Kaspersky 2010 says my system memory is infected with Rootkit.WIN.TDSS.d. However it is unable to delete or disinfect it. I posted a topic in the Kaspersky forum 5 days ago and they have been unable to help. Their entire forum is full of users who have been infected with the same malware.

Now my problem has got worse as well as my system memory being infected with Rootkit.WIN.TDSS.d. I can now not access the Windows Update webpage. Some time when I click on a link my browser gets redirected to phishing sites. Kaspersky now regularly shuts down my browser saying:

07/04/2010 12:44:16 Detected: Trojan-Downloader.JS.Agent.fce [malicious URL] Generic Host Process for Win32 Services
07/04/2010 12:44:55 Detected: Exploit.JS.Pdfka.bul [malicious URL] Generic Host Process for Win32 Services
07/04/2010 12:57:46 Denied:[malicious URL] (analysis according to the base of phishing web addresses) [malicious URL] URL found in the base Firefox

I also have a svchost.exe trojan that keeps reappearing in oddly named folders after Kaspersky deletes it. For example: c:\windows\temp\mseh.tmp\svchost.exe.

This is my HijackThis log: hijackthis.log (7.07KB)
My Attach log: Attach.txt (14.68KB)
My GMER log: gmer.log (25.81KB)
My ComboFix log: cmbflog.txt (20... Read more

A:Please help me get rid of rootkit.win.32.tdss.d.

It is constantly crashing now and I have a few deadlines in the coming weeks. Can anybody help?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" you... Read more

2 more replies
Answer Match 52.92%

I am so embarrassed. I am a security and forensic specialist and I got hit with this bugger and I can't seem to find out how.

Getting rid of it is a bugger and I am sure someone has a thread here on how to fix this.

Can someone please point me to the thread and I will take my beating like a man and be scolded like I should be.

Thanks

Jim
 

More replies
Answer Match 52.92%

Hello everyone,

My computer recently started displaying odd messages about my hard drive and needing to reboot the computer. I thought it was somewhat off so I scanned with McAfee and it found TDSS.e!RootKit. It was removed but upon reboot the desktop was blank, the start menu was empty, and Windows functions (like Task Manager) were 'locked by the administrator'. I managed to restore my access to most Windows functions such as the Task Manager, recover the desktop, and the start menu.

Now however, iexplore.exe will load on start up (just the process not a window) and begin to play audio ads for seemingly random things. To counter this I set my firewall to block iexplore.exe from having access to the Internet (I use Firefox). It obviously still starts the process but the annoying audio is gone. When the process is closed or it crashes, it automatically reloads by itself within a few minutes.

I've tried a system restore from several different restore points, but it always posts that Windows was unable to restore to this point and asks if I would like to try again.

TDSS.e!RootKit is restored upon every reboot and McAfee keeps detecting/deleting it. Deleting it doesn't seem to change anything as iexplore.exe keeps opening, the computer is still really slow, etc.

I have tried using a few programs to get rid of it such as Malwarebytes or TDSSKiller but the programs aren't allowed to open (in Safe Mode or otherwise) or they don't manage to fix the... Read more

A:TDSS.e!RootKit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!Please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.In order for me to see the status of the infection I will need a new set of logs to start with.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

12 more replies

My Google search results redirect me to (1 through 7)dayoftheweek.com where the number corresponds to the day of the week, and a friend of mine and myself believe the virus had overwritten some core Windows files, i.e. winsock and winsock2 at the least, until I did a system restore; halfway through it restarted and told me it failed to restore, but those files were fixed. Now the only problem I am aware of is the Google redirects and the process <9o4412549:2o5954o426.exe>
(o represents zero, my keyboard is broken) that is constantly running that I can't close. I couldn't make the GMER log because as it was scanning, as soon as it detected something bad <red fonted item in the scan results> it closed out on its own. No error message or anything. Also I can't install any anti-virus or anti-malware tools, and the few that actually do install don't function properly or do so until encountering the virus. Please help me!

A:TDSS Rootkit

Hi, Please do the following: Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\C... Read more

14 more replies

Rootkit name derived from Malwarebytes scans. Also I was not able to get a RootRepeal log as it gives me an error code on trying to scan. Running Vista 32 bit. I grabbed this a few days ago by accident along with a bunch of bad malware and a trojan.vundo. After a bunch of different anti-viruses, and some manual deletion in safe mode, I'm down to just this rootkit. On startup, I can (sometimes) get to my files, but after about three minutes, everything just... locks up. IE, explorer, any launched programs. I can't actually get a connection. Malwarebytes shows an infected registry key that keeps coming back, other than that, everything is telling me I have no problems. Most of the time on startup, it brings up a message telling me access is denied to C:\users\myuser\desktop\. The only location I have access to is C:\users\myuser\.

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Tyler at 0:07:43.02 on Sat 09/12/2009
Internet Explorer: 7.0.6000.16890 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1332 [GMT -4:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: AVG 7.5.524 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: BitDefender Antivirus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *enabled* (Outdated) {8B2012EC-32D4-494F-BC03-832DB... Read more

A:Rootkit.tdss

After a standard scan with malware bytes, the infection is no longer showing. I am still blocked out of all my files, though.

3 more replies
A:rootkit.tdss gah!

Hello, I am moving this to Am I Infected from Vista. You completed a Malwarebytes scan but now you cannot? A word about TDSS, which is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.
Note: On Vista, "Windows Temp" is di... Read more

1 more replies

I used Malwarebytes, A-squared, Spybot, Avira, HijackThis and my pages are still being redirected; I am at the point of doing a clean reinstall. The same page which carries the worm keeps recycling. My question is, is it possible to get this Trojan through a wireless game, like the Wii, or a bad YouTube page? Also, even though I have got a firewall, antivirus and all of these tools, is there a way to block the script from loading to the computer, and should I remove the Windows update before working on the Trojan? I really do want to do a clean install but if I can remove it I won't bother because I already had to do that 8 months ago. I still have the log file and I did remove two items. I also had to do a system restore and now I cannot get to Windows Update; it would be the same reason I reformatted before, after a Trojan. I have had at least 3 Trojans in the last week. I have Windows XP Pro. I saved the HijackThis log; should I post it here?

A:rootkit.tdss

Hello, I do not know which TDSS this is so I will say this about the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit
If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected ... Read more

1 more replies

Ran Malwarebytes and discovered I have Rootkit.TDSS on my computer, along with other infections. Need help to get this off my computer. I followed the other forum on this but the programs on there said they weren't compatible with my OS.

Also, when I run MB, it will go through the scan, but when I try to remove, it does the "MalwareBytes has stopped working" thing.

A:rootkit.tdss

Rootkits must be handled in the HJT forum. There you will have the best chance of a clean computer. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible.

1 more replies

Got a nasty set of malware a few days ago on my Alienware m9700 running Windows XP Professional SP3 that presented initially as popups by AntiMalware Doctor, porn site icons appearing on the desktop, and unsolicited browser tabs opening in Firefox. Not sure what the initial infection was or whether it came as a package deal, but as soon as it manifested, there appeared to be more than one piece of malware operating on the system at the same time. I immediately removed the computer from the network and tried to regain some control of things. Found that my Norton Antivirus had been disabled and I was unable to restart it even after doing a complete removal and reinstall. Task Manager could not be opened, giving a text box that it "had been disabled by administrator". The older existing copies of Malwarebytes (mbam) and Spybot S&D I already had on the machine would not run (double clicking on their executables would do nothing). Also noted that something had scheduled tasks to be run every hour on the hour and deleted all those tasks. Internet Explorer was also now set to the default browser instead of Firefox. Downloaded the latest copies of Malwarebytes mbam and Spybot S&D on a clean machine, put them on a CD and used the CD to install on the affected system. The new versions also would not run. Could not boot the machine in safe mode either as it would get to a point, hit some kind of error and then restart the boot process again. Had to install and rename mbam ... Read more

A:TDSS rootkit?

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

13 more replies

I'm having URL redirects and then every once in a while a random virus will pop in. I use Malwarebytes to kill the smaller virus but the TDSS won't go away. A friend of mine recommended this forum for help. Here is my RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 16:27
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiersajodb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiixnqxbnv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilaauknwe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruipqmjrayk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.txt
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090702.005\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: c:\prog... Read more

A:Please Help! Rootkit TDSS - Won't Go Away

One thing you should know: You have been infected by a nasty rootkit {TDSS Variant}. This rootkit may steal personal information from your computer and can monitor traffic as you surf. If you do on-line banking, shopping, or other financial transactions, you need to contact your bank to monitor your account -and- change all passwords immediately. I also recommend changing the password on your router - if applicable. Due to the nature of rootkits, some members elect to reformat their computer, versus trying to clean it. If you wish to do that, please let me know. We continue:
1st - update Malwarebytes. Do not run it yet...
Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:
C:\WINDOWS\system32\hjgruiersajodb.dll
C:\WINDOWS\system32\hjgruiixnqxbnv.dat
C:\WINDOWS\system32\hjgruilaauknwe.dll
C:\WINDOWS\system32\hjgruipqmjrayk.dat
C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys
C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.sys
C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.txt
Then use your mouse to highlight it in the RootRepeal window. Next right mouse click on it and select the *wipe file* option only, then immediately reboot the computer.
Update and rerun Malwarebytes in full mode. - Let me know if you need any help with these steps.

15 more replies
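The RootRepeal listing above is a cross-view check: a raw scan of the disk sees files that the Windows API does not report, and the seven hidden entries share the random prefix hjgrui across .dll, .dat and .sys components, which is how the helper picked the file set to wipe. The Python script below is an added example, not code from the thread or from RootRepeal: it parses the Hidden/Locked Files section and clusters the invisible entries by shared name prefix. SAMPLE_LOG is the log posted above, re-wrapped one field per line and cut where the post is; the prefix rule itself is this example's own assumption, not RootRepeal logic.

```python
"""Triage a RootRepeal "Hidden/Locked Files" listing.

Added example, not code from the thread or from RootRepeal. SAMPLE_LOG is the
RootRepeal output posted above, re-wrapped one field per line and cut where the
post is. The clustering rule (files invisible to the Win32 API that share a
random-looking name prefix belong to one rootkit) is this example's assumption.
"""
import os
import re
from collections import defaultdict

SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/08/03 16:27
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\hjgruiersajodb.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\hjgruiixnqxbnv.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\hjgruilaauknwe.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\hjgruipqmjrayk.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\hjgruirpacasrs.sys.txt
Status: Invisible to the Windows API!
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090702.005\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
"""

PATH_RE = re.compile(r"^Path:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.+?)\s*$")


def parse_rootrepeal(text):
    """Return (path, status) pairs from the Hidden/Locked Files section."""
    entries, path, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hidden/Locked Files"):
            in_section = True
        elif in_section and PATH_RE.match(line):
            path = PATH_RE.match(line).group(1)
        elif in_section and STATUS_RE.match(line) and path is not None:
            entries.append((path, STATUS_RE.match(line).group(1)))
            path = None
    return entries


def stem(path):
    """File name with every extension stripped: 'x.sys.txt' -> 'x'."""
    return os.path.basename(path.replace("\\", "/")).split(".")[0].lower()


def shared_prefix(names, min_members=3, min_len=4):
    """Longest prefix shared by at least min_members distinct names, else None."""
    names = sorted(set(names))
    for k in range(max((len(n) for n in names), default=0), min_len - 1, -1):
        groups = defaultdict(list)
        for n in names:
            if len(n) >= k:
                groups[n[:k]].append(n)
        hits = [p for p, members in groups.items() if len(members) >= min_members]
        if hits:
            return max(hits, key=lambda p: len(groups[p]))
    return None


def triage(text):
    """Split the listing into one rootkit family, stray hidden files, locked files.

    'Invisible to the Windows API' is the cross-view gap: a raw disk scan saw the
    file, the Win32 API did not. 'Locked' only means the file could not be
    opened, normal for hiberfil.sys or an AV driver, so it is reported apart.
    """
    entries = parse_rootrepeal(text)
    invisible = [p for p, s in entries if s.startswith("Invisible")]
    locked = [p for p, s in entries if s.startswith("Locked")]
    prefix = shared_prefix([stem(p) for p in invisible])
    family = [p for p in invisible if prefix and stem(p).startswith(prefix)]
    drivers = [p for p in family if "\\drivers\\" in p.lower()]  # kernel part first
    return {
        "prefix": prefix,
        "drivers": drivers,
        "modules": [p for p in family if p not in drivers],
        "unclustered": [p for p in invisible if p not in family],
        "locked_only": locked,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this yields prefix hjgrui, three entries under system32\drivers (the kernel component and its two side files) and four user-mode modules, with hiberfil.sys and the Symantec driver reported only as locked. The drivers list is the part to deal with first: wiping the .dll/.dat payloads while the hidden driver survives is exactly the "it comes back after reboot" pattern seen throughout this thread.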

Hi, I am running Windows XP SP3. The problem first manifested itself shortly after browsing the megaupload.com website. There was a popup in the background I did not notice. Twenty minutes later, Avira AntiVir Guard detected an infection and reported the following:
Is the TR/Crypt.ZPACK.Gen Trojan C:\documents and settings\HP_administrator\local settings\temp\srcwenmoax.tmp
Is the TR/Crypt.ZPACK.Gen Trojan C:\documents and settings\HP_administrator\local settings\temp\rwcoeansmx.tmp
As I prepared to have Avira updated to perform a more complete scan of my system, I noticed that something started to take up all my system resources. Since things were running slowly, I opted to restart my computer. As expected, it didn't shut down very quickly. A few strange close program popups appeared before Windows shut down. I recall one program being titled something like hiddenfax... sorry, I don't remember the others; probably should have paid closer attention to them. Anyway, my computer appeared to be restarting. Then when it hit the Windows loading screen, I encountered the BSOD, a screen very similar to the one on this page: http://www.symantec.com/connect/blogs/tidserv-and-ms10-015 . There was an error with the atapi.sys file. I tried restarting using the last known good configuration and safe mode, and still the same BSOD. I finally found some instructions on this page http://www.myfixes.com/articles/system that allowed me to... Read more

A:Rootkit.tdss??

That certainly matches the M.O. of TDSS so I'm going to ask you to follow this guide here. It will instruct you on how to generate some logs using the DDS and GMER analysis tools and how to post them to the Malware Logs Analyses forum. These logs will provide much more detailed and pertinent information than HijackThis is capable of and will assist the Malware Removal Team member who responds to your post to craft the necessary fixes to clean your system.

3 more replies

Hi,

I posted about my situation in the Am I Infected section of the forum and was advised by Andrew to follow up here. Here is the link to the thread housing my earlier post and his instructions: http://www.bleepingcomputer.com/forums/topic401626.html . The problem first showed up around June 3, 2011, 6:20PM PST.

I have some additional information since my last post if it helps. End Program dialogs have continued to pop up when I shut down Windows. Not sure, however, if these are the same ones that appeared originally. I also cannot tell you whether these are legitimate programs that are no longer working properly or programs that are part of an infection. They are titled HiddenFaxWindow, MCI command handling window, connections tray.

I have followed the steps posted in the preparation guide here: http://www.bleepingcomputer.com/forums/topic34773.html

At what I believed was the end of the GMER rootkit scan (at least a 7 hour scan), there was a Windows - Fatal Application Exit error. The message was Kerio Personal Firewall Driver: ApiInsertEventIntoQueue Unable to allocate memory for event struct. My computer locked up after that so I had to do a hard reboot.

Below is the log file generated by DDS, and attached are the DDS attach.txt output and GMER ark.txt output.

Thank you!!

------

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by HP_Administrator at 23:32:49 on 2011-06-03
Microsoft Windows XP Professi... Read more

A:Rootkit.tdss

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more

27 more replies

Hi there. My computer is infected with something called Rootkit.TDSS. The whole infection reads as: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetehqobwwy (Rootkit.TDSS). I guess it's an infected registry key? When I do a Malwarebytes scan it says it has been quarantined and deleted successfully, but once my computer is turned off and then back on, there is the rootkit again! I really don't know what this is or how to get rid of it, so if someone could please help me out, I would very much appreciate it. Here is the scan log from my MBAM quick scan.

Malwarebytes' Anti-Malware 1.40
Database version: 2765
Windows 5.1.2600 Service Pack 3

9/10/2009 1:32:59 PM
mbam-log-2009-09-10 (13-32-59).txt

Scan type: Quick Scan
Objects scanned: 111885
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetehqobwwy (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is the log from HijackThis (which ... Read more

A:Rootkit.TDSS --- please help?

Hi, First of all, please update Malwarebytes, because the database version and program are outdated. It's 1.41 now. Start Malwarebytes and click the Update tab. There click "Check for updates". Once the updates are downloaded, perform a quick scan again. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

4 more replies
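The poster's symptom, a service key that Malwarebytes reports as quarantined and deleted but which is back after every reboot, is easier to see when scan logs are compared mechanically rather than by eye. The Python below is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.4x log format, checks the summary counts against the items actually listed, and reports detections that recur across scans. LOG_A is the quick-scan log posted above (re-wrapped one item per line, with empty detail sections and the date/filename lines dropped); LOG_B is a constructed, hypothetical follow-up scan written to show the same key reappearing.

```python
"""Parse Malwarebytes' Anti-Malware 1.4x logs and flag detections that recur.

Added example, not code from the thread or from Malwarebytes. LOG_A is the
quick-scan log posted above (re-wrapped one item per line, empty detail
sections dropped). LOG_B is constructed: a hypothetical next-day scan of the
same machine after a reboot, in which the same service key is found again.
"""
import re
from collections import defaultdict

LOG_A = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2765

Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetehqobwwy (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed, hypothetical follow-up scan; not from the thread.
LOG_B = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2780

Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetehqobwwy (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)\s*$")  # "Files Infected: 1"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")        # "<item> (<family>) -> <action>."


def parse_mbam(text):
    """Return (database_version, summary_counts, detections) for one log."""
    db, counts, detections, section = None, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        if line.startswith("Database version:"):
            db = int(line.split(":", 1)[1])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, "item": m.group(1),
                               "family": m.group(2), "action": m.group(3)})
    return db, counts, detections


def count_mismatches(counts, detections):
    """Summary counts that disagree with the items listed (truncated log)."""
    listed = defaultdict(int)
    for d in detections:
        listed[d["section"]] += 1
    return {s: (n, listed[s]) for s, n in counts.items() if n != listed[s]}


def recurring(logs):
    """(item, family) -> [(log index, action)] for items seen in more than one log.

    An item 'Quarantined and deleted successfully' in consecutive scans is being
    re-created by something the scanner does not see, so removal must go deeper.
    """
    seen = defaultdict(list)
    for idx, text in enumerate(logs):
        for d in parse_mbam(text)[2]:
            seen[(d["item"].lower(), d["family"])].append((idx, d["action"]))
    return {k: v for k, v in seen.items() if len({i for i, _ in v}) > 1}


if __name__ == "__main__":
    for (item, family), hits in recurring([LOG_A, LOG_B]).items():
        print(f"{family} {item}: seen in scans {[i for i, _ in hits]}")
```

A detection that recurs with the same successful-removal action across scans means something the scanner cannot see is re-creating it; in this thread that is the hidden TDSS driver that re-registers its service on boot. That is the cue to stop re-running the same scanner and, as the helpers here do, move to a rootkit-aware tool or a rebuild.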

I'm stuck with a rootkit that Mbam detects but apparently can't remove. It installed an antivirus center and basically just hogs all my resources, if I can even get to the log-on screen without it hanging on a black one. I come to you for help.


DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Beef at 23:16:21.72 on Thu 09/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1915.1617 [GMT -5:00]

AV: eEye Digital Security Blink Anti-Virus *On-access scanning disabled* (Updated) {C4821238-EFD9-4B79-B2A5-40CE68D50E68}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: eEye Digital Security Blink AntiSpyware *disabled* (Updated) {10884AE1-E5DE-4DF5-9E39-CF47F8736F04}
FW: eEye Digital Security Blink Firewall *disabled* {AC6BB248-92AF-4E26-A70A-6E5FDB75C144}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windo... Read more

A:Rootkit.TDSS

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

2 more replies

Hi, Upon running a quick scan with Malwarebytes Anti-Malware, many infections were found and subsequently quarantined; however, when I restart the PC (right after the scan), there is a balloon that pops up saying that Windows Startup is blocking a prog. ... and that prog. is mbam. Again running a quick scan detects 1 infection, which is C:\Users\hp\AppData\Local\Temp\ic.exe (Rootkit.TDS). It is quarantined and the system is restarted and again the balloon pops up. However, as soon as I start surfing the net (Google Chrome) and run an mbam quick scan again, the same infection is found again. I'm posting the mbam log and hjt log below; kindly suggest future course of action:

MBAM LOG:
Malwarebytes' Anti-Malware 1.41
Database version: 2848
Windows 6.0.6002 Service Pack 2

9/23/2009 5:10:10 PM
mbam-log-2009-09-23 (17-10-10).txt

Scan type: Quick Scan
Objects scanned: 100797
Time elapsed: 15 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\hp\AppData\Local\Temp\... Read more

A:Rootkit.TDSS

There is another virus that keeps coming back... the file name is "googledownload.exe" and it's also located in my AppData directory; it's being shown as a Trojan.

SOMEONE PLZ ADVISE.

4 more replies

I've tried PC tools spyware doctor - it finds the rootkit and says it removes it, but it always come back up next scan (after rebooting).

Thanks for the help.

I think my problem might be identical to this one:
http://www.bleepingcomputer.com/forums/topic427163.html

A:Rootkit.tdss.v3 won't go away!

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
1. Do not run any other tool until instructed to do so! Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes. Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback. It does not need to be long but just something so I know how things are going. It can be something like "I am still getting redirected" or "The computer is running as it should". Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything. Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. Plea... Read more

40 more replies

Hello, the past week my monitor would randomly hang, my computer stops responding a few seconds later. I checked all my hardware and made sure nothing was overheating, checked capacitors, the works.

Someone told me to use malwarebytes to scan for viruses.

I went into safe mode and ran a fully updated version of Malwarebytes. It found Rootkit.TDSS; here is the log.


Quote:
Malwarebytes' Anti-Malware 1.41
Database version: 2877
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/30/2009 2:06 PM
mbam-log-2009-09-30 (14-06-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 280405
Time elapsed: 1 hour(s), 34 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfull... Read more

A:Rootkit.TDSS

DDS logs


Quote:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/16/2005 11:38:25 AM
System Uptime: 9/30/2009 7:16:58 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | 'P4SD-LA'
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | CPU 1 | 2800/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | CPU 1 | 2800/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 105 GiB total, 59.59 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 2.398 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\45E5D3E01800
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\45E5D3E01800
Service: NIC1394

==== System Restore Points ===================

RP1635: 9/21/2009 7:35:37 AM - System Checkpoint
RP1636: 9/24/2009 8:57:57 AM - System Checkpoint
RP1637: 9/25/2009 1:05:08 PM - System Checkpoint
RP1638: 9/27/2009 11:48:42 AM - Installed S4 League_EU
RP1639: 9/28/2009 1:24:29 AM - Removed Medieval II Total War
RP1640: 9/28/2009 1:25:30 AM - Removed Windows Live Messenger
RP1641: 9/2... Read more

19 more replies

My husband's 2006 XP was taken over by some vicious malware about ten days ago. I've been working with wonderful boopme to try to fix it, at http://www.bleepingcomputer.com/forums/ind...p;#entry1727416. Essentially: SuperAntiSpyware, Malwarebytes, and Vipre all say Jerry's computer has no problem. It does, if you don't like unwanted advertisements along with AV7 telling you you have dozens of malwares it will "fix" for you. ESET-online told me Jerry's computer has:
S/Exploit.Pdfka.NXB trojan
JS/Exploit.Agent.NBB trojan
Next, boopme told me to obtain and run Dr. Web. EVERY time I run Dr. Web on Jerry's computer, after roughly six minutes it tells me it has found and eradicated BackDoor.Tdss.565, and EVERY time both Dr. Web AND the computer immediately freeze. boopme told me to obtain and run TDSSKiller. EVERY time I ran it, it told me it had found and eradicated one TDSS (1/0/0, 0/0/0, 1/0/1), and I must now reboot, and EVERY time the reboot failed to eradicate the infection in question. The final time I ran it, I did NOT reboot, and AFTER this, the program told me Jerry's "atapi" driver has been "infected by TDSSKiller rootkit." boopme then directed me to your page on how to prepare to post in THIS section. I managed to run DDS all right. As requested in your prep guide, the non-Attach report appears below and the Attach report is attached. "10d23" stands for "April 23, 2010." I managed to download GMER a... Read more

A:It's PROBABLY Tdss in my rootkit

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

15 more replies

Hi All, I have been fighting the UAC/TDSS rootkit for a few hours now to no avail. I've run Malwarebytes, but that has not helped in the removal of the virus. Please help as I have photos due in a few hours.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:25 PM, on 7/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iP... Read more

A:UAC/TDSS Rootkit

Hello Carnage5, my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.
*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
*You must reply within 5 days otherwise this topic will be closed.

1. We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTListIt.txt Will be opened
Extra.txt Will be minimized

2. Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GM... Read more

12 more replies

Hi,

I seem to be having trouble removing a Rootkit.TDSS that Spyware Doctor detects. I've tried running Malwarebytes Anti-Malware (both in safe mode and normal), SUPERAntiSpyware, Spybot Search and Destroy and Ad-Aware. None of them seem to be picking up the 'Rootkit.TDSS' that Spyware Doctor seems to be detecting. Any advice?

Toshiba laptop
Windows Vista Sp1
32bit- 3GB RAM
2.10 GHz processor.

Any help would be much appreciated.

HJT log,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32:04, on 14/04/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter3.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\Micro... Read more

A:Rootkit.TDSS

16 more replies

Hello:

I've been referred to this forum by a tech friend. I sent him the following e-mail and he sent me to you:

This morning [August 24] my laptop was acting funny, e.g. logging me out of gmail and then opening a different website (poker something, I think). I ran my anti-malware, Cyberdefender, but it didn't find anything so I ran Malwarebytes and it found rootkit.tdss.gen but could only clean 2 of 3 files [I don't have the log from Malwarebytes].

I have Malwarebytes running now and it blocks it anytime a redirection is attempted but it no longer finds the third file and I'm confused by the on-line advice to clean my system.

Since August 24th I have not been able to use my laptop. It boots up but I can't do anything after it has booted, i.e. I can't open files, run software, open a browser, etc. I am able to boot into safe mode but I am at a loss as to where to proceed from here.

Please help. Thank you,

Debbie

A:rootkit.tdss.gen

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
CODE
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

6 more replies

I have tried to follow some of the threads here around removal of rootkit.tdss. Malwarebytes (MBAM) detects the tdlwsp.dll but I have not been able to locate it. I have Windows XP SP2. Maybe a new strain of rootkit. Any help would be appreciated. I have ComboFix and Windows Restore already installed.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

A:Rootkit.TDSS - Need help

In your situation you should probably go ahead and reinstall Windows XP and SP3 with all the updates. Your machine is running in the dark ages and you are going to be much more prone to attacks without the latest updates. Just back up your stuff and keep your computer so a reinstall isn't going to be devastating. Just my opinion, someone will be right along I'm sure.

13 more replies

rootkit.tdss was found on my computer and some web sites won't load. How can I make sure it is gone?
 

A:rootkit.tdss

Hello starlight. Run these.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 user... Read more

2 more replies

Hi! I am new to this forum and, looking through it, I wish I had found it much earlier! I currently am struggling with a rootkit problem that I would really appreciate any help with.

Here's my situation so far:

Last week, I got a TDSS rootkit, and started getting the regular symptoms of computer slowdown and Google redirects. After that, I scanned with AVG and Malwarebytes, and they found some trojans that were supposedly removed. However, the Google redirects persisted. I downloaded the TDSSKiller from Kaspersky, and renamed it, but it wouldn't run.

As a result, I downloaded and ran Combofix (I wish I hadn't! I wish I saw the rules on your forum first!); however, after nearing the end of the scan, Combofix popped up with an error message that told me to uninstall AVG first. I had disabled it, but I guess it needed it uninstalled. So I uninstalled it with CCleaner, and then rebooted my computer.

At that point, a BSOD flashed and then a Windows Error screen started up and said there was an error booting my computer. It asked me if I wanted to start the Windows Recovery, and I did. However, that didn't help and I tried system restore, which didn't help either.

I haven't tried anything since then, and I would greatly appreciate any help you could give me. If anything, I would like to get some of my personal documents and files off the computer first before I have to reformat it, if it comes to that. However, right now I can't even g... Read more

A:TDSS Rootkit

Hi Ben,Don't you worry at all. At the very least you'll be able to get everything you need from the drive, but there's also a good chance we can get you up and running normally again, without losing anything. Can you please tell me if you've tried to boot into Safe Mode? I see you said you booted into recovery, but that's different. Also, was there any message at all with the error? You said a bsod flashed....did you happen to see the error message there?tea

29 more replies

I have been trying to restore a friends computer for about 8 hours now.

I have removed most of the malware that got installed. The malware that started this whole mess was AV360.

Now I'm left with a functioning system except for some major anomalies.

First off, I cannot browse to ANY well known security related web site. This is the root of most of the problems.

I checked to see if I can ping the sites, and they do work. However, on all the sites that seem to not load in my browsers, they come back with a round-trip time of <1 ms. This I know is impossible. So I ran RootkitRevealer from sysinternals.com. I found entries to TDSS in the scan.

Oh, almost forgot. I cannot seem to run or install ANY well known anti-malware software. Windows loads the executable image to memory and then the process seems to be suspended.

I am running Windows XP Pro with SP3 and all latest updates. I also have IE 7 with latest updates and the latest version of Firefox 3.

So I'm wondering what to do next. Any help on this matter would be greatly appreciated.

P.S. I have noticed that the people that give assistance tend to avoid dealing with this rootkit as it's 'really hard to remove' or 'very damaging to the system'. I just need help ripping it from this system, I can fix the system after very easily.

A:I may have the TDSS rootkit

If MBAM won't install
Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
------------------------------------------------------------------
The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from ... Read more

4 more replies
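The symptom in the question above (well-known security sites will not load, yet ping answers them in under a millisecond) is what you see when the names are answered locally rather than by DNS, which is also why the MiniToolBox run requested elsewhere in this thread lists the hosts file contents. The script below is an added example, not code from the original posts or from MiniToolBox, TDSSKiller or any other tool named here: it parses a hosts file copied off the suspect machine and flags entries that pin security-vendor names or sinkhole names to loopback. The hosts content and the vendor keyword list are constructed for the example and are assumptions to tune for your own environment.

```python
import ipaddress

# Constructed hosts file, modelled on the "cannot reach security sites" symptom.
# Sample input for this example only, not a capture from any poster's machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org          # sinkholed: the site "won't load"
127.0.0.1       www.bleepingcomputer.com
192.168.1.20    update.symantec.com           # sent to a LAN host instead of the vendor
10.0.0.5        fileserver.corp.example       # ordinary internal entry, benign
"""

# Substrings of security-vendor and support-forum names. Assumed list for the
# example; extend it with the products actually deployed on the machine.
SECURITY_KEYWORDS = (
    "malwarebytes", "bleepingcomputer", "symantec", "norton", "kaspersky",
    "superantispyware", "microsoft", "avg", "avast", "eset", "trendmicro",
    "mcafee", "sophos", "sysinternals",
)


def parse_hosts(text):
    """Return ([(line_no, ip_address, hostname)], [(line_no, raw_line)]).

    Text after '#' is a comment, blank lines are skipped, and a line whose
    first field is not a valid IPv4/IPv6 address is returned as malformed so
    the caller can look at it by hand.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        for host in fields[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries, malformed


def suspicious_hosts_entries(text):
    """Flag entries that would explain security sites failing to load.

    Two signals: a security-vendor name mapped anywhere at all (its address
    should come from DNS, never from the hosts file), and any other name sent
    to loopback or the unspecified address. A loopback mapping is what yields
    the sub-millisecond ping reply described in the question.
    """
    findings = []
    entries, malformed = parse_hosts(text)
    for lineno, addr, host in entries:
        if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
            continue  # the one loopback mapping that belongs there
        if any(keyword in host for keyword in SECURITY_KEYWORDS):
            findings.append((lineno, host, str(addr), "security-vendor name pinned in hosts file"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, host, str(addr), "name sinkholed to loopback/unspecified"))
    for lineno, raw in malformed:
        findings.append((lineno, raw.strip(), "", "malformed line (possible obfuscation)"))
    return findings


if __name__ == "__main__":
    for lineno, host, addr, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}: {reason}")
```

Run it against a copy of `%SystemRoot%\system32\drivers\etc\hosts` taken from the affected machine rather than on the machine itself, since the question notes that security tools are suspended on launch there. Ad-blocking hosts lists legitimately sinkhole names to 0.0.0.0, so the second signal is a prompt to look, not proof of compromise; the first signal (a vendor name pinned at all) is the stronger one.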

I have been experiencing a problem when trying to do a search in Google. I get redirected to sites other than the one I selected. I've read that this is a TDSS rootkit infection. I have downloaded Combofix but I'm afraid to use it without someone watching over me. What steps should I take before I use it? I have used Spyware Doctor and malwarebytes and they came up clean. I have avast anti-virus. I did a scan with that and it also came up clean. Any help would be most appreciated. Thanks in advance.

Here is the log file from DDS (Ver_10-03-17.01) - FAT32x86
Run by Audrey at 9:14:57.53 on Sun 05/16/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.256 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1356 [VPS 100516-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
SVCH... Read more

A:TDSS Rootkit

Hi,

Please post the GMER results, thanks

(the attached file just contained Attach.txt)

19 more replies

I posted already about a problem I have been having with this tdss rootkit problem and removing it. I followed the guide on what to do and I know that it said to be patient but I am a little worried about this and if it has compromised anything that I should really be worried about. I want to know if this could be some sort of key logger or something that will steal important information that could cause me financial harm. If anyone can give me a heads up on what might be happening I would really appreciate it.

A:TDSS Rootkit

Your topic is here: http://www.bleepingcomputer.com/forums/t/255130/infected-with-tdss-rootkit/

I know it's frustrating to wait, but with the vast numbers of people requesting assistance, that cannot be avoided. We work with hundreds of logs every day. Because of this, we have devised a means of seeing only the unanswered HiJack This topics. At present, there are nearly 800 of them; the oldest dated Wed Aug 26, 2009 6:20 am Eastern Daylight Savings time. Your topic is dated Sept. 4, 2009, 12:02 PM using the same time zone. While we try to take the oldest topics first, for various reasons, newer topics also get responses. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Orange Blossom

2 more replies

I was informed to post this information here in my previous thread, you can see what steps I have taken so far there: http://www.bleepingcomputer.com/forums/t/252757/stubborn-trojantdss-and-redirector/

Also as requested here is the DDS log, the other is attached as a .zip file.

DDS Log
DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 11:22:11.20 on Thu 08/27/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.119 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report =======... Read more

A:Help with TDSS rootkit.

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important! You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow ... Read more

1 more replies

Hi there, please someone help!

I got this malware (tdss rootkit), the symptoms are that my google searches are being hijacked, I tried the following anti malware packages:
ad-aware
malwarebytes
hitman-pro-3.5

I also have avg 9.0 (resident anti-virus) as well as I scanned the system with trendmicro HouseCall. None of the tools listed above found anything. Yet, I was still getting google search results redirected to random sites.

Then I downloaded TDSSKiller and it found the malware, promised to clean it on reboot, but after reboot it's still here :(

What do I do? Just spent few hours searching the net, no clear instructions exist.
Several people advised to use ComboFix, but under supervision.

What would be the next step for me?

A:TDSS RootKit

Follow the instructions given here, starting at Step 7:http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

3 more replies

I got the RootKit.Tdss problem.
Help please.
I've read another post on it that worked using ComboFix , but I'm not sure whether I should launch myself into a ComboFix unattended.

Yesterday I had the PITA called Windows Police Pro and got rid of it on my own after an embarrassingly large number of hours of effort. I tried StopZilla. Had problems with it. Then did a lot of manual stuff before I got hold of Malwarebytes' Anti-Malware program and ran it. Finally, the Windows Police Pro problem appeared to have been licked, but then I started having BSOD crashes.

I did a system restore tonight, but it was only from a point after I had removed the Windows Police Pro problem and had tried to uninstall StopZilla.

Next I ran MalwareBytes's Anti-Malware and it is finding the RootKit.tdss.
After some Google time I found ComboFix descriptions and this forum.

So, Now I am here... Any takers???? Please???

thanks,
fabjr [newbie]

A:Rootkit.tdss -- help please

Welcome to BC

Let's see what we can do to produce some logs.

We need to check for Rootkits with RootRepeal
Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

9 more replies

It's called rootkit.TDSS!sd6 according to Spyware Doctor's list of "blocked" threats or whatever. I can't access the file in sys32, I'm thinking it's hidden. I'm not a computer wiz by any means, so any help in layman's terms would be greatly appreciated. I'm afraid it's some sort of keylogger. I was watching some streaming anime and my computer just instantly started detecting threats, so I'm not really sure how it got onto my PC, but I'd like to get it off asap. I'm on another computer at the moment because it's not connecting to the internet anymore (or it might just be taking a really long time.)

I followed the instructions at the bottom of the page from boopme here, http://www.bleepingcomputer.com/forums/t/205344/how-do-i-get-rid-of-tdss-virus/

But when I was in Safe Mode and tried to run SUPERAntiSpyware it just said error running or whatever with the send an error report button. I'm really running out of ideas here. This is a nasty piece of work and I'm really trying to avoid reformatting.

A:Rootkit.TDSS!sd6 -- please help

If you have a TDSS infection, I would recommend moving directly to the HJT forum. They have more advanced tools that must be used to remove this infection. I also need to warn you about rootkits...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? Although the rootkit was identifie... Read more

3 more replies

Hi, A few days ago I had a huge malware problem which involved my search result links re-directing me to an ad site, random tabs being added to my browser without me adding them which also loaded ad sites, and a Firefox problem where I keep getting the warning: "Warning: Unresponsive Script" which causes my laptop to freeze and perform really really slow for a few minutes. I posted my problem on the "Am I Infected?" forum, and the person advising me concluded that my scan results were okay. I also thought my laptop was already fine, since tabs weren't randomly being added and my Google searches were back to normal. However my Firefox problem was still there even though I've already updated it to the latest version as suggested. The person who kindly helped me didn't indicate if it was a malware problem, and suggested I post my Firefox problem on another sub-forum. I did post my problem on another sub-forum, and the person there asked me if I resolved my malware infections. I wasn't sure what to answer. I did some googling that morning, and about 1-2 times the search results re-directed me to ad sites. Unfortunately I wasn't really paying attention, I'm not sure if the ads were set up by the website (like some sites do, they re-direct you to an ad for a couple of seconds and reload you back to the original page) or if it were those malware redirects. Subsequent Google searches haven't redirected me on that day, but it may also be very possible it's me limiting myself a ... Read more

A:TDSS rootkit

Please download The Avenger by Swandog46 and unzip it to your Desktop.

Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

CODE
Begin copying here:
Drivers to disable:
ohnrdw
Drivers to delete:
ohnrdw
Files to delete:
C:\WINDOWS\system32\bxjixnsp.dll
c:\windows\system32\eqi7XXdJXr.dll
Folders to delete:
c:\documents and settings\travelmate\local settings\application data\wiyosj

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply.
Then run GMER once again and post the log here

16 more replies

Hi,

My daughter's laptop is running Windows XP and has been acting rather strangely, playing feeds from radio stations etc. without warning.

I have installed Spyware Doctor and it has cleaned a number of viruses etc. but it appears that the laptop is infected with Rootkit.TDSS.sd6

I am trying to download Windows XP Service Pack 3 but it is failing to load file advapi32.dll, and Spyware Doctor is constantly blocking a threat.

I am unsure of whether or not to cancel the installation as a warning is telling me that windows may not work correctly if I do.

The laptop is running extremely slowly. I have removed a number of programs to try to speed things up, and have managed to run a clean, defrag and disc space consolidation using PC tools Disk suite, which has improved things.

I am also getting a warning coming up at start up telling me that various files are "bad images".

Your help and advice will be appreciated

A:Rootkit.TDSS!sd6

Hi, can you try getting the scan logs from these 2 applications?

Run MBAM
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on ... Read more

15 more replies

I repair computers for a living and I am seeing a huge increase in the amount of computers with Rootkit.TDSS. Is there anyone else seeing this? I mean this rootkit is hitting every MBR that it comes in contact with.

uByte

A:Rootkit.TDSS

TDSSKiller.exe and everything is OK!

12 more replies
Answer Match 52.92%

I'm infected with ROOTKIT.TDSS... can someone please tell me how to remove it?

More replies
Answer Match 52.92%

I scanned the computer with Malwarebytes and found 14 files that Malwarebytes calls "Rootkit.TDSS" files and it removed them after a reboot. However, when I scanned the computer again after reboot, it found this in the registry:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmuxusnfts (Rootkit.TDSS) -> Quarantined and deleted successfully.

After rebooting and scanning AGAIN, it found the same thing! I tried to manually remove the entry in the registry with no success. Even if I gave administrator permissions to the key in regedit, I could not remove it. I have attached the appropriate log files from DDS and RootRepeal as the instructions requested.

PLEASE HELP!

DDS.TXT Log:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jim at 8:36:06.71 on Thu 09/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.338 [GMT -5:00]

AV: Charter Security Suite 8.02 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Charter Security Suite 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\Program Files\USB Safely Remove\USBSRService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32... Read more

A:Rootkit.TDSS

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.
*If not, please perform the following steps below so we can have a look at the current condition of your machine.
*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is ne... Read more

2 more replies
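The symptom in the post above, where Malwarebytes reports the same Services key as "Quarantined and deleted" on every scan after a reboot, is the classic sign of a key that is being re-created or hidden from the scanner by a kernel-mode rootkit. The following Python is an added example, not code from either poster, from Bleeping Computer, or from Malwarebytes: it parses Malwarebytes-style "... Infected:" sections from two constructed scan excerpts (modelled on the excerpt quoted above; the file entries borrow the DLL names that Spyware Doctor reported in a later post on this page) and flags findings that the scanner claimed to delete but reports again after the reboot. Items the scanner had only scheduled for "Delete on reboot" are treated as not yet removed, so their reappearance is not counted as persistence.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample scan excerpts in Malwarebytes 1.x log layout. The
# Services key is the one quoted in the post above; the DLL names are the
# ones Spyware Doctor reported in a later post on this page. Neither text is
# a real log file from those posters.
SCAN_BEFORE_REBOOT = r"""
Malwarebytes' Anti-Malware

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmuxusnfts (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kbiwkmipxxmbce.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmnwmrfipr.dll (Rootkit.TDSS) -> Delete on reboot.
"""

SCAN_AFTER_REBOOT = r"""
Malwarebytes' Anti-Malware

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmuxusnfts (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # e.g. "Registry Keys Infected"
    target: str   # registry key or file path exactly as logged
    family: str   # detection name, e.g. "Rootkit.TDSS"
    action: str   # what the scanner says it did


SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


def parse_mbam_log(text: str) -> List[Finding]:
    """Collect every '<target> (<family>) -> <action>.' item that sits under an
    '... Infected:' section header; banner lines and placeholders are ignored."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        # Skip the banner and "(No malicious items detected)" placeholders.
        if section is None or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings.append(Finding(section, item["target"], item["family"], item["action"]))
    return findings


def persistent_findings(before: str, after: str) -> List[Finding]:
    """Findings the scanner claims it deleted in the first scan and then reports
    again, in the same section, after the reboot. Items only marked
    'Delete on reboot' had not been removed yet, so they are left out of the
    baseline and their reappearance is not counted as persistence."""
    removed = {
        (f.section, f.target.lower())
        for f in parse_mbam_log(before)
        if "deleted" in f.action.lower()
    }
    return [f for f in parse_mbam_log(after) if (f.section, f.target.lower()) in removed]


def service_name(reg_key: str) -> Optional[str]:
    """Return the service name for a ...\\Services\\<name> key, else None."""
    m = re.search(r"\\Services\\([^\\]+)$", reg_key, re.IGNORECASE)
    return m.group(1) if m else None


def triage(findings: List[Finding]) -> List[str]:
    """One plain-language note per persistent finding, for the helper's reply."""
    notes = []
    for f in findings:
        svc = service_name(f.target) if f.section.startswith("Registry") else None
        if svc:
            notes.append(
                f"service key '{svc}' ({f.family}) is back after reboot: the scanner "
                "is not seeing whatever re-creates or hides it, so a boot-time or "
                "offline (rescue-media) scan is needed")
        else:
            notes.append(f"{f.target} ({f.family}) is back after reboot")
    return notes


if __name__ == "__main__":
    for note in triage(persistent_findings(SCAN_BEFORE_REBOOT, SCAN_AFTER_REBOOT)):
        print(note)
```

The comparison is keyed on section plus case-folded target, so a key that the rootkit re-creates under the same name is caught even if the scanner logs it with different capitalisation; a rootkit that picks a fresh random service name on every boot would not be matched this way and would need a name-pattern check instead.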
Answer Match 52.92%

Rootkit.TDSS.Gen appears randomly using Malwarebytes, but still getting odd redirects in both IE and Firefox; Windows Update won't work.

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 14:15:36.34 on Sun 05/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.355 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\Te... Read more

A:Rootkit.TDSS.Gen

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
1. Please do not run any other tool until instructed to do so!
2. Please reply to this thread, do not start another!
3. Please tell me about any problems that have occurred during the fix.
4. Please tell me of any other symptoms you may be having as these can help also.
5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

:run combofix:
Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable ... Read more

10 more replies
Answer Match 52.92%

I was wondering if anyone else that fixes computers for a living is having the same Rootkit.TDSS symptoms as I am. It seems that I keep getting computers in the shop with this blinking cursor on boot. Every time it ends up being this rootkit.tdss. I have been reinstalling the OS 99% of the time. Sometimes running a repair does it. I have tried everything from Dr. Web CureIt but every time I end up reformatting and reinstalling. My questions are has anyone else been riddled with this rootkit or is it just me? Also what are you doing to fix it?

uByte

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum, since no logs included and a general malware tool question. ~ Animal

More replies
Answer Match 52.92%

Hi guys, a couple of days ago I was browsing through some sites I usually browse through when suddenly Spyware Protect 2009 popped up on my screen and said I had a virus. I immediately knew it was fake because it wouldn't let me get out of it nor would it let me end the process. Anyways, I began looking up ways to get rid of it on my laptop, which I'm using now, because all my anti-malware programs were blocked by the virus. I tried using MalwareBytes, Spybot, and Spyhunter, but still to no avail. I finally got my hands on Spyware Doctor and Registry Mechanic and was able to do a scan on my computer. It removed a lot of infected files, but for some reason the icon for Spyware Protect was still on my taskbar. I looked up some file names and a few sites said to delete sysguard.exe from my WINDOWS folder, which I did and it removed the Spyware Protect program. However, I am still unable to go online and every program I open I get an error message saying Bad Image and that the file UACYQMUPESR.DLL was corrupt or something. Spyware Doctor is constantly blocking the Rootkit.TDSS!sd6 but I am unable to delete it permanently. Please help, I'm running out of options and right now reformatting doesn't look too bad. Here are the scan results from DDS:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Benny at 1:00:09.28 on Mon 03/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.485 [GMT -8:00]

AV: ESET NO... Read more

A:Rootkit.TDSS!sd6

Help please?

4 more replies
Answer Match 52.92%

I have spent the better part of my birthday today manually removing malware files, along with a final blow of combofix. My problems are all gone, but McAfee can't pick up this rootkit, and I know it will come back. However, I cannot remove the registry files that the rootkit is in, so I figured after all this time I should probably leave it up to people who know much more about this than I do.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Gerri at 20:05:55.70 on Wed 08/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.629 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe... Read more

A:Rootkit.TDSS

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

10 more replies
Answer Match 52.5%

DDS (Ver_09-02-01.01) - NTFSx86
Run by markT at 13:07:38.69 on Fri 27/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.64.1033.18.2015.1334 [GMT 13:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Intel\NCS\P... Read more

A:How to get rid of virus Rootkit.TDSS!sd6

Welcome. Thank you for using our forums. I am reviewing your log. In the meantime, please address the following:
* Have you posted this issue on another forum? If so, please provide a link to the topic.
* If you are an employee and this system is owned by your employer, do you have permission to make changes to it?
* If you are using any cracked (illegal) software, please uninstall that.
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent, uTorrent, and similar programs. There is a list here: http://spywarehammer.com/simplemachinesfor...php?topic=110.0
* Please understand it is very important that you follow the instructions given to you during the cleaning of malware. This can sometimes be a tricky process and often requires things be done in a certain sequence to be effective. Please do not wait days between steps in this process. It is requested you respond at least within 48 hours. Any longer and it becomes necessary to update all information and start over. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do ... Read more

2 more replies
Answer Match 52.5%

I have been struggling to remove the remnants of a TDSS Rootkit infection. Someone tried to help me in the "Am I infected?" forum and they referred me here. In that process, I have already used Malwarebites, TDSS Rootkit Removal Tool, Norman Malware Cleaner, ESET Online Anti-Virus, and Kaspersky Virus Removal Tool.

Please see this thread for everything that has been tried so far: http://www.bleepingcomputer.com/forums/topic365699.html

Here is my DDS log, I'd appreciate any help:
DDS (Ver_10-12-05.01) - NTFSx86
Run by rmurphy at 9:39:09.97 on Fri 12/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1005 [GMT -5:00]

AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {778F2BE5-86B9-4382-A259-B6D4C9A113AD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\PRO... Read more

A:TDSS Rootkit Issue

Hi, welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions.
Thanks

15 more replies
Answer Match 52.5%

I could not open any antimalware programs, AV scans were clean, but I was getting redirected to weird sites and the Google page looked odd, so I knew something was up. Did some research online and ran a program called ComboFix which identified a rootkit. Since running ComboFix I can now scan with Malwarebytes. That detected Rootkit TDSS. My system seems to be OK now. The only issue I am having is that I cannot download security updates from Windows. A friend of mine suggested I post logs as this is a nasty infection and he said I would need help cleaning it up. My one question is if I should just reformat. I read that rootkits almost always leave residual effects and make it easier for the system to be compromised in the future. DDS logs follow. Thank you, Kristi

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:06:31.95 on Thu 03/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.261 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\nvsvc32.exe
C:... Read more

A:Trojan and Rootkit TDSS

Hello. Yes, you should format.

Rootkit Threat
Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, ... Read more

6 more replies
Answer Match 52.5%

Hey,
I'm having quite a few problems with my computer right now. I think some of it may be associated with Rootkit.TDSS but I'm not totally positive. None of the standard problems of Rootkit.TDSS are there. I have Spyware Doctor running, and about every minute IntelliGuard finds a threat and adds it to the History. It always says under History the following:

Threat Name-Rootkit.TDSS
Details-Spyware Doctor has blocked an application attempting to access a file.
Risk Level- High
Infection-C:\WINDOWS\SYSTEM32\KBIWKMIPXXMBCE.DLL

OR

Threat Name-Rootkit.TDSS
Details-Spyware Doctor has blocked an application attempting to access a file.
Risk Level- High
Infection-C:\WINDOWS\SYSTEM32\KBIWKMNWMRFIPR.DLL
In addition to this problem, most of my application files have been renamed to have a .exe at the end that was never there before now. When I try to run Malwarebytes' Anti-Malware, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them." Also, the .exe file doesn't have the mbam icon.

On some programs, like Firefox, when I try to open it it gives me the error "globalroot\systemroot\system32\kbiwkmnwmrfipr.dll is either not designated to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor." AND with the KBIWKMIPXXMBCE.DLL after that one. After I push okay on both of ... Read more

A:.EXE Problems/ RootKit.TDSS

Please post this issue on this board for expert help, yes you are infected.

http://forums.techguy.org/windows-vista-7/54-malware...jackthis-logs/

Welcome to TSGF.
 

1 more replies
Answer Match 52.5%

The desktop is blank and I am getting a "Generic Host Process for Win32 Services has encountered a problem and needs to close" error.

Error Signature -
szAppName - svchost.exe
DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 9:12:54.10 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.793 [GMT -8:00]

AV: PC Tools AntiVirus Free *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:... Read more

A:Rootkit.TDSS.Gen Infection

Good evening. Take a trip to this webpage for download links and instructions for running Combofix by sUBs.
* Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start. When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply. Let me know how the PC is behaving.
* There are two points to note from the instructions page:
1) The Recovery Console.
It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it. CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.
2) Disabling your Anti-Virus.
CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

4 more replies
Answer Match 52.5%

My PC is infected with that rootkit that I've found a lot of complaints about but not many solutions. Kaspersky AV detected it but does not remove it. After an automatic Windows update a couple of days ago my Outlook crashes before I can do anything; I don't know if they're related. For a while my Google result links would redirect on me.

Also, I cannot run GMER, the program freezes my entire PC. I did run the DDS log though.


DDS (Ver_10-03-17.01) - NTFSx86
Run by RTCILL at 16:54:43.76 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.84 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {728531... Read more

A:Rootkit.win32.tdss.d

Hello & Welcome to TSF

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.


++++++++++++++++++++++


Did you previously run ComboFix? Can you please post the contents of the log (C:\ComboFix.txt).

2 more replies
Answer Match 52.5%

I was infected with a rootkit about a week ago and was informed by Spyware Doctor. A message popped up saying that a high threat was blocked called Rootkit.tdss. I'm sorry if I'm not too detailed about this part. Ever since I received this rootkit, I haven't gone on the computer because I was a little scared. But now I decided to do something about it and this seems like the best place to get help. Right before I posted this, my computer was infected with Windows Antivirus Pro but I successfully removed it with Malwarebytes' Anti-Malware. After I rebooted my computer, Spyware Doctor popped up with the message to block the rootkit. If you can tell me what programs to run so you can look at the logs, that would be great. I just want to know if the rootkit installed a backdoor on my computer. Thank you. Also, a few months ago, way before getting this rootkit, I kept getting, and still am, a message that says "The application or DLL C:\Windows\system32\yugovuji.dll is not a valid Windows image. Please check this against your installation diskette." If I could get help fixing this too, I would greatly appreciate it.

I also have some questions about my infection. Has there been any times when a rootkit has not installed a backdoor on a computer? And if there is no backdoor, can the rootkit be removed 100%? Can a system restore remove a rootkit? Please help and thanks a lot.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 17:37:58.93 on Sun 08/16/2009
Internet Exp... Read more

A:Infected with Rootkit.tdss

Hello icekoldkilla94, if you still need help then please do the following.

Download and run RootRepeal
Please download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom. Now press the button.
A box will pop up, check the boxes beside all seven options/scan areas.
Now click OK.
Another box will open, check the boxes beside all the drives, eg: C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button. Save it as RepealScan and save it to your desktop.
Reconnect to the internet.
Post the contents of that log in your reply please. Post those logs back in your next reply.

6 more replies
Answer Match 52.5%

Hello everyone,

Does anyone have any thoughts with regards to a computer being infected with TDSS rootkit? I have billy helping me out and doing a great job (thank you, thank you, thank you), however, after it is cleaned out, is the computer really trustworthy?

I have heard conflicting stories about this infection....I have a firewall running (now...but before I only used MS firewall, I thought it was enough), I also use a D-Link router (which I understand is a hard firewall)...however, if I use this machine for banking and important stuff, do you think I should be able to trust this machine again?

Any thoughts would be great
Thanks

A:Anyone have any thoughts on the TDSS rootkit

Please follow all Billy 3's instructions.

Thereafter, I would change all logins and passwords. Call such to start the process? Or write directly?

1 more replies
Answer Match 52.5%

Hi, I've been reading a lot of posts on this website. I am first very thankful, as my hosted IT solution group was less than great with this issue. Microsoft also remoted into my computer for over 5 hours and didn't fix it either.

My issue started 2 weeks ago when I noticed I was being redirected to ad websites from Google. I'd click on a Forbes article and end up at Stopzilla.com. I have an amazing appetite for research and logged a plethora of sites I was redirected to. Complimentarygiftcards.com, trackimizer.com, 123.fluxads.com, once even yellowpages.com...although it did not load fully. Usually a redirect went through admarketplace.com and meta.7search.com.

I have run a number of cleaners, all from reading this site, done some uninstalls (because I thought it might be helpful), and now I can no longer find any more symptoms. However, I'm not 100% sure I have cleaned my machine. I'm thinking about going ahead and reinstalling my whole operating system, however, I don't have the boot disks and they are on backorder currently from HP.

Here are the details of my computer/problem:
Problem: Redirecting from Google to adsites. Pretty sure a rootkit.
Computer OS: Microsoft XP Professional Service Pack 3
Browser used: Firefox 4

Programs I have run:
Malwarebytes, Combofix, CCleaner, Spybot Search and Destroy, Microsoft Safety Scanner, TPS, Esetscanner (that revealed that java was infected so I cleaned and then uninstalled java - have ... Read more

A:TDSS rootkit virus

Good evening. As HijackThis has not been seriously updated by Trend Micro in some time, it is now no longer considered to be an effective tool for malware removal. You will need to go here, follow steps 6, 7 and 8 and post accordingly into this thread.

9 more replies
Answer Match 52.5%

Hi, I'm brand new at using a forum and/or trying to fix my computer, so I'm really hoping you guys can help. This is the infection I believe my computer has: Info from the window that comes up when I go to my home page Charter.net. (I use the F-Secure that comes with the Charter package). MALICE CODE FOUND IN FILE C:\Windows\System32\gaopdxqtdpyk.dll. INFECTION: Rootkit.Win32.TDSS.gxu ACTION: THE FILE WAS RENAMED. My computer has been acting wacky for about two months and then I started getting a message that it wouldn't update. Then next the Symantec/Norton stopped being able to update (I uninstalled it and changed back to F-Secure). Lots of "redirecting" I believe is the term you use and lots of pop-ups and on and on... I did some searching on-line for answers and you folks came up as the top, so again I'm hoping you can help. Thank You. PS. I have Vista as my OS.

A:Rootkit.Win32.TDSS.gxu

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will... Read more


Hi, I have recently been experiencing a lot of computer trouble. First my internet browsers started crashing (IE, Opera, and Firefox). Then I found that links to porn sites (complete with custom icons!) had been placed on my desktop. I hadn't noticed it, but since I upgraded my AVG free from 8 to 9 it had stopped appearing in the taskbar. I thought that the program was still running in the background and that not appearing in the taskbar was a new feature... Anyway, the point is that I may have been going without anti-virus software for some time before I noticed these symptoms. I tried to remove AVG and install a student version of McAfee, but I'm not sure if I completely installed McAfee or even completely removed AVG. A scan with Malwarebytes showed that I had some instance of the TDSS rootkit. I used Kaspersky's TDSSKiller program to remove it, but my computer is still acting finicky. It is very sluggish when starting up and I am getting access denied errors when trying to end processes in the task manager. I also am unable to reinstall, uninstall, or disable McAfee.
Here is my DDS log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by preston at 19:51:28.92 on Wed 01/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.170 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Malware Defense *On-access scanning e... Read more

A:Recovering From TDSS rootkit

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I have Kaspersky 2010 onboard and it told me that I was infected with RootKit.Win32.TDSS.d. From a little research I guess this is a really nasty virus. It is also affecting FireFox, IE: I get a Kaspersky window saying that "browser" contains a link that tries to steal passwords, etc and that the attempt has been denied. System is now getting unstable. HELP!!!
Here is the DDS file.
DDS (Ver_10-03-17.01) - NTFSx86
Run by robin at 11:51:50.50 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.307 [GMT -4:00]
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Synaptics\Syn... Read more

A:RootKit.Win32.TDSS.d

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens. Some things to remember while we are working together.
1. Please do not run any other tool until instructed to do so!
2. Please reply to this thread, do not start another!
3. Please tell me about any problems that have occurred during the fix.
4. Please tell me of any other symptoms you may be having as these can help also.
5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Scan With RKUnHooker
Please Download Rootkit Unhooker. Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Gringo


Have had help in other forums on bc, on scanning with mbam, atf cleaner and sas, it showed I had Vundo, Alureon WD and the dreaded tdss, which is why I have been referred here. I had tdss before and am wondering if we didn't get it all before (removed manually using ubuntu/linux with a sophos tech) or I'm just plain unlucky and have it again.
All scans come back that everything has been quarantined and deleted successfully, although the files mbam found are still in its quarantine folder. I also ran a sophos linux/tdss detect and fix disc and that also came back clear.
I have now run the DDS scan as it says at the top of this forum I should do... and have included the DDS.txt below, and would now be OOOOBER grateful for any help in trying to kick this out the backdoor it came in!!!

Many thanx in advance

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:43:03.81 on 12/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.135 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\... Read more

A:Tdss nasty rootkit

please please please can someone advise me what to do next... my daughter has her final A2 IT exam in a couple weeks and needs to take the work on our pc into school... which I can't allow until I'm clean..... and since last post I ran dr.web in safe mode and it deleted 2 killapp... TERRIFIC... thanx in advance
===========
Hello
While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.
Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use ano... Read more


Okay, I have Search and Destroy and it found Trojan Win32/Alureon.DB (also trojan droppers, backdoor.bot, trojan fake alert, backdoor.prorat, and rootkit tdss). So I've been fighting with it for about 6 hours now and could really use some help. I used Smitfraudfix to get rid of the annoying pop ups that this was causing but I can't seem to find a way to remove the Rootkit.tdss. I went to some posts and downloaded Spydoctor; turns out it is a big tease and only finds what is in your computer but won't remove it unless you pay for it. I would really appreciate it if any of you could tell me what to do to remove it or what free software there is to remove it. It has been causing me a lot of problems. For example I can't always open task manager. It gives me an error saying "taskmgr.exe Bad Image" and I usually have to restart my computer to open it. I've installed HijackThis and ran the scan; a lot came up but I don't know what any of it means so I didn't delete any of it. Please help me and thank you
Avast has been telling me it's Win32:Rootkit-gen [Rtk] and a lot of other programs say it's .tdss

I just ran RootRepeal and this is what i got
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Josh\Local Settings\Temp\uac42b8.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Josh\Local Settings\Temp\uac4410.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Josh\Local Settings\Temp\uac... Read more


I am certain my laptop has been infected with a rootkit or malware.  It's possible it's a hard drive failure but I don't believe that is the case. 
 
I have used several types of cleaner programs and all have failed.  I have tried clean installs of the OS, I have wiped the drive securely using Darik's Boot and Nuke, I have used Hiren's Boot CD and tried everything I could get to work - all to no avail.  I have yet to get the Seagate hard drive to even be recognized using Seagate hard disk tools.  On this last install of the OS I used Rogue Killer and it again flagged the same found registry keys.  I have run DDS and while I am not an expert it looks F'd up to me.  I have updated Windows after this last install this morning and I'm ready to get after this problem. 
 
Help!  I will be donating to whoever helps me with this problem.  I am eager to donate.  I need this laptop to work.  I can't take on this problem myself after having tried.  TDSS Killer comes up with nothing. From reading about some of the stuff that has been flagged I get the impression this is an MBR rootkit?   Using one program in Hiren's Boot CD I was told I have a virus in memory.  Whatever it is, it won't go away.
 
Thanks.
 
My DDS log follows.  Attached is my other DDS log and my Rogue Killer report. 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10... Read more

A:Infected with TDSS or MBR Rootkit

Hello and welcome.  Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click   Download and save it to a flash drive.  Note: You need the 64 bit version
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click... Read more


Original post with problems and attempted solutions, then redirected here.
Essentially, though, I have a rootkit (malwarebytes calls it H8SRT (Rootkit.TDSS)). The symptoms include audio sounds randomly coming through my speakers, and "Two other oddities - normally when I click links or go to another page, there's a sound click. The click sound is gone, though sound still works in general. Also, now IE saves my searches (you know, when you type in y all the searches you did that started with y show up), a feature I never had nor want (and I don't know how to turn it off)." With that thread that I posted, I was able to get rid of a lot of bad stuff on my computer (all the logs I ran are posted there), but these symptoms are still present. Another thing that might be useful ---
"So here's the thing - I run malwarebytes, and
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
That gets quarantined and deleted. I run it again, and it finds nothing. Browser is still auto-saving the results on my IE search tool bar, though. The audio sounds aren't frequent, so I never know if they're gone. But whenever I restart my computer and run Malwarebytes again, it finds the same thing (shown above)."
And now logs I'm supposed to post here
-----------------------------------
DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 18:16:54.57 on Thu 12/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professio... Read more

A:H8SRT (Rootkit.TDSS)

Please download The Comedian.exe by Rorschach112 to your desktop
Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
Double click the program to run it. It will only take several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running our fixes.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..
Please download this program by sUBs and save it to your Desktop. Then after you disable all security programs, simply run it (double-click it)
If the program asks you to install Recovery Console, please do so.. It will be in your best interest..
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..
Note: DON'T do anything with your computer while the program is running.. Just let it finish..


Hi All,

Got this Rootkit but sure is a bugger to remove. (no pun intended) I ran RootRepeal and here is the log. What files do I wipe?

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/24 14:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTdlsqjqkiku.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmjnbrhhhdp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTqjvirxwuyw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTaff6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTb43c.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\CLUE Classic\CLUE Classic.exe:{CC5160A4-9F4F-088F-27DA-2CFECCEC6996}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\H8SRTlnirmrohvd.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\l\local settings\temp\~df6935.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\l\local settings\temp\~dfa18e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\L\Local Settings\Temp\H8SRT3cf3.tmp
Status: Invisible to the Windows API!

---------------------

Thanks CUBE
 


I found a (or what I thought was..) keygen program for a garden layout software. I used McAfee Total Protection to scan the file prior to running it. It came back clean. I ran the program, it asked me to allow a program with a different name to run (the name had the word setup in the title). I selected yes. The original file disappeared and nothing appeared to happen. I thought it might have been corrupt and aborted during the install, so I downloaded and ran it again. Same results. I continued working with other programs and noticed problems with file operation, memory operations, and internet problems. Something was definitely wrong. The next time I got the chance I ran Malwarebytes. It identified Rootkit.TDSS in several temp files and was able to delete them. It seemed too easy to only find tmp files. The problems remained. I tried other things such as Superantivirus, without much luck. I attempted to run RootRepeal (I saw recommendations for this on other boards) and found out it was way out of my league. I attempted to run COMBOFIX, without really reading up on it like I should have. It would not run. (I guess I got lucky there.) I started really reading what your site had to say, and I realized how short sighted I was. So I decided to do all the steps in order as you listed.

I had problems trying to do Vista backups as well, and ended up using cobian backup 10 for some of my important files.
I had to reboot before defogger would run.

So here is my info. I hope it tells you ... Read more

A:Infected with Rootkit.TDSS or other

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more


Hi, I have been battling a virus for about two weeks now that has been installing other infections on my computer. One of the infections that slipped through the cracks is this one. It refuses to get deleted, and won't allow me access to the registry keys for the kit. It gives me error messages for each.
Cannot delete tltkoobh: Cannot read source file or disk
Cannot delete tltkoobh: Error while deleting key
Please direct me to the correct program that can delete this thing from my computer. Scans I ran: MBAM doesn't detect it, AVG won't detect it, SuperANTIspyware detects it, but doesn't remove it.
I ran a gmer scan for it.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-09 17:20:03
Windows 5.1.2600 Service Pack 3
Running: okwo00rz.exe; Driver: C:\DOCUME~1\JANETT~1\LOCALS~1\Temp\pxkiiaob.sys
---- Kernel code sections - GMER 1.0.15 ----
.text tltkoobh.sys F743200D 42 Bytes [00, 0F, 9B, C0, 0F, A4, F2, ...]
.text tltkoobh.sys F7432038 34 Bytes [00, 66, 81, D7, 1C, 11, 66, ...]
.text tltkoobh.sys F743205C 2 Bytes [86, F0] {XCHG AL, DH}
.text tltkoobh.sys ... Read more

A:Rootkit.Agent/Gen-TDSS

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more


Hello.
History of my problem:
In mid-January I was surfing the web with Internet Explorer (usually I use Firefox).
A popup appeared in the task bar, that Windows has detected updates.
I allowed it to update, and went back browsing.
I don't exactly remember which site it was, but I have been cross-referencing through certain news and blogs.
Shortly after that I received another popup, suggesting that my system was infected.
By that time I thought the update may have provided a new antivirus system called "Malware Defense" since the design reminded me of Windows Security Center.
I was wrong.
To make a long story short, after figuring out that "Malware Defense" was a fraud, I tried to battle it out of my system to this day.
I have tried out a bunch of anti-malware, somehow I got Prevx and Spywaredoctor to work.
It gave me hints where the registry and file system was infected.
By looking at the registry I noticed that there was a registry folder containing keys to prevent major antivirus and anti-malware products from running.
So I edited the keys to allow me to use MBAM.
Finally I was able to run my "Malwarebytes' Anti Malware" again, so I updated it and did various quick and full scans, both in safe and normal mode.
This is what MBAM found:
Date: 10.01.2010 *FIRST RUN* *quick scan* *normal mode*
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTpksiqwmnyi.... Read more

A:TDSS.Rootkit is killing me

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more


Hello I was sent over here by rigel from this topic179470post. I seem to have contracted a variant of the TDSS rootkit and am trying to see if I can clean it up. Any help would be appreciated. Thanks Josh
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:19 AM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\Imgtask.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program... Read more

A:TDSS rootkit infection

Hello and welcome to the forums!
I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:
Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
Please carefully read any instruction that I give you. Reading too lightly will cause you to miss important steps, which could have destructive effects.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
Only YOU must use these instructions, they are not suitable for any other computer with similar problems.
Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware ... Read more


Please help, system infected with rootkit, tried Malwarebytes, it is unable to remove it.
Hijackthis logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:29 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Pr... Read more

A:Rootkit.TDSS infection Please help

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follo... Read more
