
[InActive] No access to anti-virus sites

Discussion in 'Malware and Virus Removal Archive' started by piyush, 2009/04/14.

  1. 2009/04/14
    piyush

    piyush Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    5
    Likes Received:
    0
    Hello sir/madam. My OS is Windows XP, 2.0 GHz, 1 GB RAM, Pentium Dual Core (it's a desktop). I basically use avast! antivirus 4.8; it was really good and did its job quite well, but it's not able to catch this recent infection on my PC, even with the boot-time scan. When I want to update it, it won't update, saying it cannot connect to the server, and no anti-virus sites are opening either.
    When I double-click on my hard drives, they open in a new window and instantly a notification pop-up saying 'Windows virtual memory minimum or too low' comes up at the bottom right of my screen. A suspicious folder named recycler is seen in all the drives. Please help; I'll be more than willing to give any other info required. Thanks.


    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/04/14 13:08
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: D:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xA9DFB000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7A3A000 Size: 8192 File Visible: No
    Status: -

    Name: PCI_PNP2232
    Image Path: \Driver\PCI_PNP2232
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA8F89000 Size: 45056 File Visible: No
    Status: -

    Name: sppb.sys
    Image Path: sppb.sys
    Address: 0xF7307000 Size: 1048576 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: TDSSmaxt.sys
    Image Path: D:\WINDOWS\system32\drivers\TDSSmaxt.sys
    Address: 0xAA229000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: C:\WINDOWS\SYSTEM\~0000001.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\SYSTEM\msvcrt40.1
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\SYSTEM\~GLH000e.TMP
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\SYSTEM\MSVCRT.DLL
    Status: Visible to the Windows API, but not on disk.

    Path: C:\WINDOWS\SYSTEM\MSVCRT40.DLL
    Status: Visible to the Windows API, but not on disk.

    Path: C:\WINDOWS\SYSTEM\MSVCP60.DLL
    Status: Visible to the Windows API, but not on disk.

    Path: D:\WINDOWS\system32\TDSScfum.dll
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSSfxmp.dll
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSSnrsr.dll
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSSofxh.dll
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSSosvd.dat
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSSriqp.dll
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\TDSStkdv.log
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS4800.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS50a0.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS53fc.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS5a64.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS6aa0.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS74a3.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSS78ba.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSSf06a.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\Temp\TDSSfb47.tmp
    Status: Invisible to the Windows API!

    Path: D:\WINDOWS\system32\drivers\TDSSmaxt.sys
    Status: Invisible to the Windows API!

    Path: D:\Documents and Settings\123\Local Settings\Temp\TDSS6485.tmp
    Status: Invisible to the Windows API!

    Path: D:\Documents and Settings\123\Local Settings\Temp\TDSS66a8.tmp
    Status: Invisible to the Windows API!

    Path: D:\Documents and Settings\123\Local Settings\Temp\TDSSb40d.tmp
    Status: Invisible to the Windows API!

    Path: D:\Documents and Settings\Administrator\Local Settings\Temp\qvbiuamu.dat
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 025 Function Name: NtClose
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc4618

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc44d4

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc49b2

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc40ac

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "sppb.sys" at address 0xf7326ca2

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "sppb.sys" at address 0xf7327030

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc45ae

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc3fec

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc4050

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "sppb.sys" at address 0xf7327108

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc46ce

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc468e

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc480e

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: twbkgln.dll]
    Process: winlogon.exe (PID: 584) Address: 0x01480000 Size: 294912

    Object: Hidden Module [Name: pwhnllhg.dll]
    Process: winlogon.exe (PID: 584) Address: 0x03300000 Size: 151552

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: winlogon.exe (PID: 584) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: services.exe (PID: 628) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: lsass.exe (PID: 640) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSofxh.dll]
    Process: svchost.exe (PID: 816) Address: 0x00850000 Size: 81920

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 816) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: twbkgln.dll]
    Process: svchost.exe (PID: 996) Address: 0x019f0000 Size: 294912

    Object: Hidden Module [Name: pwhnllhg.dll]
    Process: svchost.exe (PID: 996) Address: 0x03520000 Size: 151552

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 996) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: aswUpdSv.exe (PID: 1224) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ashServ.exe (PID: 1296) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: twbkgln.dll]
    Process: Explorer.EXE (PID: 1552) Address: 0x01680000 Size: 294912

    Object: Hidden Module [Name: pwhnllhg.dll]
    Process: Explorer.EXE (PID: 1552) Address: 0x0f8a0000 Size: 151552

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: Explorer.EXE (PID: 1552) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: spoolsv.exe (PID: 1680) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: igfxtray.exe (PID: 1968) Address: 0x003d0000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: hkcmd.exe (PID: 1976) Address: 0x003d0000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: winampa.exe (PID: 1984) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: RTHDCPL.EXE (PID: 1992) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: igfxpers.exe (PID: 2000) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: PDVDServ.exe (PID: 2008) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ashDisp.exe (PID: 2024) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: googletalk.exe (PID: 2032) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: CyberoamClient.exe (PID: 172) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: igfxsrvc.exe (PID: 244) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: jqs.exe (PID: 1056) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ashMaiSv.exe (PID: 2192) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ashWebSv.exe (PID: 2228) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ymsgr_tray.exe (PID: 3208) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: RootRepeal.exe (PID: 1812) Address: 0x10000000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x86db5568]
    Process: System Address: 0xaa22bd66 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x871671f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
    Process: System Address: 0x86f01500 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
    Process: System Address: 0x871681f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x86f351f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
    Process: System Address: 0x871d81f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
    Process: System Address: 0x86fe51f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x871691f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x869eb1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x86f9f1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x869971f8 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_CREATE]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_CLOSE]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_READ]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_CLEANUP]
    Process: System Address: 0x868dc500 Size: -

    Object: Hidden Code [Driver: REG, IRP_MJ_PNP]
    Process: System Address: 0x868dc500 Size: -

    Hidden Services
    -------------------
    Service Name: TDSSserv.sys
    Image Path: D:\WINDOWS\system32\drivers\TDSSmaxt.sys
     
    Last edited: 2009/04/14
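The RootRepeal report above is long enough that the indicators get lost in the IRP-hook noise. As an added example (not part of the original post, and not RootRepeal's own code), the following Python script parses a RootRepeal-style report and pulls out the things a responder keys on: driver images hidden from the Windows API, files invisible or locked to the API, SSDT entries hooked by a driver outside an allowlist, modules that appear as "hidden" inside more than one process (injection rather than a one-off), IRP dispatch hooks grouped by driver, and hidden services, then links each hidden service to its hidden driver image. The embedded report is a constructed excerpt of the log above; the allowlist (only avast!'s aswSP.SYS, which hooks the SSDT as part of its self-protection) and the two-process threshold are assumptions for this example. A hook by a driver outside the allowlist is surfaced for review, not declared malicious.

```python
import ntpath
import re
from collections import defaultdict

# Assumption for this example: drivers allowed to hook the SSDT on this box.
KNOWN_HOOKERS = {"aswsp.sys"}

# Constructed excerpt modelled on the RootRepeal report posted above.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: TDSSmaxt.sys
Image Path: D:\WINDOWS\system32\drivers\TDSSmaxt.sys
Address: 0xAA229000 Size: 73728 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: D:\WINDOWS\system32\TDSScfum.dll
Status: Invisible to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "D:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa9fc4618

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sppb.sys" at address 0xf7326ca2

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSScfum.dll]
Process: winlogon.exe (PID: 584) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSScfum.dll]
Process: services.exe (PID: 628) Address: 0x10000000 Size: 126976

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871681f8 Size: -

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: D:\WINDOWS\system32\drivers\TDSSmaxt.sys
"""

SECTION_RE = re.compile(r"^([A-Za-z/ ]+)\n-{5,}\n", re.M)


def split_sections(report):
    """Return {section name: [record, ...]}; records are blank-line separated."""
    hits, out = list(SECTION_RE.finditer(report)), {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(report)
        body = report[m.end():end]
        out[m.group(1).strip()] = [r.strip() for r in re.split(r"\n\s*\n", body) if r.strip()]
    return out


def field(record, key):
    """Value of the first `key: value` pair in a record (value ends at end of line)."""
    m = re.search(rf"\b{re.escape(key)}:\s*(.+)$", record, re.M)
    return m.group(1).strip() if m else ""


def triage(report, known_hookers=KNOWN_HOOKERS, min_procs=2):
    """Extract the rootkit indicators a responder keys on from a RootRepeal-style report."""
    s = split_sections(report)
    f = {"hidden_drivers": [], "hidden_files": [], "ssdt_hooks": [], "hidden_services": []}
    for rec in s.get("Drivers", []):
        if "Hidden from Windows API" in field(rec, "Status"):
            f["hidden_drivers"].append(field(rec, "Image Path"))
    for rec in s.get("Hidden/Locked Files", []):
        if re.search(r"Invisible|Locked", field(rec, "Status")):
            f["hidden_files"].append(field(rec, "Path"))
    for rec in s.get("SSDT", []):  # hooks by drivers outside the allowlist only
        m = re.search(r'Hooked by "([^"]+)"', rec)
        if m and ntpath.basename(m.group(1)).lower() not in known_hookers:
            f["ssdt_hooks"].append((field(rec, "Function Name"), m.group(1)))
    mods, irp = defaultdict(set), defaultdict(set)
    for rec in s.get("Stealth Objects", []):
        m = re.search(r"Hidden Module \[Name: ([^\]]+)\]", rec)
        p = re.search(r"Process: (\S+) \(PID: (\d+)\)", rec)
        if m and p:
            mods[m.group(1)].add(f"{p.group(1)}:{p.group(2)}")
        m = re.search(r"Hidden Code \[Driver: (\w+), (IRP_MJ_\w+)\]", rec)
        if m:
            irp[m.group(1)].add(m.group(2))
    # The same hidden module in several processes is injection, not a fluke.
    f["injected_modules"] = {n: sorted(v) for n, v in mods.items() if len(v) >= min_procs}
    f["irp_hooked_drivers"] = {d: sorted(v) for d, v in irp.items()}
    for rec in s.get("Hidden Services", []):
        f["hidden_services"].append((field(rec, "Service Name"), field(rec, "Image Path")))
    return f


def service_driver_links(f):
    """Hidden services whose image path is itself a hidden driver or hidden file."""
    hidden = {p.lower() for p in f["hidden_drivers"] + f["hidden_files"]}
    return [(svc, img) for svc, img in f["hidden_services"] if img.lower() in hidden]


def is_rootkit_suspected(f):
    """Kernel-level hiding of a driver or service, or a module injected into many processes."""
    return bool(f["hidden_drivers"] or f["hidden_services"] or f["injected_modules"])


if __name__ == "__main__":
    findings = triage(SAMPLE_REPORT)
    for key, val in findings.items():
        print(f"{key}: {val}")
    print("service -> hidden driver:", service_driver_links(findings))
    print("rootkit suspected:", is_rootkit_suspected(findings))
```

On the full report the same logic ties the hidden service TDSSserv.sys to the hidden driver TDSSmaxt.sys and shows TDSScfum.dll hidden inside winlogon.exe, services.exe, lsass.exe and every other listed process, which is why the poster's avast! installation (whose own processes carry the module) could no longer update or reach vendor sites.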
  2. 2009/04/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    You have a backdoor rootkit infection on the computer, it will make things difficult.


    Download worksnow from HERE:

    * IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    "copy/paste" a new HijackThis log file into this thread as well.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Give it at least 20-30 minutes to finish if needed.
     


  4. 2009/04/14
    piyush

    piyush Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    5
    Likes Received:
    0
    Thanks a lot, Juliet!!!! The problem seems to have been solved, although ComboFix was running in reduced functionality mode because it had expired. Thanks again.

    ComboFix 09-02-01.01 - 123 2009-04-14 20:53:37.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.638 [GMT 5.5:30]
    Running from: d:\documents and settings\123\Desktop\worksnow.exe
    AV: avast! antivirus 4.8.1229 [VPS 080731-0] *On-access scanning disabled* (Outdated)
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    D:\autorun.inf
    d:\windows\Fonts\'
    d:\windows\GnuHashes.ini
    d:\windows\system32\1.tmp
    d:\windows\system32\9.tmp
    d:\windows\system32\GroupPolicy000.dat
    d:\windows\system32\GroupPolicyManifest
    d:\windows\system32\GroupPolicyManifest\32.crack.zip
    d:\windows\system32\GroupPolicyManifest\32.crack.zip.kwd
    d:\windows\system32\GroupPolicyManifest\33.video.zip.kwd
    d:\windows\system32\GroupPolicyManifest\34.setup.zip.kwd
    d:\windows\system32\GroupPolicyManifest\35.unpack.zip.kwd
    d:\windows\system32\GroupPolicyManifest\36.keygen.zip.kwd
    d:\windows\system32\GroupPolicyManifest\37.serial.zip.kwd
    d:\windows\system32\GroupPolicyManifest\39.music.mp3
    d:\windows\system32\GroupPolicyManifest\39.music.mp3.kwd
    d:\windows\system32\GroupPolicyManifest\40.mpgvideo.mpg
    d:\windows\system32\GroupPolicyManifest\40.mpgvideo.mpg.kwd
    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
    .

    2009-04-13 11:35 . 2009-04-13 11:35 <DIR> d-------- d:\documents and settings\123\Application Data\rjiblmtq
    2009-04-13 11:28 . 2009-04-13 11:28 <DIR> d-------- d:\documents and settings\NetworkService\Application Data\rjiblmtq
    2009-04-11 00:31 . 2009-04-11 00:31 <DIR> d-------- d:\documents and settings\Administrator\Application Data\vlc
    2009-04-11 00:15 . 2004-08-04 00:56 221,184 --a------ d:\windows\system32\wmpns.dll
    2009-04-11 00:08 . 2009-04-11 00:08 552 --a------ d:\windows\system32\d3d8caps.dat
    2009-04-09 17:15 . 2009-04-14 20:58 <DIR> d-------- d:\program files\runit
    2009-04-04 22:13 . 2009-04-04 22:15 <DIR> d--hs---- d:\windows\system32\NetworkService32
    2009-04-03 12:47 . 2009-04-04 23:07 34,816 --a------ d:\windows\system32\drivers\gaopdxserv.sys
    2009-03-28 18:39 . 2009-03-28 18:39 374,272 --ahs---- d:\windows\system32\5.tmp
    2009-03-28 10:38 . 2009-03-28 10:38 139,264 --a------ d:\windows\system32\devmgr32.dll.1
    2009-03-23 20:08 . 2009-03-23 20:08 26 --a------ d:\windows\SYMGAMES.INI
    2009-03-23 19:47 . 2009-03-23 19:47 54,156 --ah----- d:\windows\QTFont.qfn
    2009-03-23 19:47 . 2009-03-23 19:47 1,409 --a------ d:\windows\QTFont.for
    2009-03-23 00:12 . 2009-03-23 00:12 <DIR> d--hs---- d:\windows\ftpcache
    2009-03-23 00:11 . 2009-03-23 00:11 <DIR> d-------- d:\program files\MSXML 6.0
    2009-03-23 00:09 . 2007-10-12 15:14 3,734,536 --a------ d:\windows\system32\d3dx9_36.dll
    2009-03-23 00:08 . 2009-03-23 00:08 <DIR> d-------- d:\windows\Logs
    2009-03-23 00:08 . 2006-07-28 09:30 236,824 --a------ d:\windows\system32\xactengine2_3.dll
    2009-03-23 00:08 . 2006-07-28 09:30 62,744 --a------ d:\windows\system32\xinput1_2.dll
    2009-03-20 21:59 . 2009-03-20 21:59 <DIR> d-------- d:\windows\Hornet Leader Demo
    2009-03-14 13:49 . 2009-03-14 13:49 <DIR> d-------- d:\documents and settings\All Users\Application Data\Trymedia

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-13 08:35 --------- d-----w d:\documents and settings\123\Application Data\LimeWire
    2009-03-23 14:45 --------- d-----w d:\documents and settings\All Users\Application Data\Apple Computer
    2009-03-23 13:40 --------- d-----w d:\program files\Google
    2009-03-08 18:56 --------- d-----w d:\documents and settings\123\Application Data\Canon
    2009-03-03 10:28 --------- d-----w d:\documents and settings\123\Application Data\Privacy components
    2009-02-25 02:10 --------- d-----w d:\program files\Common Files\Symantec Shared
    2009-02-24 15:12 --------- d--h--w d:\program files\InstallShield Installation Information
    2008-09-25 19:32 8 --sh--r d:\windows\system32\ABE16357DF.sys
    2008-09-25 19:32 1,682 -csha-w d:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018CE4C8-72C0-4B5A-BD80-2DD26057CF02}]
    2001-10-05 00:45 143872 --a------ d:\windows\system32\pwhnllhg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A8CB43B-C929-4DC8-AE72-A5AF00F2E28B}]
    2001-10-05 00:45 106496 --a--c--- d:\windows\system32\twbkgln.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-11-08 141848]
    "HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-11-08 166424]
    "WinampAgent"="d:\program files\Winamp\winampa.exe" [2003-12-13 33792]
    "Persistence"="d:\windows\system32\igfxpers.exe" [2007-11-08 137752]
    "RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
    "googletalk"="d:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
    "Rthdcpl"="RTHDCPL.EXE" [2007-10-25 d:\windows\RTHDCPL.exe]

    d:\documents and settings\123\Start Menu\Programs\Startup\
    runit_32.lnk - d:\program files\runit\runit_32.exe [2008-12-26 24576]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    24Online Client.lnk - d:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2003-12-17 245760]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hqoiirle]
    2001-10-05 00:45 106496 d:\windows\system32\twbkgln.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=d:\windows\System32\FM20ENU32.dll d:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL,d:\windows\System32\FM20ENU32.dll d:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL,d:\windows\System32\FM20ENU32.dll d:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL,d:\windows\System32\FM20ENU32.dll d:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL,d:\windows\System32\FM20ENU32.dll,d:\windows\System32\devmgr32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "d:\\WINDOWS\\explorer.exe"=
    "c:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
    "d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
    "d:\\Program Files\\Alwil Software\\Avast4\\Setup\\avast.setup"=
    "d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    R0 nragbfmg;nragbfmg;d:\windows\system32\drivers\nragbfmg.sys [2001-10-05 23424]
    R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2009-01-30 78416]
    R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2009-01-30 20560]
    R2 kjxijqev;PnP ISA/EISA Bus Helper;d:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;d:\windows\system32\drivers\l251x86.sys [2008-09-20 30720]
    S2 gupdate1c9667bd874c874;Google Update Service (gupdate1c9667bd874c874);d:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 119280]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - TDSSserv.sys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    kjxijqev

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fc10b78-d03d-11dd-afab-0018f372bfef}]
    \Shell\AutoRun\command - System\DriveGuard\DriveProtect.exe -run*
    \Shell\Explore\Command - System\DriveGuard\DriveProtect.exe -run**
    \Shell\Open\Command - System\DriveGuard\DriveProtect.exe -run*

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2abb998-894d-11dd-ae9e-0018f372bfef}]
    \Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\desktop.exe
    \Shell\Explore\Command - g:\recycler\desktop.exe
    \Shell\Open\Command - g:\recycler\desktop.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-01 d:\windows\Tasks\At1.job
    - d:\windows\system32\twbkgln.dll [2001-10-05 00:45]

    2009-04-14 d:\windows\Tasks\At2.job
    - d:\windows\system32\supkeho.dll [2001-10-05 00:45]

    2009-04-12 d:\windows\Tasks\GoogleUpdateTaskMachine.job
    - d:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 16:00]

    2009-01-15 d:\windows\Tasks\Norton Security Scan for 123.job
    - d:\program files\Norton Security Scan\Nss.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-winmgmt - d:\windows\system32\wmiprvse.exe
    HKCU-Run-jsf8j34rgfght - d:\docume~1\123\LOCALS~1\Temp\winloggn.exe
    Notify-844b0466511 - d:\windows\System32\FM20ENU32.dll
    Notify-844b0466565 - d:\windows\System32\devmgr32.dll


    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Add to Google Photos Screensa&ver - d:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {11AE98C0-DE32-4D7F-98C3-49E731E7CCFD} = 85.255.112.150,85.255.112.69
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-14 20:58:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet018\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmaxt.sys"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1409082233-2111687655-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\System\ControlSet018\Services\TDSSserv.sys]
    @DACL=(02 0000)
    "start"=dword:00000001
    "type"=dword:00000001
    "imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmaxt.sys"
    "group"="file system"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(584)
    d:\windows\system32\twbkgln.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\program files\Alwil Software\Avast4\aswUpdSv.exe
    d:\program files\Alwil Software\Avast4\ashServ.exe
    d:\program files\Java\jre6\bin\jqs.exe
    d:\windows\system32\igfxsrvc.exe
    d:\program files\Alwil Software\Avast4\ashDisp.exe
    d:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-14 21:00:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-14 15:30:22

    Pre-Run: 6,991,749,120 bytes free
    Post-Run: 7,133,433,856 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\= "Microsoft Windows 98 "

    Current=18 Default=18 Failed=17 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
    209 --- E O F --- 2008-12-21 09:55:13
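What follows is an added example written for this page; it is not a tool posted by piyush or Juliet. It is a small Python script that walks the kind of ComboFix output posted above and pulls out the entries an analyst reads first: Winlogon Notify packages (a DLL mapped into winlogon.exe at every logon, as the "DLLs Loaded Under Running Processes" section confirms), AppInit_DLLs (loaded into every process that links user32.dll), the Security Center AntiVirusOverride and DisableMonitoring values (which stop Windows from warning that antivirus is off), services with random lowercase names, the deregistered TDSSserv.sys driver, the MountPoints2 autorun commands cached from a removable drive's autorun.inf (the ones pointing at RECYCLER\desktop.exe), At*.job tasks that load DLLs, and the per-interface DNS servers. The log excerpt embedded in the script is copied from the log above with the forum's quote spacing removed; the category names and the random-name heuristic are this example's own choices.

```python
"""Triage a ComboFix log for the persistence mechanisms visible in the thread."""
import re

# Constructed excerpt of the ComboFix log posted above (forum quote-spacing removed);
# it is not the complete log and stands in for a saved ComboFix.txt.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hqoiirle]
2001-10-05 00:45 106496 d:\windows\system32\twbkgln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\System32\FM20ENU32.dll d:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL,d:\windows\System32\FM20ENU32.dll,d:\windows\System32\devmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R0 nragbfmg;nragbfmg;d:\windows\system32\drivers\nragbfmg.sys [2001-10-05 23424]
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2009-01-30 78416]
R2 kjxijqev;PnP ISA/EISA Bus Helper;d:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]

*Deregistered* - TDSSserv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2abb998-894d-11dd-ae9e-0018f372bfef}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\desktop.exe
\Shell\Open\Command - g:\recycler\desktop.exe

2009-04-01 d:\windows\Tasks\At1.job
- d:\windows\system32\twbkgln.dll [2001-10-05 00:45]

TCP: {11AE98C0-DE32-4D7F-98C3-49E731E7CCFD} = 85.255.112.150,85.255.112.69
"""

KEY = re.compile(r"^\[-?(HKEY_[^\]]+)\]$")
APPINIT = re.compile(r'^"AppInit_DLLs\s*"\s*=\s*(.+)$', re.I)
SECCENTER = re.compile(r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)\s*"\s*=\s*dword:0*1$', re.I)
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[")       # "R0 name;display;image [date size]"
# Heuristic: ComboFix omits default services, so a bare run of lowercase letters here deserves a look.
RANDOM_NAME = re.compile(r"^[a-z]{7,10}$")
DEREGISTERED = re.compile(r"^\*Deregistered\*\s+-\s+(.+)$")
MOUNTPOINT = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
ATJOB = re.compile(r"\\Tasks\\(At\d+\.job)$")
NAMESERVERS = re.compile(r"^TCP:\s+\{[0-9A-F-]+\}\s+=\s+([\d.,]+)$", re.I)


def triage(text):
    """Return (category, detail) pairs for lines matching a persistence or tampering pattern."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    key = ""  # registry key the current line belongs to
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if m := KEY.match(line):
            key = m.group(1).lower()
            if r"winlogon\notify" in key and nxt:
                findings.append(("winlogon-notify", nxt.split()[-1]))  # next line carries the DLL path
        elif m := APPINIT.match(line):
            # entries are separated by commas or spaces and the same DLL may be repeated
            dlls = [d.lower() for part in m.group(1).split(",") for d in part.split()]
            findings.append(("appinit-dlls", ",".join(dict.fromkeys(dlls))))
        elif m := SECCENTER.match(line):
            findings.append(("security-center", f"{m.group(1)} under {key}"))
        elif m := SERVICE.match(line):
            if RANDOM_NAME.match(m.group(1)):
                findings.append(("random-service", f"{m.group(1)} -> {m.group(2)}"))
        elif m := DEREGISTERED.match(line):
            findings.append(("hidden-service", m.group(1)))
        elif (m := MOUNTPOINT.match(line)) and "mountpoints2" in key:
            guid = key.rsplit("\\", 1)[-1]
            findings.append(("autorun-hijack", f"{guid} {m.group(1)} -> {m.group(2)}"))
        elif (m := ATJOB.search(line)) and nxt.startswith("- "):
            findings.append(("at-job", f"{m.group(1)} -> {nxt[2:].split(' [')[0]}"))
        elif m := NAMESERVERS.match(line):
            findings.append(("dns-servers", m.group(1)))
    return findings


def shared_modules(findings):
    """Module basenames that back more than one persistence mechanism."""
    where = {}
    for category, detail in findings:
        for token in re.findall(r"[\w~.\\:-]+\.(?:dll|sys|exe)", detail, re.I):
            where.setdefault(token.rsplit("\\", 1)[-1].lower(), set()).add(category)
    return {name for name, cats in where.items() if len(cats) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, detail in found:
        print(f"{category:16} {detail}")
    print("shared:", shared_modules(found))
```

To use it on a real case, replace SAMPLE_LOG with the contents of a saved ComboFix.txt. shared_modules() is the part worth keeping: it shows which file backs more than one loading point (twbkgln.dll here, which the full log also registers as a BHO), which is why a fix has to remove every loading point together with the file, not one of them.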
     
  5. 2009/05/20
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I am so very sorry for the delay in my response.
    Please send a personal message if this should happen again.

    Please let's continue.

    Locate and delete the version of ComboFix I had you download earlier.

    Download Combofix from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2
    Link 3



    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

    Download Flash_Disinfector.exe by sUBs from >here<
    or from >here< and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until it has finished scanning and then exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please leave the flash drive plugged in while completing the following.


    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Then copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    RegLockDel::
    [HKEY_LOCAL_MACHINE\System\ControlSet018\Services\TDSSserv.sys]
    
    File:: 
    g:\recycler\desktop.exe
    d:\windows\system32\drivers\nragbfmg.sys
    d:\windows\System32\FM20ENU32.dll
    d:\windows\system32\twbkgln.dll
    d:\windows\system32\pwhnllhg.dll
    d:\documents and settings\123\Application Data\rjiblmtq
    d:\windows\system32\drivers\gaopdxserv.sys
    d:\windows\system32\5.tmp
    d:\windows\system32\supkeho.dll
    Folder::
    d:\program files\runit
    d:\documents and settings\NetworkService\Application Data\rjiblmtq
    d:\documents and settings\All Users\Application Data\Trymedia
    FixCSet::
    Driver::
    nragbfmg
    kjxijqev
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2abb998-894d-11dd-ae9e-0018f372bfef}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fc10b78-d03d-11dd-afab-0018f372bfef}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"="GOEC62~1.DLL"=
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hqoiirle]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "runit_32.lnk"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018CE4C8-72C0-4B5A-BD80-2DD26057CF02}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A8CB43B-C929-4DC8-AE72-A5AF00F2E28B}]
    AtJob::
    NetSvc::
    kjxijqev

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
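As an added example (not Flash_Disinfector's code and not part of Juliet's instructions), here is the idea behind the hidden autorun.inf folder, in Python: read what an autorun.inf on a drive root would launch, move the file aside, and occupy the name with a directory so the worm cannot write its file back while the directory exists. The autorun.inf content is constructed to mirror the MountPoints2 commands in the log (Explorer caches a shellexecute= line as the RunDLL32 ... ShellExec_RunDLL command seen there); the quarantine file name and the throwaway directory used by demo() are this example's choices. The attribute value passed to SetFileAttributesW is Win32's FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM, and that call only runs on Windows.

```python
"""Inspect a drive root's autorun.inf and occupy the name with a directory."""
import ctypes
import os
import tempfile
from pathlib import Path

# Constructed autorun.inf modelled on the MountPoints2 commands cached in the log
# above; it is not a file recovered from the poster's drives.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\desktop.exe
shellexecute=RECYCLER\\desktop.exe
shell\\open\\command=RECYCLER\\desktop.exe
shell\\explore\\command=RECYCLER\\desktop.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return the launch directives in [autorun]: open=, shellexecute= and shell\\<verb>\\command=."""
    targets = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue  # worms pad the file with junk lines; anything that is not key=value is ignored
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value.strip()
    return targets


def autorun_state(root):
    """'file' (autorun would be honoured), 'directory' (name is occupied) or 'absent'."""
    inf = Path(root) / "autorun.inf"
    if inf.is_dir():
        return "directory"
    if inf.is_file():
        return "file"
    return "absent"


def protect_root(root):
    """Move an autorun.inf file aside and create a hidden, system, read-only directory in its place."""
    inf = Path(root) / "autorun.inf"
    quarantined = None
    if inf.is_file():
        quarantined = inf.with_name("autorun.inf.quarantine")  # name chosen for this example
        inf.replace(quarantined)
    if not inf.is_dir():
        inf.mkdir()
    if os.name == "nt":
        # FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM = 0x1 | 0x2 | 0x4
        ctypes.windll.kernel32.SetFileAttributesW(str(inf), 0x7)
    return quarantined


def demo():
    """Run the whole flow in a throwaway directory standing in for a drive root."""
    with tempfile.TemporaryDirectory() as fake_root:
        (Path(fake_root) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        before = autorun_state(fake_root)
        targets = parse_autorun((Path(fake_root) / "autorun.inf").read_text())
        saved = protect_root(fake_root)
        after = autorun_state(fake_root)
        return before, after, targets, saved.read_text()


if __name__ == "__main__":
    before, after, targets, _ = demo()
    print(before, "->", after)
    for key, value in targets.items():
        print(f"  {key} = {value}")
```

Two caveats. A plain directory is only a name collision: any process with write access to the drive root can remove it and drop the file again, which is one reason to prefer a dedicated tool over this demonstration. And the parser is deliberately lenient because autorun.inf files dropped by this kind of worm are often padded with junk between the keys; a strict INI parser would reject them while Explorer still honours them.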
     
