
"Windows has detected spyware infection!" Balloon popup and other problems

Discussion in 'Virus & Other Malware Removal' started by Ests, Nov 12, 2008.

  1. Ests

    Ests Thread Starter

    Joined:
    Nov 12, 2008
    Messages:
    4
    I've posted this at the VirtualDR forums too: http://discussions.virtualdr.com/showthread.php?p=1251748#post1251748

    Similar to a few other posts there, I started with a popup pretending to be from Microsoft, telling me I had a virus on my computer and trying to get me to download AntivirusPro 2009 (a fake antivirus program). From there it stopped me visiting any websites that might help me remove it (anti-spyware sites etc., even Google) by changing the address of any site I typed so that they wouldn't work. It somehow managed to close my antivirus software and prevents any exes in its blacklist (e.g. any antivirus programs, including the setup exes of other antivirus software, so you couldn't install a new one) from running.

    Here are a few threads that I've found where the user has had similar experiences to mine.
    http://discussions.virtualdr.com/showthread.php?t=234838
    http://discussions.virtualdr.com/showthread.php?t=234795
    http://forums.techguy.org/malware-r...locking-removal-malware-antimalwarebytes.html

    I've been following the advice in the second thread; renaming a few of the exes has allowed me to run most of the requested programs and I now have some logs which I hope you can help me with.


    SuperAntiSpyware Log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/12/2008 at 04:01 PM

    Application Version : 4.21.1004

    Core Rules Database Version : 3633
    Trace Rules Database Version: 1616

    Scan type : Complete Scan
    Total Scan Time : 04:35:35

    Memory items scanned : 175
    Memory threats detected : 2
    Registry items scanned : 6793
    Registry threats detected : 57
    File items scanned : 152247
    File threats detected : 159

    Trojan.Vundo-Variant/Packed-GEN
    C:\WINDOWS\SYSTEM32\IIFDASQN.DLL
    C:\WINDOWS\SYSTEM32\IIFDASQN.DLL
    C:\WINDOWS\SYSTEM32\RQRHATJJ.DLL
    C:\WINDOWS\SYSTEM32\RQRHATJJ.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF45184C-6EE4-43F7-AE85-2576219D3420}
    HKCR\CLSID\{DF45184C-6EE4-43F7-AE85-2576219D3420}
    HKCR\CLSID\{DF45184C-6EE4-43F7-AE85-2576219D3420}\InprocServer32
    HKCR\CLSID\{DF45184C-6EE4-43F7-AE85-2576219D3420}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1F1537F-671E-41C2-8B7E-C3042F59C7ED}
    HKCR\CLSID\{F1F1537F-671E-41C2-8B7E-C3042F59C7ED}
    HKCR\CLSID\{F1F1537F-671E-41C2-8B7E-C3042F59C7ED}\InprocServer32
    HKCR\CLSID\{F1F1537F-671E-41C2-8B7E-C3042F59C7ED}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F1F1537F-671E-41C2-8B7E-C3042F59C7ED}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iifdAsqN
    C:\WINDOWS\SYSTEM32\DDCYSSMC.DLL

    Trojan.Dropper/Gen-NV
    [brastk] C:\WINDOWS\SYSTEM32\BRASTK.EXE
    C:\WINDOWS\SYSTEM32\BRASTK.EXE
    [brastk] C:\WINDOWS\SYSTEM32\BRASTK.EXE
    [brastk] C:\WINDOWS\SYSTEM32\BRASTK.EXE
    C:\WINDOWS\BRASTK.EXE

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\InprocServer32
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\InprocServer32#ThreadingModel
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\ProgID
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\Programmable
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\TypeLib
    HKCR\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\VersionIndependentProgID
    HKCR\HTASS.HTDP.1
    HKCR\HTASS.HTDP.1\CLSID
    HKCR\HTASS.HTDP
    HKCR\HTASS.HTDP\CLSID
    HKCR\HTASS.HTDP\CurVer
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}\1.0
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}\1.0\0
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}\1.0\0\win32
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}\1.0\FLAGS
    HKCR\TypeLib\{4677FF8F-7740-4a9c-9F5E-E93794A86E85}\1.0\HELPDIR
    C:\WINDOWS\HTASS.DLL

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKLM\SOFTWARE\Microsoft\RemoveRP
    HKLM\SOFTWARE\Microsoft\MS Juan
    HKLM\SOFTWARE\Microsoft\MS Juan#RID
    HKLM\SOFTWARE\Microsoft\contim
    HKLM\SOFTWARE\Microsoft\contim#SysShell
    HKLM\SOFTWARE\Microsoft\MS Track System
    HKLM\SOFTWARE\Microsoft\MS Track System#Uid
    HKLM\SOFTWARE\Microsoft\rdfa
    HKLM\SOFTWARE\Microsoft\rdfa#F
    HKLM\SOFTWARE\Microsoft\rdfa#N

    Rogue.XP AntiSpyware 2009
    HKU\S-1-5-21-436374069-1592454029-725345543-1003\Control Panel\don't load#wscui.cpl [ No ]

    Rogue.XP AntiSpyware2009-Trace
    C:\WINDOWS\karna.dat
    C:\WINDOWS\system32\karna.dat
    C:\WINDOWS\system32\_scui.cpl

    Trojan.Downloader-Gen
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ brastk.exe ]
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ C:\WINDOWS\system32\brastk.exe ]
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ C:\WINDOWS\system32\brastk.exe ]

    Rogue.Component/Trace
    HKLM\Software\Microsoft\88A8A18C
    HKLM\Software\Microsoft\88A8A18C#88a8a18c
    HKLM\Software\Microsoft\88A8A18C#Version
    HKLM\Software\Microsoft\88A8A18C#88a80c0c
    HKLM\Software\Microsoft\88A8A18C#88a865e9

    Rogue.AntiVirusPro2009
    HKLM\Software\AntivirusPro2009
    HKLM\Software\AntivirusPro2009#email3
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus Pro 2009 [ "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide ]
    C:\Program Files\AntivirusPro2009
    C:\Documents and Settings\Hugh\Start Menu\Programs\AntivirusPro2009\AntivirusPro2009.lnk
    C:\Documents and Settings\Hugh\Start Menu\Programs\AntivirusPro2009\Uninstall.lnk
    C:\Documents and Settings\Hugh\Start Menu\Programs\AntivirusPro2009

    Trojan.Fake-Alert/Trace
    HKU\S-1-5-21-436374069-1592454029-725345543-1003\SOFTWARE\Microsoft\fias4013

    Rootkit.Karna/Beep-Fake
    C:\WINDOWS\DRIVERS\BEEP.SYS
    C:\WINDOWS\SYSTEM32\DLLCACHE\BEEP.SYS
    C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS

    Trojan.Vundo-Variant/Packed-Zone
    C:\WINDOWS\SYSTEM32\DRJWLWXB.DLL

    Adware.Vundo/Variant-Zone
    C:\WINDOWS\SYSTEM32\QFLWKT.DLL
    C:\WINDOWS\SYSTEM32\YQICFPDL.DLL

    I've removed the cookies from the post, so that's why it says there are more results than in this log. As suggested I quarantined and removed what it could, and this has got rid of the popup, but I'm not convinced it's all clean yet as it's still running very slowly and certain exes won't open.
     
  2. Ests

    Ests Thread Starter

    Joined:
    Nov 12, 2008
    Messages:
    4
    HijackThis Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:40:30, on 12/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
    C:\Program Files\Trend Micro\HijackThis\hjtnothing.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [88a8b302] rundll32.exe "C:\WINDOWS\system32\drjwlwxb.dll",b
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Bleh Obj] C:\DOCUME~1\Hugh\APPLIC~1\INFOHE~1\Readme Flap.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Hugh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Logitech SetPoint.lnk = ?
    O4 - Startup: Thumbs.db
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O13 - WWW. Prefix: http://
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127922181607
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O20 - AppInit_DLLs: karna.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 10356 bytes
     
  3. Ests

    Ests Thread Starter

    Joined:
    Nov 12, 2008
    Messages:
    4
    GMER Log:
    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-11-12 16:53:09
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT 89DE2708 ZwConnectPort
    SSDT 89FAA890 ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6E4A2A0]
    SSDT 89DCDC38 ZwLoadDriver
    SSDT 88F5E428 ZwResumeThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6E4AA50]

    Code E203E490 ZwEnumerateKey
    Code E1ECA868 ZwFlushInstructionCache
    Code B6F1BEAB pIofCallDriver

    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP E203E494
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP E1ECA86C
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\WINDOWS\Explorer.EXE[2056] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\Explorer.EXE[2056] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00C3000A
    .text C:\WINDOWS\Explorer.EXE[2056] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5000A

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Modules - GMER 1.0.14 ----

    Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) B6F1A000-B6F2C000 (73728 bytes)

    ---- Threads - GMER 1.0.14 ----

    Thread 4:456 B6F1CD66

    ---- Services - GMER 1.0.14 ----

    Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0xC3 0xD9 0xC2 0xEB ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0xEE 0x8D 0xA4 0x05 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0A 0x2F 0x20 0x67 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x9C 0x1A 0xB1 0xA2 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xC3 0xD9 0xC2 0xEB ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0xEE 0x8D 0xA4 0x05 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0A 0x2F 0x20 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x9C 0x1A 0xB1 0xA2 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\[email protected] 30501
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xC3 0xD9 0xC2 0xEB ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0xEE 0x8D 0xA4 0x05 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0A 0x2F 0x20 0x67 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x9C 0x1A 0xB1 0xA2 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmtvd.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSShrxr.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmtql.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsahc.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmhct.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSotxh.log
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] 0xC3 0xD9 0xC2 0xEB ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0xEE 0x8D 0xA4 0x05 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x0A 0x2F 0x20 0x67 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x9C 0x1A 0xB1 0xA2 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
    Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
    Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] file system
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSoiqt.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmtvd.dat
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSShrxr.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmtql.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSsahc.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSmhct.log
    Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\[email protected] \systemroot\system32\TDSSotxh.log
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 11
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] v3av
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 0x09 0x19 0x1F 0x16 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10010
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] pagead2.googlesyndication.com
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 1

    ---- EOF - GMER 1.0.14 ----

    The bit I've highlighted in red is because of this post in my second link:
    and this looks similar, but then again I know nothing about this, so I've not deleted anything yet.


    Unfortunately I can't update the Malwarebytes definitions because the virus prevents access to certain sites, including the update server.

    I've turned off my pc for now so I'm just waiting for any help you can give.
    Thanks in advance,
    Ests
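The logs in the three posts above are long, and most lines are benign. As an added example (not from this thread, and not part of HijackThis, GMER or SUPERAntiSpyware), the following script runs over lines in the shape of the HijackThis and GMER output posted here and pulls out the entries a helper would look at first: a populated AppInit_DLLs value, rundll32 autoruns with hex or random-looking names, autoruns launched from the user's Application Data folder, and anything GMER marks as hidden. The sample lines are copied from the logs in this thread; the name heuristics (an 8-hex-digit Run entry name, an 8-lowercase-letter DLL stem) are assumptions drawn from the entries on this page, not a signature.

```python
"""Triage helper for HijackThis / GMER style log lines (added example).

The rules below are assumptions drawn from the entries in this thread; they are a
first-pass filter for a human reviewer, not a detection signature.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


# HijackThis "O4" lines are registry Run autoruns; "O20 - AppInit_DLLs" lists DLLs
# that user32.dll loads into every GUI process. GMER tags objects it could only see
# by reading below the Windows API as "*** hidden ***".
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(\S.*)$")
RE_RUN = re.compile(r"^O4 - HK\S*?\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RE_RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
RE_HIDDEN = re.compile(r"\*\*\* hidden \*\*\*")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")      # e.g. [88a8b302]   (assumed heuristic)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")      # e.g. drjwlwxb.dll (assumed heuristic)

# Constructed sample: lines copied from the logs posted in this thread, plus
# benign lines for contrast. Backslashes are doubled for Python.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [88a8b302] rundll32.exe "C:\\WINDOWS\\system32\\drjwlwxb.dll",b
O4 - HKCU\\..\\Run: [Bleh Obj] C:\\DOCUME~1\\Hugh\\APPLIC~1\\INFOHE~1\\Readme Flap.exe
O4 - HKCU\\..\\Run: [Google Update] "C:\\Documents and Settings\\Hugh\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
Module \\systemroot\\system32\\drivers\\TDSSmqlt.sys (*** hidden *** ) B6F1A000-B6F2C000 (73728 bytes)
Service C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
"""


def _stem(path: str) -> str:
    """File name without directory or extension, for Windows or POSIX paths."""
    base = re.split(r"[\\/]", path)[-1]
    return base.rsplit(".", 1)[0]


def analyse(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = RE_APPINIT.match(line)
        if m:  # any populated AppInit_DLLs value on a home PC deserves a look
            findings.append(Finding(n, "appinit_dll", m.group(1)))
            continue
        m = RE_RUN.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            dll = RE_RUNDLL_DLL.search(cmd)
            stem = _stem(dll.group(1)) if dll else ""
            up = cmd.upper()
            # Roaming Application Data is an odd place for an autorun; the per-user
            # "Local Settings\Application Data" tree is excluded because Google Update
            # (seen in the HijackThis log above) legitimately installs there.
            in_roaming_appdata = (
                ("APPLIC~1\\" in up or "\\APPLICATION DATA\\" in up)
                and "LOCAL SETTINGS\\APPLICATION DATA" not in up
                and "LOCALS~1\\APPLIC~1" not in up
            )
            if HEX_NAME.match(name) or RANDOM_STEM.match(stem):
                findings.append(Finding(n, "suspicious_rundll32_autorun", f"[{name}] {cmd}"))
            elif in_roaming_appdata:
                findings.append(Finding(n, "autorun_in_user_appdata", f"[{name}] {cmd}"))
            continue
        if RE_HIDDEN.search(line):  # GMER module/service the Windows API did not report
            findings.append(Finding(n, "gmer_hidden_object", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, so a reviewer sees the shape of the log at a glance."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.rule:<28} {f.detail}")
    print(summarize(analyse(SAMPLE_LOG)))
```

On the sample this flags the `[88a8b302]` rundll32 entry, the `Readme Flap.exe` autorun, the `karna.dat` AppInit_DLLs value and both hidden TDSS lines, and leaves the NVIDIA, Google Update and SUPERAntiSpyware lines alone. The point of the heuristics is triage order, not verdicts: a flagged line still needs the file checked before anything is removed.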
     
  4. Ests

    Ests Thread Starter

    Joined:
    Nov 12, 2008
    Messages:
    4
    Any help appreciated.
     
Short URL to this thread: https://techguy.org/768649