Rootkit.tdss was still found, now what?


Rootkit.tdss was still found, now what?

Post by breba01 on Wed Sep 02, 2009 11:50 pm

When I ran the Malwarebytes program, it got rid of everything and then there was just one thing left, the rootkit.tdss... I found a post that said to do one of the combo fixes. So I did that and wanted to post my log to see what I should do next. Thanks so much.

ComboFix 09-09-02.02 - Terra 09/02/2009 16:03.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.435 [GMT -7:00]
Running from: c:\documents and settings\Terra\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Terra\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Terra\Local Settings\Temp\catchme.dll
C:\Images
c:\images\DirCfg.ini
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\394\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\394\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atinet.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpdmod.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpng12.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atprtses.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atrares.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\394\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atwbxui.dll
c:\windows\Downloaded Program Files\MyWebEx\394\rafilesp.dll
c:\windows\Downloaded Program Files\MyWebEx\394\ramtmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\394\ratrace.dll
c:\windows\Downloaded Program Files\MyWebEx\394\trace.txt
c:\windows\Downloaded Program Files\MyWebEx\394\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\394\wbxadex.dll
c:\windows\Downloaded Program Files\MyWebEx\394\wbxcrypt.dll
c:\windows\Fonts\Wphv07nb.ttf
c:\windows\Installer\10045283.msi
c:\windows\Installer\10c1588.msi
c:\windows\Installer\10c158e.msi
c:\windows\Installer\157cf.msp
c:\windows\Installer\198815.msi
c:\windows\Installer\22ff88.msp
c:\windows\Installer\69acb.msp
c:\windows\system\mixcsd04.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_kbiwkmpeuurwgq
-------\Service_kbiwkmpeuurwgq


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\Terra\Application Data\Malwarebytes
2009-09-02 21:05 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 21:05 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 19:20 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 19:20 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 19:20 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-02 19:20 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 19:20 . 2009-09-02 21:35 -------- d-----w- c:\program files\Spyware Doctor
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\documents and settings\Terra\Application Data\PC Tools
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-02 19:17 . 2009-09-02 23:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 19:03 . 2009-09-02 19:03 163840 ----a-w- c:\windows\svchasts.exe
2009-09-02 00:51 . 2009-09-02 01:31 45344 ----a-w- c:\windows\system32\drivers\iqaf817.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 13:58 . 2009-09-02 19:20 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-07-31 13:54 . 2009-07-30 23:09 65 ----a-w- c:\windows\system32\bd9440cn.dat
2009-07-30 23:08 . 2003-11-19 23:47 -------- d-----w- c:\program files\Brother
2009-07-30 23:07 . 2003-11-13 15:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 23:07 . 2009-07-30 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-07-30 23:07 . 2009-07-30 23:07 -------- d-----w- c:\documents and settings\Terra\Application Data\InstallShield
2008-03-04 21:35 . 2003-12-02 20:48 2 ----a-w- c:\program files\LIMITS.DAT
2007-02-23 18:50 . 2003-12-02 20:52 25030 ---ha-w- c:\program files\FSHELP.GID
2005-05-11 17:36 . 2005-05-11 17:34 8628 ---ha-w- c:\program files\RPHELP.GID
2005-01-26 18:28 . 2004-11-15 23:49 16826 ---ha-w- c:\program files\EZHELP.GID
2005-01-26 18:27 . 2004-11-19 16:04 164 ----a-w- c:\program files\BACKUP.LOG
2004-11-15 23:49 . 2004-11-15 23:48 8628 ---ha-w- c:\program files\FDHELP.GID
2003-12-02 20:44 . 2003-12-02 20:44 22 ----a-w- c:\program files\Spellit.Dat
2003-12-02 20:44 . 2003-12-02 20:44 175 ----a-w- c:\program files\Numbers.Dat
2003-12-02 20:44 . 2003-12-02 20:44 0 ----a-w- c:\program files\Doctor.Dat
2002-03-14 19:19 . 2003-12-02 20:41 427520 ----a-w- c:\program files\WORKCOMP.EXE
2002-03-14 19:14 . 2003-12-02 20:40 523264 ----a-w- c:\program files\ATTORNEY.EXE
2002-03-14 12:19 . 2003-12-02 20:41 3287552 ----a-w- c:\program files\REPORT.EXE
2002-03-14 12:18 . 2003-12-02 20:41 375808 ----a-w- c:\program files\PREPECS.EXE
2002-03-14 12:18 . 2003-12-02 20:41 389120 ----a-w- c:\program files\NSF.EXE
2002-03-14 12:18 . 2003-12-02 20:41 1516032 ----a-w- c:\program files\NOTES.EXE
2002-03-14 12:17 . 2003-12-02 20:40 1100800 ----a-w- c:\program files\INSTALL.EXE
2002-03-14 12:17 . 2003-12-02 20:40 686592 ----a-w- c:\program files\INS.EXE
2002-03-14 12:17 . 2003-12-02 20:40 320000 ----a-w- c:\program files\IMPORT.EXE
2002-03-14 12:17 . 2003-12-02 20:40 2376704 ----a-w- c:\program files\FRONT.EXE
2002-03-14 12:16 . 2003-12-02 20:40 2230272 ----a-w- c:\program files\FILING.EXE
2002-03-14 12:15 . 2003-12-02 20:40 245760 ----a-w- c:\program files\EZTRANS.EXE
2002-03-14 12:15 . 2003-12-02 20:40 497664 ----a-w- c:\program files\EZBIS.EXE
2002-03-14 12:15 . 2003-12-02 20:40 212480 ----a-w- c:\program files\EDITDOC.EXE
2002-03-14 12:15 . 2003-12-02 20:40 750592 ----a-w- c:\program files\DNOTES.EXE
2002-03-14 12:15 . 2003-12-02 20:40 1012736 ----a-w- c:\program files\CHECK.EXE
2002-03-14 12:14 . 2003-12-02 20:40 1477632 ----a-w- c:\program files\BILLING.EXE
2002-03-14 11:29 . 2003-12-02 20:41 831488 ----a-w- c:\program files\WORD.EXE
2002-03-14 11:29 . 2003-12-02 20:40 268288 ----a-w- c:\program files\CONVERT.DLL
2002-03-14 11:29 . 2003-12-02 20:40 1144832 ----a-w- c:\program files\CODEMGR.DLL
2002-01-18 16:22 . 2003-12-02 20:40 167936 ----a-w- c:\program files\MAKEFILE.EXE
2001-12-07 16:39 . 2003-12-02 20:41 71680 ----a-w- c:\program files\NSFSET.EXE
2001-10-29 11:42 . 2003-12-02 20:41 52224 ----a-w- c:\program files\SPELLING.DLL
2001-10-05 10:59 . 2003-12-02 20:41 22372 ----a-w- c:\program files\VARLIST.DAT
2001-08-09 13:55 . 2003-12-02 20:40 34304 ----a-w- c:\program files\CVIMAGE.EXE
2001-08-09 13:43 . 2003-12-02 20:40 6272 ----a-w- c:\program files\ETSNT4.BAT
2001-06-13 09:45 . 2003-12-02 20:40 79872 ----a-w- c:\program files\IMCONV2.EXE
2001-03-30 15:20 . 2003-12-02 20:41 256 ----a-w- c:\program files\ZIPIT.BAT
2001-03-21 11:04 . 2003-12-02 20:41 35328 ----a-w- c:\program files\UNZIPIT.EXE
2001-03-16 12:04 . 2003-12-02 20:41 55808 ----a-w- c:\program files\VERINFO.EXE
2001-02-14 10:16 . 2003-12-02 20:41 19190 ----a-w- c:\program files\WPHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 101059 ----a-w- c:\program files\TNHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 68807 ----a-w- c:\program files\RPHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 5888 ----a-w- c:\program files\NSF.BAT
2001-02-14 10:16 . 2003-12-02 20:40 257949 ----a-w- c:\program files\FSHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 77063 ----a-w- c:\program files\FDHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 120153 ----a-w- c:\program files\EZHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 29364 ----a-w- c:\program files\DNHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 173197 ----a-w- c:\program files\BSHELP.HLP
2001-02-02 15:40 . 2003-12-02 20:41 106 ----a-w- c:\program files\OMIT.LST
2000-12-29 11:41 . 2003-12-02 20:41 339456 ----a-w- c:\program files\PKZIP25.EXE
2000-12-29 11:41 . 2003-12-02 20:40 4213 ----a-w- c:\program files\LICENSE.TXT
2000-12-28 18:16 . 2003-12-02 20:40 27136 ----a-w- c:\program files\CHKDISK.EXE
2000-11-20 17:15 . 2003-12-02 20:41 4718 ----a-w- c:\program files\VERINFO.DAT
2000-09-20 07:56 . 2003-12-02 20:40 84480 ----a-w- c:\program files\IMMAKE.EXE
2000-09-13 10:11 . 2003-12-02 20:40 75264 ----a-w- c:\program files\IMCONV.EXE
2000-06-15 09:40 . 2003-12-02 20:41 83456 ----a-w- c:\program files\SCREEN.EXE
2000-02-24 09:39 . 2003-12-02 20:41 908672 ----a-w- c:\program files\SPELL.DAT
2000-01-26 08:49 . 2003-12-02 20:40 6312 ----a-w- c:\program files\ETS.BAT
1999-12-27 13:23 . 2003-12-02 20:41 216640 ----a-w- c:\program files\SPHELP.HLP
1999-10-12 09:26 . 2003-12-02 20:41 11776 ----a-w- c:\program files\YORN.EXE
1999-10-12 09:25 . 2003-12-02 20:40 63488 ----a-w- c:\program files\MAKEDAT.EXE
1999-10-12 09:25 . 2003-12-02 20:40 62592 ----a-w- c:\program files\ECSWIN.EXE
1999-10-12 09:25 . 2003-12-02 20:40 63488 ----a-w- c:\program files\ECSDOS.EXE
1999-08-05 14:37 . 2003-12-02 20:40 128 ----a-w- c:\program files\CLINIC.DAT
1999-04-13 12:19 . 2003-12-02 20:40 62592 ----a-w- c:\program files\ECS.EXE
1998-11-12 11:16 . 2003-12-02 20:41 12358 ----a-w- c:\program files\RPBUTTON.BMP
1998-11-12 11:16 . 2003-12-02 20:41 452278 ----a-w- c:\program files\RPBACK.BMP
1997-11-21 10:12 . 2003-12-02 20:40 16378 ----a-w- c:\program files\EXPAND.EXE
2006-10-11 08:04 . 2004-12-20 18:43 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2004-12-20 18:43 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2007-11-26 22:09 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2007-11-26 22:09 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2004-12-20 18:43 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll


Re: Rootkit.tdss was still found, now what?

Post by breba01 on Wed Sep 02, 2009 11:50 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="c:\program files\Hot Keyboard Pro\HotKeyb.exe" [2008-01-27 1041064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2005-07-08 491520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-12 282624]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/2/2009 12:20 PM 206256]
S0 iqaf817;iqaf817;\SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys --> \SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys [?]
S1 193dd5c7.sys;193dd5c7.sys;\??\c:\windows\System32\drivers\193dd5c7.sys --> c:\windows\System32\drivers\193dd5c7.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/19/2003 12:41 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [11/19/2003 12:42 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [11/19/2003 12:42 PM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [11/19/2003 12:42 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [12/19/2003 8:19 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [12/19/2003 8:19 AM 10368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/2/2009 12:20 PM 348752]
S3 TLA13;TLA13;\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak --> c:\docume~1\Terra\LOCALS~1\Temp\user.bak [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2006-07-25 04:55]

2009-09-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-01-19 16:04]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Assign &hot key - c:\program files\Hot Keyboard Pro\IEScript.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {B9EF096C-B1D4-43CB-A62C-0CD0D0A6925D} = 192.168.17.1,205.177.3.65
DPF: {BAE57CC6-88D1-4AE8-B6FD-306120D5BC52} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13]
"ImagePath"="\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\SYSTEM32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-09-02 16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 23:17

Pre-Run: 66,003,361,792 bytes free
Post-Run: 66,430,873,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


Re: Rootkit.tdss was still found, now what?

Post by Belahzur on Thu Sep 03, 2009 12:06 am

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :services
    iqaf817
    193dd5c7.sys
    TLA13

    :files
    c:\windows\svchasts.exe
    c:\windows\system32\drivers\iqaf817.sys
    c:\windows\system32\bd9440cn.dat

    :reg
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
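As an added example (not part of the thread, and not code from ComboFix or OTM): a small heuristic triage of the Drivers/Services lines from the ComboFix log above, scoring the same signals the helper acted on (image ComboFix could not read, marked `[?]`; image under a Temp directory; no descriptive display name; random-looking names). The rule weights and the flag threshold are assumptions, not ComboFix's own logic.

```python
"""Heuristic triage of the Drivers/Services section of a ComboFix log."""
import ntpath
import re
from dataclasses import dataclass, field

# Lines copied from the ComboFix log posted above. ComboFix writes one line per
# service: "<start> <name>;<display name>;<image path> [<date size>]" or, when it
# cannot read the image, "<path> --> <resolved path> [?]".
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/2/2009 12:20 PM 206256]
S0 iqaf817;iqaf817;\SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys --> \SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys [?]
S1 193dd5c7.sys;193dd5c7.sys;\??\c:\windows\System32\drivers\193dd5c7.sys --> c:\windows\System32\drivers\193dd5c7.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/19/2003 12:41 PM 2944]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/2/2009 12:20 PM 348752]
S3 TLA13;TLA13;\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak --> c:\docume~1\Terra\LOCALS~1\Temp\user.bak [?]
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
KNOWN_IMAGE_EXT = {".sys", ".exe", ".dll"}
FLAG_THRESHOLD = 2  # assumed cut-off; the rules below add weighted points


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str
    unresolved: bool          # True when the line ends in "[?]"
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for one Drivers/Services line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, rest = m.groups()
    unresolved = rest.endswith("[?]")
    if " --> " in rest:                  # ComboFix prints the resolved path after the arrow
        rest = rest.split(" --> ", 1)[1]
    image = rest.rsplit(" [", 1)[0]     # drop the trailing "[date size]" or "[?]"
    return ServiceEntry(start, name, display, image, unresolved)


def score_entry(e):
    """Apply the heuristics to one entry; fills in score/reasons and returns it."""
    stem = e.name.rsplit(".", 1)[0]
    low = e.image.lower()
    ext = ntpath.splitext(low)[1]
    rules = [
        (e.unresolved, 2, "ComboFix could not read the image file ([?])"),
        ("\\temp\\" in low, 2, "image lives under a Temp directory"),
        (ext not in KNOWN_IMAGE_EXT, 1, "unusual image extension %r" % ext),
        (e.display == e.name, 1, "no descriptive display name"),
        (any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem), 1,
         "random-looking name mixing letters and digits"),
    ]
    for hit, points, why in rules:
        if hit:
            e.score += points
            e.reasons.append(why)
    return e


def triage(log_text, threshold=FLAG_THRESHOLD):
    """Return the entries scoring at or above threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is not None and score_entry(e).score >= threshold:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%s %s score=%d: %s" % (e.start, e.name, e.score, "; ".join(e.reasons)))
```

On the sample it flags exactly the three services the helper removed with OTM and leaves the Brother and PC Tools entries alone; a score is a prompt to look closer, not a verdict.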



Re: Rootkit.tdss was still found, now what?

Post by breba01 on Thu Sep 03, 2009 1:59 pm

Here is what was in the result window, and below that is what was in the log that it made.

========== SERVICES/DRIVERS ==========

Service\Driver iqaf817 deleted successfully.

Service\Driver 193dd5c7.sys deleted successfully.

Service\Driver TLA13 deleted successfully.
========== FILES ==========
c:\windows\svchasts.exe moved successfully.
c:\windows\system32\drivers\iqaf817.sys moved successfully.
c:\windows\system32\bd9440cn.dat moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_065619
From the log.....
========== SERVICES/DRIVERS ==========

Service\Driver iqaf817 deleted successfully.

Service\Driver 193dd5c7.sys deleted successfully.

Service\Driver TLA13 deleted successfully.
========== FILES ==========
c:\windows\svchasts.exe moved successfully.
c:\windows\system32\drivers\iqaf817.sys moved successfully.
c:\windows\system32\bd9440cn.dat moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_065619


Re: Rootkit.tdss was still found, now what?

Post by Belahzur on Thu Sep 03, 2009 2:57 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

