
Rootkitpatched.TDSSg

#10 KenBeck (Topic Starter), Members, 14 posts. Posted 27 April 2011.

Attached Files: Gmer.txt (378.55KB, 2 downloads)

#9 RPMcMurphy, Malware Response Team, 3,970 posts. Posted 27 April 2011 - 12:28

Download GMER Rootkit Scanner from here to your desktop.

Save ComboFix.exe to your Desktop.
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.

I don't think I did the Gmer scan correctly and am redoing it; I will post it shortly.

Completion time: 2011-04-28 15:14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-28 19:14

DDS (Ver_11-03-05.01) - NTFSx86
Run by Kurt Melcher at 22:29:12.10 on Wed 04/13/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.368 [GMT -4:00]

type msgs) log follows:

ComboFix 11-04-27.01 - Kurt Melcher 04/28/2011 14:41:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.594 [GMT -4:00]
Running from: c:\documents and settings\Kurt Melcher\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Outdated*

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

scanning hidden processes ...

AV: BitDefender Antivirus *Enabled/Outdated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled*

============== Running Processes ===============

c:\system volume information\_restore{67c4541f-d3f2-450d-8ba3-de79d55388cd}\RP275\A0027377.exe (Rogue.AntiVirusAntiSpyware2011) -> No action taken.

c:\documents and settings\Kurt Melcher\Start Menu\Programs\Startup\
Antimalware Doctor.lnk - c:\documents and settings\Kurt Melcher\Application Data\3C593E30AE1F4ABD39B69FBC94A68DEF\k70ccreloc.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [2011-4-8 12960]
R1 Bdvedisk;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [2010-1-19 85128]
R2 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2011-3-24 43936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-4-22 149520]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf.sys [2010-8-20

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\Qoobox\quarantine\C\documents and settings\kurt melcher\application data\defender.exe.vir (Trojan.FakeAlert) -> No action taken.
c:\system volume information\_restore{67c4541f-d3f2-450d-8ba3-de79d55388cd}\RP280\A0040721.exe (Trojan.CodecPack) -> No action taken.

____________________

ComboFix 11-04-27.01 - Kurt Melcher 04/28/2011 19:05:15.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.605 [GMT -4:00]
Running from: c:\documents and settings\Kurt

The computer is almost worthless now.

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -

Do not "re-run" Combofix. If you have difficulty properly disabling your protective programs, refer to this link.
Double click on ComboFix.exe & follow the prompts. As part of its process, ComboFix will check to see if the

Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

scanning hidden autostart entries ...

c:\system volume information\_restore{67c4541f-d3f2-450d-8ba3-de79d55388cd}\RP280\A0040700.exe (Rogue.MSRemovalTool) -> No action taken.

Contents of the 'Scheduled Tasks' folder

2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 10:16]
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 10:16]
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1260479543-1484795918-4159121993-1006Core.job - c:\documents and settings\Kurt Melcher\Local Settings\Application

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


KenBeck

c:\system volume information\_restore{67c4541f-d3f2-450d-8ba3-de79d55388cd}\RP280\A0040707.exe (Trojan.FakeAlert) -> No action taken.

Also I went through several BitDefender menus and thought I had everything disabled, but I got several firewall messages (allow this?

In the right panel, you will see several boxes that have been checked.

I apologize for the delay.

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE

HKCU-Run-Oceyamewobey - c:\windows\molimi.dll
HKLM-Run-Vhejom - c:\windows\aluniwareheguri.dll
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-AntiVirus AntiSpyware 2011 - c:\documents and settings\Kurt Melcher\Application Data\AntiVirus AntiSpyware 2011\securityhelper.exe