WiredWX Hobby Weather Tools

Rootkit.tdss was still found, now what?
When I ran the Malwarebytes program, it got rid of everything and then there was just one thing left, the rootkit.tdss... I found a post that said to do one of the combo fixes. So I did that and wanted to post my log to see what I should do next. Thanks so much.
ComboFix 09-09-02.02 - Terra 09/02/2009 16:03.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.435 [GMT -7:00]
Running from: c:\documents and settings\Terra\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Terra\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Terra\Local Settings\Temp\catchme.dll
C:\Images
c:\images\DirCfg.ini
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\394\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\394\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atinet.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpdmod.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atpng12.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atprtses.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atrares.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\394\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\394\atwbxui.dll
c:\windows\Downloaded Program Files\MyWebEx\394\rafilesp.dll
c:\windows\Downloaded Program Files\MyWebEx\394\ramtmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\394\ratrace.dll
c:\windows\Downloaded Program Files\MyWebEx\394\trace.txt
c:\windows\Downloaded Program Files\MyWebEx\394\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\394\wbxadex.dll
c:\windows\Downloaded Program Files\MyWebEx\394\wbxcrypt.dll
c:\windows\Fonts\Wphv07nb.ttf
c:\windows\Installer\10045283.msi
c:\windows\Installer\10c1588.msi
c:\windows\Installer\10c158e.msi
c:\windows\Installer\157cf.msp
c:\windows\Installer\198815.msi
c:\windows\Installer\22ff88.msp
c:\windows\Installer\69acb.msp
c:\windows\system\mixcsd04.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_kbiwkmpeuurwgq
-------\Service_kbiwkmpeuurwgq


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\Terra\Application Data\Malwarebytes
2009-09-02 21:05 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 21:05 . 2009-09-02 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 21:05 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 19:20 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 19:20 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 19:20 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-02 19:20 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 19:20 . 2009-09-02 21:35 -------- d-----w- c:\program files\Spyware Doctor
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\documents and settings\Terra\Application Data\PC Tools
2009-09-02 19:20 . 2009-09-02 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-02 19:17 . 2009-09-02 23:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 19:03 . 2009-09-02 19:03 163840 ----a-w- c:\windows\svchasts.exe
2009-09-02 00:51 . 2009-09-02 01:31 45344 ----a-w- c:\windows\system32\drivers\iqaf817.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 13:58 . 2009-09-02 19:20 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-07-31 13:54 . 2009-07-30 23:09 65 ----a-w- c:\windows\system32\bd9440cn.dat
2009-07-30 23:08 . 2003-11-19 23:47 -------- d-----w- c:\program files\Brother
2009-07-30 23:07 . 2003-11-13 15:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 23:07 . 2009-07-30 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-07-30 23:07 . 2009-07-30 23:07 -------- d-----w- c:\documents and settings\Terra\Application Data\InstallShield
2008-03-04 21:35 . 2003-12-02 20:48 2 ----a-w- c:\program files\LIMITS.DAT
2007-02-23 18:50 . 2003-12-02 20:52 25030 ---ha-w- c:\program files\FSHELP.GID
2005-05-11 17:36 . 2005-05-11 17:34 8628 ---ha-w- c:\program files\RPHELP.GID
2005-01-26 18:28 . 2004-11-15 23:49 16826 ---ha-w- c:\program files\EZHELP.GID
2005-01-26 18:27 . 2004-11-19 16:04 164 ----a-w- c:\program files\BACKUP.LOG
2004-11-15 23:49 . 2004-11-15 23:48 8628 ---ha-w- c:\program files\FDHELP.GID
2003-12-02 20:44 . 2003-12-02 20:44 22 ----a-w- c:\program files\Spellit.Dat
2003-12-02 20:44 . 2003-12-02 20:44 175 ----a-w- c:\program files\Numbers.Dat
2003-12-02 20:44 . 2003-12-02 20:44 0 ----a-w- c:\program files\Doctor.Dat
2002-03-14 19:19 . 2003-12-02 20:41 427520 ----a-w- c:\program files\WORKCOMP.EXE
2002-03-14 19:14 . 2003-12-02 20:40 523264 ----a-w- c:\program files\ATTORNEY.EXE
2002-03-14 12:19 . 2003-12-02 20:41 3287552 ----a-w- c:\program files\REPORT.EXE
2002-03-14 12:18 . 2003-12-02 20:41 375808 ----a-w- c:\program files\PREPECS.EXE
2002-03-14 12:18 . 2003-12-02 20:41 389120 ----a-w- c:\program files\NSF.EXE
2002-03-14 12:18 . 2003-12-02 20:41 1516032 ----a-w- c:\program files\NOTES.EXE
2002-03-14 12:17 . 2003-12-02 20:40 1100800 ----a-w- c:\program files\INSTALL.EXE
2002-03-14 12:17 . 2003-12-02 20:40 686592 ----a-w- c:\program files\INS.EXE
2002-03-14 12:17 . 2003-12-02 20:40 320000 ----a-w- c:\program files\IMPORT.EXE
2002-03-14 12:17 . 2003-12-02 20:40 2376704 ----a-w- c:\program files\FRONT.EXE
2002-03-14 12:16 . 2003-12-02 20:40 2230272 ----a-w- c:\program files\FILING.EXE
2002-03-14 12:15 . 2003-12-02 20:40 245760 ----a-w- c:\program files\EZTRANS.EXE
2002-03-14 12:15 . 2003-12-02 20:40 497664 ----a-w- c:\program files\EZBIS.EXE
2002-03-14 12:15 . 2003-12-02 20:40 212480 ----a-w- c:\program files\EDITDOC.EXE
2002-03-14 12:15 . 2003-12-02 20:40 750592 ----a-w- c:\program files\DNOTES.EXE
2002-03-14 12:15 . 2003-12-02 20:40 1012736 ----a-w- c:\program files\CHECK.EXE
2002-03-14 12:14 . 2003-12-02 20:40 1477632 ----a-w- c:\program files\BILLING.EXE
2002-03-14 11:29 . 2003-12-02 20:41 831488 ----a-w- c:\program files\WORD.EXE
2002-03-14 11:29 . 2003-12-02 20:40 268288 ----a-w- c:\program files\CONVERT.DLL
2002-03-14 11:29 . 2003-12-02 20:40 1144832 ----a-w- c:\program files\CODEMGR.DLL
2002-01-18 16:22 . 2003-12-02 20:40 167936 ----a-w- c:\program files\MAKEFILE.EXE
2001-12-07 16:39 . 2003-12-02 20:41 71680 ----a-w- c:\program files\NSFSET.EXE
2001-10-29 11:42 . 2003-12-02 20:41 52224 ----a-w- c:\program files\SPELLING.DLL
2001-10-05 10:59 . 2003-12-02 20:41 22372 ----a-w- c:\program files\VARLIST.DAT
2001-08-09 13:55 . 2003-12-02 20:40 34304 ----a-w- c:\program files\CVIMAGE.EXE
2001-08-09 13:43 . 2003-12-02 20:40 6272 ----a-w- c:\program files\ETSNT4.BAT
2001-06-13 09:45 . 2003-12-02 20:40 79872 ----a-w- c:\program files\IMCONV2.EXE
2001-03-30 15:20 . 2003-12-02 20:41 256 ----a-w- c:\program files\ZIPIT.BAT
2001-03-21 11:04 . 2003-12-02 20:41 35328 ----a-w- c:\program files\UNZIPIT.EXE
2001-03-16 12:04 . 2003-12-02 20:41 55808 ----a-w- c:\program files\VERINFO.EXE
2001-02-14 10:16 . 2003-12-02 20:41 19190 ----a-w- c:\program files\WPHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 101059 ----a-w- c:\program files\TNHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 68807 ----a-w- c:\program files\RPHELP.HLP
2001-02-14 10:16 . 2003-12-02 20:41 5888 ----a-w- c:\program files\NSF.BAT
2001-02-14 10:16 . 2003-12-02 20:40 257949 ----a-w- c:\program files\FSHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 77063 ----a-w- c:\program files\FDHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 120153 ----a-w- c:\program files\EZHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 29364 ----a-w- c:\program files\DNHELP.HLP
2001-02-14 10:15 . 2003-12-02 20:40 173197 ----a-w- c:\program files\BSHELP.HLP
2001-02-02 15:40 . 2003-12-02 20:41 106 ----a-w- c:\program files\OMIT.LST
2000-12-29 11:41 . 2003-12-02 20:41 339456 ----a-w- c:\program files\PKZIP25.EXE
2000-12-29 11:41 . 2003-12-02 20:40 4213 ----a-w- c:\program files\LICENSE.TXT
2000-12-28 18:16 . 2003-12-02 20:40 27136 ----a-w- c:\program files\CHKDISK.EXE
2000-11-20 17:15 . 2003-12-02 20:41 4718 ----a-w- c:\program files\VERINFO.DAT
2000-09-20 07:56 . 2003-12-02 20:40 84480 ----a-w- c:\program files\IMMAKE.EXE
2000-09-13 10:11 . 2003-12-02 20:40 75264 ----a-w- c:\program files\IMCONV.EXE
2000-06-15 09:40 . 2003-12-02 20:41 83456 ----a-w- c:\program files\SCREEN.EXE
2000-02-24 09:39 . 2003-12-02 20:41 908672 ----a-w- c:\program files\SPELL.DAT
2000-01-26 08:49 . 2003-12-02 20:40 6312 ----a-w- c:\program files\ETS.BAT
1999-12-27 13:23 . 2003-12-02 20:41 216640 ----a-w- c:\program files\SPHELP.HLP
1999-10-12 09:26 . 2003-12-02 20:41 11776 ----a-w- c:\program files\YORN.EXE
1999-10-12 09:25 . 2003-12-02 20:40 63488 ----a-w- c:\program files\MAKEDAT.EXE
1999-10-12 09:25 . 2003-12-02 20:40 62592 ----a-w- c:\program files\ECSWIN.EXE
1999-10-12 09:25 . 2003-12-02 20:40 63488 ----a-w- c:\program files\ECSDOS.EXE
1999-08-05 14:37 . 2003-12-02 20:40 128 ----a-w- c:\program files\CLINIC.DAT
1999-04-13 12:19 . 2003-12-02 20:40 62592 ----a-w- c:\program files\ECS.EXE
1998-11-12 11:16 . 2003-12-02 20:41 12358 ----a-w- c:\program files\RPBUTTON.BMP
1998-11-12 11:16 . 2003-12-02 20:41 452278 ----a-w- c:\program files\RPBACK.BMP
1997-11-21 10:12 . 2003-12-02 20:40 16378 ----a-w- c:\program files\EXPAND.EXE
2006-10-11 08:04 . 2004-12-20 18:43 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2004-12-20 18:43 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2007-11-26 22:09 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2007-11-26 22:09 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2004-12-20 18:43 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

Re: Rootkit.tdss was still found, now what?
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="c:\program files\Hot Keyboard Pro\HotKeyb.exe" [2008-01-27 1041064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2005-07-08 491520]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-12 282624]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/2/2009 12:20 PM 206256]
S0 iqaf817;iqaf817;\SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys --> \SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys [?]
S1 193dd5c7.sys;193dd5c7.sys;\??\c:\windows\System32\drivers\193dd5c7.sys --> c:\windows\System32\drivers\193dd5c7.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/19/2003 12:41 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [11/19/2003 12:42 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [11/19/2003 12:42 PM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [11/19/2003 12:42 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\SYSTEM32\DRIVERS\BrUsbMdm.sys [12/19/2003 8:19 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\SYSTEM32\DRIVERS\BrUsbScn.sys [12/19/2003 8:19 AM 10368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/2/2009 12:20 PM 348752]
S3 TLA13;TLA13;\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak --> c:\docume~1\Terra\LOCALS~1\Temp\user.bak [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2006-07-25 04:55]

2009-09-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-01-19 16:04]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Assign &hot key - c:\program files\Hot Keyboard Pro\IEScript.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {B9EF096C-B1D4-43CB-A62C-0CD0D0A6925D} = 192.168.17.1,205.177.3.65
DPF: {BAE57CC6-88D1-4AE8-B6FD-306120D5BC52} - hxxp://www.riosalado.edu/techcheck/SystemRequirements.cab
FF - ProfilePath - c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Terra\Application Data\Mozilla\Firefox\Profiles\sy85saqq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13]
"ImagePath"="\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\windows\SYSTEM32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-09-02 16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 23:17

Pre-Run: 66,003,361,792 bytes free
Post-Run: 66,430,873,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Re: Rootkit.tdss was still found, now what?
Hello.

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :services
    iqaf817
    193dd5c7.sys
    TLA13

    :files
    c:\windows\svchasts.exe
    c:\windows\system32\drivers\iqaf817.sys
    c:\windows\system32\bd9440cn.dat

    :reg
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.
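The three services the helper lists in the OTM script are the ones in the ComboFix "Drivers/Services" section whose file could not be read ([?]), whose display name is just the service name, or whose image sits in a Temp folder. As an added example (not the helper's code or any tool from this thread), the Python below parses lines in that ComboFix format and scores those signs; the sample lines are copied from the log above, and the weights and threshold are my own assumptions.

```python
import re

# Constructed sample: five lines copied verbatim from the ComboFix log in this thread.
SAMPLE_LINES = r"""
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/2/2009 12:20 PM 206256]
S0 iqaf817;iqaf817;\SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys --> \SystemRoot\\SystemRoot\System32\drivers\iqaf817.sys [?]
S1 193dd5c7.sys;193dd5c7.sys;\??\c:\windows\System32\drivers\193dd5c7.sys --> c:\windows\System32\drivers\193dd5c7.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [11/19/2003 12:41 PM 2944]
S3 TLA13;TLA13;\??\c:\docume~1\Terra\LOCALS~1\Temp\user.bak --> c:\docume~1\Terra\LOCALS~1\Temp\user.bak [?]
""".strip().splitlines()

# ComboFix line shape: <R|S><start> <name>;<display>;<image path>[ --> <resolved>] [<date size> | ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

def parse_service_line(line):
    """Return a dict for one Drivers/Services line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split(" --> ")[-1]   # keep the resolved (rightmost) path
    return rec

def looks_random(name):
    """Hex blob or letter/digit soup of 6+ chars, e.g. 193dd5c7 or iqaf817."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    return bool(re.fullmatch(r"[0-9a-f]+", stem)) or (
        any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def score_entry(rec):
    """Weights are assumptions of this example; every hit still needs a human look."""
    p = rec["path"].lower()
    checks = [
        (rec["meta"] == "?", 2, "date/size unreadable ([?]): file hidden or missing"),
        (rec["display"] == rec["name"], 1, "display name is just the service name"),
        (any(s in p for s in ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")), 2,
         "image lives under a user profile/Temp directory"),
        (not p.endswith(".sys"), 1, "kernel service image is not a .sys file"),
        (p.startswith("\\systemroot\\\\systemroot"), 1, "doubled \\SystemRoot prefix; path cannot resolve"),
        (looks_random(rec["name"]), 1, "machine-generated looking service name"),
    ]
    reasons = [why for hit, _, why in checks if hit]
    return sum(w for hit, w, _ in checks if hit), reasons

def triage(lines, threshold=3):
    """Map service name -> {score, path, reasons} for entries at or above threshold."""
    hits = {}
    for line in lines:
        rec = parse_service_line(line)
        if rec:
            score, reasons = score_entry(rec)
            if score >= threshold:
                hits[rec["name"]] = {"score": score, "path": rec["path"], "reasons": reasons}
    return hits

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LINES).items():
        print(f"{name} (score {info['score']}) {info['path']}", *info["reasons"], sep="\n    ")
```

Run as-is it flags exactly iqaf817, 193dd5c7.sys and TLA13 and leaves the PC Tools and Brother drivers alone; the score is a prompt to look closer, not a verdict.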

Re: Rootkit.tdss was still found, now what?
Here is what was in the result window, and below that is what was in the log that it made.

========== SERVICES/DRIVERS ==========

Service\Driver iqaf817 deleted successfully.

Service\Driver 193dd5c7.sys deleted successfully.

Service\Driver TLA13 deleted successfully.
========== FILES ==========
c:\windows\svchasts.exe moved successfully.
c:\windows\system32\drivers\iqaf817.sys moved successfully.
c:\windows\system32\bd9440cn.dat moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_065619
From the log:
========== SERVICES/DRIVERS ==========

Service\Driver iqaf817 deleted successfully.

Service\Driver 193dd5c7.sys deleted successfully.

Service\Driver TLA13 deleted successfully.
========== FILES ==========
c:\windows\svchasts.exe moved successfully.
c:\windows\system32\drivers\iqaf817.sys moved successfully.
c:\windows\system32\bd9440cn.dat moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TLA13\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_065619

Re: Rootkit.tdss was still found, now what?
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[image: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?
