Win32.TDSS.rtk HELP



jononez1
2009-09-30, 20:12
Hey

I've run Spybot and Malwarebytes, which seem to find the problem, but after I reboot, Windows often struggles to start. When it does, I run these programs again only to find Win32.TDSS.rtk still there.

Please help

jononez1
2009-09-30, 21:01
ComboFix 09-09-29.04 - Jon 30/09/2009 19:30.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1434 [GMT 1:00]
Running from: c:\documents and settings\Jon\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 090929-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\jonefad.dl
c:\documents and settings\Jon\Application Data\caloweq.bin
c:\documents and settings\Jon\Application Data\ogijop.inf
c:\documents and settings\Jon\Cookies\efojo.dll
c:\documents and settings\Jon\Local Settings\Application Data\amydipob.pif
c:\documents and settings\Jon\Local Settings\Application Data\doziny.bin
c:\documents and settings\Jon\Local Settings\Application Data\iwyxexory.ban
c:\documents and settings\Jon\Local Settings\Application Data\labaraxa.reg
c:\documents and settings\Jon\Local Settings\Application Data\qolarur.reg
c:\documents and settings\Jon\Local Settings\Application Data\sutipi._sy
c:\documents and settings\Jon\Local Settings\Temporary Internet Files\epahybukoh.reg
c:\program files\Common Files\ytedanemy.bat
c:\recycler\S-1-5-21-1123492281-3161172719-1531045560-500
c:\recycler\S-1-5-21-2848099875-2545643026-1731080157-500
c:\windows\fagaf.inf
c:\windows\Installer\2999e7.msp
c:\windows\kb913800.exe
c:\windows\system32\drivers\gasfkyxdkcpdfx.sys
c:\windows\system32\gasfkyewqxrmlb.dat
c:\windows\system32\gasfkymitlweko.dll
c:\windows\system32\gasfkyomcqrssf.dat
c:\windows\system32\gasfkytiqobiuf.dll
c:\windows\system32\gasfkyxueqerrs.dll
c:\windows\uxuderekeg.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyowyrowbp
-------\Legacy_gasfkyowyrowbp
-------\Legacy_NWCWORKSTATION


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 14:36 . 2009-09-30 14:36 5632 ----a-w- C:\rlswn.exe
2009-09-09 06:04 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 14:40 . 2009-09-30 14:40 10263 ----a-w- c:\documents and settings\Jon\Application Data\kygurybu.dat
2009-09-24 14:47 . 2008-10-31 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 12:24 . 2009-06-17 14:54 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-21 15:11 . 2009-02-04 13:57 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-17 21:21 . 2009-01-05 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-10 17:30 . 2009-02-03 16:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 13:54 . 2008-10-31 20:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2008-10-31 20:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 08:22 . 2009-02-03 16:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 06:16 . 2009-03-13 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-29 14:52 . 2009-02-03 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 16:48 . 2009-08-24 16:48 -------- d-----w- c:\documents and settings\Jon\Application Data\Red Kawa
2009-08-24 15:20 . 2009-08-24 15:20 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-24 15:20 . 2009-04-02 12:41 -------- d-----w- c:\program files\Red Kawa
2009-08-22 14:23 . 2009-08-22 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SKL
2009-08-17 16:10 . 2009-02-03 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-02-03 16:10 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-02-03 16:10 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-02-03 16:10 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-02-03 16:10 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-02-03 16:10 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-02-03 16:10 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-02-03 16:10 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-02-03 16:10 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-12 08:47 . 2009-08-12 08:47 -------- d-----w- c:\documents and settings\Jon\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-08-12 08:47 . 2009-08-12 08:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 09:01 . 2006-08-02 01:06 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 19:24 . 2009-07-19 17:01 167 ----a-w- c:\documents and settings\Jon\udownload.dat
2009-07-17 19:01 . 2006-08-02 01:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-08-02 01:09 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-06-04 08:13 . 2008-06-04 08:13 2877 ----a-w- c:\program files\unins000.dat
2008-06-04 08:12 . 2008-06-04 08:13 678682 ----a-w- c:\program files\unins000.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 151552]
"CloneDVDElbyDelay"="c:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" [2002-11-02 45056]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-12 16264192]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - c:\program files\Philips\Media Manager\Philips Media Manager.exe [2006-10-12 136704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-2-11 113664]
FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2006-8-2 16384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2006-8-1 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=rddv1027.dll
"midi3"=rddv1027.dll
"midi4"=rddv1027.dll
"midi5"=rddv1027.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Philips Media Manager.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Philips Media Manager.lnk
backup=c:\windows\pss\Philips Media Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24915:TCP"= 24915:TCP:BitComet 24915 TCP
"24915:UDP"= 24915:UDP:BitComet 24915 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [03/02/2009 17:12 64160]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [28/04/2008 12:18 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/02/2009 17:10 114768]
R1 CXAVSAUD;Prolink 2388x Audio Capture;c:\windows\system32\drivers\pvavsaud.sys [19/10/2006 17:28 9984]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/02/2009 17:10 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1028432]
R2 PVTUNE;Prolink 2388x Tuner;c:\windows\system32\drivers\pv88tune.sys [19/10/2006 17:28 32256]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [06/09/2007 18:44 33792]
R3 pvavSTS;Prolink 2388x AVStream TS Capture;c:\windows\system32\drivers\pvavsts.sys [19/10/2006 17:28 16768]
R3 pvavXBAR;Prolink 2388x AVStream Crossbar;c:\windows\system32\drivers\pvavxbar.sys [19/10/2006 17:28 11520]
R3 PVBDATUNE;Prolink BDA DVB Tuner/Demod;c:\windows\system32\drivers\PVBDAtun.sys [19/10/2006 17:28 104320]
S3 CXAVSTS;Conexant 2388x AVStream TS Capture;c:\windows\system32\drivers\cxavsts.sys [01/08/2006 19:45 16768]
S3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;c:\windows\system32\drivers\cxBDAtun.sys [01/08/2006 19:45 102912]
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 15:11]

2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\ix8v4ffo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dubplatemp3.co.uk
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 19:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a01272\stamp.tmp 10 bytes


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1291837236-1490131443-2992185112-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\rddv1027.dll

- - - - - - - > 'explorer.exe'(1572)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-30 19:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 18:54

Pre-Run: 89,149,304,832 bytes free
Post-Run: 89,330,851,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

245 --- E O F --- 2009-09-09 06:18

jononez1
2009-09-30, 21:23
I ran Combo-Fix and it seems to have just solved the problem :eek:

Is there anything else I should do?

tashi
2009-09-30, 21:38
Hello jononez1,

Apparently you missed this forum's FAQs. :eek:

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)



Please wait to be advised and do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806) (Pinned Sticky topic). If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :)

;)

jononez1
2009-10-01, 08:27
Yeah, I missed the FAQ pages, sorry about that. I ran ComboFix and it seems to have got rid of the problem. I've done a full scan of my system with Spybot, Malwarebytes and avast, and nothing has turned up.