
Thread: Bad, Bad Rootkit.TDSS.v2

  1. #21
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    That appears to be a false positive from what I am reading.

    Let me see a new DDS log and extra log it produces also

    Download DDS from one of the links below to your desktop

    Link 1
    Link 2

    • Double click the tool to run it.
    • A black Screen will open, just read the contents and do nothing.
    • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
    • Copy/Paste the contents of 'DDS.txt' into your post.
    • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)

    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #22
    Member (Join Date: Dec 2007, Location: Springfield MA, USA, Posts: 32)

    Here is dds.txt; attached.txt is attached.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16
    Run by Admiral Turron at 10:43:54 on 2012-01-21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.989 [GMT -5:00]
    .
    AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\E_S00RP1.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$RECOVERYMANAGER\Binn\sqlservr.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    svchost.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\iprntctl.exe
    C:\WINDOWS\system32\iprntlgn.exe
    C:\Program Files\Noel Danjou\DynSite\DynSite.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\ClocX\ClocX.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WePrint\WePrint Server.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Tools Security\pctsGui.exe
    C:\Program Files\PC Tools Security\pctsAuxs.exe
    C:\Program Files\PC Tools Security\pctsSvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.smith.edu/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
    BHO: AutorunsDisabled - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - Updater For XFIN_PORTAL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [nForce Tray Options] sstray.exe /r
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
    mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
    mRun: [DynSite] "c:\program files\noel danjou\dynsite\DynSite.exe"
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [ClocX] c:\program files\clocx\ClocX.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [ATIModeChange] Ati2mdxx.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
    StartupFolder: c:\docume~1\admira~1\startm~1\programs\startup\weprint server.lnk - c:\program files\weprint\WePrint Server.exe
    uPolicies-explorer: NoInstrumentation = 1
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: msi.com\www
    Trusted Zone: smith.edu\stod-kvm-a
    Trusted Zone: spybot.info\forums
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218942204500
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218942194859
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.smith.edu/dana-cached/setup/JuniperSetupSP1.cab
    TCP: Interfaces\{446EA4A1-BEC5-47D1-A446-582624668906} : NameServer = 68.87.71.230,68.87.73.246
    TCP: Interfaces\{97C302CB-1334-4BF2-8F91-80D138F03607} : DhcpNameServer = 68.87.71.230 68.87.73.246
    TCP: Interfaces\{EEB7000A-24A5-4EDC-9B71-8D35124DE109} : NameServer = 68.87.71.230,68.87.73.246
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: AutorunsDisabled - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Authentication Packages = msv1_0 relog_ap
    mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\admiral turron\application data\mozilla\firefox\profiles\c8qz2hea.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.smith.edu
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\pc tools security\bdt\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\admiral turron\application data\Move Networks
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-12-9 331880]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-12-9 341656]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-12-9 660992]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 494816]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 31704]
    R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2010-12-2 34592]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-12-9 253096]
    R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2011-12-9 185560]
    R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-12-11 546768]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1960584]
    R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-14 12672]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-19 652872]
    R2 MSSQL$RECOVERYMANAGER;MSSQL$RECOVERYMANAGER;c:\program files\microsoft sql server\mssql$recoverymanager\binn\sqlservr.exe -srecoverymanager --> c:\program files\microsoft sql server\mssql$recoverymanager\binn\sqlservr.exe -sRECOVERYMANAGER [?]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-12-11 793056]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-12-9 402336]
    R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-12-9 1117624]
    R2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2011-7-26 354176]
    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-9-18 54960]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-19 20464]
    R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2011-12-11 56840]
    R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2011-12-9 70536]
    R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-12-21 31848]
    S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-11 136176]
    S3 DMDefragService;PC Tools Performance Toolkit Defrag Service;c:\program files\pc tools\pc tools utilities\tools\defrag\DMDefragSrv.exe [2011-12-11 1038304]
    S3 DMRepairService;PC Tools Performance Toolkit Repair Service;c:\program files\pc tools\pc tools utilities\tools\repair\DMRepairSrv.exe [2011-12-11 1030112]
    S3 FLASHSYS;FLASHSYS;\??\c:\program files\msi\live update 4\lu4\flashsys.sys --> c:\program files\msi\live update 4\lu4\FLASHSYS.sys [?]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-1-8 18560]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-11 136176]
    S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\program files\msi\live update 5\msibios32_100507.sys [2011-7-9 25912]
    S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files\msi\live update 5\NTIOLib.sys [2011-7-9 7680]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-2-11 34760]
    S3 PCTDMDefrag;PCTDMDefrag;c:\windows\system32\drivers\PCTDMDefrag.sys [2011-12-11 108864]
    S3 PCTDSMon;PCTDSMon;c:\windows\system32\drivers\PCTDSMon.sys [2011-12-11 128120]
    S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-12-21 31848]
    S3 SQLAgent$RECOVERYMANAGER;SQLAgent$RECOVERYMANAGER;c:\program files\microsoft sql server\mssql$recoverymanager\binn\sqlagent.exe -i recoverymanager --> c:\program files\microsoft sql server\mssql$recoverymanager\binn\sqlagent.EXE -i RECOVERYMANAGER [?]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-8-17 223128]
    S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-4-11 25704]
    S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-4-11 25704]
    S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-4-11 25704]
    S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-4-11 25704]
    S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-4-11 25704]
    S4 atitray;atitray;\??\c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-19 19:24:58 -------- d-----w- c:\documents and settings\admiral turron\application data\Malwarebytes
    2012-01-19 19:24:32 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-19 19:24:31 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-19 19:24:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-19 00:51:26 -------- d-sha-r- C:\cmdcons
    2012-01-17 18:51:58 -------- d-----w- c:\documents and settings\admiral turron\local settings\application data\Temp
    2012-01-13 20:48:09 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-13 16:06:11 -------- d-----w- c:\documents and settings\admiral turron\application data\Curiolab
    2012-01-13 00:44:04 98224 ----a-w- c:\windows\system32\drivers\36403866.sys
    2012-01-13 00:44:04 187776 ----a-w- c:\windows\system32\drivers\tskA.tmp
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-12-24 00:55:53 -------- d-----w- c:\documents and settings\all users\application data\WePrint
    .
    ==================== Find3M ====================
    .
    2011-12-22 00:08:15 66048 ----a-w- c:\documents and settings\admiral turron\application data\WePrintCleanAfterBoot.exe
    2011-12-22 00:01:47 1915791 ----a-w- C:\weprintwin23.exe
    2011-12-19 18:59:21 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-12-19 18:59:20 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-12-19 18:59:19 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-12-19 18:58:56 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2011-12-19 18:58:55 301224 ----a-w- c:\windows\system32\guard32.dll
    2011-12-12 00:19:49 341656 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-12-07 01:02:56 119767706 ----a-w- c:\documents and settings\admiral turron\application data\hkey_local_machine.reg
    2011-12-02 00:11:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-27 03:38:20 3511776 ----a-w- C:\ccsetup312.exe
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-23 00:43:02 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-11-23 00:42:40 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
    2011-11-23 00:41:28 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
    2011-11-23 00:38:04 253096 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-11-14 21:07:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-11-14 21:07:04 2246608 ----a-w- c:\windows\PCTBDCore.dll
    2011-11-14 21:07:04 1681360 ----a-w- c:\windows\PCTBDRes.dll
    2011-11-14 21:06:54 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-11-14 20:12:26 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-11-14 20:12:24 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 23:47:32 128120 ----a-w- c:\windows\system32\drivers\PCTDSMon.sys
    2011-10-25 23:47:26 108864 ----a-w- c:\windows\system32\drivers\PCTDMDefrag.sys
    2011-10-25 23:46:40 37344 ----a-w- c:\windows\system32\CleanMFT32.exe
    2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 10:49:24.06 ===============

  3. #23
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    You need to update your Java; older versions leave holes for this garbage to sneak in.

    Go to the Control Panel > Java > Update Tab and have it check for new updates, download and install them.



    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

    c:\windows\system32\drivers\36403866.sys
    c:\windows\system32\drivers\tskA.tmp


    If the site is busy you can try this one
    http://virusscan.jotti.org/en
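The two files the expert singled out above were picked by reading the DDS log: in the "Created Last 30" section they are the only files dropped into the drivers directory with a random-looking numeric name or a .tmp extension, and neither has a matching R*/S* entry in "SERVICES / DRIVERS". The script below is an added example of that triage, not part of this thread and not a DDS feature; it parses a constructed excerpt copied from the log (DDS_EXCERPT), and the function and regex names are mine. It also lists what else was created within a day of each candidate, since a scanner's quarantine folder appearing alongside a new driver is useful context for deciding whether the drop is benign.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed excerpt laid out like the DDS log pasted in this thread; the entries are
# copied from it, but this is a hand-made sample, not the full log.
DDS_EXCERPT = r"""
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-12-9 331880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-19 20464]
.
=============== Created Last 30 ================
.
2012-01-19 19:24:31 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-19 19:24:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-13 20:48:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-13 00:44:04 98224 ----a-w- c:\windows\system32\drivers\36403866.sys
2012-01-13 00:44:04 187776 ----a-w- c:\windows\system32\drivers\tskA.tmp
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                      # "===== NAME ====="
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?)(?: \[[^\]]*\])?$")  # "R0 name;desc;path [date size]"
RANDOM_OR_TMP = re.compile(r"^(\d+\.sys|.+\.tmp)$", re.IGNORECASE)


@dataclass
class CreatedEntry:
    when: datetime
    size: Optional[int]   # None for directories, which DDS lists as "--------"
    attrs: str
    path: str


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines under their header banners, dropping the '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def registered_driver_paths(sections: Dict[str, List[str]]) -> Set[str]:
    """Lower-cased image paths of every R*/S* service or driver entry in the log."""
    paths: Set[str] = set()
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m:
            paths.add(m.group(2).lower())
    return paths


def parse_created(sections: Dict[str, List[str]]) -> List[CreatedEntry]:
    entries = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        size = None if m.group(2).startswith("-") else int(m.group(2))
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(CreatedEntry(when, size, m.group(3), m.group(4)))
    return entries


def triage_drivers(text: str) -> List[dict]:
    """Recently created files in a drivers directory worth hashing and submitting, with reasons."""
    sections = split_sections(text)
    registered = registered_driver_paths(sections)
    entries = parse_created(sections)
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.size is None or "\\drivers\\" not in low:
            continue
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if RANDOM_OR_TMP.match(name):
            reasons.append("numeric or .tmp file name in the drivers directory")
        if low not in registered:
            reasons.append("no R*/S* service entry references this file")
        if not reasons:
            continue
        # Everything else created within a day of this file, excluding other drivers:
        # a scanner's quarantine folder next to a new driver is context for a benign drop.
        same_day = [o.path for o in entries
                    if o is not e and abs(o.when - e.when) <= timedelta(days=1)
                    and "\\drivers\\" not in o.path.lower()]
        findings.append({"path": e.path, "created": e.when.isoformat(sep=" "),
                         "size": e.size, "reasons": reasons, "same_day": same_day})
    return findings


if __name__ == "__main__":
    for f in triage_drivers(DDS_EXCERPT):
        print(f["path"], f["size"], "bytes")
        for r in f["reasons"]:
            print("  -", r)
        for p in f["same_day"]:
            print("  context:", p)
```

Run against the excerpt it reports exactly 36403866.sys and tskA.tmp, each with both reasons, and lists C:\TDSSKiller_Quarantine as same-day context for both; mbam.sys is created in the same window but has a registered MBAMProtector entry and an ordinary name, so it is skipped. The output is a worklist for hashing and submission, not a verdict: a driver with no service entry can be a leftover from a tool that has already unloaded it, or something loaded by another route, and only the file itself settles which.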

  4. #24
    Member (Join Date: Dec 2007, Location: Springfield MA, USA, Posts: 32)

    Okay, updated Java and removed old versions. On the VirusTotal scan, the web page shows the results but there is no send option. I used File > Send > Page via email to get the output emailed to me, then copied it to this post.
    Is there a better way to do this?

    The first file....


    SHA256: 88e157221bcbc2c78d3a893149e75775c5b86a8dfb79f22911fe6a482a43730f
    SHA1: c0183b03e434770e519c437ec84f0e866b22c1b4
    MD5: 21617ffff50abf580174ae9dac968d9f
    File size: 95.9 KB ( 98224 bytes )
    File type: Win32 EXE
    Tags: SIGNED
    Detection ratio: 0 / 43
    Analysis date: 2012-01-21 18:19:19 UTC ( 7 minutes ago )
    Antivirus Result Update
    nProtect - 20120121
    CAT-QuickHeal - 20120121
    McAfee - 20120121
    TheHacker - 20120120
    K7AntiVirus - 20120120
    VirusBuster - 20120120
    NOD32 - 20120121
    F-Prot - 20120120
    Symantec - 20120121
    Norman - 20120121
    ByteHero - 20120111
    TrendMicro-HouseCall - 20120121
    Avast - 20120121
    eSafe - 20120120
    ClamAV - 20120121
    Kaspersky - 20120121
    BitDefender - 20120121
    SUPERAntiSpyware - 20120121
    Sophos - 20120121
    Comodo - 20120121
    F-Secure - 20120121
    DrWeb - 20120121
    VIPRE - 20120121
    AntiVir - 20120120
    TrendMicro - 20120121
    McAfee-GW-Edition - 20120120
    Emsisoft - 20120121
    eTrust-Vet - 20120121
    Jiangmin - 20120121
    Antiy-AVL - 20120120
    Microsoft - 20120121
    ViRobot - 20120121
    Prevx - 20120121
    GData - 20120121
    Commtouch - 20120120
    AhnLab-V3 - 20120121
    VBA32 - 20120120
    PCTools - 20120121
    Rising - 20120118
    Ikarus - 20120121
    Fortinet - 20120121
    AVG - 20120121
    Panda - 20120121

    ssdeep file piecewise hash
    768:dmo/syv4DTmNMNVa/wVTqmNN8dKX4aWfu2c9Fe9GgLa1kDxPPtPZE7vshkd3iKm9:ZMnxEwpYZmALamDxPFPZEohkddmA0ao7
    TrID file type information
    Win32 Executable Generic (51.1%)
    Win16/32 Executable Delphi generic (12.4%)
    Clipper DOS Executable (12.1%)
    Generic Win/DOS Executable (12.0%)
    DOS Executable Generic (12.0%)
    ExifTool file metadata
    UninitializedDataSize....: 0
    InitializedDataSize......: 19712
    ImageVersion.............: 6.0
    ProductName..............: Kaspersky Lab Mini Driver
    FileVersionNumber........: 2.7.0.0
    LanguageCode.............: English (U.S.)
    FileFlagsMask............: 0x003f
    FileDescription..........: Kaspersky Lab Mini Driver
    CharacterSet.............: Unicode
    LinkerVersion............: 8.0
    FileOS...................: Windows NT 32-bit
    MIMEType.................: application/octet-stream
    Subsystem................: Native
    FileVersion..............: 2.7.0.0 built by: WinDDK
    TimeStamp................: 2012:01:10 06:12:08+01:00
    FileType.................: Win32 EXE
    PEType...................: PE32
    InternalName.............: klmd.sys
    ProductVersion...........: 2.7.0.0
    SubsystemVersion.........: 5.0
    OSVersion................: 6.0
    OriginalFilename.........: klmd.sys
    LegalCopyright...........: Copyright (c) Kaspersky Lab, GERT
    MachineType..............: Intel 386 or later, and compatibles
    CompanyName..............: Kaspersky Lab, GERT
    CodeSize.................: 68736
    FileSubtype..............: 7
    ProductVersionNumber.....: 2.7.0.0
    EntryPoint...............: 0x13a61
    ObjectFileType...........: Driver
    Sigcheck digital signature information
    publisher................: Kaspersky Lab, GERT
    product..................: Kaspersky Lab Mini Driver
    internal name............: klmd.sys
    copyright................: Copyright (c) Kaspersky Lab, GERT
    original name............: klmd.sys
    signing date.............: 6:12 AM 1/10/2012
    signers..................: Kaspersky Lab
    VeriSign Class 3 Code Signing 2010 CA
    VeriSign Class 3 Public Primary Certification Authority - G5
    file version.............: 2.7.0.0 built by: WinDDK
    description..............: Kaspersky Lab Mini Driver
    Portable Executable structural information
    Compilation timedatestamp.....: 2012-01-10 05:12:08
    Target machine................: 332
    Entry point address...........: 0x00013A61

    PE Sections...................:

    Name Virtual Address Virtual Size Raw Size Entropy MD5
    .text 1280 42170 42240 6.43 5dbe02ec7106b1d1d01911c38d406363
    .rdata 43520 11388 11392 6.24 0cbe51e835c2efcac49f46fd771e8f02
    .data 54912 2760 2816 0.23 65fbb818c446028198ad3f6073802dbe
    PAGECODE 57728 21550 21632 6.34 0ce1672eefba16c80ec9adf8ab26ca5c
    PAGE 79360 930 1024 5.64 6c6ce0738dfde90945c576a92e24fcc6
    INIT 80384 3728 3840 5.53 fea26a3f383ea265fca760ebeaac4e93
    .rsrc 84224 920 1024 3.07 efef67658b51325c2f07840c05aacd3b
    .reloc 85248 4356 4480 5.92 4c785d348961cbf93c483b4246c90143

    PE Imports....................:

    HAL.dll
    KfAcquireSpinLock, KeGetCurrentIrql, KeRaiseIrqlToDpcLevel, KfLowerIrql, KfRaiseIrql, KeQueryPerformanceCounter, KfReleaseSpinLock

    ntoskrnl.exe
    IoAllocateWorkItem, IoDriverObjectType, ObfDereferenceObject, IoGetDeviceObjectPointer, ZwClose, ZwSetValueKey, ZwOpenKey, MmIsAddressValid, memcpy, memset, ProbeForRead, RtlInitUnicodeString, ProbeForWrite, KeGetCurrentThread, IoDeleteDevice, IoUnregisterShutdownNotification, IoDeleteSymbolicLink, PsGetCurrentThreadId, PsGetCurrentProcessId, IoRegisterDriverReinitialization, IoRegisterBootDriverReinitialization, IoRegisterLastChanceShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, DbgPrint, KeTickCount, KeBugCheckEx, RtlUnwind, RtlAnsiCharToUnicodeChar, ExAcquireResourceExclusiveLite, KeLeaveCriticalRegion, KeEnterCriticalRegion, ExReleaseResourceLite, RtlRandom, ExDeleteResourceLite, ExInitializeResourceLite, ZwCreateKey, ZwDeleteValueKey, ZwEnumerateValueKey, RtlCompareMemory, ZwReadFile, ZwMapViewOfSection, RtlAppendUnicodeToString, IoCreateFile, KeUnstackDetachProcess, ZwSetInformationFile, ZwQueryValueKey, ZwUnmapViewOfSection, RtlPrefixUnicodeString, PsInitialSystemProcess, RtlCopyUnicodeString, ZwCreateSection, ZwQueryInformationFile, ZwWriteFile, ZwDeleteKey, KeStackAttachProcess, ZwEnumerateKey, RtlCompareUnicodeString, IoGetRelatedDeviceObject, ExAllocatePoolWithTag, ObReferenceObjectByHandle, ZwSetSecurityObject, ObOpenObjectByPointer, IoFreeMdl, MmProbeAndLockPages, MmUnlockPages, IoAllocateMdl, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwQuerySystemInformation, RtlFreeUnicodeString, ExAcquireResourceSharedLite, KeClearEvent, memmove, IoRegisterPlugPlayNotification, KeSetEvent, KeInitializeEvent, KeDelayExecutionThread, KefAcquireSpinLockAtDpcLevel, IoUnregisterPlugPlayNotification, KeWaitForSingleObject, IoFreeIrp, IoAllocateIrp, IoGetDeviceInterfaces, ObfReferenceObject, KefReleaseSpinLockFromDpcLevel, ExInterlockedPopEntrySList, IofCallDriver, RtlEqualUnicodeString, RtlGetElementGenericTable, RtlDeleteElementGenericTable, RtlLookupElementGenericTable, RtlIsGenericTableEmpty, RtlInitializeGenericTable, RtlInsertElementGenericTable, RtlAppendUnicodeStringToString, NtBuildNumber, ObQueryNameString, MmMapLockedPagesSpecifyCache, ZwOpenFile, KeSetImportanceDpc, KeSetTargetProcessorDpc, KeInitializeDpc, KeInsertQueueDpc, KeNumberProcessors, IoBuildSynchronousFsdRequest, RtlUnicodeStringToInteger, IoBuildDeviceIoControlRequest, RtlUpcaseUnicodeString, FsRtlIsNameInExpression, ZwOpenDirectoryObject, _purecall, toupper, towupper, IoQueueWorkItem, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, IofCompleteRequest, IoFreeWorkItem, ExFreePoolWithTag, IoFileObjectType, MmGetSystemRoutineAddress, _allmul
    First seen by VirusTotal
    2012-01-10 12:13:13 UTC ( 1 week, 4 days ago )
    Last seen by VirusTotal
    2012-01-21 18:19:19 UTC ( 7 minutes ago )
    File names (max. 25)
    1. C:\WINDOWS\system32\drivers\36403866.sys
    2. C:\WINDOWS\system32\drivers\36403866.sys
    3. AF56E78EB00A8A597F0301527789A90035A0B4DB.sys
    4. D:\sav\BestiaMadre\queues\webroot\tmp_zip2\DPYRAEELRT-743.pms.sys.SVD


    For the second file I used cut/paste as it looked like the additional stuff was not needed....

    SHA256: 594f8e0c3695400b0c09a797af6bdfac6f750ecd67d0ee803914c572b1dcc43c
    SHA1: faf1ae66cc016dd7281a1fca53be841b6b611106
    MD5: 8fd99680a539792a30e97944fdaecf17
    File size: 183.4 KB ( 187776 bytes )
    File type: Win32 EXE
    Detection ratio: 0 / 43
    Analysis date: 2012-01-21 18:34:47 UTC ( 1 minute ago )

    Antivirus Result Update
    AhnLab-V3 - 20120121
    AntiVir - 20120120
    Antiy-AVL - 20120120
    Avast - 20120121
    AVG - 20120121
    BitDefender - 20120121
    ByteHero - 20120111
    CAT-QuickHeal - 20120121
    ClamAV - 20120121
    Commtouch - 20120120
    Comodo - 20120121
    DrWeb - 20120121
    Emsisoft - 20120121
    eSafe - 20120120
    eTrust-Vet - 20120121
    F-Prot - 20120120
    F-Secure - 20120121
    Fortinet - 20120121
    GData - 20120121
    Ikarus - 20120121
    Jiangmin - 20120121
    K7AntiVirus - 20120120
    Kaspersky - 20120121
    McAfee - 20120121
    McAfee-GW-Edition - 20120120
    Microsoft - 20120121
    NOD32 - 20120121
    Norman - 20120121
    nProtect - 20120121
    Panda - 20120121
    PCTools - 20120121
    Prevx - 20120121
    Rising - 20120118
    Sophos - 20120121
    SUPERAntiSpyware - 20120121
    Symantec - 20120121
    TheHacker - 20120120
    TrendMicro - 20120121
    TrendMicro-HouseCall - 20120121
    VBA32 - 20120120
    VIPRE - 20120121
    ViRobot - 20120121
    VirusBuster - 20120120

  5. #25
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Been using VT and Jotti for many years but have never had to use it personally; you're correct, there is no option to save a report. There used to be; the site may have changed.

    Both of those files appear to be ok
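The "appear to be ok" reading of the first report above rests on three things that are all visible in the pasted text: zero detections out of 43 engines, a Sigcheck section naming Kaspersky Lab as signer under a VeriSign chain, and an embedded OriginalFilename (klmd.sys) that differs from the name on disk (36403866.sys). A vendor-signed driver living under a generated name is the pattern of a security tool installing its own kernel component, and the hashes in the report let anyone re-check the same file later without re-uploading it. The script below is an added example, not part of this thread and not a VirusTotal feature: it parses a constructed excerpt in the layout of that report (VT_REPORT_EXCERPT), checks the pasted hashes are whole, and compares the on-disk name with the embedded one; the function names and verdict labels are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the VirusTotal report pasted above for 36403866.sys;
# only the fields this script reads are kept, so it is a sample, not the full report.
VT_REPORT_EXCERPT = r"""
SHA256: 88e157221bcbc2c78d3a893149e75775c5b86a8dfb79f22911fe6a482a43730f
SHA1: c0183b03e434770e519c437ec84f0e866b22c1b4
MD5: 21617ffff50abf580174ae9dac968d9f
File size: 95.9 KB ( 98224 bytes )
Tags: SIGNED
Detection ratio: 0 / 43
ExifTool file metadata
ProductName..............: Kaspersky Lab Mini Driver
InternalName.............: klmd.sys
OriginalFilename.........: klmd.sys
CompanyName..............: Kaspersky Lab, GERT
Sigcheck digital signature information
publisher................: Kaspersky Lab, GERT
signers..................: Kaspersky Lab
VeriSign Class 3 Code Signing 2010 CA
File names (max. 25)
1. C:\WINDOWS\system32\drivers\36403866.sys
2. AF56E78EB00A8A597F0301527789A90035A0B4DB.sys
"""

HASH_RE = re.compile(r"^(SHA256|SHA1|MD5): ([0-9a-fA-F]+)$")
RATIO_RE = re.compile(r"^Detection ratio: (\d+) / (\d+)$")
SIZE_RE = re.compile(r"^File size: .*?\( (\d+) bytes \)$")
TAGS_RE = re.compile(r"^Tags: (.+)$")
DOTTED_KV_RE = re.compile(r"^([A-Za-z ]+?)\.{2,}: (.*)$")   # ExifTool / Sigcheck "Key.....: value" rows
FILENAME_RE = re.compile(r"^\d+\. (.+)$")                   # numbered "File names" rows
EXPECTED_HEX_LEN = {"SHA256": 64, "SHA1": 40, "MD5": 32}


def parse_vt_report(text: str) -> dict:
    """Pull hashes, detection ratio, size, tags, dotted metadata rows and seen file names."""
    report: dict = {"hashes": {}, "fields": {}, "names": [], "tags": [],
                    "detections": None, "engines": None, "size": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HASH_RE.match(line)):
            report["hashes"][m.group(1)] = m.group(2).lower()
        elif (m := RATIO_RE.match(line)):
            report["detections"], report["engines"] = int(m.group(1)), int(m.group(2))
        elif (m := SIZE_RE.match(line)):
            report["size"] = int(m.group(1))
        elif (m := TAGS_RE.match(line)):
            report["tags"] = m.group(1).split()
        elif (m := DOTTED_KV_RE.match(line)):
            report["fields"][m.group(1).strip()] = m.group(2).strip()
        elif (m := FILENAME_RE.match(line)):
            report["names"].append(m.group(1))
    return report


def assess(report: dict, on_disk_path: str) -> dict:
    """Classify a pasted report for the file found at on_disk_path, with the reasons."""
    notes: List[str] = []
    # A truncated hash means the paste is incomplete and cannot be used to re-check the file.
    for algo, digest in report["hashes"].items():
        if len(digest) != EXPECTED_HEX_LEN[algo]:
            notes.append(f"{algo} is {len(digest)} hex chars, expected {EXPECTED_HEX_LEN[algo]}: report pasted incompletely")
    disk_name = on_disk_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    original = report["fields"].get("OriginalFilename", "").lower()
    signed = "SIGNED" in report["tags"] or bool(report["fields"].get("signers"))
    renamed = bool(original) and original != disk_name
    if renamed:
        notes.append(f"on-disk name '{disk_name}' differs from embedded OriginalFilename '{original}'")
    if not signed:
        notes.append("no code-signing information in the report")
    if report["detections"] is None:
        verdict = "incomplete"
    elif report["detections"] > 0:
        verdict = "detected"
    elif signed and renamed:
        verdict = "signed-renamed"     # vendor-signed component under a generated name
    elif signed:
        verdict = "signed-clean"
    else:
        verdict = "unsigned-clean"
    return {"verdict": verdict, "notes": notes,
            "signer": report["fields"].get("signers"),
            "publisher": report["fields"].get("publisher")}


if __name__ == "__main__":
    rep = parse_vt_report(VT_REPORT_EXCERPT)
    result = assess(rep, r"C:\WINDOWS\system32\drivers\36403866.sys")
    print(result["verdict"], "signed by", result["signer"])
    for n in result["notes"]:
        print("  -", n)
```

For the pasted report this yields "signed-renamed" with a single note about the name mismatch, which is the observation behind the false-positive reading. The report's signature fields are text copied from someone else's scan, so the confirming step on the machine itself is to verify the signature locally against the file on disk and to tie the generated name back to the tool that created it; here the log's C:\TDSSKiller_Quarantine folder, created the same day as the driver, is the obvious place to look.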

  6. #26
    Member (Join Date: Dec 2007, Location: Springfield MA, USA, Posts: 32)

    Ok, thank you for your help. I will contact the PC Tools folk and ask them about the false positive. They took my money for the software; let's see how much help I get. Again, thank you.

  7. #27
    Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)
