Coolwwwsearch and rootkit problem

aseee

Hi spybot team,

I have been infected by coolwwwsearch and some kind of rootkit; some weeks ago I already opened a thread about my problem. I received help but I could not go on with the instructions because another problem appeared (rootkit) and school started.

Just for information: I received instructions to install ComboFix and to download a file, but an error appeared. It said: a rootkit is on my computer, the system has to be restarted.

My System: Microsoft Windows XP Media Center Edition
Service Pack 2


HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:47, on 16.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\DU Meter\DUMeter.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.66.10:8088
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CodecPlugin Class - {098716A9-0310-4CBE-BD64-B790A9761158} - (no file)
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Programme\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/SP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AD59486-ADA1-47B3-B186-C53743B6E789}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5160E54A-A4F6-4693-B031-1F356166FD1F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5824B53B-1DB7-4798-961F-D96F49204EE0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4D15E2A-9E3D-48C8-8567-78BFB6B7B77A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8900 bytes
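Editor's added example (not part of this thread, of HijackThis or of Spybot): the log above is triaged by hand in the replies that follow, but the same first-pass checks can be scripted. The Python below parses HJT entry lines and reports the settings a CoolWWWSearch-style hijacker changes to redirect traffic: the R1 IE proxy, O17 DNS servers, O2 browser helper objects whose DLL is missing or sits directly in system32, and O4 Run entries that name a bare executable. The sample input is copied from the log above plus one constructed O17 line (192.0.2.53, a TEST-NET address, with a placeholder GUID) so the DNS check has something to flag; the trusted-resolver set and the system32/bare-name rules are assumptions and heuristics of this example, not something the thread states.

```python
"""Triage a HijackThis (HJT) log for browser and network hijack indicators.

Added example for this thread; not part of HijackThis or Spybot. It reads the
R/O entry lines HJT emits and reports the settings a hijacker changes to
redirect traffic: the IE proxy (R1), DNS servers (O17), browser helper objects
(O2) and Run entries (O4). The system32 and bare-name rules are heuristics.
"""
import re
from ipaddress import ip_address

# Assumption of this example: the OpenDNS pair seen in the thread's log is the
# expected resolver set. Anything else is reported for a human to check.
TRUSTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# Lines copied from the log posted above, plus one constructed O17 line
# (192.0.2.53 is a TEST-NET address; the GUID is a placeholder) so that the
# DNS check has a hit to demonstrate.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.66.10:8088
O2 - BHO: CodecPlugin Class - {098716A9-0310-4CBE-BD64-B790A9761158} - (no file)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE-GUID}: NameServer = 192.0.2.53
"""


def parse_hjt(text):
    """Yield (entry type, body) for every HJT entry line, skipping headers."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["kind"], m["body"]


def triage_hjt(text):
    """Return a list of (finding_kind, message) tuples for a human to review."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            host = value.rsplit(":", 1)[0]
            try:
                scope = "private" if ip_address(host).is_private else "public"
            except ValueError:
                scope = "hostname"  # proxy given by name rather than IP
            findings.append(("proxy", f"IE proxy set to {value} ({scope} address); confirm it is expected"))
        elif kind == "O17" and "NameServer" in body:
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            unknown = [s for s in servers if s not in TRUSTED_NAMESERVERS]
            if unknown:
                findings.append(("dns", f"unexpected DNS server(s) {unknown} in {body.split(':')[0]}"))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            if m["path"] == "(no file)":
                # Dangling CLSID: harmless on its own, but worth cleaning up.
                findings.append(("orphan-bho", f"BHO {m['clsid']} registered but DLL missing ({m['name']})"))
            elif re.search(r"\\windows\\system32\\", m["path"].lower()):
                # Heuristic: legitimate BHOs normally live under Program Files.
                findings.append(("bho-in-system32", f"BHO '{m['name']}' loads {m['path']}"))
        elif kind == "O4" and "]" in body:
            command = body.split("]", 1)[1].strip()
            if "\\" not in command:
                # Heuristic: a bare name is resolved through the PATH search
                # order, so it is worth confirming which file actually runs.
                findings.append(("bare-run-entry", f"Run entry uses bare executable name: {command}"))
    return findings


if __name__ == "__main__":
    for kind, msg in triage_hjt(SAMPLE_HJT):
        print(f"[{kind}] {msg}")
```

On the thread's own log this reports the 10.10.66.10:8088 proxy as a private address (plausibly the poster's school network, so it is a question rather than a verdict), the orphaned CodecPlugin BHO, the "XML module" BHO loading msxml71.dll from system32, and the bare 000StTHK.exe Run entry; the OpenDNS O17 entries pass.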
 
Hi aseee

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Hi Shaba

I carried out all your instructions but another problem occurred.

I double clicked RunThis.bat to start the script, then typed Y as you explained. After that, 4 sentences appeared.

I will try to explain how it looked (those sentences were written in German; the language I use on my notebook is German too):


Type Y, A or N to Exit . . . . Y
The System can not find the stated file.
The System can not find the stated file.
The System can not find the stated file.
The command "dnif.exe" is either written wrong or it couldn't be found.


thanks in advance =)
 
OK, then we use this:

* Download GMER from here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
Hi

Another problem occurred.

I started gmer.exe; afterwards a message appeared:

"Warning ! ! !
Loaded GMER's driver version is incompatible with the currently running GMER application. You need to stop the driver with the command "net stop gmer" or restart your computer."

I could click "OK", the program started and another message appeared saying:

C:\WINDOWS\system32\config\system: The process can not access the file, because it is being used from another process.


I really appreciate your help, I am sorry I have messed up my notebook that much =)

see you soon hopefully
 
Hi, I restarted my notebook many times but the error keeps coming.
I even tried safe mode, it doesn't work either.
 
Have you previously used GMER?

If so, go to start - run and type net stop gmer and click ok and try again, please.
 
I tried that too.

It says: The required termination is invalid for this service. You can get help if you enter NET HELPMSG 2191.

I typed NET HELPMSG 2191 but nothing happened.
 
Great.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\System32\drivers\tdssserv.sys
    C:\WINDOWS\system32\tdssadw.dll 
    C:\WINDOWS\system32\tdssinit.dll 
    C:\WINDOWS\system32\tdssl.dll 
    C:\WINDOWS\system32\tdsslog.dll 
    C:\WINDOWS\system32\tdssmain.dll 
    C:\WINDOWS\system32\tdssservers.dat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run gmer if it runs now.

Post:

- otmoveit2 report
- gmer log (if possible)
 
After GMER finished scanning a warning appeared:

WARNING !!!
GMER has found system modification caused by ROOTKIT activity.



- otmoveit2 report:

File move failed. C:\Windows\System32\drivers\tdssserv.sys scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\tdssadw.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssinit.dll NOT unregistered.
C:\WINDOWS\system32\tdssinit.dll moved successfully.
File/Folder C:\WINDOWS\system32\tdssl.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdsslog.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tdsslog.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssmain.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tdssmain.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\tdssservers.dat moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09202008_163516

Files moved on Reboot...
File C:\Windows\System32\drivers\tdssserv.sys not found!
File C:\WINDOWS\system32\tdsslog.dll not found!
File C:\WINDOWS\system32\tdssmain.dll not found!



- gmer log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-20 17:16:12
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF76C3B3A]
SSDT F1F899AC ZwCreateThread
SSDT sptd.sys ZwEnumerateKey [0xF76C3C7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF76C3FF6]
SSDT sptd.sys ZwOpenKey [0xF76C3A18]
SSDT F1F89998 ZwOpenProcess
SSDT F1F8999D ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF76C40C0]
SSDT sptd.sys ZwQueryValueKey [0xF76C3F58]
SSDT sptd.sys ZwSetValueKey [0xF76C4148]
SSDT F1F899A7 ZwTerminateProcess
SSDT F1F899A2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
? C:\WINDOWS\System32\Drivers\SPTD4413.SYS Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F63174D0 16 Bytes [ EC, 1B, 97, 35, 98, 69, F7, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F63174E1 31 Bytes [ 60, 31, F6, 77, 27, AF, 7C, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\winlogon.exe[920] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00D05DD9
.text C:\WINDOWS\system32\winlogon.exe[920] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00D05FF1
.text C:\WINDOWS\system32\winlogon.exe[920] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00D0610E
.text C:\WINDOWS\system32\winlogon.exe[920] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00D05EF3
.text C:\WINDOWS\Explorer.EXE[2120] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00B75DD9
.text C:\WINDOWS\Explorer.EXE[2120] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00B75FF1
.text C:\WINDOWS\Explorer.EXE[2120] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00B7610E
.text C:\WINDOWS\Explorer.EXE[2120] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00B75EF3
.text C:\Programme\DU Meter\DUMeter.exe[2892] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00AF5DD9
.text C:\Programme\DU Meter\DUMeter.exe[2892] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00AF5FF1
.text C:\Programme\DU Meter\DUMeter.exe[2892] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00AF610E
.text C:\Programme\DU Meter\DUMeter.exe[2892] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00AF5EF3
.text C:\WINDOWS\system32\00THotkey.exe[2908] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009B5DD9
.text C:\WINDOWS\system32\00THotkey.exe[2908] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 009B5FF1
.text C:\WINDOWS\system32\00THotkey.exe[2908] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009B610E
.text C:\WINDOWS\system32\00THotkey.exe[2908] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009B5EF3
.text C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3044] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00B15DD9
.text C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3044] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00B15FF1
.text C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3044] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00B1610E
.text C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3044] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00B15EF3
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtCreateThread 7C91D7D2 3 Bytes JMP 00925DD9
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtCreateThread + 4 7C91D7D6 1 Byte [ 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtDeleteValueKey 7C91D8CE 3 Bytes JMP 00925FF1
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtDeleteValueKey + 4 7C91D8D2 1 Byte [ 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 3 Bytes JMP 0092610E
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtQueryDirectoryFile + 4 7C91DF62 1 Byte [ 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtSetValueKey 7C91E7BC 3 Bytes JMP 00925EF3
.text C:\WINDOWS\system32\ctfmon.exe[3120] ntdll.dll!NtSetValueKey + 4 7C91E7C0 1 Byte [ 84 ]
.text C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3156] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00385DD9
.text C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3156] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00385FF1
.text C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3156] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0038610E
.text C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3156] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00385EF3
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[3176] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00375DD9
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[3176] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00375FF1
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[3176] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0037610E

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F76CCDB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E271E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F76CD3B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F76CD2B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F76CD482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F76CD482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F76CD3B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F76CD2B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F76CCF6E] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F76D1F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F76E1C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F76E1C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2864] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F76BF020] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F76BF020] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8738A350
Device \FileSystem\Fastfat \FatCdrom 86ED7748
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8738A0E8
Device \Driver\dmio \Device\DmControl\DmConfig 8738A0E8
Device \Driver\dmio \Device\DmControl\DmPnP 8738A0E8
Device \Driver\dmio \Device\DmControl\DmInfo 8738A0E8
Device \Driver\prodrv06 \Device\ProDrv06 E1A44008
Device \Driver\Ftdisk \Device\HarddiskVolume1 873D3270
Device \Driver\Ftdisk \Device\HarddiskVolume2 873D3270
Device \Driver\Cdrom \Device\CdRom0 86DC5008
Device \FileSystem\Rdbss \Device\FsWrap 871A3518
Device \Driver\Cdrom \Device\CdRom1 86DC5008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86DC3008
Device \Driver\atapi \Device\Ide\IdePort0 86DC3008
Device \Driver\Cdrom \Device\CdRom2 86DC5008
Device \Driver\Cdrom \Device\CdRom3 86DC5008
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9375D0-B53C-46D9-BF7E-9DF2B8FE601C} 86D7D0E8
Device \Driver\Cdrom \Device\CdRom4 86DC5008
Device \Driver\prohlp02 \Device\ProHlp02 E18DDC90
Device \Driver\NetBT \Device\NetBt_Wins_Export 86D7D0E8
Device \Driver\NetBT \Device\NetbiosSmb 86D7D0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{0F2107D0-6C63-4E7F-BBAC-8DFACE06719E} 86D7D0E8
Device \Driver\00000050 \Device\0000005b sptd.sys
Device \FileSystem\Srv \Device\LanmanServer 86E4B154
Device \Driver\Disk \Device\Harddisk0\DR0 8738A608
Device \Driver\Disk \Device\Harddisk1\DR1 8738A608
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 871A4CA0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86D84254
Device \FileSystem\MRxSmb \Device\LanmanRedirector 871A4CA0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86D84254
Device \FileSystem\Npfs \Device\NamedPipe 86F281F0
Device \FileSystem\Npfs \Device\NamedPipe 87021E8C
Device \Driver\Ftdisk \Device\FtControl 873D3270
Device \FileSystem\Msfs \Device\Mailslot 86F33628
Device \FileSystem\Msfs \Device\Mailslot 8702243C
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target1Lun0 87070628
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target6Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target6Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target1Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target1Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1 8738A8C0
Device \Driver\KR10N \Device\Scsi\KR10N1 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 87070628
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target0Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target0Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target2Lun0 87070628
Device \Driver\dtscsi \Device\Scsi\dtscsi1 87070628
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target3Lun0 87070628
Device \FileSystem\Fastfat \Fat 86ED7748

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 871931BC
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 871931BC
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 871931BC
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 871931BC
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 871931BC
Device \FileSystem\Cdfs \Cdfs 86F6A0E8
Device \FileSystem\Cdfs \Cdfs 86DEB23C

---- Modules - GMER 1.0.14 ----

Module _________ F75C8000-F75E0000 (98304 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] tdssserv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE5 0x3D 0xF3 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x86 0x31 0x04 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCC 0xFE 0x85 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xCF 0xA8 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -1267934926
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -887537436
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 530801311
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE5 0x3D 0xF3 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x86 0x31 0x04 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCC 0xFE 0x85 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xCF 0xA8 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG06.00.00.01WORKSTATION D8805FE6CAC0FD1F50DDEC1272C58C614F5AC7E936AC24216B4938C9D14162DB8960EC2B43527A304098E4715915F7F680961C4C061AE16D22B114AE0E5624F1AA7BA9CAF9B84BCBF0E0372C635194860FD989D28C85C65EA125FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E6679DB7CE019D40AA5C5D575E7D6A3B9808FEBC9E127BECC74C023291A1B28850424D01CD36BCB411C0DB5AC4A7564D845188F27A775250DEC7767D88B4762721EB00CFBBA6DD15D4B58210F79F222B1C1C6BF771CAD8DA9AF1A3AA37975F089A57BE130D2EF93C953580DC0DF4BDD801CEB56DA72ACBE771DD53FCE986E0F00741EC3B1278326B34BDF8F87C6496AF46C9E6F25C03050A4D6B02A1C1BEE14E482D251AF0331A06A513C18090AD8EAC1630B1109CC454F5ADC1DEA532023EAB4F60B4E62491381471BBE474689379F02E6AFE2D4EE57987A4C850FA0594433E23659D3EF74B8AC03304223A76DDA140DE266997275DACBBD62DED7957C0B45C610B15A01119005C9D79EB18015842040ED0BF00B32916340061055A9955490238E1046EE1BA7D5BF170E63BA3D28D4934A1877DD3C85438ED1994BC90232D4CE94089703672D8D48A80EF35CCA0A9425F8EF588BB4279AF044F5222547F7EFECEC275532B07E005538315793F1AAD4
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 0BE8DA16D80848BB3FEB834C4521BE7A3EA9BBECC265A6EF1F0D3500510E288268BEB85D53BB9343FB67E56F405A2114133D7AC66A5BC628C36738854FBDA4CEA2AA51877AE7748FE66FE3F174CD1799A68E0C844FEC25F9A56F823A2B0E96B128004742E4E77D08656D654243FCC6BD7B393A6CB8DC1587FC98DD6336A7A45A8C25886E90674308055C957B70B856ABB56F11FA5544EFE6A969577A2786786D0796C0215BE8E1E0764CE372A4A7F1001EFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933C038D530D6EB3452AE804B0E791A67A8F85488591BFBD162D53AF0805C022867ECB71E5579CD6B7BB0B404DFA575D00CA341BB0DED4CF0AD67DB167276B0C6269B5681A182F9750492C3BA8AC86C6ECBCDF3D3ECA1BE54B04F818BDA79323E603B76E94EA0BABFDF48F3BDC45D2FC86F7FF2DCF9D417CF8A4C15B5A5CAFB51705E80BA4D9ED41841D84D8FAAAFF45A23540A931AFC1DAD012FC1339EA08636542AA08C76191141FE5FA064BA63F916377E486B92DD9BA8FC5CF752F606CB972D59C8AC03003EF2950BFE2658ECF9DC1FBF808B1294E3F38CCF6B17C4DD5013C13BAF1A12992E59211FBE73CC96B9887272C94D290EC7B45E1415B801D916BA7B314B0C25FB359

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\kdjql.exe 73737 bytes executable

---- EOF - GMER 1.0.14 ----
 
We are progressing :)

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\Windows\System32\drivers\tdssserv.sys
Now click Delete
Also do that with this file:

C:\WINDOWS\system32\kdjql.exe

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer.

Post a fresh gmer log, please.
 
After I clicked the Safe... button the computer rebooted as you said.
Then a small window appeared:

System is running in "GMER Safe Mode".
Click "OK" to continue.
I clicked OK and another window appeared.

The title of this window was: gmer.exe - The image / mapping (found this in the dictionary) is incorrect.
It said: The application or DLL C:\WINDOWS\system32\MsgPlusLoader.dll is not a valid Windows file. Check this with the installation diskette.

I clicked OK and another window appeared:
LoadLibrary "gmer.dll": The specified module was not found.

I clicked OK and another window appeared:
The title of this window was: kdjql.exe - The image / mapping (found this in the dictionary) is incorrect.
It said: The application or DLL C:\WINDOWS\system32\MsgPlusLoader.dll is not a valid Windows file. Check this with the installation diskette.

I clicked OK and another window appeared:
The title of this window was: services.exe - The image / mapping (found this in the dictionary) is incorrect.
It said: The application or DLL C:\WINDOWS\system32\MsgPlusLoader.dll is not a valid Windows file. Check this with the installation diskette.

I clicked OK and another window appeared:
The title of this window was: lsass.exe - The image / mapping (found this in the dictionary) is incorrect.
It said: The application or DLL C:\WINDOWS\system32\MsgPlusLoader.dll is not a valid Windows file. Check this with the installation diskette.

Then the screen with the accounts appeared and I entered my password.
 
I scanned again and the same warning appeared:

GMER has found system modification caused by ROOTKIT activity.

- gmer log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-20 20:59:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF76C3B3A]
SSDT F7E7B16C ZwCreateThread
SSDT sptd.sys ZwEnumerateKey [0xF76C3C7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF76C3FF6]
SSDT sptd.sys ZwOpenKey [0xF76C3A18]
SSDT F7E7B158 ZwOpenProcess
SSDT F7E7B15D ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF76C40C0]
SSDT sptd.sys ZwQueryValueKey [0xF76C3F58]
SSDT sptd.sys ZwSetValueKey [0xF76C4148]
SSDT F7E7B167 ZwTerminateProcess
SSDT F7E7B162 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E277C 1 Byte [ 6C ]
.text ntoskrnl.exe!_abnormal_termination + 122 804E277E 2 Bytes [ E7, F7 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD4413.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F614A4D0 16 Bytes [ 68, C1, 60, B3, 98, 03, 63, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F614A4E1 31 Bytes [ 90, 14, F6, 62, FE, 62, BA, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00B65DD9
.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00B65FF1
.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00B6610E
.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00B65EF3
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00D15DD9
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00D15FF1
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00D1610E
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00D15EF3
.text C:\Programme\DU Meter\DUMeter.exe[1016] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00AD5DD9
.text C:\Programme\DU Meter\DUMeter.exe[1016] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00AD5FF1
.text C:\Programme\DU Meter\DUMeter.exe[1016] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00AD610E
.text C:\Programme\DU Meter\DUMeter.exe[1016] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00AD5EF3
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[1444] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00375DD9
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[1444] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00375FF1
.text C:\Dokumente und Einstellungen\acoOdc\Desktop\gmer.exe[1444] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0037610E

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F76CCDB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E271E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F76CD3B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F76CD2B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F76CD482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F76CD482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F76CD3B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F76CD2B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F76CCF6E] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F76D1F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F76E1C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F76E1C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76E2864] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F76BF020] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F76BF020] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8738A350
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8738A0E8
Device \Driver\dmio \Device\DmControl\DmConfig 8738A0E8
Device \Driver\dmio \Device\DmControl\DmPnP 8738A0E8
Device \Driver\dmio \Device\DmControl\DmInfo 8738A0E8
Device \Driver\prodrv06 \Device\ProDrv06 E1A28610
Device \Driver\Ftdisk \Device\HarddiskVolume1 873D3270
Device \Driver\Ftdisk \Device\HarddiskVolume2 873D3270
Device \Driver\Cdrom \Device\CdRom0 87081788
Device \FileSystem\Rdbss \Device\FsWrap 87021330
Device \FileSystem\Rdbss \Device\FsWrap 86E6611C
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86CF3260
Device \Driver\atapi \Device\Ide\IdePort0 86CF3260
Device \Driver\Cdrom \Device\CdRom1 87081788
Device \Driver\Cdrom \Device\CdRom2 87081788
Device \Driver\Cdrom \Device\CdRom3 87081788
Device \Driver\NetBT \Device\NetBT_Tcpip_{6D9375D0-B53C-46D9-BF7E-9DF2B8FE601C} 86ED2C40
Device \Driver\Cdrom \Device\CdRom4 87081788
Device \Driver\prohlp02 \Device\ProHlp02 E1011CA0
Device \Driver\NetBT \Device\NetBt_Wins_Export 86ED2C40
Device \Driver\NetBT \Device\NetbiosSmb 86ED2C40
Device \Driver\NetBT \Device\NetBT_Tcpip_{0F2107D0-6C63-4E7F-BBAC-8DFACE06719E} 86ED2C40
Device \Driver\00000050 \Device\0000005b sptd.sys
Device \Driver\Disk \Device\Harddisk0\DR0 8738A608
Device \Driver\Disk \Device\Harddisk1\DR1 8738A608
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8702B860
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86E7021C
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8702B860
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86E7021C
Device \FileSystem\Npfs \Device\NamedPipe 86D210E8
Device \FileSystem\Npfs \Device\NamedPipe 87044F04
Device \Driver\Ftdisk \Device\FtControl 873D3270
Device \FileSystem\Msfs \Device\Mailslot 86EEE3E0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target1Lun0 86F0CF00
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target6Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target6Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target1Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target1Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1 8738A8C0
Device \Driver\KR10N \Device\Scsi\KR10N1 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 86F0CF00
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target0Lun0 8738AB78
Device \Driver\KR10N \Device\Scsi\KR10N1Port1Path0Target0Lun0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target2Lun0 86F0CF00
Device \Driver\dtscsi \Device\Scsi\dtscsi1 86F0CF00
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target3Lun0 86F0CF00
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 87020304
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 87020304
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 87020304
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 87020304
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 87020304
Device \FileSystem\Cdfs \Cdfs 87178320
Device \FileSystem\Cdfs \Cdfs 86CD6E4C

---- Modules - GMER 1.0.14 ----

Module _________ F75C8000-F75E0000 (98304 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [DISABLED] tdssserv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE5 0x3D 0xF3 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x86 0x31 0x04 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCC 0xFE 0x85 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xCF 0xA8 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@start 4
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -1267934926
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -887537436
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 530801311
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE5 0x3D 0xF3 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x86 0x31 0x04 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCC 0xFE 0x85 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCD 0xCF 0xA8 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x3A 0x01 0x63 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG06.00.00.01WORKSTATION ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\kdjql.exe 73737 bytes executable
File C:\WINDOWS\Prefetch\KDJQL.EXE-22667086.pf 3478 bytes

---- EOF - GMER 1.0.14 ----
 
Yes we need stronger tools.

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the program.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\windows\system32\drivers\TDSSserv.sys
C:\WINDOWS\system32\kdjql.exe

Drivers to delete:
tdssserv

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)
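The two posts above show the whole loop in this thread: read a GMER log, separate the hooks that belong to installed software (DAEMON Tools' sptd.sys, StarForce's prosync1.sys) from the ones GMER could not attribute, pick out the hidden service and the flagged files, and then hand exactly those items to Avenger in its "Files to delete:" / "Drivers to delete:" script format. The script below is an added example written for this page; it is not GMER's, Avenger's or the helper's own code. It assumes a Windows directory of C:\WINDOWS, a hypothetical whitelist of known hooking drivers, and a constructed sample log shaped like the one posted in this thread. It goes one step beyond the thread's script in two deliberate ways: it leaves Prefetch (.pf) entries alone because they are evidence that the binary ran rather than payload, and it reports unattributed SSDT hooks as "needs attribution" rather than "malicious", since antivirus self-protection drivers hook the same process and thread functions.

```python
"""Triage a GMER log and draft the matching Avenger script.

Added example for this thread, not GMER's or Avenger's own code. The sample
log at the bottom is constructed from the shape of the log posted above.
"""
import re
from collections import defaultdict

# Assumption: on this machine, hooks owned by DAEMON Tools (sptd.sys, dtscsi.sys)
# and StarForce (prosync1.sys) are expected; anything else needs a closer look.
KNOWN_BENIGN_HOOKERS = {"sptd.sys", "dtscsi.sys", "prosync1.sys"}
# Assumption: Windows directory of the infected machine (GMER prints hidden
# service images relative to it).
SYSTEMROOT = r"C:\WINDOWS"

SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\w+)\s+"
    r"[0-9A-F]+\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)$"
)
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s*"
    r"(?:\[(?P<state>\w+)\]\s*)?(?P<name>\w+)"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<exe>\s+executable)?$")


def triage(log_text):
    """Bucket the interesting GMER lines; everything else is ignored."""
    f = {
        "ssdt_benign": [],   # (owner module, Zw function) for whitelisted drivers
        "ssdt_review": [],   # (raw hook address or unknown module, Zw function)
        "user_hooks": defaultdict(list),  # function -> [(process, pid, jmp target)]
        "hidden_services": [],  # (service name, image path, start state)
        "files": [],            # (path, size, is_executable)
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            owner, func = m["owner"], m["func"]
            # GMER prints a bare address when it cannot name the hooking module.
            if HEX_ADDR_RE.match(owner) or owner.lower() not in KNOWN_BENIGN_HOOKERS:
                f["ssdt_review"].append((owner, func))
            else:
                f["ssdt_benign"].append((owner, func))
        elif m := USER_HOOK_RE.match(line):
            f["user_hooks"][m["func"]].append((m["proc"], int(m["pid"]), m["target"]))
        elif m := HIDDEN_SVC_RE.match(line):
            f["hidden_services"].append((m["name"], m["image"], m["state"]))
        elif m := FILE_RE.match(line):
            f["files"].append((m["path"], int(m["size"]), bool(m["exe"])))
    return f


def systemwide_hooks(findings, min_procs=2):
    """Functions hooked in at least min_procs distinct processes.

    The same ntdll hooks in Explorer, winlogon and the scanner itself point
    at one injected component rather than a per-application hook.
    """
    return {func for func, hits in findings["user_hooks"].items()
            if len({(p, pid) for p, pid, _ in hits}) >= min_procs}


def avenger_script(findings):
    """Draft an Avenger script from hidden service images and flagged files.

    Prefetch (.pf) entries only record that the binary ran; they are kept as
    evidence rather than deleted with the payload.
    """
    files = []
    for _, image, _ in findings["hidden_services"]:
        files.append(image if ":" in image else SYSTEMROOT + "\\" + image.lstrip("\\"))
    files += [p for p, _, _ in findings["files"] if not p.lower().endswith(".pf")]
    drivers = [name for name, _, _ in findings["hidden_services"]]
    lines = ["Files to delete:", *dict.fromkeys(files), "",
             "Drivers to delete:", *dict.fromkeys(drivers)]
    return "\n".join(lines)


# Constructed sample, shaped like the log posted in this thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xF76C3B3A]
SSDT F7E7B16C ZwCreateThread
SSDT sptd.sys ZwEnumerateKey [0xF76C3C7E]
SSDT F7E7B158 ZwOpenProcess
SSDT F7E7B162 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00B65DD9
.text C:\WINDOWS\Explorer.EXE[604] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00B6610E
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00D15DD9
.text C:\WINDOWS\system32\winlogon.exe[888] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00D1610E
---- Services - GMER 1.0.14 ----
Service system32\drivers\TDSSserv.sys (*** hidden *** ) [DISABLED] tdssserv <-- ROOTKIT !!!
---- Files - GMER 1.0.14 ----
File C:\WINDOWS\system32\kdjql.exe 73737 bytes executable
File C:\WINDOWS\Prefetch\KDJQL.EXE-22667086.pf 3478 bytes
---- EOF - GMER 1.0.14 ----
"""

if __name__ == "__main__":
    found = triage(SAMPLE_GMER_LOG)
    print("SSDT hooks needing attribution:", found["ssdt_review"])
    print("System-wide user-mode hooks:", sorted(systemwide_hooks(found)))
    print("Hidden services:", found["hidden_services"])
    print(avenger_script(found))
```

Run it as-is to see the draft script for the sample; point `triage()` at a saved gmer log to use it on a real one. Review the "needs attribution" bucket by hand before anything from it goes into a removal script, and note that the Avenger log further down reports the hidden driver file as already absent while the service entry was still there, which is exactly why the script lists both the file and the driver name.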
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\windows\system32\drivers\TDSSserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kdjql.exe" deleted successfully.
Driver "tdssserv" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 