Win32.TDSS.rtk

Thanks for your help. I hope your real life problems were easier to fix than this piece of malware has been.

The system is running mostly normal. The restore from backup utilities won't load anymore. I don't know if that was the virus or something that got hosed while trying to remove it.

I noticed that you had combofix send a sample of the infected file out for analysis. Who exactly gets the file and which utility will be updated to kill it in the future? It is a bit unnerving that at least three different antivirus programs failed to detect this thing.
 
Sysprot is still finding something. Here is the log. I'm ready to format and start over.



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\smss.exe
PID: 468
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\csrss.exe
PID: 532
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\winlogon.exe
PID: 560
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SERVICES.EXE
PID: 604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\LSASS.EXE
PID: 616
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 804
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 864
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 936
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1072
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\spoolsv.exe
PID: 1368
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 1536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 436
Hidden: No
Window Visible: No

Name: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PID: 756
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 920
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1084
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehRecvr.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 1312
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 1548
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.EXE
PID: 1636
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 1908
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1936
Hidden: No
Window Visible: No

Name: C:\Program Files\Launch Manager\LManager.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 1992
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1980
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 184
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\searchindexer.exe
PID: 196
Hidden: No
Window Visible: No

Name: C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PID: 216
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 1116
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PID: 1600
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office\OSA.EXE
PID: 2188
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 2248
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wscntfy.exe
PID: 2588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wbem\wmiprvse.exe
PID: 2604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wbem\wmiprvse.exe
PID: 2784
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2956
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\alg.exe
PID: 3228
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wbem\unsecapp.exe
PID: 3236
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 4016
Hidden: No
Window Visible: No

Name: C:\WINDOWS\EXPLORER.EXE
PID: 2760
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\ctfmon.exe
PID: 2508
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProt.exe
PID: 3880
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Service Name: geyekrttvogrql
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: AE3C4000
Module End: AE3CF000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BACBC000
Module End: BACBF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BACC0000
Module End: BACC4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BADAC000
Module End: BADAE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BADAE000
Module End: BADB0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BADB0000
Module End: BADB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BADB2000
Module End: BADB4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BADB4000
Module End: BADB6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA72B000
Module End: BA74A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BADB6000
Module End: BADB8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: BA705000
Module End: BA72B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BACC4000
Module End: BACC7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BAE71000
Module End: BAE72000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\UBHelper.sys
Service Name: UBHelper
Module Base: BACC8000
Module End: BACCC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BACCC000
Module End: BACD0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: BA6ED000
Module End: BA705000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA6D5000
Module End: BA6ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BACD0000
Module End: BACD4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BAB38000
Module End: BAB3D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BACD4000
Module End: BACD8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA8F8000
Module End: BA906000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BACD8000
Module End: BACDC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA908000
Module End: BA911000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BACDC000
Module End: BACDF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BAB40000
Module End: BAB47000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BACE0000
Module End: BACE4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BAB48000
Module End: BAB4D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BAB50000
Module End: BAB55000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BACE4000
Module End: BACE8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA918000
Module End: BA922000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA928000
Module End: BA936000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BAB58000
Module End: BAB60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BAB60000
Module End: BAB67000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BAB68000
Module End: BAB70000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BAB70000
Module End: BAB76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BAB78000
Module End: BAB7E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BADB8000
Module End: BADBA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA938000
Module End: BA941000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: BA6BC000
Module End: BA6D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BAB80000
Module End: BAB85000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA948000
Module End: BA952000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA958000
Module End: BA964000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA968000
Module End: BA974000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BAB88000
Module End: BAB8F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BADBA000
Module End: BADBC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BAB90000
Module End: BAB97000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BACE8000
Module End: BACEC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: BA690000
Module End: BA6BC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA978000
Module End: BA981000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA988000
Module End: BA995000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA670000
Module End: BA690000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA65E000
Module End: BA670000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA998000
Module End: BA9A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Fastfat.sys
Service Name: Fastfat
Module Base: BA63A000
Module End: BA65E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA623000
Module End: BA63A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA5F6000
Module End: BA623000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: BA9A8000
Module End: BA9B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA5DC000
Module End: BA5F6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA9C8000
Module End: BA9D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA9D8000
Module End: BA9E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA9E8000
Module End: BA9F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA9F8000
Module End: BAA03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: BAA08000
Module End: BAA16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: BAD68000
Module End: BAD6B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: BA345000
Module End: BA4CC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: BA331000
Module End: BA345000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: BAC00000
Module End: BAC05000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: BA30D000
Module End: BA331000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC08000
Module End: BAC10000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BAA18000
Module End: BAA23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BAA28000
Module End: BAA38000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BAA38000
Module End: BAA47000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: BA2EA000
Module End: BA30D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Service Name: NTIDrvr
Module Base: BADBC000
Module End: BADBE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BAC10000
Module End: BAC15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: BA2C2000
Module End: BA2EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAA48000
Module End: BAA55000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
Service Name: DKbFltr
Module Base: BAC18000
Module End: BAC1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BAC20000
Module End: BAC26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: BA292000
Module End: BA2C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADBE000
Module End: BADC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC28000
Module End: BAC2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BAD70000
Module End: BAD74000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: BA21A000
Module End: BA292000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
Service Name: EMSCR
Module Base: BAA58000
Module End: BAA67000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: BA206000
Module End: BA21A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
Service Name: ESMCR
Module Base: BA1F3000
Module End: BA206000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
Service Name: ESDCR
Module Base: BAA68000
Module End: BAA72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAF18000
Module End: BAF19000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: BADC0000
Module End: BADC2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BAC30000
Module End: BAC38000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Service Name: irda
Module Base: BAC38000
Module End: BAC3D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BAC40000
Module End: BAC45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BAA78000
Module End: BAA85000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BAD78000
Module End: BAD7B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: BA1DC000
Module End: BA1F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BAA88000
Module End: BAA93000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BAA98000
Module End: BAAA4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: BA12B000
Module End: BA13C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BAAA8000
Module End: BAAB1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC48000
Module End: BAC4D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC50000
Module End: BAC55000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Service Name: RimVSerPort
Module Base: BAC58000
Module End: BAC5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: BA0FB000
Module End: BA12B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BAAB8000
Module End: BAAC2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADC2000
Module End: BADC4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: BA075000
Module End: BA0D3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BAD8C000
Module End: BAD90000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BAAC8000
Module End: BAAD2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BAAF8000
Module End: BAB07000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: B1B71000
Module End: B1FAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B1B4D000
Module End: B1B71000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BAB08000
Module End: BAB17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Service Name: HSXHWAZL
Module Base: B1B13000
Module End: B1B4D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Service Name: HSF_DPV
Module Base: B1A1C000
Module End: B1B13000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Service Name: winachsf
Module Base: B1965000
Module End: B1A1C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: BA500000
Module End: BA503000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BADC6000
Module End: BADC8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAF6B000
Module End: BAF6C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BADC8000
Module End: BADCA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAC80000
Module End: BAC87000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BAC88000
Module End: BAC8E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BADCA000
Module End: BADCC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BADCC000
Module End: BADCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BAC90000
Module End: BAC95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BAC98000
Module End: BACA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BA4F8000
Module End: BA4FB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B182A000
Module End: B183D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B17D1000
Module End: B182A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B1781000
Module End: B17A9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B175B000
Module End: B1781000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA5BC000
Module End: BA5C5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B1739000
Module End: B175B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA5AC000
Module End: BA5B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B170E000
Module End: B1739000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B169E000
Module End: B170E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA58C000
Module End: BA597000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\BisonCam.sys
Service Name: Cam5603D
Module Base: B15D9000
Module End: B169E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\STREAM.SYS
Service Name: ---
Module Base: BA56C000
Module End: BA579000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA55C000
Module End: BA56C000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B1580000
Module End: B1598000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BADCE000
Module End: BADD0000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: BA0EF000
Module End: BA0F2000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BACA0000
Module End: BACA5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAE84000
Module End: BAE85000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\irda.sys
Service Name: ---
Module Base: AF212000
Module End: AF228000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AF35C000
Module End: AF360000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AEFF5000
Module End: AF00A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AF14A000
Module End: AF159000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: AED70000
Module End: AED9D000
Hidden: No

Module Name: \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Service Name: DritekPortIO
Module Base: AEDCD000
Module End: AEDD1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: AEB77000
Module End: AEBB8000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\int15.sys
Service Name: int15
Module Base: AEB3E000
Module End: AEB4F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: AED54000
Module End: AED58000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: AEAEC000
Module End: AEB3E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: AECB8000
Module End: AECC2000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\tvicport.sys
Service Name: tvicport
Module Base: AEB4F000
Module End: AEB52000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\zntport.sys
Service Name: zntport
Module Base: BAF0C000
Module End: BAF0D000
Hidden: No

Module Name: \??\C:\otherjohn\catchme.sys
Service Name: catchme
Module Base: B18AD000
Module End: B18B5000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: BAE0A000
Module End: BAE0C000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: ADFD1000
Module End: ADFFC000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: COMPUTADORA.SERENITY:2869
Remote Address: 192.168.0.1:1092
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: CLOSE_WAIT

Local Address: COMPUTADORA.SERENITY:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: COMPUTADORA:27015
Remote Address: LOCALHOST:1029
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: COMPUTADORA:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: COMPUTADORA:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: COMPUTADORA:1032
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\alg.exe
State: LISTENING

Local Address: COMPUTADORA:1029
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: COMPUTADORA:9999
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
State: LISTENING

Local Address: COMPUTADORA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING

Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: COMPUTADORA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING

Local Address: COMPUTADORA.SERENITY:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA.SERENITY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA.SERENITY:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: COMPUTADORA.SERENITY:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: COMPUTADORA.SERENITY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:1038
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:56324
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMPUTADORA:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA

Local Address: COMPUTADORA:1030
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\spoolsv.exe
State: NA

Local Address: COMPUTADORA:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found
 
Hello!

Thanks for your help. I hope your real life problems were easier to fix than this piece of malware has been.
You are welcome. I am truly sorry for the delay. Yes it was easily solved.

The system is running mostly normally. The restore from backup utilities won't load anymore. I don't know if that was the virus or something that got hosed while trying to remove it.
That could be the case.

I noticed that you had combofix send a sample of the infected file out for analysis. Who exactly gets the file and which utility will be updated to kill it in the future? It is a bit unnerving that at least three different antivirus programs failed to detect this thing.
These files will go to the author of Combofix so he can add them to Combofix. Some files may also be shared with antivirus companies. Well, no antivirus program is 100% secure, unfortunately.


I'm ready to format and start over.
If you want to do this I fully understand. Sometimes it is the best way. Let me know what you want to do.


Run CFScript


  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:


Code:
File::
C:\FOUND.007
c:\windows\system32\geyekrjwmeoxta.dll
c:\windows\system32\geyekrornmbpxe.dll
c:\windows\system32\geyekrnrndxrqt.dat
c:\windows\system32\geyekrxfenxvmc.dll
c:\windows\system32\geyekrapjdskvl.dat
c:\windows\system32\geyekrbuhylhmn.dll
c:\windows\system32\drivers\geyekrtivmlkya.sys

Driver::
geyekrttvogrql

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    CFScriptExample.jpg
  • Referring to the picture below, drag CFScript into ComboFix.exe

    CFScriptB-4.gif
  • When finished, it shall produce a log for you at C:\ComboFix.txt


NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next Reply

Please reply with:

  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
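As an added example (not ComboFix's own code and not from this thread), a small Python parser for the CFScript format used above: it splits the File::/Driver::/Registry::/RegLockDel:: sections, cross-checks that the service named in the registry keys matches the Driver:: entry, and reports which listed files actually exist under a given root so you can verify what the script would act on. The sample script is constructed to mirror the one in the thread.

```python
"""Parse a ComboFix CFScript like the one above and sanity-check its entries."""
import os

# Constructed sample mirroring the sections of the script in this thread.
SAMPLE_CFSCRIPT = """File::
C:\\FOUND.007
c:\\windows\\system32\\geyekrjwmeoxta.dll

Driver::
geyekrttvogrql

Registry::
[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\geyekrttvogrql]

RegLockDel::
[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\geyekrttvogrql]
"""

def parse_cfscript(text):
    """Return {section: [entries]} for each 'Name::' header (blank lines skipped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as File::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections

def registry_services(sections):
    """Service names referenced by Registry::/RegLockDel:: keys under \\Services\\."""
    names = set()
    for sec in ("Registry", "RegLockDel"):
        for entry in sections.get(sec, []):
            key = entry.strip("[]").lstrip("-")   # leading '-' is the delete-key form
            if "\\services\\" in key.lower():
                names.add(key.rsplit("\\", 1)[1])
    return names

def check_files(sections, root):
    """Map each File:: entry to whether it exists under root (drive dropped, lower-cased)."""
    def rel(entry):
        return entry.split(":", 1)[-1].replace("\\", "/").strip("/").lower()
    return {e: os.path.exists(os.path.join(root, rel(e))) for e in sections.get("File", [])}
```

Pointing `check_files` at a copied-out or mounted system tree lets you confirm the listed indicators before and after ComboFix runs, without touching the live registry.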
 
I decided to go with the format and reinstall of Windows. This thing has been too resistant to treatment for me not to always be wondering if we got it all.

I've done the format (not the quick format) and used the restore disks to get it back to the original factory condition. Now I'm working on the Windows updates to get all the service packs and security patches in place.

Thank you for your help. I hope the samples from the last combofix run are enough to crack that thing and get the fixes built in to all the anti malware programs out there.

Can you recommend a good package of security programs to prevent this from happening again? The AVG/Spybot combo I was using wasn't up to the task.

John
 
Re-format and Reinstall

I'll respect your decision to do a Re-format and Reinstall.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help:

When should I re-format? How should I reinstall?
Windows XP Clean install


Then there are a couple of things you should do immediately after installing Windows and before surfing the net.


  • General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    Here are a few FREE alternatives:
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    NOTE: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

    Here are a few FREE alternatives:
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE



Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.


  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed at users of Internet Explorer. Try using a different browser instead: Firefox or Opera



Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints >Malware Complaints<. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 