
Author Topic: Another "application cannot be executed" infection  (Read 16435 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Another "application cannot be executed" infection
« Reply #15 on: February 18, 2010, 07:32:04 PM »
One more rootkit scan just to be sure.


Download GMER Rootkit Detector and save it to your desktop.
 
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to the clipboard.
* Post the log in your reply.

Crazywumbat

    Topic Starter


    Rookie

    Re: Another "application cannot be executed" infection
    « Reply #16 on: February 19, 2010, 12:06:00 AM »
    Here it is. It did say it found something modified by a rootkit :(





    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-19 02:00:28
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\uxldqpow.sys


    ---- System - GMER 1.0.15 ----

    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateKey [0xB7A8F4FB]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteKey [0xB7A8F50F]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteValueKey [0xB7A8F53B]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwOpenKey [0xB7A8F4E7]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwRenameKey [0xB7A8F525]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwSetValueKey [0xB7A8F551]
    Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwTerminateProcess [0xB7A8F567]
    Code            85F764A4                                                                                      pIofCallDriver

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE            ntkrnlpa.exe!ZwTerminateProcess                                                               805D13E4 5 Bytes  JMP B7A8F56B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwSetValueKey                                                                    80620992 7 Bytes  JMP B7A8F555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwRenameKey                                                                      80621CF8 7 Bytes  JMP B7A8F529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwCreateKey                                                                      806222D2 5 Bytes  JMP B7A8F4FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwDeleteKey                                                                      80622762 7 Bytes  JMP B7A8F513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwDeleteValueKey                                                                 80622932 7 Bytes  JMP B7A8F53F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE            ntkrnlpa.exe!ZwOpenKey                                                                        80623668 5 Bytes  JMP B7A8F4EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                      section is writeable [0xF65EC380, 0x21FC8D, 0xE8000020]
    init            C:\WINDOWS\system32\drivers\monfilt.sys                                                       entry point in "init" section [0xF40CB280]
    .text           tcpip.sys!IPTransmit + 10BC                                                                   F3585CFA 6 Bytes  CALL 85F76487
    .text           tcpip.sys!IPTransmit + 263D                                                                   F358727B 6 Bytes  CALL 85F76487
    .text           tcpip.sys!ARPRcv + 521E                                                                       F358C4BE 6 Bytes  CALL 85F76487
    .text           wanarp.sys                                                                                    F76A73FD 7 Bytes  CALL 85F76494

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                             85F75576
    IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                              85F7556C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                        mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice  \Driver\Tcpip \Device\Ip                                                                      mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                       SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                       SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                     mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice  \Driver\Tcpip \Device\Udp                                                                     mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                   mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device          \FileSystem\Fastfat \Fat                                                                      kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)
    Device          \FileSystem\Fastfat \Fat                                                                      kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

    AttachedDevice  \FileSystem\Fastfat \Fat                                                                      mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Services - GMER 1.0.15 ----

    Service          (*** hidden *** )                                                                            [AUTO] asc3550p                                                                                                               <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start                                         1
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type                                          1
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath                                     \systemroot\system32\drivers\TDSSmhct.sys
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group                                         file system
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)               
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv                              \systemroot\system32\drivers\TDSSmhct.sys
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl                                 \systemroot\system32\TDSSoiqn.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers                           \systemroot\system32\TDSSorvd.dat
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain                              \systemroot\system32\TDSShrsr.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog                               \systemroot\system32\TDSSrtqp.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw                               \systemroot\system32\TDSSxfum.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit                              \systemroot\system32\TDSSlxwp.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls                              \systemroot\system32\TDSSnmxh.log
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels                            \systemroot\system32\TDSSsihc.dll
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors                            \systemroot\system32\TDSSrhyp.log
    Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc                              \systemroot\system32\TDSSkkbi.log
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p                                               
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@ErrorControl                                  0
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@Start                                         2
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@Group                                         SCSI miniport
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@Tag                                           42
    Reg             HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@Type                                          1

    ---- EOF - GMER 1.0.15 ----
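    As an added example (not part of the thread, of GMER or of TDSSKiller), the following Python triages a GMER log like the one above from a defender's side: it separates hooks GMER attributes to a named driver (here McAfee's mfehidk.sys) from hooks and inline patches whose target GMER cannot map to any module, lists services marked hidden, and cross-references registry entries against those services and the TDSS naming seen in the log. The sample log is constructed from lines quoted in this post, with the column padding shortened.

```python
"""Triage a GMER rootkit-scan log for TDSS-style indicators.

Added example for this thread; not part of GMER or the forum post.  GMER prints
the owning module and vendor next to a hook when it can map the hook target to a
loaded driver; this script flags what GMER could not map, plus hidden services
and the registry entries belonging to them.  SAMPLE_LOG is constructed from the
post above (padding shortened).
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
Code   \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateKey [0xB7A8F4FB]
Code   85F764A4   pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
PAGE   ntkrnlpa.exe!ZwTerminateProcess   805D13E4 5 Bytes  JMP B7A8F56B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text  tcpip.sys!IPTransmit + 10BC   F3585CFA 6 Bytes  CALL 85F76487
.text  wanarp.sys   F76A73FD 7 Bytes  CALL 85F76494
---- Services - GMER 1.0.15 ----
Service   (*** hidden *** )   [AUTO] asc3550p   <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg   HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath   \systemroot\system32\drivers\TDSSmhct.sys
Reg   HKLM\SYSTEM\CurrentControlSet\Services\asc3550p@Start   2
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
VENDOR_RE = re.compile(r"\(.+?/.+?\)")      # "(Description/Vendor)" GMER appends to mapped modules
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\@]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str
    detail: str


def parse_sections(text):
    """Yield (section, line) for every non-blank line under a '---- X - GMER' header."""
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section and line.strip():
            yield section, line.rstrip()


def triage_gmer(text):
    rows = list(parse_sections(text))
    findings = []

    # Pass 1: services GMER marks hidden.  The start type is bracketed; the name follows it.
    hidden = set()
    for section, line in rows:
        if section == "Services" and "hidden" in line.lower():
            m = re.search(r"\]\s+(\S+)", line)
            if m:
                hidden.add(m.group(1))
                findings.append(Finding(section, "hidden-service", m.group(1)))

    # Pass 2: hooks, inline patches and registry entries.
    for section, line in rows:
        fields = line.split()
        if section == "System" and fields[0] == "Code":
            # Mapped form: "Code <module> (Desc/Vendor) <ZwFn> [addr]".  A bare 32-bit
            # address in the module position means GMER found no driver owning the hook.
            if HEX32_RE.match(fields[1]):
                findings.append(Finding(section, "unattributed-hook", f"{fields[-1]} -> {fields[1]}"))
        elif section == "Kernel code sections" and ("JMP" in fields or "CALL" in fields):
            # Inline patch: "<symbol> <addr> N Bytes JMP|CALL <target> [module (Desc/Vendor)]".
            if not VENDOR_RE.search(line):
                op = "JMP" if "JMP" in fields else "CALL"
                target = fields[fields.index(op) + 1]
                findings.append(Finding(section, "unattributed-patch", f"{fields[1]} -> {target}"))
        elif section == "Registry" and fields[0] == "Reg":
            key, data = fields[1], " ".join(fields[2:])
            m = SERVICE_KEY_RE.search(key)
            if m and m.group(1) in hidden:
                findings.append(Finding(section, "hidden-service-registry", key))
            elif "TDSS" in key.upper() or "TDSS" in data.upper():
                findings.append(Finding(section, "tdss-registry", key))
    return findings


def target_pages(findings):
    """4 KiB pages the unattributed hook/patch targets fall in.  One shared page
    points at a single in-memory code blob rather than several unrelated drivers."""
    pages = set()
    for f in findings:
        if f.kind in ("unattributed-hook", "unattributed-patch"):
            pages.add(int(f.detail.split(" -> ")[1], 16) & ~0xFFF)
    return pages


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.kind}: {f.detail}")
    print("unattributed targets share page(s):", [hex(p) for p in sorted(target_pages(results))])
```

    On this sample the McAfee entries produce no findings, while the pIofCallDriver hook and the two tcpip/wanarp CALL patches all resolve into the same page, which is the pattern the hidden asc3550p service and the TDSS registry keys point to as well.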

    evilfantasy

    Re: Another "application cannot be executed" infection
    « Reply #17 on: February 19, 2010, 08:16:20 AM »
    Download TDSSKiller and save it to your desktop.

    * Right-click on the file and choose Extract All, extract the file to your desktop, then run it.
    * Once completed it will create a log in your C:\ drive with a name similar to 'TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt'.
    * Please post the contents of that log.

    Crazywumbat


      Re: Another "application cannot be executed" infection
      « Reply #18 on: February 19, 2010, 12:59:48 PM »
      Okay, here it is:


      14:52:57:406 3004   TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
      14:52:57:406 3004   ================================================================================
      14:52:57:406 3004   SystemInfo:

      14:52:57:406 3004   OS Version: 5.1.2600 ServicePack: 2.0
      14:52:57:406 3004   Product type: Workstation
      14:52:57:406 3004   ComputerName: CAPTAIN
      14:52:57:406 3004   UserName: Kevin
      14:52:57:406 3004   Windows directory: C:\WINDOWS
      14:52:57:406 3004   Processor architecture: Intel x86
      14:52:57:406 3004   Number of processors: 2
      14:52:57:406 3004   Page size: 0x1000
      14:52:57:421 3004   Boot type: Normal boot
      14:52:57:421 3004   ================================================================================
      14:52:57:437 3004   UnloadDriverW: NtUnloadDriver error 2
      14:52:57:437 3004   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
      14:52:57:453 3004   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
      14:52:58:328 3004   UtilityInit: KLMD drop and load success
      14:52:58:328 3004   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
      14:52:58:328 3004   UtilityInit: KLMD open success
      14:52:58:328 3004   UtilityInit: Initialize success
      14:52:58:328 3004   
      14:52:58:328 3004   Scanning   Services ...
      14:52:58:328 3004   CreateRegParser: Registry parser init started
      14:52:58:328 3004   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
      14:52:58:328 3004   CreateRegParser: DisableWow64Redirection error
      14:52:58:328 3004   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
      14:52:58:343 3004   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
      14:52:58:343 3004   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
      14:52:58:343 3004   wfopen_ex: Trying to KLMD file open
      14:52:58:343 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
      14:52:58:343 3004   wfopen_ex: File opened ok (Flags 2)
      14:52:58:343 3004   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384DB0
      14:52:58:343 3004   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
      14:52:58:343 3004   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
      14:52:58:343 3004   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
      14:52:58:343 3004   wfopen_ex: Trying to KLMD file open
      14:52:58:343 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
      14:52:58:343 3004   wfopen_ex: File opened ok (Flags 2)
      14:52:58:343 3004   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384E58
      14:52:58:343 3004   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
      14:52:58:343 3004   CreateRegParser: EnableWow64Redirection error
      14:52:58:343 3004   CreateRegParser: RegParser init completed
      14:52:58:390 3004   GetAdvancedServicesInfo: Raw services enum returned 377 services
      14:52:58:812 3004   
      14:52:58:812 3004   Hidden service detected!
      14:52:58:812 3004   Service name:   asc3550p
      14:52:58:812 3004   Image path:   
      14:52:58:812 3004   Type "delete" (without quotes) to delete it: 14:53:17:718 3004   
      14:53:17:718 3004   ScanTDL2Services: By user detect asc3550p
      14:53:17:718 3004   RegNode HKLM\SYSTEM\ControlSet001\services\asc3550p infected by TDSS rootkit ... 14:53:17:718 3004   will be deleted on reboot
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Minimal doesn't infected
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Network doesn't infected
      14:53:17:718 3004   RegNode HKLM\SYSTEM\ControlSet002\services\asc3550p infected by TDSS rootkit ... 14:53:17:718 3004   will be deleted on reboot
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Minimal doesn't infected
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Network doesn't infected
      14:53:17:718 3004   RegNode HKLM\SYSTEM\ControlSet003\services\asc3550p infected by TDSS rootkit ... 14:53:17:718 3004   will be deleted on reboot
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Minimal doesn't infected
      14:53:17:718 3004   DeleteTDL2Service: SafeBoot Network doesn't infected
      14:53:17:718 3004   DeleteTDL2Service: Service asc3550p have empty ImagePath!
      14:53:17:718 3004   ScanTDL2Services: DeleteEvilService(asc3550p) success
      14:53:17:734 3004   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
      14:53:17:734 3004   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
      14:53:17:734 3004   
      14:53:17:734 3004   Scanning   Kernel memory ...
      14:53:17:734 3004   KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
      14:53:17:734 3004   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8717DA08
      14:53:17:734 3004   DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
      14:53:17:734 3004   
      14:53:17:734 3004   DetectCureTDL3: DEVICE_OBJECT: 87153C68
      14:53:17:734 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87153C68
      14:53:17:734 3004   KLMD_ReadMem: Trying to ReadMemory 0x87153C68[0x38]
      14:53:17:734 3004   DetectCureTDL3: DRIVER_OBJECT: 8717DA08
      14:53:17:734 3004   KLMD_ReadMem: Trying to ReadMemory 0x8717DA08[0xA8]
      14:53:17:734 3004   KLMD_ReadMem: Trying to ReadMemory 0xE191CC28[0x18]
      14:53:17:734 3004   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_CREATE                      : F7598C30
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_CLOSE                       : F7598C30
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_READ                        : F7592D9B
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_WRITE                       : F7592D9B
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : F7593366
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : F759344D
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7596FC3
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SHUTDOWN                    : F7593366
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_POWER                       : F7594EF3
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : F7599A24
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4544
      14:53:17:734 3004   DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4544
      14:53:17:734 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:734 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:734 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:750 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
      14:53:17:750 3004   
      14:53:17:750 3004   DetectCureTDL3: DEVICE_OBJECT: 87117C68
      14:53:17:750 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87117C68
      14:53:17:750 3004   KLMD_ReadMem: Trying to ReadMemory 0x87117C68[0x38]
      14:53:17:750 3004   DetectCureTDL3: DRIVER_OBJECT: 8717DA08
      14:53:17:750 3004   KLMD_ReadMem: Trying to ReadMemory 0x8717DA08[0xA8]
      14:53:17:750 3004   KLMD_ReadMem: Trying to ReadMemory 0xE191CC28[0x18]
      14:53:17:750 3004   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_CREATE                      : F7598C30
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_CLOSE                       : F7598C30
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_READ                        : F7592D9B
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_WRITE                       : F7592D9B
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : F7593366
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : F759344D
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7596FC3
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SHUTDOWN                    : F7593366
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_POWER                       : F7594EF3
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : F7599A24
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4544
      14:53:17:750 3004   DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4544
      14:53:17:750 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:750 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:750 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:750 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:765 3004   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
      14:53:17:765 3004   
      14:53:17:765 3004   DetectCureTDL3: DEVICE_OBJECT: 87179C68
      14:53:17:765 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87179C68
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0x87179C68[0x38]
      14:53:17:765 3004   DetectCureTDL3: DRIVER_OBJECT: 8717DA08
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0x8717DA08[0xA8]
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0xE191CC28[0x18]
      14:53:17:765 3004   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE                      : F7598C30
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CLOSE                       : F7598C30
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_READ                        : F7592D9B
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_WRITE                       : F7592D9B
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : F7593366
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : F759344D
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : F7596FC3
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SHUTDOWN                    : F7593366
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_POWER                       : F7594EF3
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : F7599A24
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4544
      14:53:17:765 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:765 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:765 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:765 3004   TDL3_FileDetect: Processing driver: Disk
      14:53:17:765 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:765 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
      14:53:17:765 3004   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
      14:53:17:765 3004   
      14:53:17:765 3004   DetectCureTDL3: DEVICE_OBJECT: 8717AAB8
      14:53:17:765 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8717AAB8
      14:53:17:765 3004   DetectCureTDL3: DEVICE_OBJECT: 87188F18
      14:53:17:765 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 87188F18
      14:53:17:765 3004   DetectCureTDL3: DEVICE_OBJECT: 8717E940
      14:53:17:765 3004   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8717E940
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0x8717E940[0x38]
      14:53:17:765 3004   DetectCureTDL3: DRIVER_OBJECT: 87159608
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0x87159608[0xA8]
      14:53:17:765 3004   KLMD_ReadMem: Trying to ReadMemory 0xE190A8E0[0x1A]
      14:53:17:765 3004   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE                      : F73BF572
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CLOSE                       : F73BF572
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_READ                        : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_WRITE                       : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : F73BF592
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : F73BB7B4
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_SHUTDOWN                    : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4544
      14:53:17:765 3004   DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4544
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4544
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4544
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_POWER                       : F73BF5BC
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : F73C6164
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4544
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4544
      14:53:17:781 3004   DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4544
      14:53:17:781 3004   TDL3_FileDetect: Processing driver: atapi
      14:53:17:781 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
      14:53:17:781 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
      14:53:17:781 3004   KLMD_ReadMem: Trying to ReadMemory 0xF73BC7C6[0x400]
      14:53:17:781 3004   TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
      14:53:17:781 3004   TDL3_FileDetect: Processing driver: atapi
      14:53:17:781 3004   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
      14:53:17:781 3004   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
      14:53:17:796 3004   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
      14:53:17:796 3004   UtilityBootReinit: Reboot required for cure complete..
      14:53:17:796 3004   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
      14:53:17:890 3004   UtilityBootReinit: KLMD drop success
      14:53:17:906 3004   KLMD_ApplyPendList: Pending buffer(77BF_159C, 448) dropped successfully
      14:53:17:906 3004   UtilityBootReinit: Cure on reboot scheduled successfully
      14:53:17:906 3004   
      14:53:17:906 3004   Completed
      14:53:17:906 3004   
      14:53:17:906 3004   Results:
      14:53:17:906 3004   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
      14:53:17:906 3004   Registry objects infected / cured / cured on reboot:   3 / 0 / 3
      14:53:17:906 3004   File objects infected / cured / cured on reboot:   0 / 0 / 0
      14:53:17:906 3004   
      14:53:17:906 3004   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
      14:53:17:906 3004   UtilityDeinit: KLMD(ARK) unloaded successfully

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Another "application cannot be executed" infection
      « Reply #19 on: February 19, 2010, 01:08:32 PM »
      Run GMER again and post the log please.

      Crazywumbat

        Topic Starter


        Rookie

        Re: Another "application cannot be executed" infection
        « Reply #20 on: February 19, 2010, 08:16:21 PM »
        Here's the new one.


        [Saving space, attachment deleted by admin]

        evilfantasy

        Re: Another "application cannot be executed" infection
        « Reply #21 on: February 19, 2010, 08:44:41 PM »
        Download and install SUPERAntiSpyware Free

        If you already have SUPERAntiSpyware, be sure it is the current version, 4.34.1000. If it is a lower version, you need to install it again to get the updated one.

        * Start SUPERAntiSpyware and click Check for updates. If you encounter any problems while downloading the updates, manually download and unzip them from here.

        * Once the update is finished, on the main screen, click Scan your computer
        * Check Perform Complete Scan
        * Click Next to start the scan.

        * When finished SUPERAntiSpyware will list all the infections found.
        * Make sure everything found has a check next to it and press Next
        * Then click Finish

        - It is possible that SUPERAntiSpyware asks to reboot the PC in order to delete some files; please do so.
         
        Locate the SUPERAntiSpyware log as follows:

        * Click: Preferences
        * Click the Statistics/Logs tab
        * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log
        * The log will open in your default text editor (such as Notepad)
        * Post the SUPERAntiSpyware log in your reply.

        ----------

        After the computer has been restarted run a new GMER scan and post the log.

          Crazywumbat

          Re: Another "application cannot be executed" infection
          « Reply #22 on: February 22, 2010, 07:17:18 PM »
          Here's the SUPERAntiSpyware log, but for some reason I can't get the GMER log. I've tried three times now to run it over the last day and a half, and after each run my CPU usage goes up to 100% and everything freezes when I try to open up Firefox, or Notepad, or anything. It did say that rootkit activity was detected though.

          [Saving space, attachment deleted by admin]

          evilfantasy

          Re: Another "application cannot be executed" infection
          « Reply #23 on: February 22, 2010, 07:31:06 PM »
          Please download SystemLook from one of the below links and save it to your desktop.

          Link #1
          Link #2

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          * Double-click SystemLook.exe to run it.
          * Copy the contents of the following codebox into the main textfield.

          Code:
          :filefind
          TDSSserv.sys

          :reg
          HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys /sub

          * Click the Look button to start the scan.
          * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
          * When finished, a notepad window will open with the results of the scan. Please post the log.

          The log can also be found on your desktop entitled SystemLook.txt

            Crazywumbat

            Re: Another "application cannot be executed" infection
            « Reply #24 on: February 22, 2010, 09:58:24 PM »
            Ok done.

            SystemLook v1.0 by jpshortstuff (11.01.10)
            Log created at 23:55 on 22/02/2010 by Kevin (Administrator - Elevation successful)

            ========== filefind ==========

            Searching for "TDSSserv.sys"
            No files found.

            ========== reg ==========

            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
            (Unable to open key - access denied)

            -=End Of File=-

            evilfantasy

            Re: Another "application cannot be executed" infection
            « Reply #25 on: February 23, 2010, 09:59:28 AM »
            Delete your current version of ComboFix and download it again!


            If you already have ComboFix be sure to delete it and download a new copy.

            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

            Link #1
            Link #2

            Note: It is important that it is saved directly to your Desktop.

            DO NOT run it yet!

            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Delete these files/folders, as follows:

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            Registry::
            [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]


            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

              Crazywumbat

              Re: Another "application cannot be executed" infection
              « Reply #26 on: February 23, 2010, 03:44:57 PM »
              OK, here's the new ComboFix.

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Another "application cannot be executed" infection
              « Reply #27 on: February 23, 2010, 04:17:29 PM »
              Now to see if it actually worked this time.

              Run a new GMER scan please and post the log.

                Crazywumbat

                Re: Another "application cannot be executed" infection
                « Reply #28 on: February 23, 2010, 08:51:42 PM »
                GMER 1.0.15.15281 - http://www.gmer.net
                Rootkit scan 2010-02-23 22:51:12
                Windows 5.1.2600 Service Pack 2
                Running: gmer.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\uxldqpow.sys


                ---- System - GMER 1.0.15 ----

                SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xF38DE320]

                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwCreateKey [0xB87074FB]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwDeleteKey [0xB870750F]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwDeleteValueKey [0xB870753B]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwOpenKey [0xB87074E7]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwRenameKey [0xB8707525]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwSetValueKey [0xB8707551]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)                   ZwTerminateProcess [0xB8707567]
                Code            85ED54A4                                                                                                       pIofCallDriver

                ---- Kernel code sections - GMER 1.0.15 ----

                PAGE            ntkrnlpa.exe!ZwTerminateProcess                                                                                805D167A 5 Bytes  JMP B870756B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwSetValueKey                                                                                     80620C3E 7 Bytes  JMP B8707555 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwRenameKey                                                                                       80621FA4 7 Bytes  JMP B8707529 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwCreateKey                                                                                       8062257E 5 Bytes  JMP B87074FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwDeleteKey                                                                                       80622A0E 7 Bytes  JMP B8707513 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwDeleteValueKey                                                                                  80622BDE 7 Bytes  JMP B870753F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                PAGE            ntkrnlpa.exe!ZwOpenKey                                                                                         80623914 5 Bytes  JMP B87074EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                ?               Combo-Fix.sys                                                                                                  The system cannot find the file specified. !
                .text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                       section is writeable [0xF6399380, 0x21FC8D, 0xE8000020]
                init            C:\WINDOWS\system32\drivers\monfilt.sys                                                                        entry point in "init" section [0xF3EA0280]
                .text           tcpip.sys!IPTransmit + 10BC                                                                                    F3963CFA 6 Bytes  CALL 85ED5487
                .text           tcpip.sys!IPTransmit + 263D                                                                                    F396527B 6 Bytes  CALL 85ED5487
                .text           tcpip.sys!ARPRcv + 521E                                                                                        F396A4BE 6 Bytes  CALL 85ED5487
                .text           wanarp.sys                                                                                                     F77E93FD 7 Bytes  CALL 85ED5494
                ?               C:\ComboFix\catchme.sys                                                                                        The system cannot find the path specified. !
                ?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                                     The system cannot find the file specified. !

                ---- Kernel IAT/EAT - GMER 1.0.15 ----

                IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                              85ED4576
                IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                               85ED456C

                ---- Devices - GMER 1.0.15 ----

                AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                         mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
                AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                       mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
                AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                        SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
                AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                                        SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
                AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                      mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
                AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                      mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
                AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                    mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

                Device          \FileSystem\Fastfat \Fat                                                                                       B2D94C8A

                AttachedDevice  \FileSystem\Fastfat \Fat                                                                                       mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

                ---- Registry - GMER 1.0.15 ----

                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start                                                          1
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type                                                           1
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath                                                      \systemroot\system32\drivers\TDSSmhct.sys
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group                                                          file system
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)                               
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv                                               \systemroot\system32\drivers\TDSSmhct.sys
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl                                                  \systemroot\system32\TDSSoiqn.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers                                            \systemroot\system32\TDSSorvd.dat
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain                                               \systemroot\system32\TDSShrsr.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog                                                \systemroot\system32\TDSSrtqp.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw                                                \systemroot\system32\TDSSxfum.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit                                               \systemroot\system32\TDSSlxwp.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls                                               \systemroot\system32\TDSSnmxh.log
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels                                             \systemroot\system32\TDSSsihc.dll
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors                                             \systemroot\system32\TDSSrhyp.log
                Reg             HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc                                               \systemroot\system32\TDSSkkbi.log

                ---- EOF - GMER 1.0.15 ----
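What the helper is reading in the log above is the difference between hooks GMER could attribute to a driver on disk (every JMP into mfehidk.sys is McAfee's own kernel hooking) and the CALL and IAT targets it could not name (85ED5487, 85ED5494, 85ED4576, 85ED456C all sit in one small region of unnamed kernel memory), plus the files the TDSSserv.sys service declares under its registry key. The Python script below automates that triage. It is an added example written for this page, not code from the thread, from GMER, or from any tool used in it; the column layout the regexes expect is inferred from the log lines posted here rather than from a GMER format specification, the `modules` subkey handling follows what this particular log shows, and the function names and the abbreviated sample log are mine.

```python
"""Triage a GMER rootkit log: separate kernel hooks GMER attributed to a
driver on disk from hooks into unnamed memory, and list the files a
service's registry entries point at. The column layout is inferred from
the log posted in this thread (an assumption, not a GMER format spec)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "<sect> <patched site> <addr> <n> Bytes  JMP|CALL <target> [<module ...>]"
PATCH_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<site>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+\d+ Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>\S.*))?$")
# "IAT <image>[<import>] <target> [<module ...>]"
IAT_RE = re.compile(
    r"^IAT\s+(?P<site>\S+)\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>\S.*))?$")
# "Reg <key>@<value> <data>"; subkey lines without '@' are skipped
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)@(?P<value>\S+)\s+(?P<data>.*)$")

@dataclass(frozen=True)
class Hook:
    kind: str              # "JMP", "CALL" or "IAT"
    site: str              # what was patched
    target: str            # hex address control is redirected to
    module: Optional[str]  # driver GMER attributed the target to, or None

@dataclass(frozen=True)
class RegEntry:
    key: str
    value: str
    data: str

def parse_gmer(text: str):
    """Walk the log once, tracking the current '---- section ----' header."""
    hooks: List[Hook] = []
    regs: List[RegEntry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()  # forum quoting indents every line
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section.startswith("Kernel code sections") and (m := PATCH_RE.match(line)):
            hooks.append(Hook(m["kind"], m["site"], m["target"], m["module"]))
        elif section.startswith("Kernel IAT/EAT") and (m := IAT_RE.match(line)):
            hooks.append(Hook("IAT", m["site"], m["target"], m["module"]))
        elif section == "Registry" and (m := REG_RE.match(line)):
            regs.append(RegEntry(m["key"], m["value"], m["data"]))
    return hooks, regs

def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose target GMER could not map to any loaded driver image.
    Security products hook the kernel too (mfehidk.sys above) but resolve to a
    file on disk; a target with no module name sits in unnamed kernel memory."""
    return [h for h in hooks if h.module is None]

def target_regions(hooks: List[Hook], granularity: int = 0x10000) -> Dict[str, int]:
    """Count unattributed targets per 64 KiB region: many hooks landing in one
    small unnamed region usually mean a single injected code blob."""
    counts: Dict[str, int] = {}
    for h in unattributed_hooks(hooks):
        region = f"{int(h.target, 16) & ~(granularity - 1):08X}"
        counts[region] = counts.get(region, 0) + 1
    return counts

def service_files(regs: List[RegEntry], service: str) -> List[str]:
    """Files a service's registry entries point at (ImagePath plus the values
    under its 'modules' subkey), normalised to %SystemRoot% form."""
    marker = "\\services\\" + service.lower()
    found = set()
    for e in regs:
        key = e.key.lower()
        pos = key.find(marker)
        if pos < 0:
            continue
        tail = key[pos + len(marker):]
        if tail and not tail.startswith("\\"):
            continue  # another service that merely shares the prefix
        if e.value.lower() == "imagepath" or key.endswith("\\modules"):
            found.add(re.sub(r"^\\systemroot\\", r"%SystemRoot%\\", e.data, flags=re.I))
    return sorted(found)

# Constructed excerpt, abbreviated from the GMER log posted above.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
PAGE   ntkrnlpa.exe!ZwTerminateProcess   805D167A 5 Bytes  JMP B870756B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text  tcpip.sys!IPTransmit + 10BC       F3963CFA 6 Bytes  CALL 85ED5487
.text  tcpip.sys!ARPRcv + 521E           F396A4BE 6 Bytes  CALL 85ED5487
.text  wanarp.sys                        F77E93FD 7 Bytes  CALL 85ED5494
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT    \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]   85ED4576
IAT    \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]    85ED456C
---- Registry - GMER 1.0.15 ----
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start               1
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath           \systemroot\system32\drivers\TDSSmhct.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv    \systemroot\system32\drivers\TDSSmhct.sys
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl       \systemroot\system32\TDSSoiqn.dll
Reg    HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSorvd.dat
---- EOF - GMER 1.0.15 ----
"""
```

Feeding the full log from the post into `parse_gmer` and printing `unattributed_hooks`, `target_regions` and `service_files(regs, "TDSSserv.sys")` reproduces the moderator's reading of it: five hooks into one unnamed 64 KiB region, and a list of file paths to verify on disk (a file that the registry names but a directory listing does not show is itself a finding). Lines the regexes do not recognise, such as the "section is writeable" and "cannot find the file" entries, are skipped rather than guessed at.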

                evilfantasy

                Re: Another "application cannot be executed" infection
                « Reply #29 on: February 23, 2010, 09:32:16 PM »
                This is a stubborn one! >:(


                Download OTM by OldTimer to your desktop.

                Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

                * Save it to your Desktop.
                * Double-click OTM.exe to run it.
                * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                Code:
                :Processes
                explorer.exe

                :services

                :reg
                [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

                :files
                %SystemRoot%\system32\drivers\TDSSmhct.sys
                %SystemRoot%\system32\drivers\TDSSoiqn.dll
                %SystemRoot%\system32\TDSSrtqp.dll
                %SystemRoot%\system32\TDSSlxwp.dll
                %SystemRoot%\system32\TDSSxfum.dll
                %SystemRoot%\system32\TDSSnmxh.log
                %SystemRoot%\system32\TDSSsihc.dll
                %SystemRoot%\system32\TDSSrhyp.log
                %SystemRoot%\system32\TDSSkkbi.log
                %SystemRoot%\system32\TDSSorvd.dat
                %SystemRoot%\system32\TDSShrsr.dll

                :Commands
                [purity]
                [emptytemp]
                [start explorer]
                [Reboot]

                * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                * Click the red Moveit! button.
                * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.

                * Close OTM

                Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                ----------