

1 TDSS rootkit on Thu Mar 18, 2010 11:18 am

sailingsouth


New Member
Malwarebytes' Anti-Malware 1.44
Database version: 3872
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
3/15/2010 9:13:47 PM
mbam-log-2010-03-15 (21-13-47).txt

Scan type: Quick Scan
Objects scanned: 129672
Time elapsed: 11 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please help.


2 Re: TDSS rootkit on Thu Mar 18, 2010 11:18 am

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


..........................................................
DragonMaster Jay
Owner/Administrator/Operator Cheetah-Fast Services
Advanced Malware Analysts Group Owner



3 Re: TDSS rootkit on Thu Mar 18, 2010 11:25 am

sailingsouth


New Member
That was darn fast, Mr. DragonMaster.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-16 22:20:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pfrirpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA4C72C90]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xA4C72D7E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAF35FDF0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateThread [0xA4C72EC4]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5ABCA1

---- Files - GMER 1.0.15 ----

File C:\Program Files\Common Files\BitDefender\BitDefender Update Service\Cache 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

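A triage helper for the GMER log format in the post above, added here as an example (not GMER's code and not from the thread). The sample is a trimmed copy of the posted log; the rule that a device object reported with only a bare address and a file GMER labels "suspicious modification" go to the top of the review list, while vendor-attributed hooks like BitDefender's are recorded but left alone, is this example's own assumption, in line with the caution the analyst gave above.

```python
"""Triage helper for the GMER log format posted above.

Added example, not GMER's code. A hook GMER attributes to a named module with
a vendor string is recorded but not flagged; a device object reported with only
a bare address, and a file GMER labels "suspicious modification", are flagged
for review. That rule is this example's assumption, not GMER's.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the GMER log posted in the thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xA4C72C90]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAF35FDF0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5ABCA1
---- Files - GMER 1.0.15 ----
File C:\Program Files\Common Files\BitDefender\BitDefender Update Service\Cache 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Line shapes observed in the posted log.
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>.+?\.sys)\s+\((?P<desc>.*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<desc>.*)\)$")
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<note>\d+ bytes|suspicious modification)$")


@dataclass(frozen=True)
class Finding:
    section: str     # "ssdt", "attached", "device" or "file"
    subject: str     # hooking module, device name or file path
    detail: str
    suspicious: bool


def parse_gmer_log(text: str) -> list[Finding]:
    """One Finding per recognised line; header and section lines are skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            # Hooked system-call entry; attributed when a module and vendor are named.
            detail = f"{m['func']} {m['addr']} ({m['desc']})"
            findings.append(Finding("ssdt", m["path"], detail, not m["desc"].strip()))
        elif m := ATTACHED_RE.match(line):
            detail = f"{m['target']} {m['device']} ({m['desc']})"
            findings.append(Finding("attached", m["module"], detail, not m["desc"].strip()))
        elif m := DEVICE_RE.match(line):
            # Only a kernel address and no module name: nothing on the box claims this hook.
            findings.append(Finding("device", m["device"], f"{m['driver']} {m['addr']}", True))
        elif m := FILE_RE.match(line):
            flagged = m["note"] == "suspicious modification"
            findings.append(Finding("file", m["path"], m["note"], flagged))
    return findings


def suspicious_subjects(text: str) -> list[str]:
    """Sorted, de-duplicated items a human should look at first."""
    return sorted({f.subject for f in parse_gmer_log(text) if f.suspicious})


def attributed_modules(text: str) -> dict[str, int]:
    """Hooking modules GMER could name, with the number of entries each owns."""
    counts: dict[str, int] = {}
    for f in parse_gmer_log(text):
        if f.section in ("ssdt", "attached") and not f.suspicious:
            name = f.subject.rsplit("\\", 1)[-1].lower()
            counts[name] = counts.get(name, 0) + 1
    return counts
```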

4 Re: TDSS rootkit on Thu Mar 18, 2010 11:26 am

Download this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
REM Run TDSSKiller with verbose output, write its log to Logit.txt, and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text editor
START Logit.txt
REM Remove this batch file once it has run
del %0

Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says.


..........................................................
DragonMaster Jay
Owner/Administrator/Operator Cheetah-Fast Services
Advanced Malware Analysts Group Owner



5 Re: TDSS rootkit on Thu Mar 18, 2010 1:09 pm

sailingsouth


New Member
20:34:28:656 2204 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
20:34:28:656 2204 ================================================================================
20:34:28:656 2204 SystemInfo:

20:34:28:656 2204 OS Version: 5.1.2600 ServicePack: 3.0
20:34:28:656 2204 Product type: Workstation
20:34:28:656 2204 ComputerName: BOISCOMPUTER
20:34:28:671 2204 UserName: Compaq_Administrator
20:34:28:671 2204 Windows directory: C:\WINDOWS
20:34:28:671 2204 Processor architecture: Intel x86
20:34:28:671 2204 Number of processors: 1
20:34:28:671 2204 Page size: 0x1000
20:34:28:671 2204 Boot type: Normal boot
20:34:28:671 2204 ================================================================================
20:34:28:671 2204 UnloadDriverW: NtUnloadDriver error 2
20:34:28:671 2204 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:34:28:765 2204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:34:28:765 2204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:34:28:765 2204 wfopen_ex: Trying to KLMD file open
20:34:28:765 2204 wfopen_ex: File opened ok (Flags 2)
20:34:28:765 2204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:34:28:765 2204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:34:28:765 2204 wfopen_ex: Trying to KLMD file open
20:34:28:765 2204 wfopen_ex: File opened ok (Flags 2)
20:34:28:765 2204 Initialize success
20:34:28:765 2204
20:34:28:765 2204 Scanning Services ...
20:34:29:328 2204 GetAdvancedServicesInfo: Raw services enum returned 356 services
20:34:29:328 2204
20:34:29:328 2204 Scanning Kernel memory ...
20:34:29:343 2204 Devices to scan: 11
20:34:29:343 2204
20:34:29:343 2204 Driver Name: Disk
20:34:29:343 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:343 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:343 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:343 2204 IRP_MJ_READ : BA908D1F
20:34:29:343 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:343 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:343 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:343 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:343 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:343 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:343 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:343 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:343 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:343 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:343 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:343 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:343 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:343 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:343 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:343 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:343 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:343 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:343 2204 IRP_MJ_POWER : BA90AC82
20:34:29:343 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:343 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:343 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:343 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:375 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:375 2204
20:34:29:375 2204 Driver Name: Disk
20:34:29:375 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:375 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:375 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:375 2204 IRP_MJ_READ : BA908D1F
20:34:29:375 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:375 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:375 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:375 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:375 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:375 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:375 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:375 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_POWER : BA90AC82
20:34:29:375 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:375 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:375 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:375 2204
20:34:29:375 2204 Driver Name: Disk
20:34:29:375 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:375 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:375 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:375 2204 IRP_MJ_READ : BA908D1F
20:34:29:375 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:375 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:375 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:375 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:375 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:375 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:375 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:375 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_POWER : BA90AC82
20:34:29:375 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:375 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:375 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:375 2204
20:34:29:375 2204 Driver Name: Disk
20:34:29:375 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:375 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:375 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:375 2204 IRP_MJ_READ : BA908D1F
20:34:29:375 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:375 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:375 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:375 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:375 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:375 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:375 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:375 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:375 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:375 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:375 2204 IRP_MJ_POWER : BA90AC82
20:34:29:375 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:375 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:375 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:375 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: usbstor
20:34:29:390 2204 IRP_MJ_CREATE : BABBD218
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BABBD218
20:34:29:390 2204 IRP_MJ_READ : BABBD23C
20:34:29:390 2204 IRP_MJ_WRITE : BABBD23C
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BABBD180
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BABB89E6
20:34:29:390 2204 IRP_MJ_SHUTDOWN : 804F355A
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BABBC5F0
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BABBAA6E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: usbstor
20:34:29:390 2204 IRP_MJ_CREATE : BABBD218
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BABBD218
20:34:29:390 2204 IRP_MJ_READ : BABBD23C
20:34:29:390 2204 IRP_MJ_WRITE : BABBD23C
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BABBD180
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BABB89E6
20:34:29:390 2204 IRP_MJ_SHUTDOWN : 804F355A
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BABBC5F0
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BABBAA6E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: usbstor
20:34:29:390 2204 IRP_MJ_CREATE : BABBD218
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BABBD218
20:34:29:390 2204 IRP_MJ_READ : BABBD23C
20:34:29:390 2204 IRP_MJ_WRITE : BABBD23C
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BABBD180
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BABB89E6
20:34:29:390 2204 IRP_MJ_SHUTDOWN : 804F355A
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BABBC5F0
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BABBAA6E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: usbstor
20:34:29:390 2204 IRP_MJ_CREATE : BABBD218
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BABBD218
20:34:29:390 2204 IRP_MJ_READ : BABBD23C
20:34:29:390 2204 IRP_MJ_WRITE : BABBD23C
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BABBD180
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BABB89E6
20:34:29:390 2204 IRP_MJ_SHUTDOWN : 804F355A
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BABBC5F0
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BABBAA6E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: Disk
20:34:29:390 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:390 2204 IRP_MJ_READ : BA908D1F
20:34:29:390 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:390 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BA90AC82
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: Disk
20:34:29:390 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BA90EBB0
20:34:29:390 2204 IRP_MJ_READ : BA908D1F
20:34:29:390 2204 IRP_MJ_WRITE : BA908D1F
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : BA9092E2
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
20:34:29:390 2204 IRP_MJ_SHUTDOWN : BA9092E2
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BA90AC82
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BA90F99E
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:390 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:390 2204
20:34:29:390 2204 Driver Name: atapi
20:34:29:390 2204 IRP_MJ_CREATE : BA6406F2
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_CLOSE : BA6406F2
20:34:29:390 2204 IRP_MJ_READ : 804F355A
20:34:29:390 2204 IRP_MJ_WRITE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_EA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_EA : 804F355A
20:34:29:390 2204 IRP_MJ_FLUSH_BUFFERS : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:34:29:390 2204 IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BA640712
20:34:29:390 2204 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA63C852
20:34:29:390 2204 IRP_MJ_SHUTDOWN : 804F355A
20:34:29:390 2204 IRP_MJ_LOCK_CONTROL : 804F355A
20:34:29:390 2204 IRP_MJ_CLEANUP : 804F355A
20:34:29:390 2204 IRP_MJ_CREATE_MAILSLOT : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_SET_SECURITY : 804F355A
20:34:29:390 2204 IRP_MJ_POWER : BA64073C
20:34:29:390 2204 IRP_MJ_SYSTEM_CONTROL : BA647336
20:34:29:390 2204 IRP_MJ_DEVICE_CHANGE : 804F355A
20:34:29:390 2204 IRP_MJ_QUERY_QUOTA : 804F355A
20:34:29:390 2204 IRP_MJ_SET_QUOTA : 804F355A
20:34:29:406 2204 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
20:34:29:406 2204
20:34:29:406 2204 Completed
20:34:29:406 2204
20:34:29:406 2204 Results:
20:34:29:406 2204 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:34:29:406 2204 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:34:29:406 2204 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:34:29:406 2204
20:34:29:406 2204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:34:29:406 2204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:34:29:406 2204 KLMD(ARK) unloaded successfully

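A reader for the TDSSKiller kernel-memory dump in the post above, added here as an example (not Kaspersky's code and not from the thread). It assumes the most common handler address is the one every driver reports for the IRP majors it leaves unimplemented, and treats a driver whose device objects show differing dispatch tables as the case to examine; the sample is trimmed from the posted log, with one extra atapi block constructed to carry a differing handler.

```python
"""Reader for the TDSSKiller "Scanning Kernel memory" dump posted above.
Added example, not Kaspersky's code: it collapses the per-device-object repeats
of each driver's IRP_MJ table, takes the most common handler address as the
"unimplemented" default (a heuristic assumed here) and reports drivers whose
device objects do not all show the same table."""
from collections import Counter, defaultdict

# Constructed sample: trimmed from the posted log, plus a final atapi block whose
# IRP_MJ_DEVICE_CONTROL handler (DEADBEEF) is made up to show a mismatch.
SAMPLE_LOG = r"""
20:34:29:343 2204 Driver Name: Disk
20:34:29:343 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:343 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:343 2204 IRP_MJ_READ : BA908D1F
20:34:29:343 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:375 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:375 2204 Driver Name: Disk
20:34:29:375 2204 IRP_MJ_CREATE : BA90EBB0
20:34:29:375 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:375 2204 IRP_MJ_READ : BA908D1F
20:34:29:375 2204 IRP_MJ_DEVICE_CONTROL : BA9093BB
20:34:29:375 2204 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:34:29:390 2204 Driver Name: atapi
20:34:29:390 2204 IRP_MJ_CREATE : BA6406F2
20:34:29:390 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:390 2204 IRP_MJ_READ : 804F355A
20:34:29:390 2204 IRP_MJ_DEVICE_CONTROL : BA640712
20:34:29:406 2204 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
20:34:29:406 2204 Driver Name: atapi
20:34:29:406 2204 IRP_MJ_CREATE : BA6406F2
20:34:29:406 2204 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:34:29:406 2204 IRP_MJ_READ : 804F355A
20:34:29:406 2204 IRP_MJ_DEVICE_CONTROL : DEADBEEF
20:34:29:406 2204 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""


def parse_blocks(text: str) -> list[dict]:
    """One dict per device object: driver name, dispatch table, path, verdict."""
    blocks, cur = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 2)          # "hh:mm:ss:ms pid message"
        msg = parts[2].strip() if len(parts) > 2 else ""
        if msg.startswith("Driver Name:"):
            cur = {"name": msg.split(":", 1)[1].strip(), "table": {}}
            blocks.append(cur)
        elif cur and msg.startswith("IRP_MJ_"):
            major, addr = (p.strip() for p in msg.split(":", 1))
            cur["table"][major] = addr.upper()
        elif cur and " - Verdict: " in msg:
            cur["path"], cur["verdict"] = msg.split(" - Verdict: ", 1)
            cur = None                      # the verdict line closes the block
    return blocks


def default_handler(blocks: list[dict]) -> str:
    """Most frequent address: what drivers report for majors they leave unimplemented."""
    return Counter(a for b in blocks for a in b["table"].values()).most_common(1)[0][0]


def implemented_majors(blocks: list[dict]) -> dict[str, list[str]]:
    """Per driver, the majors whose handler is not the shared default."""
    default, out = default_handler(blocks), defaultdict(set)
    for b in blocks:
        out[b["name"]].update(mj for mj, a in b["table"].items() if a != default)
    return {name: sorted(mjs) for name, mjs in out.items()}


def inconsistent_drivers(blocks: list[dict]) -> list[str]:
    """Drivers whose device objects report differing tables; one stack that
    disagrees with its siblings is the case worth a closer look."""
    tables = defaultdict(set)
    for b in blocks:
        tables[b["name"]].add(tuple(sorted(b["table"].items())))
    return sorted(name for name, seen in tables.items() if len(seen) > 1)
```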

6 Re: TDSS rootkit on Thu Mar 18, 2010 1:47 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.


..........................................................
DragonMaster Jay
Owner/Administrator/Operator Cheetah-Fast Services
Advanced Malware Analysts Group Owner


