We're all in different timezones. Someone will be along before the end of the day.
Right click mine and select Save As and it will download. Sometimes the old methods are still the best.
We are in different parts of the world, some of the folks are probably at work, or in bed sleeping. That is on top of the different time zones.
No it did not work, any other suggestions?
Most unusual, I sure hope an answer can be found.
What if I did a system restore, do you think it would help?
MrFinance
Wait for someone who knows more than I do.
Fact is, you just may not have any restore points, so it is best to wait.
When I tried to attempt it in the beginning it listed multiple restore points before this happened. In normal mode, it could not do it. In safe mode, it gave me an option; I forwent it to follow your instructions. What do you think?
MrFinance
I would not attempt any restore points right now.
Well, even if I did, it will not work; it seems that the malware prevents me from going forward with it. This thing is a nightmare. I notice another user on this forum is having the same problem and is blocked by this malware. I feel better that I did not do anything to block my usage of the anti-virus tools. If anybody has a solution, please help me!!!
MrFinance
There is nothing malicious visible in your HJT log.
Try renaming gmer.exe to whatever.exe, and try to run it again.
If that doesn't work, try to run it from Safe Mode.
Broni, YOU'RE THE MAN or WOMAN!!!! I want to give you a HIGH FIVE. Your suggestion worked. I renamed it to whatever and it worked. It appears the malware is also stopping the initialization of certain named files; man, is this thing vicious. Well, gentlemen and ladies, here is a copy of the GMER log; however, it stopped abruptly due to me minimizing it. Please instruct me what to do next.
MrFinance
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-11 18:34:38
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT 82DCD1E8 ZwConnectPort
Code E1EE7670 ZwEnumerateKey
Code E1EE7750 ZwFlushInstructionCache
Code F66A0EAB pIofCallDriver
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP E1EE7674
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP E1EE7754
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Opera\opera.exe[3260] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A6000A
.text C:\Program Files\Opera\opera.exe[3260] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00A5000A
.text C:\Program Files\Opera\opera.exe[3260] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[3784] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[3784] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00AA000A
.text C:\WINDOWS\Explorer.EXE[3784] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AD000A
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSrfdc.sys (*** hidden *** ) F669F000-F66B1000 (73728 bytes)
---- Threads - GMER 1.0.14 ----
Thread 4:380 F66A1D66
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSrfdc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000ea1336e3c
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000ea1336e3c@00131723ea60 0x4A 0x04 0xE0 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedwv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSnero.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrgi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSfvfe.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSpuax.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSxblw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSrfhc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmhvw.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSayoa.log
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea1336e3c
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea1336e3c@00131723ea60 0x4A 0x04 0xE0 0x42 ...
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedwv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSnero.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrgi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSfvfe.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSpuax.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSxblw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSrfhc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmhvw.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSayoa.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea1336e3c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea1336e3c@00131723ea60 0x4A 0x04 0xE0 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSedwv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSnero.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrgi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSfvfe.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSpuax.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSxblw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSrfhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmhvw.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSayoa.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1
---- EOF - GMER 1.0.14 ----
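An added example, not code from the thread or from GMER: a small Python triage pass over a log in the format posted above. It pulls out the hidden module/service entries, the inline hooks in ntoskrnl and in WS2_32 inside user processes, and then ties the hidden driver back to the registry service key that loads it and the companion files registered under that key's modules subkey. The sample log is a constructed excerpt using the file and service names reported above.

```python
import re

# Constructed excerpt in the GMER log format from the thread (names taken from the log above).
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP E1EE7674
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[3784] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00AA000A
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSrfdc.sys (*** hidden *** ) F669F000-F66B1000 (73728 bytes)
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSrfdc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrgi.dll
---- EOF - GMER 1.0.14 ----
"""

HIDDEN_RE = re.compile(r"^(Module|Service)\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
# PAGE = kernel export patched in place; .text = API patched inside a user process.
HOOK_RE = re.compile(r"^(?:PAGE|\.text)\s+(?:(.+?)\s+)?(\S+?)!(\S+)\s+[0-9A-F]+\s+\d+ Bytes JMP ([0-9A-F]+)")
SERVICE_KEY_RE = re.compile(r"^(HKLM\\SYSTEM\\[^\\]+\\Services\\[^\\@]+)(.*)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_gmer(log_text):
    """Hidden modules/services, inline hooks, and the service key that loads a hidden driver."""
    findings = {"hidden": [], "hooks": [], "service_keys": [], "companions": []}
    services = {}  # service key -> {"imagepath": value or None, "modules": [values]}
    for line in log_text.splitlines():
        if m := HIDDEN_RE.match(line):
            findings["hidden"].append((m.group(1), m.group(2)))
        elif m := HOOK_RE.match(line):
            # Group 1 is the hooked process for .text entries; kernel (PAGE) hooks have none.
            findings["hooks"].append((basename(m.group(1)) if m.group(1) else "kernel",
                                      m.group(2) + "!" + m.group(3), m.group(4)))
        elif line.startswith("Reg ") and (m := SERVICE_KEY_RE.match(line[4:])):
            entry = services.setdefault(m.group(1), {"imagepath": None, "modules": []})
            name, _, value = m.group(2).partition(" ")
            if name.lower() == "@imagepath":
                entry["imagepath"] = value
            elif name.lower().startswith("\\modules@"):
                entry["modules"].append(value)
    hidden_files = {basename(path) for _, path in findings["hidden"]}
    for key, entry in services.items():
        if entry["imagepath"] and basename(entry["imagepath"]) in hidden_files:
            findings["service_keys"].append(key)
            findings["companions"].extend(entry["modules"])
    return findings
```

The service key it returns is the same one GMER offers to delete via "Delete the service", and the companion list is what a helper would check for leftovers after the reboot.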
Man, man, I'm a man :D
We got SOB rootkit!
Open GMER again, right click on:
Service C:\WINDOWS\system32\drivers\TDSSrfdc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
and click "Delete the service", and answer YES to all questions.
Restart computer.
Try running Super, and Malwarebytes again (Super in Safe Mode).
Well done! I've seen very few of those.
Quote:
We got SOB rootkit!
Thanks, fink :D
We had, I guess, two of them at VD over the last month, or so.
That bad guy is pretty new.
Glad to see the rename worked. First I have seen of that rootkit.
Wonder if renaming our normal tools would help out?