sparse

Everything posted by sparse

  1. Sorry, I must have missed that somehow. Anyway, I ran "ComboFix /u" and got the message that it has been uninstalled. Thanks for your help, I'm keeping my fingers crossed. Cheers -sparse
  2. Hi Mieke, Thanks for looking at my log. After the previous run of ComboFix the system stabilized, and scans with AVG and SUPERAntiSpyware found nothing. Scans with Malwarebytes repeatedly hung at the last stage (whatever it was... some generic check after everything else was found OK). AVG once came up (on its own) with a report of a new trojan, and seems to have removed it successfully. Here is the new log from ComboFix:
  3. Hi, Malwarebytes detected Trojan.TDSS but cannot remove it. It is reported as removed, but after a reboot Malwarebytes detects the same threat again. I ran ComboFix as described in one of the threads on this forum, and need help regarding my next step. Note that I do not have the Recovery Console installed. I have a dual-boot Linux/Windows XP machine and I am afraid that it will mess up GRUB. Here is the log produced by ComboFix. Thanks in advance
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-04 18:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqsettware Updatet = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@ scanning hidden files ... c:\windows\system32\drivers\fxysvaofprt.sys 76544 bytes executable c:\windows\system32\drivers\str.sys 213024 bytes executable scan completed successfully hidden files: 2 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fkudcvx] "ImagePath"="\??\c:\windows\system32\drivers\fxysvaofprt.sys" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(948) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\windows\system32\DeviceNP.dll - - - - - - - > 'lsass.exe'(1004) c:\windows\SbHpNp.dll c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll - - - - - - - > 'explorer.exe'(6520) c:\windows\system32\APSHook.dll c:\windows\system32\btmmhook.dll c:\windows\system32\msxm192z.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\scardsvr.exe c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe c:\windows\system32\msdtc.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTSVCCDA.EXE c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe c:\windows\system32\mqsvc.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\windows\system32\rundll32.exe c:\program files\Hewlett-Packard\Shared\HpqToaster.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe c:\windows\system32\mqtgsvc.exe c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe c:\windows\system32\msiexec.exe . 
************************************************************************** . Completion time: 2009-08-04 18:07 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-04 16:07 Pre-Run: 8 795 525 120 bytes free Post-Run: 10 228 822 016 bytes free 301 --- E O F --- 2009-08-02 12:41