
As instructed


glivo


MBAM is installed but won't run. Had to download on a different computer as the browser is blocking all helpful sites (Anti-virus / Anti-Malware, Microsoft etc). Cannot uninstall to try again either.

AVG will not update definitions and in Safe Mode (with Network) will only run a command line scan. I receive 2 warnings (Roguesuspect).

Lavasoft Ad-Aware (manually updated today) finds 2 category 10 threats (Backdoor32) and removes them, but they are back after reboot.

Windows updates terminated in mid flow so no Malicious Software removal update and Service Pack 3 terminated and a roll back was performed. All System Restore points are gone.

Just copied Avira setup and rebooted. Will now go and see if I can perform update and / or scan.


Update of Avira from VDF file failed. Scan found 1 virus (DIAL/19220) removed and 5 warnings.

To szgr: your suggestion did not work. Couldn't update Dr.Web CureIt. Express scanned anyway and found 3 items. 2 were incurable so deleted (MyWebSearch items). Cannot remove MyWebSearch from programs.

Will now run HJT if possible and post log. Not looking good.


You need to understand that all my downloads must be done on a second computer and transferred to the infected one. Even this forum is unviewable from the concerned machine. Whatever is on it is blocking all contact with any sites that are useful.


Ok. That worked. Here is log file I hope!!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:04:57 PM, on 4/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

\Newpc\documents\Antivirus Malware Programs\Fooledya.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')

O4 - Global Startup: Bluetooth.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab

O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O24 - Desktop Component 1: Harry Potter and the Order of the Phoenix Movie Countdown - http://www.mugglenet.com/countdown/ootp-co...wn.php?o=july13

O24 - Desktop Component 2: MuggleNet.com Desktop Countdown - http://www.mugglenet.com/countdown/desktop-dhootp.html

--

End of file - 9511 bytes

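The log above is read by hand in this thread; the following is an added example (not the poster's or the forum helper's code) of the same triage done programmatically. It runs over a constructed excerpt of the posted HijackThis log and flags the entry types the helper would look at first: the extra UserInit entry (F2), orphaned BHOs and services, ActiveX downloads from hosts outside an assumed allowlist, and processes running from non-local paths. The allowlist and severities are assumptions for illustration.

```python
"""Triage a HijackThis v2 log for the indicator types seen in the posted log.

Findings are review items, not an automatic fix list: an orphaned BHO is
cleanup, whereas an extra UserInit entry runs at every logon and is the
kind of entry a rootkit dropper uses to restart its payload.
"""
import re
from urllib.parse import urlparse

# Windows XP default: UserInit must contain only userinit.exe (trailing comma is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed allowlist of ActiveX (O16 DPF) download hosts; extend to taste.
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com",
    "messenger.zone.msn.com",
    "appdirectory.messenger.msn.com",
}

# Constructed excerpt of the HJT log posted above (elided URL kept as posted).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
\Newpc\documents\Antivirus Malware Programs\Fooledya.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def check_userinit(value):
    """Return every UserInit entry other than the expected userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage(log_text):
    """Return a list of (severity, section, detail) review items for an HJT log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Between "Running processes:" and the first Rn/Fn/On entry, each
            # line is a process path; anything not on a local drive gets a look
            # (a renamed scanner run from a share shows up here too).
            if in_processes and not LOCAL_PATH_RE.match(line):
                findings.append(("medium", "process", f"running from non-local path: {line}"))
            continue
        in_processes = False
        section, body = m.groups()
        if section == "F2" and "UserInit=" in body:
            for extra in check_userinit(body.split("UserInit=", 1)[1]):
                findings.append(("high", "F2", f"extra UserInit entry: {extra}"))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("low", "O2", f"orphaned BHO: {body}"))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("low", "O23", f"service with missing binary: {body}"))
        elif section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("medium", "O16", f"ActiveX download from {host}: {body}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section:8} {detail}")
```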

  • Root Admin

Please copy this to a CD if needed and run it on the affected machine.

If it won't run in normal mode, try renaming the file to test.exe

If that does not work then try running it from SAFE MODE

You must run it from the DESKTOP.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


It's getting later and the machine is in my daughter's room. I have downloaded ComboFix to a shared directory from this machine and I'll copy it to the desktop of the afflicted one. It may be tomorrow before any further action is taken.

I only have safe mode now since Windows updates were terminated mid flow day before yesterday. It's surprising to see the HJT log says I have SP3 since it didn't finish and Windows actually performed a Roll Back. Since then no Normal startup.

What are these people thinking to create such rubbish?


I don't think we're going to win this one.

In Safe Mode I had no icons in the System Tray, so I did an uninstall of Lavasoft Ad-Aware since it was showing up in the processes. Also in SM there was no way to disable real-time protection in AVG8, but it wasn't showing up in the processes.

Renamed ComboFix to tricky and ran it, but it told me AVG was present and advised to turn it off. Since I couldn't do this I did an uninstall instead, but the program came back to me saying it couldn't be uninstalled because it wasn't there. Clicked on ComboFix OK and it warned me continuing was at my own risk, but what else to do. It told me there was "activity in processes" and needed to reboot. Provided the list of files needed later to write down on paper.

The reboot is unsuccessful. It is now either in a boot/reboot cycle or, if I select Safe Mode, it gets to the text boot screen listing installed files (of which ComboFix is a new addition) and hangs.

I think I'd better get the system restore disks out. Luckily I have transferred my girl's files and settings out early on, so it's just an inconvenience now. Possibly a good thing, as Windows bogs down and runs like a maggot after a while anyway.

Let me know if you have any other ideas to try. I'd like to inject a virus or two into someone right now.

By the way, thank you for your help.

Greg


OK. After 7 or so hours the screen was still out. Did a hard boot and, to my complete surprise, Windows came back to its Safe Mode (Network support) condition. So not dead but not quite alive either. Sort of a zombie computer, if you will. Perhaps this virus is Haitian (sp). The monitor had not switched over to no signal or standby mode though. It was just dark or, as Einstein would argue, light was absent.

I'm going deep sea fishing at 4.00 am tomorrow morning so I'll be preparing gear and getting to bed early tonight. I'll be interested to know what you think I should do next. Maybe I should unplug it to take with me and give it a sea burial.


Combofix log.

ComboFix 09-02-02.04 - Compaq_Owner 2009-02-05 7:55:47.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.255 [GMT 11:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\tricky.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd

c:\program files\FunWebProducts

c:\program files\FunWebProducts\ScreenSaver\Images\62253548.urr

c:\program files\FunWebProducts\Shared\00EA3BCE.dat

c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html

c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html

c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html

c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html

c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

c:\program files\MyWebSearch

c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG

c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL

c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL

c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR

c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL

c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL

c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE

c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL

c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV

c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT

c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR

c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST

c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL

c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL

c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR

c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE

c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL

c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

c:\program files\MyWebSearch\bar\Cache\00067ED7

c:\program files\MyWebSearch\bar\Cache\001139D9.bin

c:\program files\MyWebSearch\bar\Cache\00113D93.bin

c:\program files\MyWebSearch\bar\Cache\00114081.bin

c:\program files\MyWebSearch\bar\Cache\0058A377

c:\program files\MyWebSearch\bar\Cache\005D6ACB

c:\program files\MyWebSearch\bar\Cache\0079BBB2.bin

c:\program files\MyWebSearch\bar\Cache\009DB440.bin

c:\program files\MyWebSearch\bar\Cache\009DB867.bin

c:\program files\MyWebSearch\bar\Cache\00B8885B.bin

c:\program files\MyWebSearch\bar\Cache\00E456A6.bin

c:\program files\MyWebSearch\bar\Cache\00E45CA1.bin

c:\program files\MyWebSearch\bar\Cache\00E462DB.bin

c:\program files\MyWebSearch\bar\Cache\00E4659A.bin

c:\program files\MyWebSearch\bar\Cache\014B79C9

c:\program files\MyWebSearch\bar\Cache\14DD04A8

c:\program files\MyWebSearch\bar\Cache\3104F43A

c:\program files\MyWebSearch\bar\Cache\479D92D6.bin

c:\program files\MyWebSearch\bar\Cache\575FF860

c:\program files\MyWebSearch\bar\Cache\files.ini

c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S

c:\program files\MyWebSearch\bar\Game\CHESS.F3S

c:\program files\MyWebSearch\bar\Game\REVERSI.F3S

c:\program files\MyWebSearch\bar\History\search2

c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm

c:\program files\MyWebSearch\bar\Settings\s_pid.dat

c:\program files\MyWebSearch\bar\Settings\setting2.htm

c:\program files\MyWebSearch\bar\Settings\settings.dat

c:\windows\system32\Drivers\TDSSmhct.sys

c:\windows\system32\drivers\TDSSmhlt.sys

c:\windows\system32\Drivers\TDSSpcuu.sys

c:\windows\system32\f3PSSavr.scr

c:\windows\system32\TDSSbivk.log

c:\windows\system32\TDSSbubv.dll

c:\windows\system32\TDSShrxm.dat

c:\windows\system32\TDSShrxm.dll

c:\windows\system32\TDSSirrb.dll

c:\windows\system32\TDSSkkai.log

c:\windows\system32\TDSSkkbi.log

c:\windows\system32\TDSSktkl.dll

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSmtql.dll

c:\windows\system32\TDSSmtvd.dat

c:\windows\system32\TDSSnmxh.dll

c:\windows\system32\TDSSoiqt.dll

c:\windows\system32\TDSSonmm.dll

c:\windows\system32\TDSSotqt.dll

c:\windows\system32\TDSSqrwn.log

c:\windows\system32\TDSSrhyp.dll

c:\windows\system32\TDSSrmjf.dll

c:\windows\system32\TDSSsahc.dll

c:\windows\system32\TDSSvkql.dll

c:\windows\system32\TDSSvvbj.log

c:\windows\system32\TDSSwgqt.dat

c:\windows\system32\TDSSxekj.dll

c:\windows\system32\TDSSxfum.dll

c:\windows\system32\twex.exe

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))

.

2009-02-04 12:26 . 2009-02-04 12:26 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb

2009-02-04 11:23 . 2009-02-04 11:23 <DIR> d-------- c:\program files\Avira

2009-02-04 11:23 . 2009-02-04 11:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-02-03 08:04 . 2009-02-03 08:04 0 --a------ c:\windows\nsreg.dat

2009-02-02 16:37 . 2009-02-02 20:51 <DIR> d-------- C:\Transfer Wizard

2009-02-02 15:52 . 2009-02-02 15:52 <DIR> d-------- c:\windows\LastGood.Tmp

2009-02-02 15:52 . 2009-02-02 15:56 2,833 --a------ c:\windows\system32\spupdsvc.inf

2009-02-02 15:42 . 2009-02-02 15:49 <DIR> d-------- c:\windows\ServicePackFiles

2009-02-02 14:29 . 2009-02-02 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZipSE

2009-02-02 13:50 . 2009-02-02 13:50 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-02-02 13:50 . 2009-02-02 13:50 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-02-02 13:50 . 2009-02-02 13:50 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-02-02 13:50 . 2009-02-02 13:50 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-02-02 12:22 . 2009-02-02 12:22 61,440 --a------ c:\windows\system32\SPR00292.TMP

2009-02-02 12:02 . 2009-02-02 15:48 <DIR> d-------- c:\windows\system32\scripting

2009-02-02 12:02 . 2009-02-02 15:48 <DIR> d-------- c:\windows\system32\en

2009-02-02 12:02 . 2009-02-02 15:48 <DIR> d-------- c:\windows\system32\bits

2009-02-02 12:02 . 2009-02-02 15:48 <DIR> d-------- c:\windows\l2schemas

2009-02-02 11:40 . 2009-02-05 07:06 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-02 11:39 . 2009-02-05 07:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-02 11:34 . 2008-04-14 11:11 2,843,136 --a------ c:\windows\system32\msi.dll

2009-02-02 11:32 . 2009-02-02 15:33 <DIR> d-------- c:\windows\EHome

2009-02-02 11:14 . 2009-02-02 11:14 <DIR> d-------- C:\32e3db7e833fa4fd767f80

2009-02-02 10:46 . 2009-02-02 10:46 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live

2009-02-02 10:46 . 2009-02-02 10:46 <DIR> d-------- C:\684a9eac2f32b802e6

2009-02-01 22:50 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys

2009-02-01 22:50 . 2004-08-03 22:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys

2009-02-01 22:50 . 2004-08-03 22:41 220,032 --------- c:\windows\system32\drivers\hsfbs2s2.sys

2009-02-01 22:50 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty

2009-02-01 21:39 . 2008-08-14 21:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-01 21:39 . 2008-08-14 21:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-01 21:39 . 2008-08-14 20:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-01 21:39 . 2008-08-14 20:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-01 21:30 . 2008-06-13 22:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys

2009-02-01 20:58 . 2009-02-01 20:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft

2009-02-01 20:55 . 2005-03-10 14:57 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-02-01 20:55 . 2005-03-10 14:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-02-01 20:55 . 2005-03-10 14:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView

2009-02-01 20:55 . 2005-03-10 14:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-02-01 20:55 . 2009-02-02 13:51 <DIR> d-------- c:\documents and settings\Administrator

2009-02-01 20:39 . 2008-09-15 23:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

2009-02-01 20:20 . 2008-10-24 22:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

2009-02-01 20:20 . 2008-05-09 01:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys

2009-02-01 20:18 . 2008-12-11 21:57 333,952 --------- c:\windows\system32\dllcache\srv.sys

2009-02-01 20:06 . 2008-04-12 06:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll

2009-02-01 20:00 . 2008-10-16 03:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

2009-02-01 19:49 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-01 19:48 . 2009-02-01 19:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-01 19:48 . 2009-02-01 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-01 19:48 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-01 19:05 . 2009-02-01 19:05 0 --a------ c:\windows\system32\REN22.tmp

2009-02-01 19:05 . 2009-02-01 19:05 0 --a------ c:\windows\system32\REN21.tmp

2009-02-01 18:33 . 2009-02-01 18:33 <DIR> d-------- c:\program files\AVG

2009-02-01 18:33 . 2009-02-05 07:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-25 19:59 . 2009-02-05 07:46 <DIR> d--hs---- c:\windows\system32\twain32

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 20:06 --------- d-----w c:\program files\Lavasoft

2009-02-02 02:31 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Lavasoft

2009-02-02 00:29 --------- d-----w c:\program files\Google

2009-02-01 08:02 --------- d-----w c:\program files\Java

2009-01-11 07:22 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\uTorrent

2008-12-29 06:45 476 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat

2008-12-24 00:02 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Ahead

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2004-10-01 04:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe

2005-06-05 04:51 22 --sha-w c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 695808]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"D-Link AirPlus Xtreme G"="c:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 2502656]

"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]

"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2003-10-10 184784]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-04-07 631364]

"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-14 1397760]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [8/16/2005 11:56:00 AM 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-02-02 13:50 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 4:27:10 PM 344800]

R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2/27/2008 9:31:09 AM 14156]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/2/2009 1:50:46 PM 97928]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/2/2009 1:49:32 PM 875288]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/2/2009 1:49:28 PM 231704]

S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/2/2009 1:50:52 PM 76040]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [6/25/2005 9:45:17 PM 26488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1710efac-c02d-11d9-80cd-806d6172696f}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9b4daa4-cf47-11dd-8198-000f3daf1cb2}]

\Shell\AutoRun\command - J:\DPFMate.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

HKLM-RunOnce-<NO NAME> - (no file)

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\f8svp54m.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 15:56:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)

c:\windows\system32\avgrsstx.dll

.

Completion time: 2009-02-05 16:03:04 - machine was rebooted [Compaq_Owner]

ComboFix-quarantined-files.txt 2009-02-05 05:02:52

Pre-Run: 10,419,535,872 bytes free

Post-Run: 10,718,105,600 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=,1,2,3,4,5

309 --- E O F --- 2009-02-02 04:56:35

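A triage helper for the registry sections of a ComboFix log like the one above, added here as an example; it is not part of the thread and not ComboFix's own code. It scans lines of the same shape (the Security Center override, the Windows Firewall standard-profile policy, the firewall exception list and the mountpoints2 AutoRun commands) and returns findings for a human to look at. A finding means "review this", not "this is malicious": AVG itself sets AntiVirusOverride, and the `Info.exe protect.ed` AutoRun is commonly the Compaq/HP recovery partition. The sample log is constructed to mirror the log above rather than copied from it, and the watch list of executable names is the reviewer's own assumption, not a signature database.

```python
"""Triage the registry sections of a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # short tag a reviewer can filter on
    key: str        # registry key (or mountpoints2 GUID key) the line sat under
    detail: str     # the value or command that triggered the finding


# Assumption: a reviewer's own watch list of firewall-exception basenames that
# deserve a second look on a home machine (P2P clients, a bare installer stub).
WATCH_BASENAMES = {"limewire.exe", "utorrent.exe", "stubinstaller.exe"}

# Constructed sample in the shape of the log above (not a copy of it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1710efac-c02d-11d9-80cd-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$")
_ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+$")


def _as_int(value: str):
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if neither."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def _unescape(path: str) -> str:
    # .reg-style export doubles backslashes; collapse them for matching/display
    return path.replace("\\\\", "\\")


def triage(log_text: str) -> list:
    """Return a list of Finding objects for the sections we understand."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:                      # a new [key] header; remember it
            key = m.group(1)
            continue
        lkey = key.lower()
        m = _AUTORUN_RE.match(line)
        if m and "mountpoints2" in lkey:
            # Any recorded AutoRun command gets listed; the reviewer decides
            # whether it is a recovery partition, a photo frame or a dropper.
            findings.append(Finding("autorun-command", key, m.group(1)))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if lkey.endswith("security center") and name == "AntiVirusOverride" \
                and _as_int(value) == 1:
            findings.append(Finding("av-override", key, f"{name}={value}"))
        elif lkey.endswith("firewallpolicy\\standardprofile") \
                and name == "EnableFirewall" and _as_int(value) == 0:
            findings.append(Finding("firewall-disabled", key, f"{name}={value}"))
        elif lkey.endswith("authorizedapplications\\list"):
            path = _unescape(name)
            base = path.rsplit("\\", 1)[-1].lower()
            # Flag executables sitting directly in a drive root, or on the list
            if base in WATCH_BASENAMES or _ROOT_EXE_RE.match(path.lower()):
                findings.append(Finding("firewall-exception", key, path))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category so a reviewer can skim the result."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:<19} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports the AV override, the disabled firewall, three firewall exceptions (the root-level StubInstaller.exe plus the two P2P clients; the HP and AVG entries are not flagged) and the one AutoRun command. Feed it the text of a real ComboFix log with `triage(open(path).read())`; the categories are deliberately coarse so that the reviewer, not the script, makes the call on each line.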

  • Root Admin

So is this a DOS console you can type commands in on the screen?

See if you can type in EXPLORER.EXE and hit the ENTER key to load the Windows shell.

The system looks like it was cleaned up a LOT. Not sure though what the "rollback" of SP3 did to the system, that could be devastating.

Try to shut down the computer and leave it off for a couple of minutes. Then start it back up and try to launch the Last Known Good menu.

You may need to tap the F8 key while it's booting.

Can you still copy or run programs on the system?

Maybe try this if you can.

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs

Then maybe this command.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Let me know the current PC status please.


Sorry for the delay. Getting over sea-sickness. I'm an idiot.

Had to reboot hard. Last known good did not work so back in Safe Mode with Network. Yes I can still copy files to the system.

I will perform last instruction.


  • Root Admin

Okay, please delete your current copy of Combofix.exe and download a NEW fresh copy, put it on the desktop of the affected system in SAFE MODE and run it again.

First remove this folder C:\QOOBOX\Lastrun before running the new one.

Post back that Combofix log.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe


This topic is now closed to further replies.