Trojan.TDSS won't go away

rsa98 · August 30, 2009

Malwarebytes finds Trojan.TDSS in my computer.

Here is from the log : Registry Keys Infected : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw (Trojan.TDSS) -> Quarantined and deleted successfully.

Say the PC must reboot to complete the cleaning so I click yes. Computer reboots, I rescan and it's back. Same exact error.

Using Regedit I found the key SKYNETpwixtbdw in 4 registry entries :

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\skynetpwixtbdw

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\skynetpwixtbdw

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\skynetpwixtbdw

The CurrentControlSet is the only key showing the Trojan.TDSS infection

Also, I cannot delete (or rename) any of these keys manually. RegEdit says : error in deleting key

In researching at Symantec, I also don't seem to have any of the files associated with the Trojan.TDSS or the SKYNET registry entries on my hard drives (search from windows including hidden and system files)

Here are the full MalwareBytes and HijackThis logs

Malwarebytes' Anti-Malware 1.40

Database version: 2719

Windows 5.1.2600 Service Pack 3

8/30/2009 6:09:17 PM

mbam-log-2009-08-30 (18-09-17).txt

Scan type: Quick Scan

Objects scanned: 134251

Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetpwixtbdw (Trojan.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

________________________________________________________________________________

________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:15:41 PM, on 8/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1241814190093

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Unknown owner - C:\WINDOWS\system32\IoctlSvc.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 4438 bytes

Thanks for any help.

extremeboy · September 1, 2009

Hello and welcome to the forum!

My name is Extremeboy, and I will help you with your log.

Please continue with running a scan with RootRepeal, followed by DDS, a scanner tool.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

Direct Download (Recommended)
[*]Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area
Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
[*]Double click on the DDS icon, allow it to run.
[*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.
[*]Notepad will open with the results soon.
[*]Follow the instructions that pop up for posting the results and then click Ok.
[*]The black and message box window shall then disappear.
[*]Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have please.

With Regards,

Extremeboy

rsa98 · September 2, 2009

Hello and welcome to the forum!
My name is Extremeboy, and I will help you with your log.
Please continue with running a scan with RootRepeal, followed by DDS, a scanner tool.
Download and run RootRepeal CR
Please download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
[*]Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

Primary Mirror
Secondary Mirror
Secondary Mirror
Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area

Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.
Download and run DDS
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
[*]Double click on the DDS icon, allow it to run.
[*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.
[*]Notepad will open with the results soon.
[*]Follow the instructions that pop up for posting the results and then click Ok.
[*]The black and message box window shall then disappear.
[*]Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Also, please provide a description of any remaining problems or symptoms you may still have please.
With Regards,
Extremeboy

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/01 19:02

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB4BB2000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79DF000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB1916000 Size: 49152 File Visible: No Signed: -

Status: -

Name: srescan.sys

Image Path: srescan.sys

Address: 0xB87EC000 Size: 81920 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2c30

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccf4f0

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cea090

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd3320

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7760

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7970

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cec310

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd3410

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccfd20

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceae90

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceaab0

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce70e0

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb560

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb5e0

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cec590

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccfa80

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce9070

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce8e30

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cebdd0

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ceb7a0

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2840

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cebc20

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cd2e80

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ccff90

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4cea5c0

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce80f0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb4ce7f70

Hidden Services

-------------------

Service Name: kungsfbekxvrbn

Image Path: C:\WINDOWS\system32\drivers\kungsfmtbyoewq.sys

Service Name: SKYNETpwixtbdw

Image Path: C:\WINDOWS\system32\drivers\SKYNEToeeftoij.sys

==EOF==

DDS (Ver_09-07-30.01) - NTFSx86

Run by rsa at 19:59:24.10 on Tue 09/01/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1570 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Documents and Settings\rsa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241814190093

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rsa\applic~1\mozilla\firefox\profiles\owhohht4.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020

FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-30 150544]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-11 365448]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

S?2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-09-01 17:00 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-09-01 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-08-30 17:53 <DIR> --d----- c:\program files\Trend Micro

2009-08-30 09:51 1,221,512 a------- c:\windows\system32\zpeng25.dll

2009-08-30 04:53 <DIR> --d----- c:\program files\ESET

2009-08-30 04:42 <DIR> --d----- c:\program files\SpywareBlaster

2009-08-23 14:12 1,312 a------- c:\windows\ST6UNST.000

2009-08-23 13:58 249,856 -------- c:\windows\Setup1.exe

2009-08-23 13:58 73,216 a------- c:\windows\ST6UNST.EXE

2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle FaceCreator

2009-08-17 19:43 <DIR> --d----- c:\docume~1\rsa\applic~1\Hoyle Puzzle and Board Games

2009-08-17 19:36 <DIR> --d----- c:\program files\common files\Datalode

2009-08-10 08:14 <DIR> --d----- c:\program files\ReflexiveArcade

2009-08-10 08:10 <DIR> --d----- c:\program files\THQ

2009-08-10 07:56 <DIR> --d----- c:\program files\Rockstar Games

==================== Find3M ====================

2009-09-01 19:59 9,977,888 a--sh--- c:\windows\system32\drivers\fidbox.dat

2009-09-01 19:55 4,212 a---h--- c:\windows\system32\zllictbl.dat

2009-09-01 18:33 131,672 a--sh--- c:\windows\system32\drivers\fidbox.idx

2009-08-29 18:41 156,672 a------- c:\windows\system32\rmc_fixasf.exe

2009-08-29 18:41 237,568 a------- c:\windows\system32\rmc_rtspdl.dll

2009-08-29 18:41 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-27 23:32 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-06-26 17:45 0 a------- c:\docume~1\rsa\applic~1\CopyToGo.dat

2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE

2009-06-10 16:21 2,828 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll

2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll

2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll

2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe

2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe

2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll

2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll

2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll

2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll

2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll

2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin

2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll

2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll

2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll

2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe

2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll

2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll

2009-06-05 06:35 410,984 a------- c:\windows\system32\deploytk.dll

2009-05-11 09:08 8 ---shr-- c:\docume~1\alluse~1\applic~1\121009EB70.sys

2008-08-12 17:33 87,608 a------- c:\docume~1\rsa\applic~1\inst.exe

2008-08-12 17:33 47,360 a------- c:\docume~1\rsa\applic~1\pcouffin.sys

============= FINISH: 19:59:32.50 ===============

Attach.zip

extremeboy · September 2, 2009

Hello.

Next time, please do not quote everything I say. Just simply use the Add Reply button to reply back to me.

--

Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

--

If you wish to continue follow the steps below please:

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Double click ComboFix.exe to start the program. Agree to the prompts.
When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

With Regards,

Extremeboy

rsa98 · September 2, 2009

ComboFix 09-09-01.04 - rsa 09/02/2009 16:24.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1687 [GMT -4:00]

Running from: c:\documents and settings\rsa\Desktop\Combo-Fix.exe

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\rsa\Application Data\inst.exe

c:\documents and settings\rsa\rsa

c:\windows\Installer\WMEncoder.msi

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kungsfbekxvrbn

-------\Legacy_SKYNETpwixtbdw

-------\Service_kungsfbekxvrbn

-------\Service_SKYNETpwixtbdw

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-09-02 01:17 . 2002-07-02 13:15 299008 ----a-w- c:\windows\system32\regxplor.dll

2009-09-01 21:00 . 2009-09-01 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-01 21:00 . 2009-09-01 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-30 21:53 . 2009-08-30 21:53 -------- d-----w- c:\program files\Trend Micro

2009-08-30 13:52 . 2009-05-29 00:25 69000 ----a-w- c:\windows\system32\zlcomm.dll

2009-08-30 13:52 . 2009-05-29 00:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll

2009-08-30 13:51 . 2009-05-29 00:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll

2009-08-30 08:53 . 2009-08-30 08:53 -------- d-----w- c:\program files\ESET

2009-08-30 08:42 . 2009-08-30 08:44 -------- d-----w- c:\program files\SpywareBlaster

2009-08-30 07:45 . 2009-08-30 07:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-23 17:58 . 2009-08-23 18:17 249856 ------w- c:\windows\Setup1.exe

2009-08-23 17:58 . 2009-08-23 18:16 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-08-17 23:43 . 2009-08-17 23:44 -------- d-----w- c:\documents and settings\rsa\Application Data\Hoyle FaceCreator

2009-08-17 23:43 . 2009-08-31 02:06 -------- d-----w- c:\documents and settings\rsa\Application Data\Hoyle Puzzle and Board Games

2009-08-17 23:36 . 2009-08-17 23:36 -------- d-----w- c:\program files\Common Files\Datalode

2009-08-10 12:14 . 2009-08-10 12:14 -------- d-----w- c:\program files\ReflexiveArcade

2009-08-10 12:10 . 2009-08-10 12:10 -------- d-----w- c:\program files\THQ

2009-08-10 11:56 . 2009-08-10 11:56 -------- d-----w- c:\program files\Rockstar Games

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 20:34 . 2009-06-28 22:04 13160480 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-02 20:32 . 2008-08-11 04:19 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-09-02 20:28 . 2009-06-28 22:04 177272 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-02 09:51 . 2008-08-11 05:02 -------- d-----w- c:\documents and settings\rsa\Application Data\MailWasherPro

2009-09-01 20:50 . 2009-01-28 05:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-31 17:23 . 2008-08-12 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro

2009-08-31 17:20 . 2008-08-12 21:33 -------- d-----w- c:\documents and settings\rsa\Application Data\Vso

2009-08-29 23:06 . 2009-06-25 23:37 -------- d-----w- c:\program files\Replay Media Catcher

2009-08-29 22:41 . 2009-06-25 23:40 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2009-08-29 22:41 . 2009-06-25 23:40 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2009-08-29 22:41 . 2009-06-25 23:39 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-08-26 23:20 . 2009-03-25 19:18 54 ---h--w- c:\windows\popcreg.dat

2009-08-26 23:20 . 2009-03-25 19:18 16 ----a-w- c:\windows\popcinfot.dat

2009-08-25 05:29 . 2009-05-07 09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-17 23:34 . 2008-08-15 00:18 -------- d-----w- c:\program files\Encore

2009-08-17 20:59 . 2008-08-12 01:00 16 ----a-w- c:\windows\popcinfo.dat

2009-08-12 20:18 . 2008-09-21 21:12 16071835 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2009-08-10 12:11 . 2008-08-11 03:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-07 03:29 . 2009-06-19 01:20 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 17:36 . 2009-05-07 09:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2009-05-07 09:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 19:59 . 2009-08-02 19:58 -------- d-----w- c:\program files\Secret Of Monkey Island SE

2009-07-25 10:27 . 2009-07-25 10:26 -------- d-----w- c:\program files\Revistronic

2009-07-20 14:18 . 2009-07-20 14:19 25088 ----a-w- c:\windows\Internet Logs\xDBF.tmp

2009-07-20 14:14 . 2009-07-20 14:15 2624512 ----a-w- c:\windows\Internet Logs\xDBD.tmp

2009-07-20 14:14 . 2009-07-20 14:15 3842560 ----a-w- c:\windows\Internet Logs\xDBE.tmp

2009-07-19 19:34 . 2008-08-16 01:43 -------- d-----w- c:\program files\Combined Community Codec Pack

2009-07-19 15:59 . 2009-07-19 15:59 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-15 23:26 . 2009-07-15 23:26 -------- d-----w- c:\documents and settings\rsa\Application Data\LucasArts

2009-07-08 23:56 . 2008-10-27 15:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-08 23:55 . 2008-10-27 15:35 -------- d-----w- c:\program files\AGEIA Technologies

2009-07-08 22:19 . 2009-07-08 22:19 -------- d-----w- c:\program files\Telltale Games

2009-07-08 20:35 . 2009-07-08 20:35 -------- d-----w- c:\program files\Samsung

2009-07-04 02:35 . 2009-07-04 02:36 3159552 ----a-w- c:\windows\Internet Logs\xDBB.tmp

2009-07-04 02:35 . 2009-07-04 02:36 3567104 ----a-w- c:\windows\Internet Logs\xDBC.tmp

2009-06-29 06:56 . 2008-08-11 04:17 45632 ----a-w- c:\documents and settings\rsa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-28 03:32 . 2008-08-11 03:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-06-26 21:45 . 2009-06-26 21:45 0 ----a-w- c:\documents and settings\rsa\Application Data\CopyToGo.dat

2009-06-21 12:46 . 2008-08-11 04:12 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-06-10 20:21 . 2009-05-11 13:08 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll

2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll

2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll

2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll

2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin

2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-06-10 10:03 . 2009-03-27 14:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll

2009-06-10 10:03 . 2008-08-11 04:14 457248 ----a-w- c:\windows\system32\nvudisp.exe

2009-06-10 10:03 . 2007-12-05 05:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll

2009-06-10 10:03 . 2007-06-28 16:43 9998336 ----a-w- c:\windows\system32\nvoglnt.dll

2009-06-10 10:03 . 2007-06-28 16:43 815104 ----a-w- c:\windows\system32\nvapi.dll

2009-06-10 10:03 . 2007-06-28 16:43 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-06-10 10:03 . 2007-06-28 16:43 5908608 ----a-w- c:\windows\system32\nv4_disp.dll

2009-06-10 10:03 . 2007-06-28 16:43 151552 ----a-w- c:\windows\system32\nvcodins.dll

2009-06-10 10:03 . 2007-06-28 16:43 151552 ----a-w- c:\windows\system32\nvcod.dll

2009-06-05 10:35 . 2009-04-26 02:29 410984 ----a-w- c:\windows\system32\deploytk.dll

2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-11-22 16858112]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2009-06-10 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=

"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=

"c:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]

.

Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]

.

------- Supplementary Scan -------

.

uStart Page = https://unipay.unibank.com/onlinepaymentcen...i=1077&ttid

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\rsa\Application Data\Mozilla\Firefox\Profiles\owhohht4.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=01020

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 16:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1532298954-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:19,41,de,94,4c,5f,c8,2a,9b,ce,da,20,e4,2e,32,35,5b,fe,c8,b3,97,bb,1a,

9c,8d,1e,b9,13,47,bd,60,78,c4,bf,da,82,93,1f,29,4f,cc,96,22,6d,0e,66,4b,e5,\

"??"=hex:cf,66,88,dc,66,2a,e5,0c,43,8d,13,c1,a6,1c,78,9b

[HKEY_USERS\S-1-5-21-527237240-1532298954-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:9d,3d,59,c4,96,34,3b,cf,19,f2,49,98,4c,f4,f3,fa,7f,ce,44,84,48,

44,75,06,9c,a1,80,1e,32,db,bd,97,1d,c1,f6,78,e1,9e,a9,85,fa,fb,b2,f2,a6,c4,\

"rkeysecu"=hex:c5,f7,8e,72,38,44,f9,80,66,f4,7a,88,ed,bd,42,07

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-02 16:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-02 20:36

Pre-Run: 42,599,469,056 bytes free

Post-Run: 42,395,619,328 bytes free

206

extremeboy · September 2, 2009

Hello.

looks better.

Let's run a scan with GMER, followed by Malwarebytes.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  Alternate Zip Mirror 1
  Alternate Zip Mirror 2
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

Close any and all open programs, as this process may crash your computer.
Double click or on your desktop.
When you have done this, close all running programs.
There is a small chance this application may crash your computer so save any work you have open.

Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..

In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
- Sections
- IAT/EAT
- Registry
- Drives/Partition other than Systemdrive (typically C:\)
- Show all (Don't miss this one!)
[*]Click on and wait for the scan to finish.
[*]If you see a rootkit warning window, click OK.
[*]Push and save the logfile to your desktop.
[*]Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
[*]Then click Finish.
[*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
[*]On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
[*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
[*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
[*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
[*]Click OK to close the message box and continue with the removal process.
[*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
[*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
[*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy

rsa98 · September 2, 2009

First may I say a big thank you to you extremeboy for all your help (and apologies for the posting goofs). I wasn't experiencing any problems with my system, at least nothing that was noticable or suspicious. That's what was so confusing about it. I was doing a scan with MalwareBytes when the Trojan.TDSS showed up and wouldn't go away. Still can't figure out how it happened with zone alarm running all the time. Here are the GMER and DDS logs along with the attach.zip. Malwarebytes scan didn't find anything. Thanks again.

GMER 1.0.15.15077 [652o3op8.exe] - http://www.gmer.net

Rootkit scan 2009-09-02 19:21:09

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4CE8C30]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4CE54F0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB4D00090]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4CE9320]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB4CFD760]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB4CFD970]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB4D02310]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB4CE9410]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB4CE5D20]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB4D00E90]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB4D00AB0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB4CFD0E0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xB4CE1130]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB4D01560]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB4D015E0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xB4D02590]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB4CE5A80]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB4CFF070]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB4CFEE30]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB4D01DD0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB4D017A0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB4CE8840]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB4D01C20]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB4CE8E80]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB4CE5F90]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xB4CE0BB0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB4D005C0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB4CFE0F0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB4CFDF70]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xB4CE13E0]

INT 0x20 srescan.sys B87F3CB0

Code \??\C:\DOCUME~1\rsa\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----

DDS (Ver_09-07-30.01) - NTFSx86

Run by rsa at 19:26:33.60 on Wed 09/02/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1553 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\explorer.exe