Antivirus2009

[Melinda in MT]

Am working on my husbands computer - he somehow got the FakeAlert trojan. Terrible thing to get rid of! Thank goodness I found this site. I followed AdvancedSetup's steps to get mbam to run and thankfully it worked! I first found the infection with AVG which said it was removed -NOT!

Here are the mbam and hjt logs. This computer is not hooked up to the internet right now so I am transferring info from my usb flash drive back and forth. Thanks!!

MBAM

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

12/16/2008 5:22:18 PM

mbam-log-2008-12-16 (17-22-18).txt

Scan type: Quick Scan

Objects scanned: 48167

Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\TDSScfub.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\TDSSb390.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\TDSSb381.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:53:40 PM, on 12/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3650

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3650

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 5828 bytes

mbam_log_2008_12_16__17_22_18_.txt

mbam_log_2008_12_16__17_22_18_.txt

[Maurice Naggar]

Hello Mellinda and welcome to Malwarebytes forums.

btw, very good for you on having the pc disconnected from the internet. The infection came with a rootkit and who knows what else in the evil mix.

Kindly start by doing the following. And if somehow, you might have had on-going help elsewhere, stop and let us know which other forum is helping you.

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  

=

Download The Avenger by Swandog46 from >> here<<.

Unzip/extract it to a folder on your desktop.

Double click on avenger.exe to run The Avenger.

Click OK.

Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

Copy all of the text below that's in between the dashed lines (including blank lines) to the clibpboard by highlighting it and then pressing Ctrl+C.

---------------------------------------------------------

Files to delete:

C:\windows\system32\drivers\tdssserv.sys

C:\WINDOWS\system32\TDSSfpmp.dll

C:\WINDOWS\system32\TDSSwpyd.dat

C:\WINDOWS\system32\TDSStkdv.log

C:\WINDOWS\system32\TDSSotxb.dll

C:\WINDOWS\system32\TDSScrrn.dll

C:\WINDOWS\system32\TDSSbvqh.dll

C:\WINDOWS\system32\TDSSjnmx.dll

C:\WINDOWS\system32\drivers\TDSSmact.sys

C:\Documents and Settings\Owner\Local Settings\Temp\TDSSb390.tmp

C:\Documents and Settings\Owner\Local Settings\Temp\TDSSb381.tmp

Drivers to delete:

tdssserv

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

HKEY_LOCAL_MACHINE\SOFTWARE\tdss

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV

----------------------------------------------------------------

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
  Note: Not all of the entries will be on your system; I simply want to see if enough of them are gone from the TDSS infection.
  =
  Take out the trash (temporary files & temporary internet files)
  Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
  Start ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  If you use Firefox browser, do this also:
  Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  If you use Opera browser, do this also:
  Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  Click Exit on the Main menu to close the program.
  ATF-Cleaner should be run per the above in every user-login account {User Profile}
  =
  Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.
  >
  Get and run the Dr.Web Curit Utility.
  ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
  Download and save it to your desktop.
  Run the utility and press the "Start" button in the opened window.
  Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files.
  Select the Complete scan and press the "Start scanning" button on the scanner right.
  After it completes, save the log file and make a copy of it in your next reply.
  =
  Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or
  http://www.forospyware.com/sUBs/dds
  Disable any script blocker if your antivirus/antimalware has it.
  Then double click dds.scr to run the tool.
  When done, DDS.txt will open.
  Click Yes at the next prompt for Optional Scan.
  
  • When done, DDS will open two (2) logs:
    
  • DDS.txt
    
  • Attach.txt
    

  [*]Save both reports to your desktop.

Please include the following logs in your next reply:

the C:\Avenger.txt log

DDS.txt

Attach.txt

and DrWeb Curit log.

and tell me, How is your system now ?

There will be more to do after this.