
Please could you tell me if TDSS has gone ?



Hello,

On one of my occasional malware trawls with mbam, I was surprised to find TDSSlxwp.dll, and MS AntiSpyware 2009 5.7 which I deleted. Please could you confirm if my computer is now free of malware ? I know that MSAS is rogue software and I don't understand how it got on my system - I wouldn't have knowingly downloaded it. WirelessKeyView is a false positive, I believe. I'm disturbed by TDSS, hence my question. I occasionally use P2P to download old, no longer released, TV programmes, but other than that I have clean internet habits !

I use a BT Voyager 205 router as the firewall (GRC ShieldsUp! reports complete stealth) and ESET NOD32 AntiVirus.

The following logs are :

1) mbam before (normal boot)

2) mbam after (normal boot)

3) HijackThis after (normal boot with minimal background processes running)

4) DDS after (normal boot with minimal background processes running)

5) attach after (normal boot with minimal background processes running)

---

1) mbam before

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8117

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

08/11/2011 21:06:14

mbam-log-2011-11-08 (21-06-14).txt

Scan type: Full scan (C:\|)

Objects scanned: 210805

Time elapsed: 23 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MS AntiSpyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\wirelesskeyview\wirelesskeyview.exe (PUP.WirelessKeyView) -> Not selected for removal.

c:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

---

2) mbam after

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8130

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

10/11/2011 13:01:32

mbam-log-2011-11-10 (13-01-22).txt

Scan type: Full scan (C:\|)

Objects scanned: 208555

Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\wirelesskeyview\wirelesskeyview.exe (PUP.WirelessKeyView) -> No action taken.

---

3) HijackThis after

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:16:49, on 10/11/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\AspEmail\BIN\EmailAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [No! Flash] C:\Program Files\NoFlash\NoFlash.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283691495718

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{838BCA67-48ED-4298-85F5-BE8EECFE1219}: NameServer = 192.168.1.1,195.7.224.57,195.7.224.143

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Program Files\AspEmail\BIN\EmailAgent.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 6402 bytes

---

4) DDS after

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27

Run by home at 14:02:27 on 2011-11-10

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.567 [GMT 0:00]

.

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\o2flash.exe

C:\Program Files\AspEmail\BIN\EmailAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [No! Flash] c:\program files\noflash\NoFlash.exe

uRun: [McAfee.InstantUpdate.Monitor] "c:\program files\mcafee\mcafee shared components\instant updater\RuLaunch.exe" /STARTMONITOR

uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe

uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [imonitor] "c:\program files\mcafee\quickclean\Plguni.exe" /START

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\home\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: swiftcover.com\secure

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283691495718

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{838BCA67-48ED-4298-85F5-BE8EECFE1219} : NameServer = 192.168.1.1,195.7.224.57,195.7.224.143

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\home\application data\mozilla\firefox\profiles\y89qlefa.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll

FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

.

============= SERVICES / DRIVERS ===============

.

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-2-27 34880]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-2-20 29056]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]

.

=============== Created Last 30 ================

.

2011-11-10 12:06:37 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-11-08 18:18:25 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes

2011-11-08 18:18:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-08 18:18:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-08 18:18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-17 19:36:28 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll

2011-10-17 19:36:28 8704 ----a-w- c:\windows\system32\kbdjpn.dll

2011-10-17 19:36:28 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll

2011-10-17 19:36:28 8192 ----a-w- c:\windows\system32\kbdkor.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd106.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd101c.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd101b.dll

2011-10-17 19:36:28 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll

2011-10-17 19:36:28 5632 ----a-w- c:\windows\system32\kbd103.dll

.

==================== Find3M ====================

.

2011-09-17 21:19:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-02 16:21:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-02 16:21:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

.

============= FINISH: 14:02:52.64 ===============

---

5) attach after

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/09/2008 23:28:22

System Uptime: 10/11/2011 09:04:53 (5 hours ago)

.

Motherboard: FUJITSU SIEMENS | | AMILO Pi 1505

Processor: Genuine Intel® CPU T2050 @ 1.60GHz | U2E1 | 1600/mhz

Processor: Genuine Intel® CPU T2050 @ 1.60GHz | U2E1 | 1600/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 112 GiB total, 72.633 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP815: 31/08/2011 09:51:00 - System Checkpoint

RP816: 01/09/2011 12:37:59 - System Checkpoint

RP817: 02/09/2011 13:02:56 - System Checkpoint

RP818: 02/09/2011 17:21:00 - Installed Java 6 Update 27

RP819: 03/09/2011 19:34:26 - System Checkpoint

RP820: 04/09/2011 19:41:34 - System Checkpoint

RP821: 06/09/2011 12:41:33 - System Checkpoint

RP822: 08/09/2011 11:59:55 - System Checkpoint

RP823: 09/09/2011 15:41:01 - System Checkpoint

RP824: 10/09/2011 18:17:30 - System Checkpoint

RP825: 12/09/2011 21:57:23 - System Checkpoint

RP826: 14/09/2011 09:05:03 - System Checkpoint

RP827: 15/09/2011 12:04:40 - System Checkpoint

RP828: 16/09/2011 13:14:43 - System Checkpoint

RP829: 17/09/2011 18:22:59 - System Checkpoint

RP830: 18/09/2011 19:07:51 - System Checkpoint

RP831: 19/09/2011 21:17:47 - System Checkpoint

RP832: 21/09/2011 20:19:54 - System Checkpoint

RP833: 23/09/2011 12:30:51 - System Checkpoint

RP834: 24/09/2011 13:17:36 - System Checkpoint

RP835: 25/09/2011 13:40:31 - System Checkpoint

RP836: 26/09/2011 16:59:11 - System Checkpoint

RP837: 27/09/2011 18:39:31 - System Checkpoint

RP838: 28/09/2011 19:23:00 - System Checkpoint

RP839: 29/09/2011 19:48:15 - System Checkpoint

RP840: 01/10/2011 17:45:56 - System Checkpoint

RP841: 02/10/2011 18:30:41 - System Checkpoint

RP842: 03/10/2011 17:01:42 - Removed BBC iPlayer Desktop

RP843: 04/10/2011 18:49:16 - System Checkpoint

RP844: 06/10/2011 12:14:27 - Removed Adobe Reader X (10.1.1).

RP845: 07/10/2011 18:38:03 - System Checkpoint

RP846: 08/10/2011 19:58:23 - System Checkpoint

RP847: 10/10/2011 15:55:44 - System Checkpoint

RP848: 11/10/2011 21:17:26 - System Checkpoint

RP849: 13/10/2011 21:25:31 - System Checkpoint

RP850: 14/10/2011 22:00:33 - System Checkpoint

RP851: 16/10/2011 13:41:05 - System Checkpoint

RP852: 17/10/2011 14:03:50 - System Checkpoint

RP853: 18/10/2011 18:42:14 - System Checkpoint

RP854: 19/10/2011 19:51:43 - System Checkpoint

RP855: 20/10/2011 21:22:01 - System Checkpoint

RP856: 21/10/2011 21:22:17 - System Checkpoint

RP857: 23/10/2011 11:29:33 - System Checkpoint

RP858: 24/10/2011 12:48:10 - System Checkpoint

RP859: 26/10/2011 19:41:04 - System Checkpoint

RP860: 27/10/2011 21:26:42 - System Checkpoint

RP861: 28/10/2011 21:49:26 - System Checkpoint

RP862: 30/10/2011 13:26:47 - System Checkpoint

RP863: 31/10/2011 13:45:55 - System Checkpoint

RP864: 01/11/2011 18:20:50 - System Checkpoint

RP865: 03/11/2011 18:27:53 - System Checkpoint

RP866: 04/11/2011 20:24:13 - System Checkpoint

RP867: 06/11/2011 18:25:08 - System Checkpoint

RP868: 07/11/2011 20:45:25 - System Checkpoint

.

==== Installed Programs ======================

.

µTorrent

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Shockwave Player 11.6

Apple Application Support

Apple Software Update

AspEmail

BBC iPlayer Desktop

Belarc Advisor 8.2

Canon i560

CCleaner

Demand Five Player

DVD Identifier

EPSON Printer Software

EPSON Scan

ESET NOD32 Antivirus

ffdshow [rev 2033] [2008-07-05]

FileZilla Client 3.3.5.1

Folding@home-x86

Foxit Reader 5.0

Google Earth

Google Update Helper

Google Updater

GPSU version 4.99

High Definition Audio Driver Package - KB888111

Hotfix for Windows XP (KB926239)

ImgBurn

Intel Matrix Storage Manager

Intel® Graphics Media Accelerator Driver

IrfanView (remove only)

Java Auto Updater

Java 6 Update 27

Malwarebytes' Anti-Malware version 1.51.2.1300

McAfee QuickClean

Microsoft .NET Framework 2.0

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Flight Simulator X Demo

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Motorola SM56 Data Fax Modem

Mozilla Firefox 6.0 (x86 en-GB)

MSXML 4.0 SP2 Parser and SDK

NetMeter 1.1.3

Nihuo Web Log Analyzer 3.44

NoFlash (remove only)

O2Micro Flash Memory Card Windows Driver V2.04

OpenOffice.org 3.0

PeerGuardian 2.0

PFPortChecker 1.0.28

Player

QuickTime

RealPlayer

REALTEK GbE & FE Ethernet PCI NIC Driver

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 8 (KB982381)

swMSM

System Requirements Lab

Thermal Analysis Tool

TomTom HOME 2.8.2.2264

TomTom HOME Visual Studio Merge Modules

Uninstall Entriq MediaSphere

Update for Windows XP (KB898461)

Update for Windows XP (KB932823-v3)

WebFldrs XP

Winamp

Winamp Detector Plug-in

Windows Driver Package - Intel (NETw3x32) net (09/27/2006 10.5.1.68)

Windows Driver Package - Intel (w29n51) net (06/26/2006 9.0.4.17)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

09/11/2011 08:11:24, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt ehdrv epfwtdir Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

09/11/2011 08:11:24, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:10:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

09/11/2011 08:10:02, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

08/11/2011 21:27:26, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

08/11/2011 21:27:26, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.

08/11/2011 17:21:31, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

08/11/2011 09:39:41, error: Service Control Manager [7034] - The KService service terminated unexpectedly. It has done this 1 time(s).

08/11/2011 09:39:35, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================

---


Hello Daytona2! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

I know that MSAS is rogue software and I don't understand how it got on my system - I wouldn't have knowingly downloaded it.

There is always a way. I recommend this article, which is very useful and interesting and will help you answer your question.

WirelessKeyView is a false positive, I believe.

No, it is not a false positive. This is the answer from one of our researchers in connection with this application:

These are often misused by malware so they are detected properly in this case.

PUP Means potentially unwanted program. They can be added to the ignore list if installed on purpose.

PUP in settings can also be set to show in mbam results but not check, show and check or not show at all.

Now, let's start:

Step 1

You have p2p software installed on your system, which is very dangerous and illegal. Please check our rules for piracy and uninstall µTorrent:

http://forums.malwarebytes.org/index.php?showtopic=97700

Step 2

I do not know for what purpose you use CCleaner, but I want to draw attention to the Registry feature. It is not recommended that you use it, because it can cause issues with other programs. Once completed, and if you feel your computer is slow, try to use these instructions to speed it up:

http://forums.malwarebytes.org/index.php?showtopic=81990

Step 3

Please follow the instructions to run ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#use

When you are ready, please post a log.txt (from ComboFix) and a new fresh DDS log file.


Hello Maniac and thanks for helping ! :)

I've removed uTorrent. Could someone take over my machine via the open port ?

CCleaner is used for deleting all the temporary files created by windows apps. I am wary of messing with the registry, but cleaned it out once about 2 years ago - I will not do it again - thanks for the info.

WirelessKeyView was installed two and a half years ago from CNET after reading the review.

Since the previous logs I installed Trusteer Rapport security software for my banking, so that's been flagged up as a recent change.

Here are the logs - what do you think !? -

---

ComboFix 11-11-10.02 - home 10/11/2011 20:13:50.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.451 [GMT 0:00]

Running from: c:\documents and settings\home\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

.

((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))

.

.

2011-11-10 17:22 . 2011-11-10 17:22 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Trusteer

2011-11-10 17:22 . 2011-11-10 17:22 -------- d-----w- c:\program files\Trusteer

2011-11-10 17:20 . 2011-11-10 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer

2011-11-10 14:15 . 2011-11-10 14:15 388096 ----a-r- c:\documents and settings\home\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-11-10 14:15 . 2011-11-10 14:15 -------- d-----w- c:\program files\Trend Micro

2011-11-10 12:06 . 2011-11-10 12:06 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-11-09 08:11 . 2011-11-09 08:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-11-09 08:10 . 2011-11-09 08:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-11-08 18:18 . 2011-11-08 18:18 -------- d-----w- c:\documents and settings\home\Application Data\Malwarebytes

2011-11-08 18:18 . 2011-11-08 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-08 18:18 . 2011-11-10 13:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-08 18:18 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-07 21:28 . 2011-11-07 21:28 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-10-17 19:36 . 2001-08-17 21:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll

2011-10-17 19:36 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll

2011-10-17 19:36 . 2001-08-17 21:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll

2011-10-17 19:36 . 2001-08-17 21:36 8192 ----a-w- c:\windows\system32\kbdkor.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd106.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101c.dll

2011-10-17 19:36 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101b.dll

2011-10-17 19:36 . 2001-08-17 13:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll

2011-10-17 19:36 . 2001-08-17 13:55 5632 ----a-w- c:\windows\system32\kbd103.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-17 21:19 . 2011-09-08 17:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-02 16:21 . 2011-09-02 16:21 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-02 16:21 . 2011-09-02 16:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-12 06:12 . 2011-03-28 19:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"No! Flash"="c:\program files\NoFlash\NoFlash.exe" [2007-10-15 141824]

"McAfee.InstantUpdate.Monitor"="c:\program files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2002-08-05 122948]

"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-29 1432064]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]

"Imonitor"="c:\program files\McAfee\QuickClean\Plguni.exe" [2002-08-05 98304]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

.

c:\documents and settings\home\Start Menu\Programs\Startup\

BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2011-10-3 142848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4000 Series]

2006-09-21 03:01 139264 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBEE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4000 Series (Copy 1)]

2006-09-21 03:01 139264 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBEE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\five Media Manager Tray]

2008-05-21 10:32 368640 ----a-w- c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2011-04-22 12:21 247728 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16579:TCP"= 16579:TCP:192.168.1.4/255.255.255.255:Enabled:uTorrent 16579 TCP

"16579:UDP"= 16579:UDP:uTorrent 16579 UDP

.

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [27/02/2006 14:00 34880]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [20/02/2006 15:01 29056]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [07/11/2011 21:28 56208]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 14:47 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 14:49 94360]

R1 RapportCerberus_32301;RapportCerberus_32301;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys [07/11/2011 21:30 227312]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [07/11/2011 21:28 71440]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/11/2011 21:28 164112]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 14:47 731840]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/11/2011 21:28 931640]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [22/04/2011 12:21 92592]

R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [07/11/2011 21:30 21520]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/12/2009 09:02 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/12/2009 09:02 135664]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - RAPPORTKELL

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-07 c:\windows\Tasks\Backup everything in My Documents hierarchy.job

- c:\windows\system32\ntbackup.exe [2004-08-04 00:56]

.

2011-11-10 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 17:27]

.

2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 09:01]

.

2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 09:01]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

Trusted Zone: swiftcover.com\secure

TCP: Interfaces\{838BCA67-48ED-4298-85F5-BE8EECFE1219}: NameServer = 192.168.1.1,195.7.224.57,195.7.224.143

FF - ProfilePath - c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\y89qlefa.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-10 20:17

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1957994488-1935655697-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-1957994488-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7046AD1C-061D-4CDF-98C6-F61E3EBDBF18}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(960)

c:\windows\system32\WININET.dll

c:\program files\McAfee\QuickClean\imhook.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-11-10 20:19:00

ComboFix-quarantined-files.txt 2011-11-10 20:18

.

Pre-Run: 77,692,035,072 bytes free

Post-Run: 77,757,304,832 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 99412B06DF276277688758487F91D774

---

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27

Run by home at 20:23:54 on 2011-11-10

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.547 [GMT 0:00]

.

AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\NoFlash\NoFlash.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\AspEmail\BIN\EmailAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [No! Flash] c:\program files\noflash\NoFlash.exe

uRun: [McAfee.InstantUpdate.Monitor] "c:\program files\mcafee\mcafee shared components\instant updater\RuLaunch.exe" /STARTMONITOR

uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe

uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [imonitor] "c:\program files\mcafee\quickclean\Plguni.exe" /START

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\home\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: swiftcover.com\secure

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283691495718

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{838BCA67-48ED-4298-85F5-BE8EECFE1219} : NameServer = 192.168.1.1,195.7.224.57,195.7.224.143

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\home\application data\mozilla\firefox\profiles\y89qlefa.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

============= SERVICES / DRIVERS ===============

.

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-2-27 34880]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-2-20 29056]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]

R1 RapportCerberus_32301;RapportCerberus_32301;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_32301.sys [2011-11-7 227312]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2011-11-7 21520]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]

.

=============== Created Last 30 ================

.

2011-11-10 20:12:47 -------- d-sha-r- C:\cmdcons

2011-11-10 20:09:53 98816 ----a-w- c:\windows\sed.exe

2011-11-10 20:09:53 518144 ----a-w- c:\windows\SWREG.exe

2011-11-10 20:09:53 256000 ----a-w- c:\windows\PEV.exe

2011-11-10 20:09:53 208896 ----a-w- c:\windows\MBR.exe

2011-11-10 17:22:51 -------- d-----w- c:\documents and settings\home\local settings\application data\Trusteer

2011-11-10 17:22:40 -------- d-----w- c:\program files\Trusteer

2011-11-10 17:20:15 -------- d-----w- c:\documents and settings\all users\application data\Trusteer

2011-11-10 14:15:28 388096 ----a-r- c:\documents and settings\home\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-11-10 14:15:27 -------- d-----w- c:\program files\Trend Micro

2011-11-10 12:06:37 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-11-08 18:18:25 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes

2011-11-08 18:18:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-08 18:18:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-08 18:18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-07 21:28:38 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-10-17 19:36:28 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll

2011-10-17 19:36:28 8704 ----a-w- c:\windows\system32\kbdjpn.dll

2011-10-17 19:36:28 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll

2011-10-17 19:36:28 8192 ----a-w- c:\windows\system32\kbdkor.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll

2011-10-17 19:36:28 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd106.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd101c.dll

2011-10-17 19:36:28 6144 ----a-w- c:\windows\system32\kbd101b.dll

2011-10-17 19:36:28 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll

2011-10-17 19:36:28 5632 ----a-w- c:\windows\system32\kbd103.dll

.

==================== Find3M ====================

.

2011-09-17 21:19:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-02 16:21:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-02 16:21:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

.

============= FINISH: 20:24:12.34 ===============

---

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/09/2008 23:28:22

System Uptime: 10/11/2011 19:41:11 (1 hours ago)

.

Motherboard: FUJITSU SIEMENS | | AMILO Pi 1505

Processor: Genuine Intel® CPU T2050 @ 1.60GHz | U2E1 | 1600/mhz

Processor: Genuine Intel® CPU T2050 @ 1.60GHz | U2E1 | 1600/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 112 GiB total, 72.446 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP815: 31/08/2011 09:51:00 - System Checkpoint

RP816: 01/09/2011 12:37:59 - System Checkpoint

RP817: 02/09/2011 13:02:56 - System Checkpoint

RP818: 02/09/2011 17:21:00 - Installed Java 6 Update 27

RP819: 03/09/2011 19:34:26 - System Checkpoint

RP820: 04/09/2011 19:41:34 - System Checkpoint

RP821: 06/09/2011 12:41:33 - System Checkpoint

RP822: 08/09/2011 11:59:55 - System Checkpoint

RP823: 09/09/2011 15:41:01 - System Checkpoint

RP824: 10/09/2011 18:17:30 - System Checkpoint

RP825: 12/09/2011 21:57:23 - System Checkpoint

RP826: 14/09/2011 09:05:03 - System Checkpoint

RP827: 15/09/2011 12:04:40 - System Checkpoint

RP828: 16/09/2011 13:14:43 - System Checkpoint

RP829: 17/09/2011 18:22:59 - System Checkpoint

RP830: 18/09/2011 19:07:51 - System Checkpoint

RP831: 19/09/2011 21:17:47 - System Checkpoint

RP832: 21/09/2011 20:19:54 - System Checkpoint

RP833: 23/09/2011 12:30:51 - System Checkpoint

RP834: 24/09/2011 13:17:36 - System Checkpoint

RP835: 25/09/2011 13:40:31 - System Checkpoint

RP836: 26/09/2011 16:59:11 - System Checkpoint

RP837: 27/09/2011 18:39:31 - System Checkpoint

RP838: 28/09/2011 19:23:00 - System Checkpoint

RP839: 29/09/2011 19:48:15 - System Checkpoint

RP840: 01/10/2011 17:45:56 - System Checkpoint

RP841: 02/10/2011 18:30:41 - System Checkpoint

RP842: 03/10/2011 17:01:42 - Removed BBC iPlayer Desktop

RP843: 04/10/2011 18:49:16 - System Checkpoint

RP844: 06/10/2011 12:14:27 - Removed Adobe Reader X (10.1.1).

RP845: 07/10/2011 18:38:03 - System Checkpoint

RP846: 08/10/2011 19:58:23 - System Checkpoint

RP847: 10/10/2011 15:55:44 - System Checkpoint

RP848: 11/10/2011 21:17:26 - System Checkpoint

RP849: 13/10/2011 21:25:31 - System Checkpoint

RP850: 14/10/2011 22:00:33 - System Checkpoint

RP851: 16/10/2011 13:41:05 - System Checkpoint

RP852: 17/10/2011 14:03:50 - System Checkpoint

RP853: 18/10/2011 18:42:14 - System Checkpoint

RP854: 19/10/2011 19:51:43 - System Checkpoint

RP855: 20/10/2011 21:22:01 - System Checkpoint

RP856: 21/10/2011 21:22:17 - System Checkpoint

RP857: 23/10/2011 11:29:33 - System Checkpoint

RP858: 24/10/2011 12:48:10 - System Checkpoint

RP859: 26/10/2011 19:41:04 - System Checkpoint

RP860: 27/10/2011 21:26:42 - System Checkpoint

RP861: 28/10/2011 21:49:26 - System Checkpoint

RP862: 30/10/2011 13:26:47 - System Checkpoint

RP863: 31/10/2011 13:45:55 - System Checkpoint

RP864: 01/11/2011 18:20:50 - System Checkpoint

RP865: 03/11/2011 18:27:53 - System Checkpoint

RP866: 04/11/2011 20:24:13 - System Checkpoint

RP867: 06/11/2011 18:25:08 - System Checkpoint

RP868: 07/11/2011 20:45:25 - System Checkpoint

RP869: 10/11/2011 14:15:27 - Installed HiJackThis

RP870: 10/11/2011 17:22:37 - Installed Rapport

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Shockwave Player 11.6

Apple Application Support

Apple Software Update

AspEmail

BBC iPlayer Desktop

Belarc Advisor 8.2

Canon i560

CCleaner

Demand Five Player

DVD Identifier

EPSON Printer Software

EPSON Scan

ESET NOD32 Antivirus

ffdshow [rev 2033] [2008-07-05]

FileZilla Client 3.3.5.1

Folding@home-x86

Foxit Reader 5.0

Google Earth

Google Update Helper

Google Updater

GPSU version 4.99

High Definition Audio Driver Package - KB888111

HiJackThis

Hotfix for Windows XP (KB926239)

ImgBurn

Intel Matrix Storage Manager

Intel® Graphics Media Accelerator Driver

IrfanView (remove only)

Java Auto Updater

Java 6 Update 27

Malwarebytes' Anti-Malware version 1.51.2.1300

McAfee QuickClean

Microsoft .NET Framework 2.0

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Flight Simulator X Demo

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Motorola SM56 Data Fax Modem

Mozilla Firefox 6.0 (x86 en-GB)

MSXML 4.0 SP2 Parser and SDK

NetMeter 1.1.3

Nihuo Web Log Analyzer 3.44

NoFlash (remove only)

O2Micro Flash Memory Card Windows Driver V2.04

OpenOffice.org 3.0

PeerGuardian 2.0

PFPortChecker 1.0.28

Player

QuickTime

Rapport

RealPlayer

REALTEK GbE & FE Ethernet PCI NIC Driver

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 8 (KB982381)

swMSM

System Requirements Lab

Thermal Analysis Tool

TomTom HOME 2.8.2.2264

TomTom HOME Visual Studio Merge Modules

Uninstall Entriq MediaSphere

Update for Windows XP (KB898461)

Update for Windows XP (KB932823-v3)

WebFldrs XP

Winamp

Winamp Detector Plug-in

Windows Driver Package - Intel (NETw3x32) net (09/27/2006 10.5.1.68)

Windows Driver Package - Intel (w29n51) net (06/26/2006 9.0.4.17)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

WinRAR archiver

.

==== Event Viewer Messages From Past Week ========

.

10/11/2011 20:13:41, error: Service Control Manager [7034] - The O2Micro Flash Memory service terminated unexpectedly. It has done this 1 time(s).

09/11/2011 08:11:24, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt ehdrv epfwtdir Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

09/11/2011 08:11:24, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:11:24, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

09/11/2011 08:10:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

09/11/2011 08:10:02, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

08/11/2011 21:27:26, error: Service Control Manager [7038] - The ALG service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

08/11/2011 21:27:26, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not start due to a logon failure.

08/11/2011 17:21:31, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

08/11/2011 09:39:41, error: Service Control Manager [7034] - The KService service terminated unexpectedly. It has done this 1 time(s).

08/11/2011 09:39:35, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================

---


Could someone take over my machine via the open port?

There are different techniques, but it is really possible. That's why everyone needs a good firewall to protect the system from hacker attacks.

Since the previous logs I installed Trusteer Rapport security software for my banking, so that's been flagged up as a recent change.

You missed a very important note in the initial instructions. I mean this one:

Please refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

http://forums.malwarebytes.org/index.php?showtopic=9573

Now:

Open Notepad and copy & paste the text present in the quotebox below into it:

REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16579:TCP"=-

"16579:UDP"=-

Save this as fix.reg. Choose to save as *all files and place it on your desktop.


Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Everything else seems fine and I suggest you perform a full system scan with NOD32, but your version is generation 4. It's very good to upgrade from generation 4 to 5, because it is much better. Instructions for upgrade are here:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2476

List of improvements in the new generation are here:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2808

Perform a full system scan and come back to let me know.

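The fix above removes the two uTorrent exceptions by hand. As an added example that is not part of the original thread, the Python below reads the firewall-policy lines of a ComboFix-style log, decodes each GloballyOpenPorts value (the XP SP2 format is port:protocol:scope:Enabled|Disabled:name, where scope is `*` or an address/mask list), reports whether the firewall is actually enabled and how widely each port is exposed, and emits the same kind of `"name"=-` deletion file. The sample text is constructed to mirror the log lines earlier in the thread; the function names are this example's own. The .reg it writes uses the full HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\... path, since `HKLM\~\services` is ComboFix's log shorthand rather than a key regedit knows.

```python
"""Decode Windows XP SP2 firewall policy lines as they appear in a ComboFix log.

Added example; SAMPLE_LOG is constructed to mirror the thread's log and the
function names are this example's own.
"""
import re

# Constructed sample: shape and values follow the "Reg Loading Points" section
# of the ComboFix log. "HKLM\~\services" is ComboFix's shorthand for
# HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16579:TCP"= 16579:TCP:192.168.1.4/255.255.255.255:Enabled:uTorrent 16579 TCP
"16579:UDP"= 16579:UDP:uTorrent 16579 UDP
"""

# Real path of the StandardProfile exception list, written in full because
# regedit does not understand the "HKLM\~" shorthand.
OPEN_PORTS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                  r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_open_port(data):
    """Split an XP SP2 GloballyOpenPorts value: port:proto:scope:Enabled|Disabled:name.
    Scope is '*' (any source) or an address/mask list. A value with fewer than
    five fields is reported as malformed instead of being guessed at."""
    parts = data.split(":", 4)
    if len(parts) < 5 or parts[3] not in ("Enabled", "Disabled"):
        return {"malformed": True, "raw": data}
    port, proto, scope, state, name = parts
    return {"malformed": False, "port": int(port), "proto": proto.upper(),
            "scope": scope, "enabled": state == "Enabled", "name": name}


def parse_firewall_policy(text):
    """Walk the log and collect EnableFirewall plus every open-port value."""
    policy = {"enable_firewall": None, "open_ports": []}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or not current_key or "firewallpolicy" not in current_key:
            continue
        name, data = value_match.group("name"), value_match.group("data").strip()
        if name == "EnableFirewall" and current_key.endswith("standardprofile"):
            policy["enable_firewall"] = not data.startswith("0")   # "0 (0x0)" -> off
        elif current_key.endswith("globallyopenports\\list"):
            entry = parse_open_port(data)
            entry["value_name"] = name
            policy["open_ports"].append(entry)
    return policy


def assess(policy):
    """Turn the parsed policy into the findings a reviewer would report."""
    findings = []
    if policy["enable_firewall"] is False:
        findings.append("EnableFirewall=0: Windows Firewall is off on the standard "
                        "profile, so the exception list is not enforced at all")
    for e in policy["open_ports"]:
        if e["malformed"]:
            findings.append(f"{e['value_name']}: malformed value {e['raw']!r}, "
                            "remove it rather than guess what it allows")
        elif not e["enabled"]:
            findings.append(f"{e['value_name']}: present but disabled ({e['name']})")
        elif e["scope"] == "*":
            findings.append(f"{e['value_name']}: open to any source address ({e['name']})")
        else:
            findings.append(f"{e['value_name']}: open only to {e['scope']} ({e['name']})")
    return findings


def make_fix_reg(policy, key=OPEN_PORTS_KEY):
    """Build a REGEDIT4 file that deletes every listed value ("name"=- deletes)."""
    lines = ["REGEDIT4", "", f"[{key}]"]
    lines += [f'"{e["value_name"]}"=-' for e in policy["open_ports"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_firewall_policy(SAMPLE_LOG)
    for finding in assess(parsed):
        print("-", finding)
    print(make_fix_reg(parsed))
```

Run against the constructed sample it reports three things: the firewall is switched off for the standard profile, the TCP exception is scoped to a single address rather than `*`, and the UDP value does not even have the scope and state fields, which is reason enough to delete it rather than reason about it.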

Doh! I should have looked at the full report log, as it looks like TDSS is hiding in Spybot, or is it quarantined!?

Scan Log

Version of virus signature database: 6619 (20111110)

Date: 10/11/2011 Time: 22:44:51

Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\

C:\hiberfil.sys - error opening [4]

C:\pagefile.sys - error opening [4]

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMutantyf.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMutantyf.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk2.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk2.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk3.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk4.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk4.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk5.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk5.zip » ZIP » sbRecovery.ini - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk6.zip » ZIP » TDSStkdu.log - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk6.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk7.zip » ZIP » sbRecovery.reg - error - password-protected file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk7.zip » ZIP » sbRecovery.ini - error - password-protected file

C:\Documents and Settings\home\My Documents\Downloads\advisorinstaller.exe » WISE » file_00000000.bin - incorrect CRC checksum, the file may be damaged

C:\Documents and Settings\home\My Documents\Downloads\advisorinstaller.exe » WISE » - bad archive

C:\Documents and Settings\home\My Documents\Downloads\jxpiinstall.exe » CAB » jusched - archive damaged - the file could not be extracted.

C:\Documents and Settings\home\My Documents\Downloads\jxpiinstall.exe » CAB » task.xml - archive damaged - the file could not be extracted.

C:\Documents and Settings\home\My Documents\Downloads\jxpiinstall.exe » CAB » task64.xml - archive damaged - the file could not be extracted.

C:\Documents and Settings\home\My Documents\Downloads\mbam-setup-1.51.2.1300.exe » INNO » files.info - internal error (10010)

C:\Documents and Settings\home\My Documents\Downloads\OOo_3.0.1_Win32Intel_install_en-US.exe » NSIS » openofficeorg1.cab » CAB » testtar.tar » TAR » - archive damaged

C:\Documents and Settings\home\My Documents\Downloads\setuptah-light.exe » NSIS » DejaVuSansCondensed-BoldOblique.ttf - archive damaged - the file could not be extracted.

C:\Documents and Settings\home\My Documents\Downloads\SM_M35_v10.rar » RAR » SM_M35_v10.doc - next archive volume not found

C:\Documents and Settings\home\My Documents\Downloads\winamp5581_full_emusic-7plus_en-us.exe » NSIS » OCSetupHlp.dll - Win32/OpenCandy potentially unsafe application

C:\Documents and Settings\home\My Documents\Downloads\wirelesskeyview.zip » ZIP » WirelessKeyView.exe - a variant of Win32/WirelessKeyView.A potentially unsafe application

C:\Program Files\OpenOffice.org 3\Basis\program\python-core-2.3.4\lib\test\testtar.tar » TAR » - archive damaged

C:\Program Files\WirelessKeyView\WirelessKeyView.exe - a variant of Win32/WirelessKeyView.A potentially unsafe application - action selection postponed until scan completion

C:\Documents and Settings\home\My Documents\Downloads\winamp5581_full_emusic-7plus_en-us.exe » NSIS » OCSetupHlp.dll - Win32/OpenCandy potentially unsafe application - was a part of the deleted object

C:\Documents and Settings\home\My Documents\Downloads\wirelesskeyview.zip » ZIP » WirelessKeyView.exe - a variant of Win32/WirelessKeyView.A potentially unsafe application

Number of scanned objects: 251087

Number of threats found: 3

Number of cleaned objects: 1

Time of completion: 23:37:23 Total scanning time: 3152 sec (00:52:32)

Notes:

[4] Object cannot be opened. It may be in use by another application or operating system.


Yes, I think your defense reacted properly and prevented a more serious infection of the system.

Doh! I should have looked at the full report log as it looks like TDSS is hiding in Spybot, or is it quarantined!?

There is nothing to worry about. Here's why:

If the file found is in the Recovery directory inside the Spybot-S&D directory, it is such a backup. It is no longer of any harm there, as the file will not be found and loaded from there. But once you are sure you do not need the backup, go to the Recovery section inside Spybot-S&D and purge those files.

Current versions compress the recovery files into password-protected zip archives, thus preventing other anti-spyware applications from giving false alarms. Some programs might notify you that they cannot access these zip archives - this can easily be ignored. As the recovery files are named after the threat, some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

Go to Spybot-S&D => Recovery and you can clean them from there.

Everything is great for me. How about you?

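The advice above boils down to a triage rule: scanner lines that are only archive/access notes (CRC errors, password-protected files) are noise, detections whose path lies under Spybot's Recovery folder are quarantined backups named after the threat, and only detections elsewhere need review. The following script is an added example, not code from this thread or from any of the tools it names; it parses constructed lines in the ESET Online Scanner log format shown above (the Win32/Placeholder.A name is made up) and applies that rule.

```python
from collections import Counter

# Constructed sample lines in the "path » ARCHIVE » inner - message" log format
# quoted in the thread. The last line's detection name is a placeholder.
SAMPLE_LOG = """\
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\WinTDSSrtk5.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\\Documents and Settings\\home\\My Documents\\Downloads\\jxpiinstall.exe » CAB » task.xml - archive damaged - the file could not be extracted.
C:\\Documents and Settings\\home\\My Documents\\Downloads\\advisorinstaller.exe » WISE » - bad archive
C:\\Program Files\\WirelessKeyView\\WirelessKeyView.exe - a variant of Win32/WirelessKeyView.A potentially unsafe application - action selection postponed until scan completion
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\WinTDSSrtk2.zip » ZIP » TDSSbackup.dll - a variant of Win32/Placeholder.A trojan
"""

SPYBOT_RECOVERY = "\\spybot - search & destroy\\recovery\\"
DETECTION_WORDS = ("potentially unsafe application", "trojan", "a variant of")


def parse_line(line):
    """Split one log line into (outer_path, archive_chain, message)."""
    parts = line.rstrip().split(" » ")
    outer, last = parts[0], parts[-1]
    if len(parts) == 1:
        # No archive chain: directory names may contain " - ", so only split
        # the part after the last backslash (the file name) at the first " - ".
        head, _, tail = outer.rpartition("\\")
        name, _, message = tail.partition(" - ")
        return head + "\\" + name, [], message
    if last.startswith("- "):            # e.g. "» WISE » - bad archive"
        inner, message = "", last[2:]
    else:
        inner, _, message = last.partition(" - ")
    return outer, parts[1:-1] + [inner], message


def classify(line):
    """'ignore-archive-note', 'ignore-spybot-backup' or 'review'."""
    path, _chain, message = parse_line(line)
    msg = message.lower()
    if not any(word in msg for word in DETECTION_WORDS):
        return "ignore-archive-note"      # CRC / password / damaged-archive noise
    if SPYBOT_RECOVERY in path.lower():
        return "ignore-spybot-backup"     # quarantined backup named after the threat
    return "review"                       # live location: needs a human decision


def triage(log_text):
    """Return (counts per class, lines that still need review)."""
    rows = [(classify(l), l) for l in log_text.splitlines() if l.strip()]
    return Counter(c for c, _ in rows), [l for c, l in rows if c == "review"]


if __name__ == "__main__":
    counts, to_review = triage(SAMPLE_LOG)
    print(dict(counts))
    for line in to_review:
        print("REVIEW:", line)
```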

Ah! OK..... :)

It all occurred some years ago, and since then I've uninstalled SpyBot and use mbam instead. But actually SpyBot did a good job. I was using the free version of AVG at the time as my main realtime AV. I find it difficult to know which product is best - different software seems best at different times - I guess it's just natural evolution.

I think that I'll upgrade XP to SP3 and investigate whether to upgrade to full mbam.

Many thanks for your help Maniac - it's good to have peace of mind. :)


SpyBot a few years ago was really one of the best solutions, but times are changing: it is a fact that there is a new problem, new and more serious malware, but it is also a fact that there is a new solution for these problems - Malwarebytes' Anti-Malware.

Last steps for you:

Step 1

Go to Start => Run... and copy & paste the following command in the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please uninstall ESET Online Scanner and HiJackThis.

Step 3

Please manually delete DDS.

Step 4

Here are some tips to prevent future malware problems:

You need to ensure that you have the latest version of Java. Before you download and install the latest versions it is important to uninstall the older ones, so for this purpose: Click Start => Control Panel => Add or Remove Programs, highlight them and click on the Remove button. Next, click on each of the programs to download it:

Slowly and carefully install applications and then restart your computer.

Some quick tips:

  • Alternative browser - Due to the large market share of Internet Explorer, it is a top target of the writers of malware, so we recommend using an alternative browser. There are many better alternatives to Internet Explorer regarding security, features and speed such as:

  • Program updates - Updating your software is really important for productivity, but also for security. Here is an application that will help in checking for new versions and updates for your programs. It is called FileHippo Update Checker and you can download it from here.

  • Clear old system restore points - Once your system is infected, as a result there will be infected restore points that need to be cleaned.

  1. Open Start => All Programs => Accessories => System tools => Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C:\
  3. Click OK.
  4. The System will do some calculation and display a dialogue box with TABS.
  5. Select the More Options tab.
  6. At the bottom will be a system restore box with a CLEANUP button. Click on it.
  7. Accept the Warning and select OK again, the program will close and you are done.

  • Create a new system restore point - Now that everything is fine, it is necessary to create a new restore point to restore your system to an earlier stage in case you get a problem. Do the following:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

Safe surfing! ;)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
