1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Major Virus - Assistance Needed

Discussion in 'Windows - Virus and spyware problems' started by toto99, Nov 29, 2008.

  1. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi Afterdawn!
    I have a doozy of a virus loaded onto my computer.
    I am normally very careful, but this one is driving me up the wall.

    I have read a few forum topics here and the main problem I am having is this, well actually - here is what happened.

    The virus:
    1. Disabled the firewall for a moment.
    2. Has disabled the Antivirus software from updating.
    3. Has disabled programs such as Spybot S&D from running.
    4. Can run Ad-Aware, however will not update and/or remove any entry.
    5. Cannot download any software from any links in the forum including Malwarebytes etc. I have been able to download a torrent of the program but it will not run at all.
    6. I have run hijack-this and here is the results...

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\vsnpstd.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Matt\Desktop\mbam-setup.exe
    C:\Documents and Settings\Matt\Desktop\mbam-setup.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203939476380
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    7. Please note that I cannot download/run most programs from the links provided for Combofix etc either.

    Any assistance would be great!
    toto99
     
  2. micha_el

    micha_el Guest

    if you have been instructed to use combofix, you can try downloading it from *removed* i just packaged it up. although you should only try to download it from trusted hosts.

    The rar sfx password is

    *removed*
     
    Last edited by a moderator: Nov 30, 2008
  3. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Update..

    Ok - I have been able to download Malwaresbytes and SuperAnti Spyware - however cannot run the programs at all.

    Any ideas?

    toto99
     
  4. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    To, micha_el

    It states that the bandwith has been exceeded on your download..

    I have tried scanning with the smitfraud fix and it has found nothing, the vundo fix finds nothing, but the virus basically locks the antivirus program (AVG) from updating, and the security programs such as Malwarebytes and SuperAnti Spyware from running at all..
    And some webpages are being blocked, and/or being redirected.

    Spybot has completely shut down and cant be reloaded.
    I have tried all this in safe mode also with no luck.

    I did manage to download the latest version of AVG and completed a scan, which found 1 virus under the name of FAKEALERT??? And it sucessfully deleted that.

    HELP!!!!

    toto99
     
  5. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi toto99

    Please reboot your computer into Safe Mode With Networking by doing the following:
    • Restart your computer
    • After pressing the power button, repeatedly tap the F8 key.
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option to run Windows in Safe Mode With Networking, then press Enter.
    • Choose the administrator's account.

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    • Run Combo-Fix.exe and follow the prompts.
    • Accept the End-User License Agreement.
    • Allow the Recovery Console to be installed.
    • When you see the window below, click on Yes.
    [​IMG]
    • When the Recovery Console has been installed, click on Yes to start the scan.
    [​IMG]

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be fully completed.
    • If it requires a reboot, please do so.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComoboFix window, as it may cause it to stall.

    Best Regards :D
     
  6. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi cd,
    I am unable to download the program.

    It says that an unknown error occurred and I cannot connect to the website from your link..even in Safe Mode with networking.

    HELP!!
     
  7. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    ..also FYI I cannot complete system restore.
    Once I select a date to go back to and get to the point where you press next to compete the restoration, it just will not work (and it just lays idle)

    Can ComboFix be downloaded from any other source? I am assuming that because the other programs will not work, even if I get to downloading it, it will not run??

    toto99
     
  8. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey toto99

    Do you have a second computer to download ComboFix from? If so, use it, and then transfer it over to the infected computer's desktop and run it from there.

    Best Regards :D
     
  9. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi Cdavfrew,

    I have been able to download and run Combofix via another computer and it seemed to do the trick.
    Then I ran, Malwarebytes and deleted the entrys found there.

    It seems that my PC is now clean and I have loaded Comodo Firewall and updated AVG as further protection.

    I thought that I would run HJT once more and here is the log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:09:19 PM, on 30/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\vsnpstd.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\COMODO\SafeSurf\cssurf.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\Program Files\AVG\AVG8\avgscanx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203939476380
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    What do you think? Is it clean?

    BTW, thanks SO much for helping me out on this one...I can ALMOST sleep at night now.

    Regards
    toto99
     
  10. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey toto99

    Glad to hear your problem's almost fixed!

    However, could you follow the instructions for ComboFix and post a log here? Also follow these instructions to post a log for Malwarebytes.

    Post A Log

    • Launch Malwarebytes, and click on the tab Logs.
    • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
    Post the log here.

    Best Regards :D
     
  11. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi,
    The log as follows:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1437
    Windows 5.1.2600 Service Pack 2

    30/11/2008 9:55:50 PM
    mbam-log-2008-11-30 (21-55-50).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 119780
    Time elapsed: 32 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  12. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey toto99

    And the ComboFix log? It will be located at C:\Combofix.txt
     
  13. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi, Apologies,

    Log:

    ComboFix 08-11-29.03 - Administrator 2008-11-30 19:17:14.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1787 [GMT 11:00]

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Matt\Application Data\inst.exe
    c:\windows\adaway.lic
    c:\windows\system32\drivers\TDSSpqlt.sys
    c:\windows\system32\TDSSbrsr.dll
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqh.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSStkdv.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
    .

    2008-11-29 21:14 . 2008-11-29 21:14 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-29 21:12 . 2008-11-29 21:12 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-29 21:11 . 2008-11-29 21:11 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-29 21:11 . 2008-11-29 21:11 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-29 18:59 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
    2008-11-29 18:59 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
    2008-11-29 18:59 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
    2008-11-29 18:59 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
    2008-11-29 18:59 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
    2008-11-29 18:59 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
    2008-11-29 18:59 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
    2008-11-29 18:59 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
    2008-11-29 18:59 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
    2008-11-29 18:59 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
    2008-11-29 18:59 . 2008-11-29 19:25 3,376 --a------ c:\windows\system32\tmp.reg
    2008-11-29 18:03 . 2008-11-29 18:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2
    2008-11-29 16:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-29 16:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-29 16:55 . 2008-11-29 17:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-29 16:55 . 2008-11-29 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-29 16:09 . 2008-11-29 21:10 81,984 --a------ c:\windows\system32\bdod.bin
    2008-11-29 16:03 . 2008-11-29 21:11 <DIR> d-------- c:\program files\Common Files\Softwin
    2008-11-29 15:50 . 2008-11-29 20:57 <DIR> d-------- C:\VundoFix Backups
    2008-11-25 01:58 . 2008-11-25 01:58 <DIR> d-------- c:\program files\Trend Micro
    2008-11-25 01:00 . 2008-11-25 01:08 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-11-25 00:12 . 2008-11-25 00:12 <DIR> d-------- c:\program files\AVG
    2008-11-25 00:12 . 2008-11-29 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-24 23:54 . 2008-11-24 23:54 <DIR> d-------- c:\program files\Lavasoft
    2008-11-24 23:54 . 2008-11-24 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-24 23:53 . 2008-11-29 21:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-11-19 22:39 . 2008-11-19 22:39 <DIR> d-------- c:\program files\WinFF
    2008-11-19 22:39 . 2008-11-20 06:32 <DIR> d-------- c:\documents and settings\Matt\Application Data\WinFF
    2008-11-08 21:52 . 2008-11-08 21:52 <DIR> d-------- c:\documents and settings\Matt\Application Data\DVDFab
    2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\iTunes
    2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\iPod
    2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\Bonjour
    2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-03 22:30 . 2008-11-03 22:30 <DIR> d-------- c:\program files\QuickTime
    2008-11-03 22:29 . 2008-11-03 22:29 <DIR> d-------- c:\program files\Apple Software Update
    2008-10-24 02:07 . 2008-10-24 02:07 99,904 --a------ c:\windows\system32\drivers\AnyDVD.sys
    2008-10-11 16:30 . 2008-10-11 16:30 <DIR> d-------- c:\program files\Photo Viewer V208G2
    2008-10-09 02:56 . 2008-10-09 02:56 <DIR> d-------- C:\Garmin

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-29 23:26 --------- d-----w c:\documents and settings\Matt\Application Data\DNA
    2008-11-29 23:21 --------- d-----w c:\program files\DNA
    2008-11-29 10:59 --------- d-----w c:\program files\Add Remove Pro
    2008-11-29 07:45 --------- d-----w c:\documents and settings\Matt\Application Data\BitTorrent
    2008-11-29 07:26 --------- d-----w c:\program files\Opera
    2008-11-24 12:41 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-24 12:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-23 10:01 --------- d-----w c:\documents and settings\Matt\Application Data\Skype
    2008-11-23 09:01 --------- d-----w c:\documents and settings\Matt\Application Data\skypePM
    2008-11-23 06:28 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-11-08 11:18 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft
    2008-11-08 11:17 --------- d-----w c:\program files\SlySoft
    2008-11-08 10:54 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
    2008-11-08 10:54 47,360 ----a-w c:\documents and settings\Matt\Application Data\pcouffin.sys
    2008-11-08 10:54 --------- d-----w c:\program files\DVDFab 5
    2008-11-08 10:54 --------- d-----w c:\documents and settings\Matt\Application Data\Vso
    2008-11-03 11:30 --------- d-----w c:\program files\Common Files\Apple
    2008-11-03 11:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-29 09:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
    2008-08-28 23:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
    2008-08-28 22:53 61,440 ----a-w c:\windows\system32\dnssd.dll
    2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
    2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
    2008-08-12 12:21 16,376 ----a-w c:\windows\gdrv.sys
    2008-02-26 08:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
    2008-08-10 02:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-20 81920]
    "snpstd"="c:\windows\vsnpstd.exe" [2004-06-10 286720]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-19 c:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2007-04-20 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "msacm.divxa32"= msaud32_divx.acm

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "CTFMON.EXE"=c:\windows\system32\CTFMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "PCSuiteTrayApplication"=c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "snpstd"=c:\windows\vsnpstd.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Ares\\Ares.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-29 231704]
    S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-02-25 96256]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2008-03-24 18432]
    S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-02-29 360448]
    S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-02-29 18944]
    S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-02-29 33792]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:56]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w6akn2x.default\
    FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
    FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-30 19:18:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"
    .
    Completion time: 2008-11-30 19:18:45
    ComboFix-quarantined-files.txt 2008-11-30 08:18:38

    Pre-Run: 195,669,131,264 bytes free
    Post-Run: 196,092,608,512 bytes free

    194 --- E O F --- 2008-11-24 09:47:59
     
  14. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    Hi cd,
    can you tell what virus I actually had? Would be interesting to know..
    regards
    toto99
     
  15. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey toto

    Your logs are clean!

    You managed to catch the notorious TDSSSERV.SYS malware. It's one of the most rampant rootkits around, and is a real pain in the butt. At least one-third of the threads I'm handling deal with this rootkit.

    Best Regards :D
     
  16. toto99

    toto99 Member

    Joined:
    Jun 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    11
    ..well it did concern me for a while, but with your fantastic assistance we got rid of it.
    For the record, you were magnificant and I cannot thank you enough.
    Thanks so much for helping me (and I see countless others on this forum)
    out with this malware.

    kindest regards and thanks
    toto99
     
  17. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey toto99

    Thanks for the compliment, even though I hardly think that I'm "magnificent". :) I just wish I could have given more quality advice; there's way too many people on this forum to be helped.

    Best Wishes :D
     

Share This Page