Hi Afterdawn! I have a doozy of a virus loaded onto my computer. I am normally very careful, but this one is driving me up the wall. I have read a few forum topics here and the main problem I am having is this, well actually - here is what happened. The virus: 1. Disabled the firewall for a moment. 2. Has disabled the Antivirus software from updating. 3. Has disabled programs such as Spybot S&D from running. 4. Can run Ad-Aware, however will not update and/or remove any entry. 5. Cannot download any software from any links in the forum including Malwarebytes etc. I have been able to download a torrent of the program but it will not run at all. 6. I have run hijack-this and here is the results... Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\vsnpstd.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Softwin\BitDefender10\bdagent.exe C:\Program Files\DNA\btdna.exe C:\WINDOWS\system32\drivers\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe C:\Program Files\Softwin\BitDefender10\vsserv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Matt\Desktop\mbam-setup.exe C:\Documents and Settings\Matt\Desktop\mbam-setup.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe" O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU" O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203939476380 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe 7. Please note that I cannot download/run most programs from the links provided for Combofix etc either. Any assistance would be great! toto99
if you have been instructed to use combofix, you can try downloading it from *removed* i just packaged it up. although you should only try to download it from trusted hosts. The rar sfx password is *removed*
Update.. Ok - I have been able to download Malwaresbytes and SuperAnti Spyware - however cannot run the programs at all. Any ideas? toto99
To, micha_el It states that the bandwith has been exceeded on your download.. I have tried scanning with the smitfraud fix and it has found nothing, the vundo fix finds nothing, but the virus basically locks the antivirus program (AVG) from updating, and the security programs such as Malwarebytes and SuperAnti Spyware from running at all.. And some webpages are being blocked, and/or being redirected. Spybot has completely shut down and cant be reloaded. I have tried all this in safe mode also with no luck. I did manage to download the latest version of AVG and completed a scan, which found 1 virus under the name of FAKEALERT??? And it sucessfully deleted that. HELP!!!! toto99
Hi toto99 Please reboot your computer into Safe Mode With Networking by doing the following: • Restart your computer • After pressing the power button, repeatedly tap the F8 key. • Instead of Windows loading as normal, the Advanced Options Menu should appear; • Select the option to run Windows in Safe Mode With Networking, then press Enter. • Choose the administrator's account. Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop. Please disable all security programs, such as antiviruses, antispywares, and firewalls. • Run Combo-Fix.exe and follow the prompts. • Accept the End-User License Agreement. • Allow the Recovery Console to be installed. • When you see the window below, click on Yes. • When the Recovery Console has been installed, click on Yes to start the scan. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. • Wait for the scan to be fully completed. • If it requires a reboot, please do so. • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt) Do not click on the ComoboFix window, as it may cause it to stall. Best Regards
Hi cd, I am unable to download the program. It says that an unknown error occurred and I cannot connect to the website from your link..even in Safe Mode with networking. HELP!!
..also FYI I cannot complete system restore. Once I select a date to go back to and get to the point where you press next to compete the restoration, it just will not work (and it just lays idle) Can ComboFix be downloaded from any other source? I am assuming that because the other programs will not work, even if I get to downloading it, it will not run?? toto99
Hey toto99 Do you have a second computer to download ComboFix from? If so, use it, and then transfer it over to the infected computer's desktop and run it from there. Best Regards
Hi Cdavfrew, I have been able to download and run Combofix via another computer and it seemed to do the trick. Then I ran, Malwarebytes and deleted the entrys found there. It seems that my PC is now clean and I have loaded Comodo Firewall and updated AVG as further protection. I thought that I would run HJT once more and here is the log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:09:19 PM, on 30/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\vsnpstd.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\COMODO\SafeSurf\cssurf.exe C:\Program Files\COMODO\Firewall\cfp.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\COMODO\Firewall\cmdagent.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVG\AVG8\avgui.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\WINDOWS\TEMP\E_S128.tmp" /EF "HKCU" O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203939476380 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe What do you think? Is it clean? BTW, thanks SO much for helping me out on this one...I can ALMOST sleep at night now. Regards toto99
Hey toto99 Glad to hear your problem's almost fixed! However, could you follow the instructions for ComboFix and post a log here? Also follow these instructions to post a log for Malwarebytes. Post A Log • Launch Malwarebytes, and click on the tab Logs. • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open. • Post the log here. Best Regards
Hi, The log as follows: Malwarebytes' Anti-Malware 1.30 Database version: 1437 Windows 5.1.2600 Service Pack 2 30/11/2008 9:55:50 PM mbam-log-2008-11-30 (21-55-50).txt Scan type: Full Scan (C:\|) Objects scanned: 119780 Time elapsed: 32 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
Hi, Apologies, Log: ComboFix 08-11-29.03 - Administrator 2008-11-30 19:17:14.1 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1787 [GMT 11:00] WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ADS - WINDOWS: deleted 24 bytes in 1 streams. ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Matt\Application Data\inst.exe c:\windows\adaway.lic c:\windows\system32\drivers\TDSSpqlt.sys c:\windows\system32\TDSSbrsr.dll c:\windows\system32\TDSScfum.dll c:\windows\system32\TDSSlxwp.dll c:\windows\system32\TDSSnmxh.log c:\windows\system32\TDSSoiqh.dll c:\windows\system32\TDSSosvd.dat c:\windows\system32\TDSSrhym.log c:\windows\system32\TDSSriqp.dll c:\windows\system32\TDSSsihc.dll c:\windows\system32\TDSStkdv.log . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_TDSSSERV.SYS -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 ))))))))))))))))))))))))))))))) . 2008-11-29 21:14 . 2008-11-29 21:14 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-11-29 21:12 . 2008-11-29 21:12 10,520 --a------ c:\windows\system32\avgrsstx.dll 2008-11-29 21:11 . 2008-11-29 21:11 <DIR> d-------- c:\windows\system32\drivers\Avg 2008-11-29 21:11 . 2008-11-29 21:11 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2008-11-29 18:59 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe 2008-11-29 18:59 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe 2008-11-29 18:59 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe 2008-11-29 18:59 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe 2008-11-29 18:59 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe 2008-11-29 18:59 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe 2008-11-29 18:59 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe 2008-11-29 18:59 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe 2008-11-29 18:59 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe 2008-11-29 18:59 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe 2008-11-29 18:59 . 2008-11-29 19:25 3,376 --a------ c:\windows\system32\tmp.reg 2008-11-29 18:03 . 2008-11-29 18:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2 2008-11-29 16:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-29 16:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-29 16:55 . 2008-11-29 17:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-29 16:55 . 2008-11-29 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-29 16:09 . 2008-11-29 21:10 81,984 --a------ c:\windows\system32\bdod.bin 2008-11-29 16:03 . 2008-11-29 21:11 <DIR> d-------- c:\program files\Common Files\Softwin 2008-11-29 15:50 . 2008-11-29 20:57 <DIR> d-------- C:\VundoFix Backups 2008-11-25 01:58 . 2008-11-25 01:58 <DIR> d-------- c:\program files\Trend Micro 2008-11-25 01:00 . 2008-11-25 01:08 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-11-25 00:12 . 2008-11-25 00:12 <DIR> d-------- c:\program files\AVG 2008-11-25 00:12 . 2008-11-29 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2008-11-24 23:54 . 2008-11-24 23:54 <DIR> d-------- c:\program files\Lavasoft 2008-11-24 23:54 . 2008-11-24 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-24 23:53 . 2008-11-29 21:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-11-19 22:39 . 2008-11-19 22:39 <DIR> d-------- c:\program files\WinFF 2008-11-19 22:39 . 2008-11-20 06:32 <DIR> d-------- c:\documents and settings\Matt\Application Data\WinFF 2008-11-08 21:52 . 2008-11-08 21:52 <DIR> d-------- c:\documents and settings\Matt\Application Data\DVDFab 2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\iTunes 2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\iPod 2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\program files\Bonjour 2008-11-03 22:31 . 2008-11-03 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-11-03 22:30 . 2008-11-03 22:30 <DIR> d-------- c:\program files\QuickTime 2008-11-03 22:29 . 2008-11-03 22:29 <DIR> d-------- c:\program files\Apple Software Update 2008-10-24 02:07 . 2008-10-24 02:07 99,904 --a------ c:\windows\system32\drivers\AnyDVD.sys 2008-10-11 16:30 . 2008-10-11 16:30 <DIR> d-------- c:\program files\Photo Viewer V208G2 2008-10-09 02:56 . 2008-10-09 02:56 <DIR> d-------- C:\Garmin . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-29 23:26 --------- d-----w c:\documents and settings\Matt\Application Data\DNA 2008-11-29 23:21 --------- d-----w c:\program files\DNA 2008-11-29 10:59 --------- d-----w c:\program files\Add Remove Pro 2008-11-29 07:45 --------- d-----w c:\documents and settings\Matt\Application Data\BitTorrent 2008-11-29 07:26 --------- d-----w c:\program files\Opera 2008-11-24 12:41 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-11-24 12:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-23 10:01 --------- d-----w c:\documents and settings\Matt\Application Data\Skype 2008-11-23 09:01 --------- d-----w c:\documents and settings\Matt\Application Data\skypePM 2008-11-23 06:28 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink 2008-11-08 11:18 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft 2008-11-08 11:17 --------- d-----w c:\program files\SlySoft 2008-11-08 10:54 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys 2008-11-08 10:54 47,360 ----a-w c:\documents and settings\Matt\Application Data\pcouffin.sys 2008-11-08 10:54 --------- d-----w c:\program files\DVDFab 5 2008-11-08 10:54 --------- d-----w c:\documents and settings\Matt\Application Data\Vso 2008-11-03 11:30 --------- d-----w c:\program files\Common Files\Apple 2008-11-03 11:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer 2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys 2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2008-08-29 09:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll 2008-08-28 23:18 87,336 ----a-w c:\windows\system32\dns-sd.exe 2008-08-28 22:53 61,440 ----a-w c:\windows\system32\dnssd.dll 2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll 2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe 2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe 2008-08-12 12:21 16,376 ----a-w c:\windows\gdrv.sys 2008-02-26 08:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat 2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll 2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll 2008-08-10 02:58 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-29 1966080] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-20 81920] "snpstd"="c:\windows\vsnpstd.exe" [2004-06-10 286720] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336] "RTHDCPL"="RTHDCPL.EXE" [2007-09-19 c:\windows\RTHDCPL.exe] "nwiz"="nwiz.exe" [2007-04-20 c:\windows\system32\nwiz.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.I420"= i420vfw.dll "msacm.divxa32"= msaud32_divx.acm [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "CTFMON.EXE"=c:\windows\system32\CTFMON.EXE [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "PCSuiteTrayApplication"=c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime "snpstd"=c:\windows\vsnpstd.exe "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Ares\\Ares.exe"= "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= "c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-29 231704] S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-02-25 96256] S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2008-03-24 18432] S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-02-29 360448] S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-02-29 18944] S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-02-29 33792] *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-11-21 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:56] . - - - - ORPHANS REMOVED - - - - HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w6akn2x.default\ FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-30 19:18:18 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys] "imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys" . Completion time: 2008-11-30 19:18:45 ComboFix-quarantined-files.txt 2008-11-30 08:18:38 Pre-Run: 195,669,131,264 bytes free Post-Run: 196,092,608,512 bytes free 194 --- E O F --- 2008-11-24 09:47:59
Hey toto Your logs are clean! You managed to catch the notorious TDSSSERV.SYS malware. It's one of the most rampant rootkits around, and is a real pain in the butt. At least one-third of the threads I'm handling deal with this rootkit. Best Regards
..well it did concern me for a while, but with your fantastic assistance we got rid of it. For the record, you were magnificant and I cannot thank you enough. Thanks so much for helping me (and I see countless others on this forum) out with this malware. kindest regards and thanks toto99
Hey toto99 Thanks for the compliment, even though I hardly think that I'm "magnificent". I just wish I could have given more quality advice; there's way too many people on this forum to be helped. Best Wishes
