Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hi -- I seem to have contracted the Google redirect virus. I've been reading this forum and attempted to download Malwarebytes from the two recommended sites (major geeks and the other one), but couldn't access those sites for some reason. I was able to download it from download.com but then couldn't get it to run.
However, I was able to download and run HijackThis. Should I post my HiJackThis report here?
Any advice welcome...
First try this:
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
If you have trouble installing or running MalwareBytes do the following:If you got them downloaded rename the setup file then try installing them again.
Right click the mbam-setup.exe file> click rename> rename it something.exe then try to run it. If it installed but will not run navigate to this folder:
C:\Programs Files\Malwarebytes' AntiMalware
Rename the mbam.exe file then try to run it again, if still no luck rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again.
And post your Hijack This log please.
0 
jabuck, you said to disable it, but not to uninstall the TDSServ.sys driver/file? I've also contracted this malware and I'm running a machine with Vista and I'm not being given the option to disable it in device manager. Only an option comes up to uninstall it. Since this is my only option, should I uninstall it instead or is there some other method I can use to disable it?
0
If you uninstall it upon restart it will be reinstalled.
Lets try it this way:
1. Click on start
2. Type services.msc in the search box
You might be prompted by a UAC box. Choose to continue.
3. Double click TDSServ.sys, and choose Stop to stop it immediately
4. Click the drop down arrow on the far right of "Startup Type" and select disable
5. Click apply. ok then exit services by clicking the x at the top right of the screen.Restrat the computer.
0
Hi Jabuck,
Many thanks for the guidance. I was able to install Malwarebytes' after following the steps you gave me. Here's the log from my scan:
Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 322/12/2008 00:00:52
mbam-log-2008-12-22 (00-00-52).txtScan type: Quick Scan
Objects scanned: 62537
Time elapsed: 12 minute(s), 39 second(s)Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16Memory Processes Infected:
(No malicious items detected)Memory Modules Infected:
(No malicious items detected)Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:
(No malicious items detected)Registry Data Items Infected:
(No malicious items detected)Folders Infected:
(No malicious items detected)Files Infected:
C:\WINDOWS\system32\TDSScrrn.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSjcur.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSotpa.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSyavh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmxoe.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSd4b5.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSda33.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSdfb1.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSe520.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSec25.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Decke\Local Settings\Temp\TDSS5aa7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Decke\Local Settings\Temporary Internet Files\Content.IE5\Y1KL6VMN\PLAY_MP3[1].exe (Adware.PlayMp3z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Decke\Local Settings\Temp\TDSS5940.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSScc48.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSqxgx.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSwkod.log (Trojan.TDSS) -> Quarantined and deleted successfully._________________________________________
I ran HijackThis after my computer restarted. Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:16:14, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0060907
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0060907
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe--
End of file - 11212 bytes
0
Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.To run the next scan, Combofix, your McAfee will need to be turned off, you will have to know your version then google or yahoo for info on exactly to turn it off or disable it.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.In your case to run Combofix do the following:
1. Go offline turn off your McAfee antivirus, Windows Defender (if you have it), and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
0
Wish mine was going to be that easy. :( jabuck, it doesn't appear to be running as a service. I found the registry key which seems to call it: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSERV.SYS.
I can't delete the key. It even seems to be loading into memory from safe mode as any malware/virus scanner/rootkit scanner I try to run even from there is stopped. Is there any way I can get to the file and rename it? Or stop it from loading before the system completely boots into windows?
0
Jase, Start a thread of you own and we will see if we can help you. Don't post any logs until requested please.
0
Hi Jabuck -- Thanks for your help so far... I've installed the latest Java version as you instructed. However, I couldn't get to the sites to download Combofix. The urls for all three default to this very page: http://www.computing.net/answers/se...
Weird... Can you post the full urls for the sites where I can download it?
thanks
0
Download it from this site:
Try this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
Hi Jabuck - I downloaded Combofix, but am stuck at the point in the instructions where it says you need to install the Windows XP Recovery Console. I went to the Microsoft page and downloaded the bootdisk. But when I drag it on top of the Combofix icon nothing happens. According to the instructions Combofix is supposed to install the Windows Recovery Console, but nothing is happening.
Do I need to follow this step or can I just disable McAfee and run Combofix?
0
Hi Jabuck,
Happy New Year... Not sure if you saw my last message (Response #11), but I'm stuck on the Combofix install. Any help resolving it would be greatly appreciated.
thanks
0
Just disable your antivirus and any antispyware that you have a run Combofix. Be sure to alert me when you post the log.
0
Hi Jabuck,
Thanks for your help so far. My Combofix log is below. I forgot to mention that over the past couple weeks since I ran Malwarebytes and updated my Java, I've stopped having the redirect problem. Is Combofix intended to extract any remaining infections?
ComboFix 09-01-11.04 - Decke 2009-01-12 21:03:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.189 [GMT 0:00]
Running from: c:\documents and settings\Decke\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:\windows\IE4 Error Log.txt
c:\windows\system32\TDSSippe.dat.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.2008-12-29 12:17 . 2009-01-05 21:00 <DIR> d-------- c:\documents and settings\Guest\Application Data\skypePM
2008-12-29 12:15 . 2009-01-05 21:00 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2008-12-28 20:48 . 2008-12-28 20:51 <DIR> d-------- c:\documents and settings\Guest\Application Data\GTek
2008-12-28 20:47 . 2006-09-07 19:50 <DIR> d-------- c:\documents and settings\Guest\Application Data\Symantec
2008-12-28 20:47 . 2008-12-28 20:47 <DIR> d-------- c:\documents and settings\Guest\Application Data\PC Suite
2008-12-28 20:47 . 2009-01-05 21:02 <DIR> d-------- c:\documents and settings\Guest
2008-12-24 18:09 . 2008-12-24 18:28 <DIR> d-------- c:\program files\LimeWire
2008-12-22 21:33 . 2008-12-22 21:33 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 21:33 . 2008-12-22 21:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 01:08 . 2008-12-22 01:08 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-22 00:55 . 2008-12-22 00:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-21 23:43 . 2008-12-21 23:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 23:43 . 2008-12-21 23:43 <DIR> d-------- c:\documents and settings\Decke\Application Data\Malwarebytes
2008-12-21 23:43 . 2008-12-21 23:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 23:43 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 23:43 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\windows\system32\scripting
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\windows\system32\en
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\windows\system32\bits
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\windows\l2schemas
2008-12-21 02:07 . 2008-12-21 02:11 <DIR> d-------- c:\windows\ServicePackFiles.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 20:50 --------- d-----w c:\documents and settings\Decke\Application Data\Skype
2009-01-12 19:40 --------- d-----w c:\documents and settings\Decke\Application Data\skypePM
2008-12-24 18:21 --------- d-----w c:\documents and settings\Decke\Application Data\LimeWire
2008-12-24 07:43 --------- d-----w c:\program files\Common Files\Adobe
2008-12-24 07:35 --------- d-----w c:\program files\McAfee
2008-12-22 21:32 --------- d-----w c:\program files\Java
2008-12-20 10:34 --------- d-----w c:\program files\Trend Micro
2008-11-27 22:13 --------- d-----w c:\program files\Microsoft Silverlight
2008-03-09 09:41 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-07-22 19:53 88 --sh--r c:\windows\system32\7255BAE4C8.sys
2008-07-22 19:53 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 695808][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-07 169984]
"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-07 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-10-06 1445904]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-09-07 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-04 81920][HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-22 206096]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c82432b-d8d1-11db-af16-00038a000015}]
\Shell\AutoRun\command - F:\autohtml.exe /s[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29ea77cb-e720-11dc-af4b-00038a000015}]
\Shell\AutoRun\command - F:\Web'n'walk_Helper.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cbfe330-473e-11db-ae31-00038a000015}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76d2d2fc-4fbf-11db-ae3f-00038a000015}]
\Shell\AutoRun\command - F:\autohtml.exe /s[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b31f12cc-8a7c-11dd-af5b-00038a000015}]
\Shell\AutoRun\command - F:\AutoRun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b31f12ce-8a7c-11dd-af5b-00038a000015}]
\shell\AutoRun\command - F:\AutoRun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03f00b3-5d4a-11db-ae6e-00038a000015}]
\Shell\AutoRun\command - F:\autohtml.exe /s[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef7371e0-7db3-11db-aed3-00038a000015}]
\Shell\AutoRun\command - F:\autohtml.exe /s
.
Contents of the 'Scheduled Tasks' folder2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0060907
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\Decke\Application Data\Mozilla\Firefox\Profiles\xpnvqnj7.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 21:15:32
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
r Running Proce
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\WLTRYSVC.exe
c:\windows\system32\BCMWLTRY.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-12 21:18:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 21:18:38Pre-Run: 37,597,577,216 bytes free
Post-Run: 37,619,867,648 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetectCurrent=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
214 --- E O F --- 2008-12-22 06:33:49
0
That looks much better.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Run an online scan with Kaspersky from the following link:
Kaspersky Online ScannerNote: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
0
Hi Jabuck,
I ran ATF Cleaner and Kaspersky Online Scanner. Here's the Kaspersky report:
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, January 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 14, 2009 11:33:55
Records in database: 1619211
----------------------Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yesScan area - My Computer:
C:\
D:\
E:\Scan statistics:
Files scanned: 91766
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:18:57
File name / Threat name / Threats count
C:\Documents and Settings\Decke\My Documents\LimeWire\Saved\soul rebel marley.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1The selected area was scanned.
0
Navigate to and delete thus file if found:
C:\Documents and Settings\Decke\My Documents\LimeWire\Saved\soul rebel marley.mp3
Your computer appears to be clean other than the above files.
Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Kaspersky
You should keep AFT Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link SpywareblasterJust download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?
0
Hi Jabuck,
Thanks again for all your help with this. This forum is a blessing. I deleted the mp3 file as instructed. The computer overall seems to be working fine and fast now. Just need your guidance on a few things:
McAfee threw up the message below. I asked McAfee to remove RemAdm-ProcLaunch!171 and I got a message saying it couldn't be removed. Should I be worried about this? Is there a way to manually remove it?
"McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it, we recommend that you remove the program.
About this Potentially Unwanted Program
Name: RemAdm-ProcLaunch!171
Location: C:\32788R22FWJFW\psexec.cfexe"
When I tried to uninstall HijackThis using the Add/Remove programs on the control panel I got this message:"This will remove HiJackThis' settings from the Registry and exit. Note that you will have to delete the HijackThis.exe manually."
How do I manally delete the HijackThis.exe file?
Also, I didn't see Kaspersky listed on the Add/Remove list. How do I uninstall it?
Lastly, should I create a new System Snapshot in SpywareBlaster?
thanks again
0
Navigate to and delete these folders if found:
C:\32788R22FWJFW
C:\Program Files\Trend Micro
If Kaspersky is not listed do not worry about it, we remove the programs so in does not think it is install should you ever need it again.
Yes, make a snap shot.. just more security.
0
Hi Jabuck,
I was able to delete C:\Program Files\Trend Micro
However, I wasn't able to locate C:\32788R22FWJFW
Are the any risks to not being able to delete RemAdm-ProcLaunch!171
thanks
0
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.Then look for C:\32788R22FWJFW
As for the risk...none.
0
Hi Jabuck,
I still wasn't able to locate C:\32788R22FWJFW after doing as you instructed. But since you said that file doesn't pose any risks, I'm just going to leave it be.
Thanks again for all your help. It was quite an education.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
