Help! TDSS virus problem

Compaq
October 24, 2008 at 20:24:41
Specs: XP, Celeron
Hello everyone,

I have spent a couple of days reading the forum....as I had an unfortunate attack of viruses while surfing the net. I had the system just re-boot on me, and then come up with the little red X on the task bar which indicated that I had spyware. I unplugged the modem immediately.

I did an "avast" scan and it said there were some viruses in memory, and then it rebooted and it seemed to clean them out. It found a "karna.dat" and a "brastk.exe". I then did a spybot and found another trojan which it seemed to clean. One definite problem was that I couldn't access any updates with spybot, or avast. I ended up running an old version of AVG anti rootkit, and it found some more baddies...it found a lot of TDSS problems, however, it cleaned it out. I also cleaned out all old versions of JAVA and installed the latest version.

I then ran malwarebytes, and it found some more TDSS in the registry keys, and some temp files, but it cleaned it out. I then ran Superantispyware, and it didn't find anything else. I have run everything twice now, and it seems to be clean.

However, I ran a SDfix and there is still TDSS problems in the registry (log included), as well, I did a search on the hard drive, and there are TDSS entries in the system folder.

However, would someone be able to review my latest malwarebytes log, and hijackthis log, and SDfix log and let me know if it is clean or if I still have a major infection?

As well, from what I read here, this TDSS trojan is BAD!!!!... Would the experts recommend a format and clean install just in case. I use this machine for banking and I would hate to have any issues with a resident trojan lurking....

Thank you very, very much!!!





#1
October 24, 2008 at 21:09:41
Please post, in order, your SDFix, Malwarebytes and HijackThis logs.


#2
October 24, 2008 at 22:22:40
Hi Jabuck,

Here are the logs..

[b]SDFix: Version 1.237 [/b]
Run by Owner on 24/10/2008 at 10:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 22:55:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"tdssservers"="\systemroot\system32\TDSSosvd.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfum.dll"
"tdssinit"="\systemroot\system32\TDSSfxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSrhym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"tdssservers"="\systemroot\system32\TDSSosvd.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfum.dll"
"tdssinit"="\systemroot\system32\TDSSfxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSrhym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Tue 17 Apr 2007 196 A.SHR --- "C:\BOOT.BAK"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 30 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 26 Jun 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Mon 23 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 18 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 7 Feb 2004 5,294,080 ...H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat 7 Feb 2004 452,096 ...H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat 7 Feb 2004 444,416 ...H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat 7 Feb 2004 1,838,592 ...H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat 7 Feb 2004 492,544 ...H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat 7 Feb 2004 1,401,856 ...H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat 7 Feb 2004 440,320 ...H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat 7 Feb 2004 462,848 ...H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat 7 Feb 2004 15,596,032 ...H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat 7 Feb 2004 5,256,704 ...H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat 7 Feb 2004 3,668,992 ...H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004 696,832 ...H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat 7 Feb 2004 423,936 ...H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat 7 Feb 2004 1,157,632 ...H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004 995,328 ...H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat 7 Feb 2004 453,632 ...H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat 7 Feb 2004 453,632 ...H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat 7 Feb 2004 2,251,776 ...H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat 7 Feb 2004 481,792 ...H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat 7 Feb 2004 12,426,752 ...H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat 7 Feb 2004 12,426,752 ...H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat 7 Feb 2004 15,596,032 ...H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat 7 Feb 2004 5,256,704 ...H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat 7 Feb 2004 5,256,704 ...H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"

[b]Finished![/b]

Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 5.1.2600 Service Pack 3

24/10/2008 8:27:08 PM
mbam-log-2008-10-24 (20-27-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 117326
Time elapsed: 1 hour(s), 1 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:53 PM, on 24/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7140 bytes



#3
October 25, 2008 at 03:55:54
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your Avast antivirus, ZoneAlarm, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



#4
October 25, 2008 at 19:05:28
Hi Jabuck,

I hope it was ok, however, I spent all night trying to get this thing going, because I have a project due on Monday. A friend of mine asked me to run a script with combofix...here is the log...

I hope you're ok with it... The strange thing is that no matter how much I try to disable my Avast anti virus, it still says it is running....if I have to, I guess I can un-install it.....let me know if you want me to.

ComboFix 08-10-24.02 - Owner 2008-10-25 19:30:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.471 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\TDSSpaxt.sy_
C:\WINDOWS\system32\TDSSbubx.lo_
C:\WINDOWS\system32\TDSScfum.dl_
C:\WINDOWS\system32\TDSSfxwp.dl_
C:\WINDOWS\system32\TDSSnmxh.lo_
C:\WINDOWS\system32\TDSSnrsr.dl_
C:\WINDOWS\system32\TDSSofxh.dl_
C:\WINDOWS\system32\TDSSosvd.da_
C:\WINDOWS\system32\TDSSrhym.dl_
C:\WINDOWS\system32\TDSSriqp.dl_

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWARKRN
-------\Legacy_MEMSWEEP2
-------\Service_aswArKrn
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-24 22:37 . 2008-10-24 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\R-Wipe&Clean
2008-10-24 22:36 . 2004-01-26 07:10 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-10-24 22:36 . 2004-01-27 04:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-10-24 22:36 . 2004-01-26 06:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-10-24 22:36 . 2004-01-26 07:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-10-24 22:36 . 2004-01-27 04:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-10-24 22:36 . 2008-10-24 22:36 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-24 20:48 . 2008-10-25 19:43 690,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-24 20:48 . 2008-10-25 19:37 9,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-24 20:43 . 2008-10-24 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-24 20:43 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-10-24 20:43 . 2008-10-24 20:46 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-10-24 20:42 . 2008-10-24 20:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-10-24 20:42 . 2008-10-24 20:42 <DIR> d-------- C:\Program Files\Zone Labs
2008-10-24 20:42 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-10-24 20:42 . 2008-10-25 19:38 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-10-24 20:41 . 2008-10-25 19:41 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-10-24 18:03 . 2008-10-24 18:03 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-24 18:00 . 2008-10-24 18:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-24 17:57 . 2008-10-22 02:19 <DIR> d-------- C:\SDFix
2008-10-24 00:14 . 2008-10-24 00:14 2,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-24 00:09 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-24 00:09 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-24 00:09 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-24 00:09 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-10-24 00:09 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-10-24 00:09 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-10-24 00:09 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-10-24 00:09 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-10-24 00:09 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-24 00:09 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-24 00:09 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-23 21:35 . 2008-10-24 17:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-23 21:35 . 2008-10-24 17:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-10-23 21:35 . 2008-10-23 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-23 21:25 . 2008-10-23 21:25 <DIR> d-------- C:\Program Files\Sophos
2008-10-23 20:11 . 2008-10-23 20:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-23 20:11 . 2008-10-23 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-23 20:10 . 2008-10-24 17:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-23 18:28 . 2008-10-15 10:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 17:35 . 2008-10-23 17:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-23 17:35 . 2008-10-23 17:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-23 17:35 . 2008-10-23 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-23 17:35 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-23 17:35 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-23 17:29 . 2008-10-23 17:29 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-14 22:20 . 2008-09-08 04:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 22:19 . 2008-08-14 04:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 22:19 . 2008-08-14 04:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 22:19 . 2008-08-14 03:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 22:19 . 2008-08-14 03:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 22:19 . 2008-09-15 06:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 02:08 --------- d-----w C:\Program Files\Java
2008-10-23 08:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\R-Wipe&Clean
2008-10-23 08:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\R-Wipe&Clean
2008-10-11 18:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-25_ 1.06.41.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-26 01:38:59 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_114.dat
+ 2008-10-26 01:38:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 483328]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 221184]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-23 136600]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AGRSMMSG"="AGRSMMSG.exe" [2003-12-12 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Organize.lnk
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 14:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-05-20 20:10 20480 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-01-18 17:07 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-01-18 17:47 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-11 03:40 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 14:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-23 152984]
.
Contents of the 'Scheduled Tasks' folder

2008-03-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-25 19:39:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-25 19:47:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 01:46:52
ComboFix2.txt 2008-10-25 07:08:48

Pre-Run: 21,811,089,408 bytes free
Post-Run: 21,835,366,400 bytes free

197 --- E O F --- 2008-10-15 05:02:21
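The two logs in #2 and #4 answer one defender's question between them: did the cleanup remove every file the hidden TDSSserv.sys service key pointed at? The example below is added here and is not part of the thread, nor a tool any of the posters used. It parses the catchme "hidden services" dump from the SDFix log in #2 (service start/type, image path and the `\modules` subkey that maps component names to files on disk), parses the "Other Deletions" section of the ComboFix log in #4, and reports which referenced files have no matching deletion line. Both excerpts are taken from the logs above, trimmed to the relevant lines; the parser tolerates the stray `)` catchme prints after the service name, and matches deletions on the file stem because ComboFix lists the removed files with the last extension character shown as `_`.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the catchme "hidden services" section from the SDFix log in #2 (CurrentControlSet only).
CATCHME_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpaxt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"tdssservers"="\systemroot\system32\TDSSosvd.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfum.dll"
"tdssinit"="\systemroot\system32\TDSSfxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSrhym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
"""

# Excerpt of the "Other Deletions" section from the ComboFix log in #4.
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\TDSSpaxt.sy_
C:\WINDOWS\system32\TDSSbubx.lo_
C:\WINDOWS\system32\TDSScfum.dl_
C:\WINDOWS\system32\TDSSfxwp.dl_
C:\WINDOWS\system32\TDSSnmxh.lo_
C:\WINDOWS\system32\TDSSnrsr.dl_
C:\WINDOWS\system32\TDSSofxh.dl_
C:\WINDOWS\system32\TDSSosvd.da_
C:\WINDOWS\system32\TDSSrhym.dl_
C:\WINDOWS\system32\TDSSriqp.dl_
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# catchme prints the service key with a stray ")" after the service name; tolerate it.
SERVICE_RE = re.compile(r"\\Services\\([^\\]+?)\)?(\\modules)?$", re.IGNORECASE)


def _decode(raw):
    # .reg-style value: dword:XXXXXXXX -> int; str(2):"..." or "..." -> str
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'^(?:str\(\d+\):)?"(.*)"$', raw)
    return m.group(1) if m else raw


def parse_catchme(text):
    # Group the dump by service key: start/type/imagepath under "values",
    # the name -> file map from the "\modules" subkey under "modules".
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            sm = SERVICE_RE.search(km.group(1))
            current = None
            if sm:
                base = km.group(1)[: sm.start(2)] if sm.group(2) else km.group(1)
                svc = services.setdefault(base, {"name": sm.group(1), "values": {}, "modules": {}})
                current = (svc, sm.group(2) is not None)
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            svc, in_modules = current
            bucket, key = (svc["modules"], vm.group(1)) if in_modules else (svc["values"], vm.group(1).lower())
            bucket[key] = _decode(vm.group(2))
    return services


def referenced_files(services):
    # Every on-disk file the hidden service keys point at (image path plus module values).
    paths = set()
    for svc in services.values():
        paths.add(svc["values"].get("imagepath", ""))
        paths.update(svc["modules"].values())
    return sorted(p for p in paths if isinstance(p, str) and p)


def parse_deletions(text):
    # File paths between ComboFix's "Other Deletions" banner and the next banner.
    deleted, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if "Other Deletions" in s:
            inside = True
        elif inside and s.startswith("(((("):
            break
        elif inside and re.match(r"^[A-Za-z]:\\", s):
            deleted.append(s)
    return deleted


def unaccounted_files(services, deleted):
    # Referenced files with no matching deletion line; compare stems only, since the
    # deletion list shows the removed files with the last extension character as "_".
    gone = {PureWindowsPath(p).stem.lower() for p in deleted}
    return sorted(PureWindowsPath(p).name for p in referenced_files(services)
                  if PureWindowsPath(p).stem.lower() not in gone)
```

Running `unaccounted_files(parse_catchme(CATCHME_EXCERPT), parse_deletions(COMBOFIX_EXCERPT))` on these excerpts returns `TDSSsbhc.dll` and `TDSStkdv.log`: two of the twelve files the service key referenced do not appear in ComboFix's deletion list. That is exactly the kind of gap to check by hand before declaring a machine clean (the earlier AVG and Malwarebytes passes in #0 may already have removed them, or they may never have been written to disk), and it is why the helper in #1 asked for all logs rather than the latest one. The `start` value of 1 (SERVICE_SYSTEM_START) and `type` of 1 (SERVICE_KERNEL_DRIVER) parsed from the key are also the details to look at: a hidden kernel driver loaded at system start is what makes the "format and clean install" question in the opening post a reasonable one for a machine used for banking.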



#5
October 25, 2008 at 19:34:21
Looks better, we need to do some clean-up and double check for bad files.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run Esets online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#6
January 12, 2009 at 13:02:30
I've been battling this as a tech professional for several hours and though Malwarebytes is a great program, and I've used it several times, ComboFix has found the TDSS files after several full scans with Malwarebytes, which removed a couple of them. In my opinion, ComboFix is the answer folks. Thanks for all the helpful posts.
