tdss-trojan, black screen/safe mode

Computing.Net > Forums > Security and Virus > tdss-trojan, black screen/safe mode

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

tdss-trojan, black screen/safe mode

Name: indymm
Date: November 21, 2008 at 20:19:52 Pacific
OS: xp sp2
CPU/Ram: p4
Product: hp pavilion

Comment:

My computer will not start Windows. I get a black, DOS type screen & it will only start in safe mode. Ran MalwareBytes and found tdss-trojan agent. Tried some fixes, not sure how to proceed. Had McAfee AV, but uninstalled it. Have access to another computer and will have to use flash drive to transfer-no internet access on infected machine. Hopefully, someone can help, thanks.

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: November 21, 2008 at 20:34:35 Pacific

Reply:

Run Malwarebytes from safe mode with networking, see if you can update it( may not be possible yet) and be sure to follow the directions in step 6 below, copy the results to your flash drive and post them please.
Please download Malwarebytes' Anti-Malware from one of these sites:
MalwareBytes1
MalwareBytes2
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

If you have trouble installing or running MalwareBytes or Hijack This do the following:
If you got them downloaded rename the setup file then try installing them again.
Right click the mbam-setup.exe file> click rename> rename it something.exe then try to run it. If it installed but will not run navigate to this folder:
C:\Programs Files\Malwarebytes' AntiMalware
Rename the mbam.exe file then try to run it again, if still no luck rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again.

Response Number 2

Name: indymm
Date: November 21, 2008 at 21:37:19 Pacific

Reply:

Thanks for the quick response. I was not able to update MalwareBytes.
Here is the log file:
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
11/22/2008 12:27:43 AM
mbam-log-2008-11-22 (00-27-24).txt
Scan type: Quick Scan
Objects scanned: 43987
Time elapsed: 13 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> No action taken.

Response Number 3

Name: jabuck
Date: November 21, 2008 at 22:00:40 Pacific

Reply:

Please run Malwarebytes again and be sure to follow the directions in step 6.
Post the Malwarebytes log and the Hijack This log.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Response Number 4

Name: indymm
Date: November 21, 2008 at 23:07:13 Pacific

Reply:

Thanks again. Took a little bit, but now things are looking like they used to-before the trojan. Appears I may be able to connect to internet with problem computer, but I would need some AV, right? As I said, I had McAfee, but uninstalled it, when starting the fixes.
Following are logs you asked for:
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
11/22/2008 1:30:24 AM
mbam-log-2008-11-22 (01-30-14).txt
Scan type: Quick Scan
Objects scanned: 43994
Time elapsed: 13 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> No action taken.
Logfile of HijackThis v1.99.1
Scan saved at 1:34:12 AM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.exe
O4 - HKLM\..\Run: [40257B93] C:\DOCUME~1\Owner\LOCALS~1\Temp\~F8FD.tmp.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.exe /syncfin C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.ini /insfin
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\SYSTEM32\cmd.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared...
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: System - {33B94534-0B35-4ACD-85A6-34D506D9428C} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0031061225848621) (0031061225848621mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003106~1.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
[b]SDFix: Version 1.240 [/b]
Run by Owner on Sat 11/22/2008 at 01:44 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Rootkit Found :
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Rootkit.Win32.Agent.cku
[b]Name [/b]:
tdssserv
[b]Path [/b]:
\systemroot\system32\drivers\TDSSmqlt.sys
tdssserv - Deleted

AUTOEXEC.NT Restored from backups
Restoring Default Security Values
Restoring Default Hosts File
Rebooting

[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\SEKSDI~1.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted
C:\WINDOWS\system32\TDSSoiqh.dll - Deleted
C:\WINDOWS\system32\TDSSbrsr.dll - Deleted
C:\WINDOWS\system32\TDSSriqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSrhyp.dll - Deleted
C:\WINDOWS\system32\TDSSosvn.dll - Deleted
C:\WINDOWS\system32\TDSSofxh.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dll - Deleted
C:\WINDOWS\system32\TDSSnrsr.dll - Deleted
C:\WINDOWS\system32\TDSScfum.dll - Deleted
C:\WINDOWS\system32\TDSSorvd.dat - Deleted
C:\WINDOWS\system32\TDSSpaxt.dat - Deleted
C:\WINDOWS\system32\TDSSnmxh.log - Deleted
C:\WINDOWS\system32\TDSSofxh.log - Deleted
C:\WINDOWS\system32\TDSSrhym.log - Deleted
Removing Temp Files
[b]ADS Check [/b]:

[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 01:50:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSosvn.dll"
"tdssservers"="\systemroot\system32\TDSSpaxt.dat"
"tdssmain"="\systemroot\system32\TDSSofxh.dll"
"tdsslog"="\systemroot\system32\TDSSosvd.dll"
"tdssadw"="\systemroot\system32\TDSSnrsr.dll"
"tdssinit"="\systemroot\system32\TDSScfum.dll"
"tdssurls"="\systemroot\system32\TDSSfxmp.log"
"tdsspanels"="\systemroot\system32\TDSSnmxh.dll"
"tdsserrors"="\systemroot\system32\TDSSsbhc.log"
"TDSSproc"="\systemroot\system32\TDSSrhym.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmqlt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"
"group"="file system"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\SYSTEM32\drivers\TDSSpqxt.sys 60416 bytes executable
C:\WINDOWS\Temp\TDSS536a.tmp 60416 bytes executable
C:\WINDOWS\Temp\TDSS5520.tmp 35840 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSbf3e.tmp 135168 bytes executable
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSc057.tmp 616960 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 6

[b]Remaining Services [/b]:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:

[b]Finished![/b]

Response Number 5

Name: jabuck
Date: November 22, 2008 at 07:36:36 Pacific

Reply:

Install an antivirus program.
Run Malwarebytes again and make sure to follow the directions in step 6 and post its log.
Post a new Hijack This log.

HP 9009 keyboard C:\Windows\System32\msxml3.dll AVG Free8 WatchDog safe mode services usbscan.sys download ntbackup logfile location windows nt4 safe mode disable safe mode wkdetect how to get your computer off safe mode	computer will not start in safe mode at&t yahoo reboot helper mcafee wont uninstall safe mode screen frozen how to run scandisk in safe mode vista will only start in safe mode safe mode with networking oeminfo.ini hp 5181 keyboard oeminfo.ini
See More

Response Number 6

Name: indymm
Date: November 22, 2008 at 09:09:51 Pacific

Reply:

Thanks again for your help. Tried to go and get McAfee, but that wouldn't work, so I installed AVG free, have not run it yet.
Tried to run MalwareBytes, but now it won't run. Guess I messed up somewhere.
This is the Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 11:47:38 AM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\PROGRA~1\VISION~1\ONETOU~2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.exe
O4 - HKLM\..\Run: [40257B93] C:\DOCUME~1\Owner\LOCALS~1\Temp\~F8FD.tmp.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.exe /syncfin C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.ini /insfin
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared...
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0031061225848621) (0031061225848621mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003106~1.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Response Number 7

Name: indymm
Date: November 22, 2008 at 18:22:20 Pacific

Reply:

Running a AVG scan, now

Response Number 8

Name: jabuck
Date: November 23, 2008 at 05:48:05 Pacific

Reply:

Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline turn off your AVG antivirus, Ad-Aware and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Response Number 9

Name: indymm
Date: November 23, 2008 at 08:10:56 Pacific

Reply:

I was not able to download Combofix from any of the 3 links you have. Somehow it blocks that, as well.
Can I use the other computer, download COmbofix to a flash drive and then transfer it over?

Response Number 10

Name: jabuck
Date: November 23, 2008 at 08:36:47 Pacific

Reply:

I don't think that will work with combofix.
Turn off Ad-Aware.
In the Malwarebytes scans above the "no action taken" indicates that either the boxes beside the baddies was not checked or removal of them was not selected.
Run Malwarebytes again, try to update it and make sure the boxes are checked beside the items to be removed and be sure to click "Remove Selected" and post its log.

Response Number 11

Name: indymm
Date: November 23, 2008 at 09:03:52 Pacific

Reply:

Ad-Aware is turned off.
Previous runs of Malware, I did check the boxes (I believe it was 4 of them)and asked for removal.
Currently, can not get Malware to open/start. Something is blocking it, as well.

Response Number 12

Name: indymm
Date: November 24, 2008 at 19:32:38 Pacific

Reply:

Did some more looking and finally was able to open/ run Malware. I checked all items it found and asked for removal.
Was able to also update AVG-free.
Have not yet, done anything with Combofix - waiting for your info.
Logs you requested:

Malwarebytes' Anti-Malware 1.30
Database version: 1415
Windows 5.1.2600 Service Pack 2
11/24/2008 10:06:30 PM
mbam-log-2008-11-24 (22-06-04).txt
Scan type: Quick Scan
Objects scanned: 48074
Time elapsed: 9 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\TDSSnrsr.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSofxh.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSosvd.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSosvn.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\SYSTEM32\drivers\TDSSpqxt.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS536a.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS5520.tmp (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSc057.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSbf3e.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSScfum.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\TDSSrhym.log (Trojan.TDSS) -> No action taken.
Logfile of HijackThis v1.99.1
Scan saved at 10:20:42 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\VISION~1\ONETOU~2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP Wireless Keyboard\KMaestro.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.exe
O4 - HKLM\..\Run: [40257B93] C:\DOCUME~1\Owner\LOCALS~1\Temp\~F8FD.tmp.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.exe /syncfin C:\DOCUME~1\Owner\LOCALS~1\Temp\mcupdate_1226024682.ini /insfin
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnl...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: karna.dat,avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0031061225848621) (0031061225848621mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\003106~1.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Response Number 13

Name: jabuck
Date: November 24, 2008 at 19:49:50 Pacific

Reply:

What did you do to get Malwarebytes to run?
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Response Number 14

Name: indymm
Date: November 25, 2008 at 18:00:12 Pacific

Reply:

Thanks for the continued help.
How did I get Malwarebytes to run - I found this info.
--------------
* Click on Start, click Run, and then type devmgmt.msc and click OK
* On the View menu click on Show hidden devices
* Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
* Highlight that driver and right click on it and select DISABLE - NOT uninstall.
* Now RESTART your computer.
* Download a copy of Malwarebytes but DO NOT run it yet.
* Rename the downloaded installer file to any generic name such as your own name but keep the .exe extension on the file and run it.
* Once the program is installed go to the UPDATE tab and try to update the program if you can.
* Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found
------------
I had Malwarebytes, but couldn't open it. By following the above instructions then I was able to open it, update it and then run it. I was also then allowed to update AVG-free.
Do you want me to still download the SDFIX and run it again?

Response Number 15

Name: jabuck
Date: November 25, 2008 at 18:44:53 Pacific

Reply:

Yes on SDFix and thanks for the info.

Response Number 16

Name: indymm
Date: November 25, 2008 at 20:04:05 Pacific

Reply:

Ran SDfix and here is the log:

[b]SDFix: Version 1.240 [/b]
Run by Owner on Tue 11/25/2008 at 10:43 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
[b]Name [/b]:
TDSSserv.sys
[b]Path [/b]:
\systemroot\system32\drivers\TDSSpqxt.sys
TDSSserv.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting

[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\drivers\TDSSpqxt.sys - Deleted
C:\WINDOWS\system32\TDSSpaxt.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSPAXT.dat - Deleted
Removing Temp Files
[b]ADS Check [/b]:

[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 22:51:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:

[b]Finished![/b]

Response Number 17

Name: jabuck
Date: November 25, 2008 at 20:52:18 Pacific

Reply:

Run Combofix as suggested in response #8 and after you run Combofix post a new Hijack This log please.

Response Number 18

Name: indymm
Date: November 25, 2008 at 21:28:05 Pacific

Reply:

Here is the Combofix log:
ComboFix 08-11-26.03 - Owner 2008-11-26 0:11:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\oeminfo.ini
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-22 15:12 . 2008-11-25 18:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-22 11:58 . 2008-11-24 20:43 <DIR> d-------- C:\MByte
2008-11-22 11:52 . 2008-11-22 11:52 76,040 --a------ c:\windows\SYSTEM32\drivers\avgtdix.sys
2008-11-22 11:52 . 2008-11-22 11:52 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-11-22 11:51 . 2008-11-25 18:22 <DIR> d-------- c:\windows\SYSTEM32\drivers\Avg
2008-11-22 11:51 . 2008-11-22 11:51 <DIR> d-------- c:\program files\AVG
2008-11-22 11:51 . 2008-11-22 12:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-11-22 11:51 . 2008-11-22 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-22 11:51 . 2008-11-22 11:51 97,928 --a------ c:\windows\SYSTEM32\drivers\avgldx86.sys
2008-11-22 11:38 . 2008-11-22 11:38 <DIR> d-------- C:\Mcafee
2008-11-22 01:54 . 2008-11-26 00:14 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 01:54 . 2008-11-26 00:14 1,409 --a------ c:\windows\QTFont.for
2008-11-22 01:39 . 2008-11-22 01:39 <DIR> d-------- c:\windows\ERUNT
2008-11-22 01:39 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
2008-11-22 01:36 . 2008-11-25 22:55 <DIR> d-------- C:\SDFix
2008-11-09 22:06 . 2008-11-12 21:55 <DIR> d-------- c:\program files\Hijack
2008-11-09 22:04 . 2005-02-16 11:06 218,112 --a------ c:\program files\HijackThis.exe
2008-11-09 15:23 . 2008-11-09 15:23 <DIR> d-------- C:\AVG free
2008-11-08 22:14 . 2008-11-25 20:48 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3
2008-10-27 21:13 . 2008-10-27 21:13 3,544,286 -ra------ C:\money backup Backup 406.mbf
2008-10-26 18:46 . 2008-11-24 22:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-26 18:46 . 2008-10-26 18:46 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-10-26 18:46 . 2008-10-26 18:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-26 18:46 . 2008-10-22 15:10 38,496 --a------ c:\windows\SYSTEM32\drivers\mbamswissarmy.sys
2008-10-26 18:46 . 2008-10-22 15:10 15,504 --a------ c:\windows\SYSTEM32\drivers\mbam.sys
2008-10-26 18:38 . 2008-10-26 18:38 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 03:00 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-05 01:28 --------- d-----w c:\program files\McAfee
2008-11-02 15:41 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-10-26 23:39 --------- d-----w c:\program files\Lavasoft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\dllcache\win32k.sys
2008-09-14 21:04 71,168 ----a-w c:\windows\SYSTEM32\LxrJD31s.exe
2008-09-14 21:04 61,440 ----a-w c:\windows\SYSTEM32\LxrJD20Sat.dll
2008-09-14 21:04 249,856 ----a-w c:\windows\SYSTEM32\LxrJD31.dll
2008-09-14 21:04 163,840 ----a-w c:\windows\SYSTEM32\LxrJD31c.exe
2008-09-14 21:04 146,432 ----a-w c:\windows\SYSTEM32\LxrJD31p.exe
2008-09-04 16:42 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-08-28 10:04 333,056 ----a-w c:\windows\SYSTEM32\dllcache\srv.sys
2005-06-26 14:04 212,849 ----a-w c:\program files\hijackthis.zip
2001-10-30 12:11 61,440 ----a-w c:\windows\INF\i386\onetUSD.dll
2001-10-02 13:58 36,864 ----a-w c:\windows\INF\i386\Wiamicro.dll
2001-09-28 13:00 139,264 ----a-w c:\windows\INF\i386\Rtscan.dll
2001-09-27 13:11 167,936 ----a-w c:\windows\INF\i386\viceo.dll
2001-01-18 21:13 12,400 ----a-w c:\windows\INF\i386\Usbscan.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="c:\progra~1\HPINST~1\plugin\bin\PCHButton.exe" [2001-11-06 155648]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-10-15 43008]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 4670968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.exe" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.exe" [2001-06-15 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.exe" [2001-10-30 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-15 77824]
"BtcMaestro"="c:\program files\HP Wireless Keyboard\KMaestro.exe" [2005-02-21 245760]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-22 1234712]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Check for OneTouch Updates.lnk - c:\program files\Visioneer OneTouch\WiseUpdt.exe [2003-03-02 166518]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-03-02 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-04-14 217088]
hp center UI.lnk - c:\program files\hp center\137903\Shadow\ShadowBar.exe [2001-11-06 69632]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.exe [1999-02-17 65588]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"vidc.iv41"= IR41_32.DLL
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-22 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-22 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-22 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-22 76040]
S2 0031061225848621mcinstcleanup;McAfee Application Installer Cleanup (0031061225848621);c:\windows\TEMP\[u]0[/u]03106~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S4 hpt3xx;hpt3xx; []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72be6e8a-ae0c-11dd-bbef-be4fb594b2cb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c42a9541-3d14-11da-b73d-00e018580454}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2002-02-16 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]
2002-02-16 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Notn - c:\documents and settings\Owner\Application Data\eber.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-DDCM - c:\program files\WildTangent\DDC\DDCManager\DDCMan.exe
HKLM-Run-DDCActiveMenu - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
HKLM-Run-checktime - c:\program files\HPSelect\Frontend\ct.exe
HKLM-Run-ist service uninstall - c:\windows\mstasks2.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy -
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 00:14:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-11-26 0:16:25
ComboFix-quarantined-files.txt 2008-11-26 05:15:27
Pre-Run: 59,386,785,792 bytes free
Post-Run: 59,443,048,448 bytes free
178 --- E O F --- 2008-11-22 08:00:52

Response Number 19

Name: jabuck
Date: November 25, 2008 at 22:02:09 Pacific

Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run Esets online scanner from this link:
ESET
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( Iwant to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

Response Number 20

Name: indymm
Date: November 26, 2008 at 04:39:03 Pacific

Reply:

After I put the CFScript.txt file into Combofix, do I need to go offline and turn off AVG before I run this?

Response Number 21

Name: jabuck
Date: November 26, 2008 at 07:37:11 Pacific

Reply:

No, we only do that while running the combofix program.

Response Number 22

Name: indymm
Date: November 26, 2008 at 10:13:28 Pacific

Reply:

Thanks for all of the help.
Here is the Eset log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3643 (20081126)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=686b658fcb816f45a7cf230b35fde44a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-26 05:46:57
# local_time=2008-11-26 12:46:57 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=205384
# found=0
# scan_time=4910

Response Number 23

Name: jabuck
Date: November 26, 2008 at 17:47:27 Pacific

Reply:

You computer appears to be clean
Navigate to and delete this folder:
C:\SDFix
Empty the recycle bin.
Go to start> run> combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Eset
You should keep AFT Cleaner and run it weekly.

You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster
Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?

Response Number 24

Name: indymm
Date: November 30, 2008 at 16:09:27 Pacific

Reply:

Sorry for delayed response, have been away.
All seems to be good and everything seems to be working fine.
Thank you very much for all your help and patience.

Response Number 25

Name: jabuck
Date: November 30, 2008 at 16:49:33 Pacific

Reply:

Glad we could help.

Sponsored Link

Ads by Google

Zlob Trojan virus

Unable to use anti-spywar...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: tdss-trojan, black screen/safe mode

trojan and blank safe mode

Summary

www.computing.net/answers/security/trojan-and-blank-safe-mode/16713.html

trojan-agent-tdss, safe mode only

Summary

www.computing.net/answers/security/trojanagenttdss-safe-mode-only/23812.html

XP Safe Mode Blank No Icons No TM

Summary

www.computing.net/answers/security/xp-safe-mode-blank-no-icons-no-tm/25626.html

From the Geek Dictionary
spyware - Spyware is software that spys on the activities on your computer then sends...

Ask a Question!

Weekly Poll
Do you think Comcast should have bought NBC?

Poll Finishes In 6 Days.
Discuss in The Lounge
Poll History

Recent Posts
Video not playing

PSU good enough?

ram shared vga

worm/virus prevents acces to regedit

bricked wrt54gs router

All Awaiting Reply

Tom's News
Verizon: iPhone is Digitally Clueless Beauty Queen

Nintendo DS Flash Cards are Legal Says Judge

Go Retro: Dragon's Lair Confirmed for iPhone

Sony's PSPgo May Get External UMD Reader

Report: Teen Internet Addicts Likely to Self-Harm

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE