Tom's Guide | Tom's Hardware | Tom's Games
Hello, I have this problem: Trojan-agent-tdss. I posted here last night on this site and this morning my post was not here any more. I really need help, folks... I have had the antivirus2008 problem, as well as the following trojans over the past week: Troj/FAKEAV-FE, softcashier fakealert, Troj/Jardo-A, Troj/Fortn-A, VBS/InfSR-A, Karna. Any help would be great, thanks.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
Thanks for your reply, Jabuck. When my comp restarted after SDFix ran, it would almost restart, then it would lock up, begin the restart again and would only let me start in Safe Mode, so if SDFix was supposed to run again, it didn't. I reran it and the loop continued. I was finally able to download Mbam, and it removed everything except this:
C:\Windows\system32\TDSSosvn.dat, which it was supposed to remove upon restart, but this restart loop is not allowing it to do so...
here is the info:
SDFix: Version 1.221
Run by Compaq_Owner on Thu 10/30/2008 at 05:49 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Compaq_Owner\Desktop\SDFix
Checking Services:
Name:
sysrest.sys
Path:
sysrest.sys - Deleted
Let's see if we can get you out of the boot loop. We will most likely need to edit the boot.ini file, but first we need to see it.
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.
Next, go to Start > My Computer > Local Disk C: > double click the boot.ini file > maximize the window with the middle box on the top right of your boot.ini/Notepad screen > highlight all the text in the window with your cursor > click Edit > Copy. Post that in your next reply please.
Here is the info :
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
The boot.ini file is normal.
Let's look elsewhere. Go to Start > Run > type in msconfig > press Enter > click the BOOT.INI tab > uncheck the box to the left of /safeboot if checked > Apply > OK. Restart the computer.
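The check Jabuck makes by eye, as an added example that is not part of the thread: it parses the boot.ini posted above, confirms the default entry points at an existing [operating systems] line, and reports any /safeboot switch, which is what the msconfig BOOT.INI tab writes and what would force Safe Mode on every boot. The second input is a constructed variant carrying that switch.

```python
import re

# The boot.ini posted in the thread, embedded here as an inline string.
BOOT_INI_FROM_THREAD = r"""[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed variant: the switch msconfig adds when /SAFEBOOT is ticked.
BOOT_INI_SAFEBOOT = BOOT_INI_FROM_THREAD.replace(
    "/fastdetect", "/fastdetect /safeboot:minimal")

# An [operating systems] value is "<label>" followed by boot switches.
ENTRY_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and key case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        # Split on the first "=" only: ARC paths and switches contain "=" too.
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """List the boot.ini conditions that would explain a forced Safe Mode loop."""
    problems = []
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries = sections.get("operating systems", [])
    default = loader.get("default")
    if default not in [arc for arc, _ in entries]:
        problems.append(
            f"default entry {default!r} has no matching [operating systems] line")
    for arc, value in entries:
        m = ENTRY_RE.match(value)
        if not m:
            problems.append(f"unparseable entry for {arc}: {value}")
            continue
        for switch in m.group("switches").split():
            if switch.lower().startswith("/safeboot"):
                problems.append(
                    f"{m.group('label')} boots with {switch}: every boot lands in Safe Mode")
    return problems


if __name__ == "__main__":
    print("thread boot.ini:", check_boot_ini(BOOT_INI_FROM_THREAD) or "normal")
    print("safeboot variant:", check_boot_ini(BOOT_INI_SAFEBOOT))
```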
That box wasn't checked, so I checked it, then unchecked it, and got an access denied error, but I am the only one on my comp so I have admin access.
Do not check the box, you could get in a worse boot loop.
You are using the computer giving you the problems to access the internet from Safe Mode with Networking, is this right?
Yes. I finally was able to download ComboFix and ran it, even though McAfee kept turning itself on; even so I ran ComboFix, and when it ran, it immediately rebooted my comp, and it rebooted normally. I told McAfee to trust what ComboFix was doing, and it did its thing. When the comp rebooted again, again successfully, ComboFix finished, SDFix was able to finish at last, and both found no traces of virus. These are the files ComboFix deleted:
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSScfgb.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSShrxx.dll
C:\WINDOWS\system32\TDSSkhyp.dll
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSmhxt.log
C:\WINDOWS\system32\TDSSmqxt.dll
C:\WINDOWS\system32\TDSSmtvd.dat
C:\WINDOWS\system32\TDSSnmxa.log
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSofxh.log
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoiqt.dll
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsahc.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSthym.log
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSvkql.dll
C:\WINDOWS\system32\TDSSxfum.dll
D:\Autorun.inf
these were under drivers and services:
-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
Things look normal. Should I post the rest of my ComboFix log and/or the SDFix log? I sure appreciate your help, Jabuck. These trojans are sure a pain; nonetheless it is clear that you have been a huge help. Many thanks!!!
Please post the entire combofix log, as all the baddies are usually not removed.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
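The review Jabuck asks for ("all the baddies are usually not removed"), done as a script. This is an added example, not code from the thread or from ComboFix: it walks a ComboFix-style log section by section, flags the TDSS artifacts named in this thread, and separates what the tool already reported as deleted from loading points that are still live. The sample log is constructed from the paths posted above; reading an empty `[ ]` after a boot-start driver as "no date/size recorded for the file" is an assumption about the log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape ComboFix prints, trimmed to a few lines
# per section; the paths are the ones quoted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\WINDOWS\system32\TDSSosvn.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv
-------\Legacy_SYSREST.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
S0 ljdv;ljdv;C:\WINDOWS\system32\drivers\lpiash.sys [ ]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 15576]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59902a82-bd73-11dc-a262-00112f7cab8d}]
\Shell\AutoRun\command - K:\setupSNK.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# TDSS drops files named TDSS + four letters under system32 (see the thread).
TDSS_FILE_RE = re.compile(r"\\TDSS[a-z]{4}\.(sys|dll|dat|log)$", re.IGNORECASE)
TDSS_SVC_RE = re.compile(r"^-+\\(Service|Legacy)_(TDSSserv|SYSREST)", re.IGNORECASE)
AUTORUN_INF_RE = re.compile(r"^[D-Zd-z]:\\autorun\.inf$", re.IGNORECASE)
# "S0 name;description;path [date size]"; an empty bracket is taken to mean
# ComboFix could not read the driver file (assumption, see lead-in).
DRIVER_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\", re.IGNORECASE)
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)

# Sections whose entries ComboFix reports as already removed.
REMOVED_SECTIONS = {"Other Deletions", "Drivers/Services"}


@dataclass(frozen=True)
class Finding:
    kind: str    # tdss_file | tdss_service | drive_autorun_inf | boot_driver_unreadable | removable_autorun
    status: str  # "removed": listed under a deletion section; "live": still a loading point
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and collect TDSS-related indicators."""
    findings: list[Finding] = []
    section = ""
    in_mountpoint = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            in_mountpoint = False
            continue
        status = "removed" if section in REMOVED_SECTIONS else "live"
        if MOUNTPOINT_RE.match(line):
            in_mountpoint = True       # following lines belong to this key
            continue
        if line.startswith("["):
            in_mountpoint = False      # a different registry key begins
        if in_mountpoint:
            cmd = AUTORUN_CMD_RE.match(line)
            if cmd:
                findings.append(Finding("removable_autorun", status, cmd.group("cmd")))
            continue
        if TDSS_SVC_RE.match(line):
            findings.append(Finding("tdss_service", status, line))
        elif DRIVE_PATH_RE.match(line) and TDSS_FILE_RE.search(line):
            findings.append(Finding("tdss_file", status, line))
        elif AUTORUN_INF_RE.match(line):
            findings.append(Finding("drive_autorun_inf", status, line))
        else:
            drv = DRIVER_RE.match(line)
            if drv and drv.group("start") in ("S0", "R0") and not drv.group("meta").strip():
                findings.append(Finding("boot_driver_unreadable", status, drv.group("path")))
    return findings


def still_live(findings: list[Finding]) -> list[Finding]:
    """What a helper would ask about next: indicators not under a deletion section."""
    return [f for f in findings if f.status == "live"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.status:8} {f.kind:24} {f.detail}")
```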
ComboFix 08-10-30.09 - Compaq_Owner 2008-10-30 21:44:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSScfgb.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSShrxx.dll
C:\WINDOWS\system32\TDSSkhyp.dll
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSmhxt.log
C:\WINDOWS\system32\TDSSmqxt.dll
C:\WINDOWS\system32\TDSSmtvd.dat
C:\WINDOWS\system32\TDSSnmxa.log
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSofxh.log
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoiqt.dll
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsahc.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSthym.log
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSvkql.dll
C:\WINDOWS\system32\TDSSxfum.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-31 )))))))))))))))))))))))))))))))
.
2008-10-30 15:19 . 2008-10-30 16:22 <DIR> d--h----- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-30 15:19 . 2008-10-30 15:19 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-10-30 15:19 . 2008-10-30 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-30 15:19 . 2008-10-22 16:27 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-30 15:19 . 2008-10-22 16:27 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-30 00:41 . 2008-10-30 00:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-30 00:39 . 2008-10-30 17:39 <DIR> d-------- C:\SDFix
2008-10-30 00:31 . 2008-10-30 00:31 <DIR> d--h----- C:\Program Files\Trend Micro
2008-10-30 00:25 . 2008-10-30 01:25 <DIR> d--h----- C:\Program Files\SpywareBlaster
2008-10-29 22:43 . 2008-10-29 22:43 18 --ah----- C:\SYSREST
2008-10-29 19:38 . 2008-10-29 19:38 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-28 19:27 . 2008-10-28 19:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-10-24 17:32 . 2008-10-24 17:32 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-10-22 14:59 . 2008-10-22 15:18 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-22 14:31 . 2008-10-03 12:41 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-22 14:31 . 2008-08-26 02:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-22 14:31 . 2008-08-26 02:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-22 14:31 . 2008-08-26 02:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-22 14:31 . 2008-08-26 02:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-22 14:31 . 2008-08-26 02:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-22 14:31 . 2008-08-25 03:38 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-10-21 02:11 . 2008-10-21 02:11 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\Application Data\ATI
2008-10-21 02:10 . 2008-10-21 02:10 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\Application Data\Ideazon
2008-10-21 02:09 . 2004-08-10 10:30 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\WINDOWS
2008-10-21 02:09 . 2004-08-11 08:55 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\Application Data\Symantec
2008-10-21 02:09 . 2004-08-10 11:16 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\Application Data\SampleView
2008-10-21 02:09 . 2004-08-10 10:28 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT\Application Data\Apple Computer
2008-10-21 02:09 . 2008-10-21 02:09 <DIR> d-------- C:\Documents and Settings\SECOND ACCOUNT
2008-10-21 01:09 . 2008-10-30 21:52 3,599 --a------ C:\WINDOWS\system32\Config.MPF
2008-10-21 01:05 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-10-21 01:05 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-10-21 01:05 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-10-21 01:05 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-10-21 01:05 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-10-21 01:05 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-10-21 01:04 . 2008-10-21 01:05 <DIR> d--h----- C:\Program Files\McAfee.com
2008-10-21 01:04 . 2008-10-21 12:08 <DIR> d--h----- C:\Program Files\McAfee
2008-10-21 01:04 . 2008-10-21 01:05 <DIR> d--h----- C:\Program Files\Common Files\McAfee
2008-10-21 00:49 . 2008-10-21 01:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-21 00:45 . 2008-10-21 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-10-21 00:40 . 2008-10-21 00:40 <DIR> d--h----- C:\Program Files\ATI
2008-10-20 23:26 . 2008-10-20 23:26 <DIR> d--h----- C:\Program Files\Common Files\PC Tools
2008-10-19 23:40 . 2008-10-19 23:40 74 --a------ C:\WINDOWS\st_affiliate.ini
2008-10-07 02:53 . 2008-10-07 03:54 <DIR> d--h----- C:\Program Files\Gamesville
2008-10-07 02:53 . 2008-10-07 02:53 <DIR> d--h----- C:\Program Files\GamesBar
2008-10-07 02:53 . 2008-10-07 02:53 <DIR> d--h----- C:\Program Files\Common Files\Oberon Media
2008-10-07 02:53 . 2008-10-07 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-09-23 20:38 . 2008-10-24 12:12 55,160 --a------ C:\WINDOWS\system32\ativvaxx.cap
2008-09-17 22:06 . 2008-10-24 20:40 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 00:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hoyle Casino
2008-10-25 01:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-25 00:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 15:04 --------- d--h--w C:\Program Files\Common Files\Symantec Shared
2008-10-21 07:13 --------- d--h--w C:\Program Files\Symantec
2008-10-21 06:03 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2008-10-21 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-21 05:38 --------- d--h--w C:\Program Files\ATI Technologies
2008-10-19 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-10-10 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dillie-O Digital
2008-10-04 08:27 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hoyle FaceCreator
2008-09-24 03:09 3,331,072 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-09-24 02:18 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-09-24 02:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-09-24 02:04 581,632 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-09-24 01:18 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-09-24 01:18 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-10 04:12 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\ErrorRepairTool
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-30 17:00 90,112 ----a-w C:\WINDOWS\system32\atibrtmon.exe
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2005-08-06 04:39 50,518 -c-ha-w C:\Program Files\japan_hiroshima_dc.htm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 180269]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.exe" [2005-09-14 65536]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 158208]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 C:\WINDOWS\ALCWZRD.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
2003-09-03 08:14 49152 C:\WINDOWS\system32\Winlognotif.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.uyvy"= C:\WINDOWS\system32\msyuv.dll
"vidc.yuy2"= ATIVYUY.DLL
"VIDC.YU12"= ATIYUV12.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--ah----- 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--ah----- 2004-06-15 23:17 69705 C:\Program Files\ATI Multimedia\main\atidtct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
--ah----- 2004-06-15 23:22 106571 C:\Program Files\ATI Multimedia\main\LaunchPd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--ah----- 2004-08-27 00:51 200704 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--ah----- 2005-05-03 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 16:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 09:59 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\WINDOWS\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--ah----- 2003-09-15 22:00 270336 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionViewPort]
--ah----- 2003-09-15 22:00 364544 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 10:03 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--ah----- 2007-11-01 18:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 14:13 98304 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 22:43 233472 C:\WINDOWS\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 01:31 118784 C:\WINDOWS\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--ah----- 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--ah----- 2004-08-10 10:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--ah----- 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-04-12 01:10 65536 C:\WINDOWS\ALCMTR.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-04-06 18:53 2805248 C:\WINDOWS\ALCWZRD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-04-06 18:57 90112 C:\WINDOWS\SOUNDMAN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"iPodService"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\SG2\\SG2Browser.exe"=
"C:\\Program Files\\SG2\\SG2 PC Analizer.exe"=
"C:\\Program Files\\2Wire\\2PortalMon.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S0 ljdv;ljdv;C:\WINDOWS\system32\drivers\lpiash.sys [ ]
S0 xsrb;xsrb;C:\WINDOWS\system32\drivers\uodealze.sys [ ]
S3 hwi4857;Duo Digital Media Player;C:\WINDOWS\system32\Drivers\hwi4857.sys [2001-12-20 10532]
S3 PortRST;BaromTec HMS30C6001 Reset Driver;C:\WINDOWS\system32\Drivers\PortRST.sys [2001-08-06 12721]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 15576]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59902a82-bd73-11dc-a262-00112f7cab8d}]
\Shell\AutoRun\command - K:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-21 C:\WINDOWS\Tasks\ErrorRepairTool Scheduled Scan.job
- C:\Program Files\ErrorRepairTool\ErrorRepairTool.exe []
2008-10-21 C:\WINDOWS\Tasks\ErrorRepairTool Scheduled Scan.job
- C:\Program Files\ErrorRepairTool []
2008-10-21 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-10-21 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AntiSpywareXP 2009 - C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe
MSConfigStartUp-ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-brastk - C:\WINDOWS\system32\brastk.exe
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe
MSConfigStartUp-KBD - C:\HP\KBD\KBD.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-WildTangent CDA - C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
MSConfigStartUp-WT GameChannel - C:\Program Files\WildTangent\Apps\GameChannel.exe
MSConfigStartUp-Logitech Utility - Logi_MwX.exe
MSConfigStartUp-VTTimer - VTTimer.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 -: HKLM-Main,Start Page = hxxp://yahoo.sbc.com/dsl
R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O8 -: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 21:50:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------- Other Running Processes -------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\DOCUME~1\COMPAQ~1\Desktop\SDFix\dnif.exe
C:\WINDOWS\system32\verclsid.exe
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:19 AM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\ALCWZRD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\USB Disk Win98 Driver\Res.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] "C:\Program Files\USB Disk Win98 Driver\Res.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexp...
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5793 bytes
Here as requested are the files, Jabuck :-)
Actually cleaned up better than normal.
Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run". Post a new ComboFix log following the previous directions.
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
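As an added illustration, not part of this thread and not code from HijackThis: a small Python script that parses a log of the kind posted above and pulls out what the helper checked by eye. It finds the JRE version embedded in the O9 paths (the reply above flags jre1.6.0_02 as out of date against the JRE 6 Update 10 it asks you to install), lists the O4 autorun entries with the executable each one launches, and lists O23 services that HijackThis reports as "Unknown owner". The sample log is a constructed subset of the entries in this thread; the version cut-off (1.6.0_10) and the function names are my choices, not anything the tool provides.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the HijackThis log
# posted in this thread, trimmed to the types the helpers below handle.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# HijackThis prefixes every entry with a type code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: Display name (short name) - Company - path
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A JRE install directory embedded in any path, e.g. \jre1.6.0_02\
JRE_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)


def parse_hjt(text):
    """Group HijackThis entries by their type code; lines that are not entries are ignored."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("type")].append(m.group("body"))
    return dict(entries)


def autorun_path(cmd):
    """Executable part of a Run-key command line: the quoted path, or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def autoruns(entries):
    """(hive, value name, executable) for every O4 autorun entry, in log order."""
    out = []
    for body in entries.get("O4", []):
        m = O4_RE.match(body)
        if m:
            out.append((m.group("hive"), m.group("name"), autorun_path(m.group("cmd"))))
    return out


def installed_jre_versions(entries):
    """Sorted, de-duplicated JRE versions seen in any path anywhere in the log."""
    seen = set()
    for bodies in entries.values():
        for body in bodies:
            for m in JRE_RE.finditer(body):
                seen.add(tuple(int(x) for x in m.groups()))
    return sorted(seen)


def java_outdated(entries, minimum=(1, 6, 0, 10)):
    """JRE versions below `minimum`. The default is JRE 6 Update 10, the build the
    helper asked for in this thread; treating it as the bar is an assumption."""
    return [v for v in installed_jre_versions(entries) if v < minimum]


def unknown_owner_services(entries):
    """O23 services HijackThis could not attribute to a vendor. Not automatically
    malicious (the ATI entry in the sample is legitimate) but worth a second look."""
    out = []
    for body in entries.get("O23", []):
        m = O23_RE.match(body)
        if m and m.group("owner").lower() == "unknown owner":
            out.append((m.group("name"), m.group("path")))
    return out


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print("autoruns:", autoruns(log))
    print("outdated JRE:", java_outdated(log))
    print("unknown-owner services:", unknown_owner_services(log))
```

The version check deliberately scans every entry rather than only O9, because the JRE path also shows up in O2 browser helper objects and O16 download entries on other logs; anything the script flags still needs the same human judgement the helper applied here.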
Did as instructed on Java, uninstall, then reinstall new version. When you say, "Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page." What do you want me to paste into Notepad?
This:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
Sorry Jabuck, forgive my ignorance, but where is this info you would like me to post?
There is no need to post anything yet, let's run this online scan as a double check. Pending the online scan the computer appears clean.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.
This looks good!!!
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3575 (20081031)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5ff05603ba00304ab526d7e38fa4d7a8
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-01 11:47:14
# local_time=2008-11-01 06:47:14 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=361585
# found=0
# scan_time=6353
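An added example, not from the thread and not ESET's code: the summary above is a block of "# key=value" lines, and the reply reads it by eye for found=0. This Python snippet parses that header and applies the conditions the helper set for the scan (remove_checked=false, unwanted_checked=true, scan finished), plus one check the thread does not mention: how old the signature database was on scan day, taken from the date in vers_standard_module (20081031) against utc_time. The sample is a constructed copy of the header lines posted here; the three-day freshness threshold and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the summary header the ESET online scanner wrote in the
# log posted above, reduced to the lines the checks below use.
SAMPLE_ESET = """\
# version=4
# vers_standard_module=3575 (20081031)
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-01 11:47:14
# osver=5.1.2600 NT Service Pack 2
# scanned=361585
# found=0
# scan_time=6353
"""

# vers_standard_module looks like "3575 (20081031)": build number, then YYYYMMDD.
MODULE_RE = re.compile(r"^(?P<build>\d+) \((?P<date>\d{8})\)$")


def parse_eset_summary(text):
    """Turn the '# key=value' header lines into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#") or "=" not in line:
            continue
        key, value = line[1:].split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def signature_age_days(fields):
    """Days between the signature database date and the scan's UTC time,
    or None when either value is missing or does not parse."""
    m = MODULE_RE.match(fields.get("vers_standard_module", ""))
    if not m or "utc_time" not in fields:
        return None
    db_date = datetime.strptime(m.group("date"), "%Y%m%d")
    scan_time = datetime.strptime(fields["utc_time"], "%Y-%m-%d %H:%M:%S")
    return (scan_time - db_date).days


def assess(fields, max_db_age_days=3):
    """Apply the helper's conditions (report-only run, unwanted applications
    included, scan completed) and a freshness check on the signatures: a clean
    result from a stale database is weak evidence. The 3-day threshold is an
    assumption for this example, not an ESET recommendation."""
    problems = []
    if fields.get("end") != "finished":
        problems.append("scan did not finish")
    if fields.get("remove_checked") != "false":
        problems.append("ran with 'Remove found threats' on; nothing left to review")
    if fields.get("unwanted_checked") != "true":
        problems.append("'Scan unwanted applications' was off")
    age = signature_age_days(fields)
    if age is None or age > max_db_age_days:
        problems.append("signature database missing or older than %d days" % max_db_age_days)
    try:
        found = int(fields.get("found", ""))
    except ValueError:
        found = None
        problems.append("no 'found' count in the summary")
    return {
        "found": found,
        "signature_age_days": age,
        "clean": found == 0 and not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print(assess(parse_eset_summary(SAMPLE_ESET)))
```

For the log posted here the database was one day old at scan time, every condition holds and found is 0, so the verdict agrees with the helper's "this looks good"; change any one field (found=2, end=aborted, a September database) and the same function explains which condition failed instead of silently reporting clean.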
Ahh much better sooo sooo much better! The only damage may have been my video processor or it just may have been its time. But either way, Trojan idiots 1, Computer.net and Jabuck 100! Thanks a million, D
I had similar problems with the TDSS items and followed your recommendations on using SDFix in this thread and I think I may be finally cleared up thanks to your help. Latest updated SpybotSD says
"Congratulations!: No immediate threats were found" but I wanted to post my Hijack log for your blessings as there were some entries regarding bratesk (sp).
Thanks,
mmcalli
mmcalli, please start a thread of your own and state your problem as you have here. No logs please.
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.