
Yet another Google redirect virus

December 15, 2008 at 19:02:11
Specs: XP Professional, Core 2 Duo/T7100

Unfortunately, I've gotten the virus and from looking at other posts here I see that the steps are somewhat customized to each user. Could one of you wizards please walk me through restoring my WIFE'S COMPUTER back to good health before she kills me? Many thanks, Ron



#1
December 15, 2008 at 19:08:23

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
December 15, 2008 at 20:31:44

It appears that Anti-Malware did not load properly (nothing happens when I try to open it), and now I cannot even get it to uninstall itself so I can reload it. Tried downloading the installation program again, but that doesn't seem to work either. I'm totally screwed up here and SheWhoMustBeObeyed is asking questions...

Can you help? M'aidez!



#3
December 15, 2008 at 20:41:57

Download Malwarebytes again. When the box opens that asks where to download the program to, rename the mbam-setup.exe file to Ron.exe > click Save.

If it installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.



#4
December 16, 2008 at 03:54:42



#5
December 16, 2008 at 06:02:14

Hi, was trying to follow the instructions above in order to fix my google redirect problem but none of the links are working for me, which I suppose might be part of the virus. Please help. Thanks much :)


#6
December 16, 2008 at 08:34:55

M.Bowker, please start your own thread. Just state the problem, don't post any logs yet please.


#7
December 16, 2008 at 08:51:53

Tried downloading and renaming, but it appears to 'hang' during installation. I'm having some startup problems (XP Pro) and wondering if that is contributing. Can't get the Anti-Malware to run, or at least nothing seems to happen when I do. Shows up in my Processes, but no activity. Continuing help and advice appreciated!


#8
December 16, 2008 at 10:02:20

I am sorry - have created a new thread. Best luck, ron.


#9
December 16, 2008 at 15:07:12

Maybe it installed but could not run. Navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename the mbam.exe file, then try to run it again. If still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.



#10
December 16, 2008 at 16:53:18

Thank you for your help. I'm not finished yet, but I did discover something important for those of us who are so completely hijacked that we can't download or run the anti-malware programs. My sister (aka "the LAN Goddess") found this on www.Troublefixers.com and I am copying it verbatim. It fixed my problems with loading and running the software, at least. Maybe now we can get to the bottom of this.

We have received a comment on this post which will again help you remove go.google.com redirect virus given below

Last Method to Remove Go.google.com virus

Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.

Then search for “TDSSserv.sys”

Right click on it, and select “Disable”

Note: If you select Uninstall, it will install itself again when you reboot the system, so DON’T select Uninstall.

Restart your pc.

You can now update your Antivirus/Malware/Rootkit software and the go.google rubbish will stop.

It's now up to the Anti-Virus/Malware/Spyware companies to make an effort to stop this, and not rely on simple basic home PC users like myself to save the world.

In simple terms, TDSSserv.sys is a service/server redirecting all software updates to 127.0.0.1 (your own computer) so they won’t update.

Ron
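The post above describes the symptom as update traffic being redirected to 127.0.0.1. One place that kind of redirection is commonly planted, and the one SDFix later reports fixing ("Restoring Default Hosts File"), is the Windows hosts file, which is checked before DNS. The script below is an added example, not code from the thread or from Troublefixers: it parses a hosts file, flags watched update/download hosts that are mapped to loopback or 0.0.0.0, and produces a cleaned copy with only those entries removed. The hosts file content and the watched-domain list are constructed for the example. A driver such as the TDSSserv.sys described in the post can intercept traffic below the level this check sees, so a clean hosts file does not rule the driver out; it only clears one of the mechanisms.

```python
import ipaddress
import os
import sys

# Constructed sample hosts file (not from the thread): two update/download hosts
# pinned to loopback and one to 0.0.0.0, the way a hijacked machine might look.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid
127.0.0.1       www.malwarebytes.org
0.0.0.0         downloads.example-av.invalid
192.0.2.10      intranet.corp.invalid
"""

# Constructed watch list of hosts whose traffic should leave the machine.
# Extend it with the update hosts of whatever security products you run.
WATCHED_DOMAINS = {
    "www.malwarebytes.org",
    "update.example-av.invalid",
    "downloads.example-av.invalid",
}

# Destinations that silently swallow update traffic: loopback and the 0.0.0.0 black hole.
SINKHOLE_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/32"))


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an "ip host ..." line; skip it
        for host in parts[1:]:
            yield ip, host.lower()


def find_sinkholed(text, watched=WATCHED_DOMAINS):
    """Return sorted (hostname, ip) pairs for watched hosts mapped to a sinkhole address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in watched and any(ip in net for net in SINKHOLE_NETS):
            hits.append((host, str(ip)))
    return sorted(hits)


def clean_hosts(text, watched=WATCHED_DOMAINS):
    """Return hosts text with the sinkholed watched entries dropped; every other line is kept verbatim."""
    bad = {host for host, _ in find_sinkholed(text, watched)}
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and any(h.lower() in bad for h in fields[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Default to the live Windows hosts file; fall back to the sample when it is not readable.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for host, ip in find_sinkholed(text):
        print(f"{host} -> {ip}  (update traffic sinkholed)")
```

Run it with no argument on a Windows machine to inspect the live hosts file (administrator rights are needed to write a cleaned copy back), or pass a path to a copied hosts file taken from a machine under investigation. Entries not on the watch list are left alone deliberately, so a legitimate intranet mapping survives the clean-up.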



#11
December 16, 2008 at 17:01:45

Here is a link to the Troublefixers post...

http://www.troublefixers.com/remove...



#12
December 16, 2008 at 17:15:31

Yes, we use that procedure all the time. It just appeared that you were getting onto the net and downloading. It appeared that running was the issue you had.

You may still need to rename the programs before they will operate properly.

You may also need to rename them at the time of the download and not after they are on your desktop, so if they will not install, re-download them and rename them at the download site.



#13
December 16, 2008 at 18:50:58

They ran fine without renaming them.

Here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 2

12/16/2008 8:26:34 PM
mbam-log-2008-12-16 (20-26-34).txt

Scan type: Quick Scan
Objects scanned: 57669
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 6
Registry Keys Infected: 46
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 34

Memory Processes Infected:
C:\Documents and Settings\rmaxey\Local Settings\Temp\winloggn.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\rmaxey\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ssqPjijI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yfoxmhir.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnliGay.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\scprue.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nzntna.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a1850d5-48d8-43f4-a190-c1cb0456ec3d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6a1850d5-48d8-43f4-a190-c1cb0456ec3d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnligay (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{307a5fad-28ad-4f9e-ab7d-af5770e6d628} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{307a5fad-28ad-4f9e-ab7d-af5770e6d628} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2ffc8290-0553-4845-98c1-5e7bbb4fd3b5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2ffc8290-0553-4845-98c1-5e7bbb4fd3b5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6a1850d5-48d8-43f4-a190-c1cb0456ec3d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0015172f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgds4fgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgds4fgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ssqpjiji -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqpjiji -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ssqPjijI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\IjijPqss.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IjijPqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnliGay.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yfoxmhir.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rihmxofy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\scprue.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nzntna.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\rmaxey\Local Settings\Temp\winloggn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tjbbkxwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdnsvxgr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\1170644504.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\3655186714.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\rcsowmenax.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\esnmworaxc.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\__25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Network Monitor\netmon.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\atmtd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\jmaxey\GoToAssist_chat2way__317_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\rmaxey\Local Settings\Temp\TDSSf711.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

*************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:32 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\TEMP\CVC85C.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\rmaxey\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/s...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/s...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\jmaxey\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [HPMVTray] "C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\rmaxey\Application Data\Microsoft\sqhbhhs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://dc01:8059/officescan/console...
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://dc01:8059/officescan/console...
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://dc01:8059/officescan/console...
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - http://dc01:8059/SMB/console/html/r...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = glassdoctor.local
O17 - HKLM\Software\..\Telephony: DomainName = glassdoctor.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = glassdoctor.local
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = glassdoctor.local
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = glassdoctor.local
O20 - AppInit_DLLs: APSHook.dll scprue.dll nzntna.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 10081 bytes
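The HijackThis log above is read by eye in the thread, with the helper's warning that most of what it lists is harmless. The script below is an added example, not part of the thread and not a HijackThis feature: it applies three triage rules a responder would use on such a log and returns the entries worth a second look rather than a verdict. The rules are: an O4 autorun whose executable lives under a user profile in a Temp or Application Data directory; any O20 AppInit_DLLs entry not on an allow-list; and an O23 service HijackThis could not attribute to a publisher. The sample lines are copied from the log above; the allow-list is an assumption made for the example (APSHook.dll is treated as part of the HP ProtectTools software also visible in the log, which you should confirm on your own machine). On these lines it singles out sqhbhhs.exe under Application Data and the two AppInit DLLs, scprue.dll and nzntna.dll, which the Malwarebytes log above had already identified as Trojan.Vundo, and it also lists the Verizon uninstall tracker and the Linksys updater, which is why the output is a review list and not a removal list.

```python
import re

# Constructed excerpt in HijackThis format, built from lines in the log above
# (the entries are the thread's; the selection is ours).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\jmaxey\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\rmaxey\Application Data\Microsoft\sqhbhhs.exe
O20 - AppInit_DLLs: APSHook.dll scprue.dll nzntna.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Autoruns living under a user profile *and* in a scratch/data directory are rarely
# legitimate software installs; both conditions must hold for an entry to be flagged.
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\")
VOLATILE_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                 "\\application data\\", "\\applic~1\\")

# Assumed allow-list for AppInit_DLLs (example assumption, not a vendor list).
ALLOWED_APPINIT = {"apshook.dll"}


def exe_path(cmd):
    """Pull the executable out of an O4 command line, dropping quotes and arguments."""
    m = re.match(r'^"?(?P<exe>.+?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0].strip('"')


def triage_hjt(log_text, allowed_appinit=ALLOWED_APPINIT):
    """Return (section, reason, item, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            low = exe.lower()
            if any(h in low for h in USER_PROFILE_HINTS) and any(v in low for v in VOLATILE_DIRS):
                findings.append(("O4", "autorun launched from a user-profile scratch/data directory",
                                 m.group("name"), exe))
            continue
        m = O20_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                if dll.lower() not in allowed_appinit:
                    findings.append(("O20", "AppInit_DLLs entry not on the allow-list", dll, line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("O23", "service with no recognised publisher",
                             m.group("desc"), m.group("path")))
    return findings


if __name__ == "__main__":
    for section, reason, item, detail in triage_hjt(SAMPLE_HJT):
        print(f"[{section}] {item}: {reason}\n      {detail}")
```

AppInit_DLLs deserves the strictest rule because every DLL named there is loaded into every process that links user32.dll, which is exactly why the Vundo family used it; an unknown entry there is worth checking against the anti-malware log before anything else.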



#14
December 16, 2008 at 19:09:52

Make sure you have the newest version of Java, version 6 update 11. Go to Start > Control Panel > Java > General tab > About. If not, click the Update tab > Update Now.

Once you get SDFix downloaded, go offline and turn off your antivirus and any antispyware that you have, run SDFix from Safe Mode, and restart the antivirus before you get back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



#15
December 16, 2008 at 19:39:57


[b]SDFix: Version 1.240 [/b]
Run by Administrator on Tue 12/16/2008 at 09:14 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
TDSSserv.sys

[b]Path [/b]:
\systemroot\system32\drivers\TDSSpqlt.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted
C:\WINDOWS\system32\TDSSmtve.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 21:23:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoity.dll"
"tdssservers"="\systemroot\system32\TDSSmtve.dat"
"tdssmain"="\systemroot\system32\TDSSarxx.dll"
"tdsslog"="\systemroot\system32\TDSSvoql.dll"
"tdssadw"="\systemroot\system32\TDSScfbv.dll"
"tdssinit"="\systemroot\system32\TDSSdxcp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxp.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSxhyf.log"
"TDSSproc"="\systemroot\system32\TDSSkkai.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoity.dll"
"tdssservers"="\systemroot\system32\TDSSmtve.dat"
"tdssmain"="\systemroot\system32\TDSSarxx.dll"
"tdsslog"="\systemroot\system32\TDSSvoql.dll"
"tdssadw"="\systemroot\system32\TDSScfbv.dll"
"tdssinit"="\systemroot\system32\TDSSdxcp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxp.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSxhyf.log"
"TDSSproc"="\systemroot\system32\TDSSkkai.log"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"="C:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe:*:Enabled:HPMVInstall"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe:*:Enabled:HPMVMonitor"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe:*:Enabled:HPMVSelector"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe:*:Enabled:HPMVDriveMapper"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe:*:Enabled:HPEasyBackup"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe:*:Enabled:HPMVCheck"
"C:\\Program Files\\NewTech Infosystems\\NTI Shadow 3\\Shadow.exe"="C:\\Program Files\\NewTech Infosystems\\NTI Shadow 3\\Shadow.exe:*:Enabled:NTIShadow"
"C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\CDDIB32.exe"="C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\CDDIB32.exe:*:Enabled:NTIDriveBackup"
"C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\DIBExplor.exe"="C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\DIBExplor.exe:*:Enabled:NTIDIBExplorer"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\_is27.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\_is27.exe:*:Enabled:Setup.exe"
"C:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mstsc.exe"="C:\\WINDOWS\\system32\\mstsc.exe:*:Disabled:Remote Desktop Connection"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtRdp.exe"="C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtRdp.exe:*:Enabled:PowerTerm WebConnect RemoteView"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\hpmvcheck.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\hpmvcheck.exe:*:Enabled:HP Media Vault Automatic Firmware Check"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe:*:Enabled:HP Media Vault Monitor Application"
"C:\\WINDOWS\\system32\\mstsc.exe"="C:\\WINDOWS\\system32\\mstsc.exe:*:Enabled:Remote Desktop Connection"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe:*:Enabled:Media Vault Selection Application"
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"="C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe:*:Enabled:NASDriveMapper Application"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtVnc.exe"="C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtVnc.exe:*:Enabled:PowerTerm WebConnect SupportView"
"C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\winvnc.exe"="C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtRdp.exe"="C:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtRdp.exe:*:Enabled:PowerTerm WebConnect RemoteView"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 14 Dec 2008 21,505 ...H. --- "C:\WINDOWS\csrssc.exe"
Wed 23 Jan 2008 1,024 ...HR --- "C:\WINDOWS\system32\NTIDIB4.dll"

Finished!



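The catchme dump in the report above repays a close read. SDFix reports TDSSpqlt.sys and TDSSmtve.dat as deleted, but the service's modules key lists nine further files (TDSSoity.dll, TDSSarxx.dll, TDSSvoql.dll and so on) that no line marks as deleted, and the keys sit under ControlSet004 and ControlSet005 rather than the current control set. The script below is an added example for this thread, not code from SDFix, catchme or the thread itself: it parses the report's "path - Deleted" lines and catchme's registry dump, then reconciles the module list against the deleted list so the unaccounted-for files can be checked on disk. The embedded report text is an excerpt constructed from the log above; the line-format rules and the assumption that SystemRoot resolves to the WINDOWS directory on C: are this example's own.

```python
# Reconcile a TDSS service's module list against the files SDFix deleted.
# Added example for this thread; not SDFix, catchme or ComboFix code.
# Assumptions: SystemRoot is C:\WINDOWS on this machine, and the report uses
# the "<path> - Deleted" and catchme's [key] / "name"="value" line formats
# seen in the thread.
import re

# Constructed sample: an excerpt of the SDFix report posted above.
SAMPLE_REPORT = r"""
Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted
C:\WINDOWS\system32\TDSSmtve.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoity.dll"
"tdssservers"="\systemroot\system32\TDSSmtve.dat"
"tdssmain"="\systemroot\system32\TDSSarxx.dll"
"tdsslog"="\systemroot\system32\TDSSvoql.dll"
"tdssadw"="\systemroot\system32\TDSScfbv.dll"
"tdssinit"="\systemroot\system32\TDSSdxcp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxp.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSxhyf.log"
"TDSSproc"="\systemroot\system32\TDSSkkai.log"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoity.dll"
"tdssservers"="\systemroot\system32\TDSSmtve.dat"
"tdssmain"="\systemroot\system32\TDSSarxx.dll"
"tdsslog"="\systemroot\system32\TDSSvoql.dll"
"tdssadw"="\systemroot\system32\TDSScfbv.dll"
"tdssinit"="\systemroot\system32\TDSSdxcp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxp.log"
"tdsspanels"="\systemroot\system32\TDSSsahc.dll"
"tdsserrors"="\systemroot\system32\TDSSxhyf.log"
"TDSSproc"="\systemroot\system32\TDSSkkai.log"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:str\(2\):)?"([^"]*)"$')   # quoted values only; dword lines are skipped
DELETED_RE = re.compile(r"^([A-Za-z]:\\.+?) - Deleted$")
CONTROLSET_RE = re.compile(r"\\(controlset\d{3})\\", re.I)


def normalize(path):
    # Lower-case and map the NT-style \systemroot prefix onto the drive path
    # SDFix prints, so both spellings of one file compare equal.
    low = path.lower()
    if low.startswith("\\systemroot\\"):
        low = "c:\\windows\\" + low[len("\\systemroot\\"):]
    return low


def parse_report(text):
    # Returns (set of normalized deleted paths, {registry key: {name: value}}).
    deleted, keys, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted.add(normalize(m.group(1)))
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return deleted, keys


def leftover_components(text):
    # Module files referenced by any ...\Services\<svc>\modules key that the
    # report never marks as deleted, mapped to the control sets naming them.
    deleted, keys = parse_report(text)
    refs = {}
    for key, values in keys.items():
        if not key.lower().endswith("\\modules"):
            continue
        control_set = CONTROLSET_RE.search(key).group(1).lower()
        for path in values.values():
            refs.setdefault(normalize(path), set()).add(control_set)
    return {p: sorted(cs) for p, cs in refs.items() if p not in deleted}


if __name__ == "__main__":
    for path, sets in sorted(leftover_components(SAMPLE_REPORT).items()):
        print(f"{path}  (referenced by {', '.join(sets)})")
```

Two points follow from the output. First, the keys live in ControlSet004 and ControlSet005; HKLM\SYSTEM\Select records which numbered set is current and which is Last Known Good, so the same entries can sit in a stale set and be reactivated by a Last Known Good boot if that set is the one it points to. Second, deleting the service keys removes the loader but not the nine files it referenced; each leftover path still has to be confirmed absent on disk or submitted for analysis.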
#16
December 16, 2008 at 19:46:02

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Trend Micro antivirus and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



#17
December 16, 2008 at 19:50:12



#18
December 17, 2008 at 04:46:43


# From Ron_Maxey 20:30:02 12/16/2008 (reply).
I truly appreciate your help in getting my wife's machine fixed. "Happy Wife, Happy Life" is the correct saying, I believe.

The anti-spam filter is preventing me from posting this. Here is the Combofix log:

ComboFix 08-12-16.03 - rmaxey 2008-12-16 21:57:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.456 [GMT -6:00]
Running from: c:\documents and settings\rmaxey\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\rmaxey\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\rmaxey\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\rmaxey\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\108987494.exe
c:\windows\2684859586.exe
c:\windows\859725322.exe
c:\windows\csrssc.exe
c:\windows\system32\xxyxVNFy.dll
c:\windows\system32\yrwuwrjy.ini
c:\windows\Tasks\gglgcnuq.job
c:\windows\Tasks\pdqtjozx.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 21:54 . 2008-12-16 21:55 d-------- C:\32788R22FWJFW
2008-12-16 21:12 . 2008-12-16 21:12 d-------- c:\windows\ERUNT
2008-12-16 21:04 . 2008-12-16 21:25 d-------- C:\SDFix
2008-12-16 18:22 . 2008-12-16 18:22 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 18:22 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 18:22 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 18:21 . 2008-12-16 18:21 d-------- c:\documents and settings\rmaxey\Application Data\Malwarebytes
2008-12-16 17:16 . 2008-12-16 17:16 d-------- c:\program files\XoftSpySE
2008-12-15 22:34 . 2008-12-16 18:10 d--hs---- c:\windows\SmFuZSBNYXhleQ
2008-12-15 22:24 . 2008-12-16 18:10 d-------- c:\documents and settings\rmaxey\Application Data\Twain
2008-12-15 21:28 . 2008-12-16 18:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 20:37 . 2008-12-15 20:36 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 19:56 . 2008-12-15 19:56 d--h----- c:\windows\system32\GroupPolicy
2008-12-15 18:57 . 2008-12-15 18:57 70,144 --a------ c:\windows\system32\wvUmjggH.dll
2008-12-14 23:33 . 2008-12-16 18:19 160 --a------ c:\windows\o8w3jknuifedsdf.tmp
2008-12-14 23:33 . 2008-12-14 23:43 51 --a------ c:\windows\7hjhffd.bat
2008-12-14 22:08 . 2008-12-14 22:08 d-------- c:\temp\REX81
2008-12-14 22:08 . 2008-12-14 22:08 d-------- C:\Temp
2008-12-14 22:08 . 2008-12-14 22:08 10,752 --a------ c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 03:25 --------- d-----w c:\documents and settings\rmaxey\Application Data\OpenOffice.org2
2008-12-16 02:36 --------- d-----w c:\program files\Java
2008-12-10 23:51 --------- d-----w c:\program files\PokerStars.NET
2008-12-10 12:50 --------- d-----w c:\documents and settings\jmaxey\Application Data\Ericom
2008-12-10 12:44 --------- d-----w c:\documents and settings\jmaxey\Application Data\OpenOffice.org2
2008-11-03 02:37 --------- d-----w c:\documents and settings\jmaxey\Application Data\COMCASTTOOLBAR
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 12:13 60,744 ----a-w c:\documents and settings\jmaxey\g2mdlhlpx.exe
2008-02-04 23:07 557,056 ----a-w c:\documents and settings\jmaxey\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]

c:\documents and settings\jmaxey\Start Menu\Programs\Startup\
Mainstreet Computers, Inc. - PowerTerm WebConnect Application Zone by Ericom.lnk - c:\powerterm webconnect 5.6\vmterm.mainstreetcomp.com\ptagent.exe [2008-04-15 2307400]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\rmaxey\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2006-11-08 233744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-06 19:30 74240 c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll scprue.dll nzntna.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Shadow 3\\Shadow.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\CDDIB32.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\DIBExplor.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\PowerTerm WebConnect 5.6\\vmterm.mainstreetcomp.com\\PtRdp.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-04-22 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-03-29 13696]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-01-23 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-04-22 5808]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]
R2 HpFkCryptService;Drive Encryption Service;"c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [2007-04-22 221184]
R2 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" [2008-01-15 204800]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2007-09-17 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2007-09-17 36368]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2008-01-23 36608]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys [2008-01-23 33024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-12-10 10:37]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Verizon Custom Uninstall Tracking - c:\docume~1\jmaxey\LOCALS~1\Temp\InstallHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -

c:\windows\Downloaded Program Files\AtxEnc.dll - O16 -: {9BBB3919-F518-4D06-8209-299FC243FC30}
hxxp://dc01:8059/SMB/console/html/root/AtxEnc.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 22:03:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\Hewlett-Packard\IAM\bin\ocgina.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\bin\ItTal.dll
c:\program files\Hewlett-Packard\IAM\bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\Hewlett-Packard\IAM\Bin\TpmAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\TokenAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittalsnap.DLL
c:\program files\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItAuth.dll
c:\windows\system32\xenroll.dll
c:\windows\system32\IFXTSP.dll
c:\windows\system32\IfxSpArc.dll
c:\windows\system32\IFXTCSps.dll
c:\windows\system32\IfxSpMgt.dll
c:\program files\Hewlett-Packard\Embedded Security Software\IfxSpURsUS.dll
c:\windows\system32\IFXTPMCP.dll
c:\program files\Hewlett-Packard\Embedded Security Software\IfxTRsUS.dll
c:\program files\Hewlett-Packard\Embedded Security Software\IfxTrsMs.dll
c:\windows\system32\capicom.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
c:\program files\Trend Micro\Client Server Security Agent\NTRtScan.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Trend Micro\Client Server Security Agent\TmListen.exe
c:\windows\system32\java.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\windows\Temp\EBDA16.EXE
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-12-16 22:05:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 04:05:36

Pre-Run: 72,022,601,728 bytes free
Post-Run: 72,301,436,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

235 --- E O F --- 2008-12-17 03:31:33



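Several of the ComboFix findings above share three shapes: generated-looking names (108987494.exe, xxyxVNFy.dll, gglgcnuq.job, wvUmjggH.dll), executables sitting directly in c:\windows or in a Temp directory (csrssc.exe, c:\windows\Temp\EBDA16.EXE), and an AppInit_DLLs value naming scprue.dll and nzntna.dll, which Windows loads into every process that links user32.dll. The script below is an added example, not ComboFix code and not from the thread, that applies those three triage rules to the log text. Its sample input is an excerpt constructed from the log above; the scoring thresholds and the one-entry allowlist (APSHook.dll, assumed to belong to the HP ProtectTools suite the Run keys show installed) are assumptions made for the example.

```python
# Triage heuristics for a ComboFix log: generated file names, executables in
# the locations this infection dropped into, and unexpected AppInit_DLLs
# entries. Added example for this thread, not ComboFix code. Thresholds and
# the allowlist are assumptions for the example.
import ntpath
import re

# Constructed sample: excerpts from the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\windows\108987494.exe
c:\windows\csrssc.exe
c:\windows\system32\xxyxVNFy.dll
c:\windows\Tasks\gglgcnuq.job
2008-12-15 18:57 . 2008-12-15 18:57 70,144 --a------ c:\windows\system32\wvUmjggH.dll
2008-12-15 22:34 . 2008-12-16 18:10 d--hs---- c:\windows\SmFuZSBNYXhleQ
2008-12-14 23:33 . 2008-12-14 23:43 51 --a------ c:\windows\7hjhffd.bat
2008-12-14 22:08 . 2008-12-14 22:08 10,752 --a------ c:\windows\DCEBoot.exe
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"AppInit_DLLs"=APSHook.dll scprue.dll nzntna.dll
c:\windows\Temp\EBDA16.EXE
c:\program files\Trend Micro\Client Server Security Agent\NTRtScan.exe
"""

PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+', re.I)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
# Only score names inside the directories this infection wrote to.
SCOPE_RE = re.compile(r"^c:\\windows\\|\\temp\\", re.I)
# Assumed allowlist: APSHook.dll is taken to be part of the HP ProtectTools
# suite installed on this machine. In practice extend from a hash lookup.
APPINIT_ALLOWLIST = {"apshook.dll"}
VOWELS = set("aeiou")


def looks_generated(stem):
    # Crude lexical test for generated names: long digit strings, letter
    # strings with almost no vowels, or erratic case changes.
    if stem.isdigit():
        return len(stem) >= 6
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    case_switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or case_switches >= 3


def in_drop_location(path):
    # An .exe under any Temp directory, or an .exe/.bat directly in the
    # Windows directory root rather than a subfolder.
    low = path.lower()
    if "\\temp\\" in low and ntpath.splitext(low)[1] == ".exe":
        return True
    return re.fullmatch(r"c:\\windows\\[^\\]+\.(exe|bat)", low) is not None


def triage(log_text):
    # Returns a list of (rule, item) findings in log order, paths de-duplicated.
    findings, seen = [], []
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            for dll in m.group(1).split():
                if dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append(("appinit-dll", dll))
            continue
        for path in PATH_RE.findall(line):
            path = path.rstrip()
            if path not in seen:
                seen.append(path)
    for path in seen:
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if SCOPE_RE.search(path) and looks_generated(stem):
            findings.append(("generated-name", path))
        if in_drop_location(path):
            findings.append(("drop-location", path))
    return findings


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_LOG):
        print(f"{rule:15} {item}")
```

A name heuristic this crude will also score vendor binaries with acronym-style names, so treat the output as a ranking to check against a hash lookup or the vendor's file list, not as a verdict. The location rule relies on the log listing only files ComboFix created, deleted or saw running, which is what keeps explorer.exe and the other legitimate residents of the Windows root out of the results.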
#19
December 17, 2008 at 04:58:25

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\wvUmjggH.dll
c:\windows\o8w3jknuifedsdf.tmp
c:\windows\7hjhffd.bat

Folder::
C:\32788R22FWJFW
c:\windows\SmFuZSBNYXhleQ
c:\temp\REX81
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\TDSSserv.sys\modules]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Post a new Combofix log and a new SDFix log following the previous directions.

