Google redirecting and TDSS problem [RESOLVED]


This topic is locked

#1 MVV (Member, 87 posts)
Google is redirecting me to ad sites and other crap, and even after using Malwarebytes I still get tdss as the problem. I also had a problem with AntiSpyware XP 2009.

Here is a HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:21 PM, on 10/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6285 bytes

Edited by MVV, 25 October 2008 - 09:32 PM.
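
The single entry in the log above that a triager should pick out first is the O20 line "AppInit_DLLs: karna.dat": any DLL named in that value is mapped into every process that loads user32.dll, which is exactly the foothold a redirector needs. The script below is an added example, not code from this thread or from HijackThis; it parses HJT-format entry lines and applies a few heuristics of this editor's own (not HijackThis's rules) to a constructed excerpt built from entries in the post above, with one clean O4 line (the AVG tray) for contrast.

```python
"""Triage HijackThis entry lines for the load points that matter in a
TDSS-style infection.  Added example, not code from the thread or from
HijackThis; the rules are this editor's heuristics."""
import re

# Constructed excerpt: entries quoted in the post above plus one clean O4
# line (AVG tray) for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] 1
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text):
    """Yield (section, body) for each HJT entry; header and process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text):
    """Return findings as (severity, section, reason, detail) tuples."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is mapped into every process that loads user32.dll
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(("high", sec, "AppInit_DLLs injection", value))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            # Notification packages run inside winlogon.exe; verify the vendor
            findings.append(("info", sec, "Winlogon notify package", body))
        elif sec == "O3" and body.endswith("(no file)"):
            # Orphaned CLSID: harmless by itself, a leftover of a removed component
            findings.append(("low", sec, "orphaned toolbar CLSID", body))
        elif sec == "O4":
            m = RUN_RE.search(body)
            target = m.group("target") if m else ""
            if not DRIVE_RE.search(target):
                # A Run value whose data is not a path ("1", "?") deserves a look
                findings.append(("medium", sec, "Run value without a file path", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(("low", sec, "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for severity, sec, reason, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {sec:4} {reason}: {detail}")
```

Run against the excerpt, the only "high" finding is karna.dat; the AVG tray entry produces nothing, while the "Yahoo! Pager = 1" value is flagged for a second look simply because it is not a path.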


#2 Egwene (Visiting Consultant, 2,141 posts)
Hello MVV !

Welcome to the site! :) My name's Egwene and I'll be helping clean up your computer. :)

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Regards,
Egwene.

#3 MVV (Topic Starter, 87 posts)
Something bad just happened and I'm only able to log on through Safe Mode as the screen goes blue and says:

Stop: C0000218 Unknown Hard Error
Unknown Hard Error

How screwed am I?

Is it possible to use the ComboFix in Safe Mode?

Edited by MVV, 26 October 2008 - 02:40 AM.


#4 Egwene (Visiting Consultant, 2,141 posts)
Hello,

Don't use ComboFix in safe mode, please use this tool instead:

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Reboot into normal mode.

Regards,
Egwene.

#5 MVV (Topic Starter, 87 posts)
I'm still getting the blue screen Stop: C0000218 Unknown Hard Error
Unknown Hard Error, when I try to boot normally.


SDFix: Version 1.237
Run by Mike on Sun 10/26/2008 at 03:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\MIKE\COOKIES\FAWOFEJY.DLL - Deleted
C:\DOCUME~1\MIKE\COOKIES\OTIWUZ~1.VBS - Deleted
C:\DOCUME~1\MIKE\COOKIES\YRIQUW~1.VBS - Deleted
C:\WINDOWS\system32\rtc.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 16:01:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
"tdssmain"="\systemroot\system32\TDSScfgb.dll"
"tdsslog"="\systemroot\system32\TDSSfpmp.dll"
"tdssadw"="\systemroot\system32\TDSSnmxa.dll"
"tdssinit"="\systemroot\system32\TDSSsbhc.dll"
"tdssurls"="\systemroot\system32\TDSSthym.log"
"tdsspanels"="\systemroot\system32\TDSStkdv.dll"
"tdssserf"="\systemroot\system32\TDSSbubx.dll"
"tdsserrors"="\systemroot\system32\TDSSvvbi.log"
"TDSSproc"="\systemroot\system32\TDSSbivk.log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"tdssservers"="\systemroot\system32\TDSSosvd.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfum.dll"
"tdssinit"="\systemroot\system32\TDSSfxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSrhym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqh.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"tdssservers"="\systemroot\system32\TDSSosvd.dat"
"tdssmain"="\systemroot\system32\TDSSnrsr.dll"
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfum.dll"
"tdssinit"="\systemroot\system32\TDSSfxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSrhym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\utorrent.exe"="C:\\Program Files\\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 28 Apr 2004 238,792 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Nov 2006 104 ..SH. --- "C:\WINDOWS\Microsoft.NET\ergafx.dll"
Sat 1 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 20 Apr 2006 782 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Sun 23 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

Finished!

Edited by MVV, 26 October 2008 - 02:11 PM.
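
The catchme section of this report deserves a close read. Its summary counters at the end say "hidden services: 0", but under "scanning hidden services & system hive" it dumped four service keys named TDSSserv.sys (two of them with a stray ")" in the name) across CurrentControlSet and ControlSet002, each with start=1 (SYSTEM_START) and type=1 (KERNEL_DRIVER), an imagepath under system32\drivers, and a modules subkey listing the rest of the on-disk components. Pulling every path out of those blocks gives the removal worklist; the same file names reappear in ComboFix's "Other Deletions" list later in the thread. The script below is an added example, not code from this thread or from SDFix/catchme; SAMPLE_DUMP is a constructed excerpt of the dump above (two of the four keys), and the START_TYPES/SERVICE_TYPES tables are the standard Windows service constants.

```python
"""Turn the registry blocks catchme prints for hidden services into a
removal worklist.  Added example, not code from the thread or from
SDFix/catchme."""
import re

# Constructed excerpt of the catchme output above: two of the four keys.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqxt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqh.dll"
"tdssservers"="\systemroot\system32\TDSSosvn.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys)]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys)\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSmaxt.sys"
"TDSSl"="\systemroot\system32\TDSSofxh.dll"
"""

# Standard Windows service constants (winnt.h); only the common ones
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
SERVICE_TYPES = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER",
                 16: "WIN32_OWN_PROCESS", 32: "WIN32_SHARE_PROCESS"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\]+)$", re.I)


def decode_value(raw):
    """dword:xxxxxxxx -> int; str(2):"..." and "..." -> str."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("str(2):"):
        raw = raw[len("str(2):"):]
    return raw.strip('"')


def parse_reg_dump(text):
    """Return {key_path: {value_name: value}} for a catchme/regedit-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("raw"))
    return keys


def hidden_services(keys):
    """One record per Services\\<name> key, with its modules subkey attached."""
    services = []
    for key, values in keys.items():
        m = SERVICE_RE.match(key)
        if not m:
            continue
        services.append({
            "control_set": m.group("cs"),
            "name": m.group("svc"),
            "start": START_TYPES.get(values.get("start"), values.get("start")),
            "type": SERVICE_TYPES.get(values.get("type"), values.get("type")),
            "imagepath": values.get("imagepath"),
            "modules": dict(keys.get(key + "\\modules", {})),
        })
    return services


def artifact_paths(services):
    """Every on-disk path the hidden services reference, deduplicated across control sets."""
    paths = set()
    for s in services:
        if s["imagepath"]:
            paths.add(s["imagepath"])
        paths.update(s["modules"].values())
    return sorted(paths)


if __name__ == "__main__":
    svcs = hidden_services(parse_reg_dump(SAMPLE_DUMP))
    for s in svcs:
        print(f"{s['control_set']}: {s['name']} start={s['start']} "
              f"type={s['type']} image={s['imagepath']}")
    print("\n".join(artifact_paths(svcs)))
```

Collecting across control sets matters here: ControlSet002 carries a second driver (TDSSmaxt.sys) and a second set of DLLs that a cleanup limited to CurrentControlSet would leave behind for the next boot that uses that control set.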

#6 Egwene (Visiting Consultant, 2,141 posts)
Hello,

Please try running ComboFix in safe mode now and post me the report.

Regards,
Egwene.

#7 MVV (Topic Starter, 87 posts)
It asked me if I want to download an updated version of ComboFix, should I do it or would it matter?

#8 Egwene (Visiting Consultant, 2,141 posts)

MVV wrote: It asked me if I want to download an updated version of ComboFix, should I do it or would it matter?

Yep, download the updated version and scan with it :)

#9 MVV (Topic Starter, 87 posts)
The updated copy failed to download. So I just went ahead with the older version.

ComboFix 08-10-24.02 - Mike 2008-10-26 18:54:14.7 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.351 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\Drivers\TDSSmaxt.sys
C:\WINDOWS\system32\TDSSbivk.log
C:\WINDOWS\system32\TDSSbubx.dll
C:\WINDOWS\system32\TDSSbubx.log
C:\WINDOWS\system32\TDSScfgb.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSSnmxa.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnrsr.dll
C:\WINDOWS\system32\TDSSofxh.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\TDSSosvn.dat
C:\WINDOWS\system32\TDSSrhym.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSthym.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS)
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-26 15:40 . 2008-10-26 15:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 15:37 . 2008-10-26 16:05 <DIR> d-------- C:\SDFix
2008-10-23 18:04 . 2008-10-23 18:04 18,773 --a------ C:\WINDOWS\uvozysyje.inf
2008-10-23 18:04 . 2008-10-23 18:04 18,434 --a------ C:\Documents and Settings\Mike\Application Data\boxuwyder.reg
2008-10-23 18:04 . 2008-10-23 18:04 18,124 --a------ C:\WINDOWS\SYSTEM32\hasy.vbs
2008-10-23 18:04 . 2008-10-23 18:04 16,834 --a------ C:\Documents and Settings\All Users\Application Data\ocyqyxal.dat
2008-10-23 18:04 . 2008-10-23 18:04 16,490 --a------ C:\Documents and Settings\All Users\Application Data\gohypiwuvi.dat
2008-10-23 18:04 . 2008-10-23 18:04 15,226 --a------ C:\WINDOWS\reha.lib
2008-10-23 18:04 . 2008-10-23 18:04 14,378 --a------ C:\WINDOWS\SYSTEM32\cawavip.bin
2008-10-23 18:04 . 2008-10-23 18:04 14,095 --a------ C:\WINDOWS\macajeb._dl
2008-10-23 18:04 . 2008-10-23 18:04 14,033 --a------ C:\WINDOWS\acowyjuj.reg
2008-10-23 18:04 . 2008-10-23 18:04 13,317 --a------ C:\WINDOWS\jyza.reg
2008-10-23 18:04 . 2008-10-23 18:04 11,939 --a------ C:\Program Files\Common Files\libegisu.exe
2008-10-23 18:04 . 2008-10-23 18:04 11,276 --a------ C:\WINDOWS\yriw.ban
2008-10-23 18:04 . 2008-10-23 18:04 11,004 --a------ C:\WINDOWS\lude._sy
2008-10-23 17:55 . 2008-10-23 17:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\AVGTOOLBAR
2008-10-06 19:47 . 2008-10-06 19:46 33,846 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2008-10-06 19:47 . 2008-10-06 19:47 3,400 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2008-10-06 19:45 . 2008-10-06 19:46 10,886,008 --a------ C:\Program Files\dBpoweramp-Codec-WMA10Pro.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-25 06:46 --------- d-----w C:\Program Files\Soulseek
2008-10-25 01:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-24 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-24 01:36 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-24 00:04 14,302 ----a-w C:\Program Files\Common Files\doleteq._sy
2008-10-24 00:04 12,061 ----a-w C:\Program Files\Common Files\uqegakeji._dl
2008-10-21 06:38 --------- d-----w C:\Documents and Settings\Mike\Application Data\uTorrent
2008-10-17 07:03 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Move Networks
2008-10-04 04:06 --------- d-----w C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-09-26 05:55 --------- d-----w C:\Program Files\ratDVD
2008-09-26 05:48 4,730,740 ----a-w C:\Program Files\ratDVDSetup-0.78.1444.exe
2008-09-09 03:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-09 03:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 06:11 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 06:11 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-04 23:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-30 11:55 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-29 21:15 --------- d-----w C:\Documents and Settings\Lucy63\Application Data\AVGTOOLBAR
2008-08-28 21:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 06:54 --------- d-----w C:\Program Files\iTunes
2008-08-28 06:53 --------- d-----w C:\Program Files\iPod
2008-08-28 06:52 --------- d-----w C:\Program Files\QuickTime
2008-08-28 06:52 --------- d-----w C:\Program Files\Bonjour
2008-08-28 06:36 --------- d-----w C:\Program Files\Safari
2008-08-28 05:04 --------- d-----w C:\Program Files\Apple Software Update
2008-08-27 02:56 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-08-10 03:20 267,056 ----a-w C:\Program Files\utorrent.exe
2008-08-05 23:55 2,869,536 ----a-w C:\Program Files\spywareblastersetup41.exe
2008-08-03 21:41 9,346,664 ----a-w C:\Program Files\zlsSetup_60_667_000.exe
2008-08-03 04:28 50,688 ----a-w C:\Program Files\ATF-Cleaner.exe
2008-08-03 03:09 4,614,888 ----a-w C:\Program Files\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-08-02 21:55 48,367,896 ----a-w C:\Program Files\avg_free_stf_en_8_138a1332.exe
2008-07-30 05:01 6,046,584 ----a-w C:\Program Files\Firefox Setup 2.0.0.16.exe
2008-07-29 00:28 812,344 ----a-w C:\Program Files\HJTInstall.exe
2008-06-14 10:39 128,368 ----a-w C:\Program Files\Download_mbam-setup.exe
2008-06-12 07:26 4,257,184 ----a-w C:\Program Files\registryboosteraff.exe
2008-06-11 22:33 9,722,720 ----a-w C:\Program Files\spybotsd152.exe
2008-05-13 08:13 486,108,144 ----a-w C:\Program Files\ADBEPHSPCS3_WWE.exe
2008-05-05 03:36 304,957 ----a-w C:\Program Files\hjsplit.zip
2008-04-29 04:04 1,071,480 ----a-w C:\Program Files\dBpoweramp-Codec-m4a.exe
2008-03-26 23:37 6,104,632 ----a-w C:\Program Files\picasaweb-current-setup.exe
2008-03-26 23:23 13,445,041 ----a-w C:\Program Files\ps701up.exe
2008-03-13 02:33 90,044,946 ----a-w C:\Program Files\ableton_live_demo_702_en.zip
2008-01-17 23:19 1,958 ----a-w C:\Program Files\AT&T Self Support Tool.lnk
2008-01-17 23:19 1,741 ----a-w C:\Program Files\AT&T Help.lnk
2007-12-25 23:35 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-12-20 02:08 5,914,648 ----a-w C:\Program Files\SUPERAntiSpyware.exe
2007-10-05 03:35 842,672 ----a-w C:\Program Files\slsk156c.exe
2007-09-30 22:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
2007-09-21 07:59 5,651,713 ----a-w C:\Program Files\The-Codecs-5.0.zip
2007-09-21 05:26 23,769,896 ----a-w C:\Program Files\DivXInstaller.exe
2007-06-12 02:57 4,044,152 ----a-w C:\Program Files\dBpoweramp-encoder-helix.exe
2007-06-12 02:52 4,112,760 ----a-w C:\Program Files\dMC-r12[1].1.exe
2007-05-18 23:16 3,362,502 ----a-w C:\Program Files\cxp_free.exe
2007-05-16 04:44 1,055,648 ----a-w C:\Program Files\qmpsetup_win_ie_07010901.exe
2007-04-10 05:52 206,039 ----a-w C:\Program Files\RAR.zip
2007-03-18 05:43 877,976 ----a-w C:\Program Files\7z444.exe
2007-03-18 03:18 1,202,303 ----a-w C:\Program Files\wrar37b4.exe
2007-02-28 00:06 881 ----a-w C:\Program Files\fixreg.zip
2007-02-13 02:57 4,964,776 ----a-w C:\Program Files\Windows-KB890830-V1.24.exe
2007-02-02 00:02 313,344 ----a-w C:\Program Files\hjsplit.exe
2006-12-29 04:29 40,409,184 ----a-w C:\Program Files\MIS_9_0_183_1_trial30OEM_Release.exe
2006-12-26 13:22 70,873,480 ----a-w C:\Program Files\tis2007_trial.exe
2006-12-24 11:50 4,813,736 ----a-w C:\Program Files\Windows-KB890830-V1.23.exe
2004-11-07 21:58 0 -c--a-w C:\Documents and Settings\Lucy63\4.dat
2004-11-07 21:58 0 -c--a-w C:\Documents and Settings\Lucy63\3.dat
2004-11-07 03:56 0 -c--a-w C:\Documents and Settings\Jen\4.dat
2004-11-07 03:56 0 -c--a-w C:\Documents and Settings\Jen\3.dat
2006-11-22 20:13 104 --sh--w C:\WINDOWS\Microsoft.NET\ergafx.dll
.

------- Sigcheck -------

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-23 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\SYSTEM32\winlogon.exe

2002-08-29 04:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-23 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\SYSTEM32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 114688]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"LexPPS.exe"="C:\WINDOWS\system32\lexpps.exe" [2003-05-02 174592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-09-20 36953]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-09-20 24576]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 15:47 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\utorrent.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
S1 mssmbioss;mssmbioss;C:\WINDOWS\system32\drivers\mssmbioss.sys [ ]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-02 76040]
.
Contents of the 'Scheduled Tasks' folder

2008-10-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\w7ntqjtq.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 18:59:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-10-26 19:08:24 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2008-10-27 01:08:22

Pre-Run: 41,686,433,792 bytes free
Post-Run: 41,708,421,120 bytes free

219 --- E O F --- 2008-10-23 21:32:03

Edited by MVV, 26 October 2008 - 05:11 PM.
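
The Sigcheck section of this report is the most telling part of it. For both winlogon.exe and termsrv.dll the copy in SYSTEM32 has an MD5 that matches none of the three backup copies Windows keeps ($NtServicePackUninstall$, ServicePackFiles\i386 and the SoftwareDistribution download), yet it is exactly the size of the SP2 copy and carries a 2008-10-23 17:55 timestamp, the same day the random-named files in the "Files Created" section appeared; the report also shows tsd32.dll loaded inside winlogon.exe. Same size, different hash, fresh timestamp is the signature of a system file patched in place rather than replaced by an update. The script below is an added example, not code from this thread or from ComboFix; it parses Sigcheck rows and applies that rule. SIGCHECK is a constructed excerpt of the rows above plus one made-up example_clean.dll for contrast, and the verdict names are this editor's.

```python
"""Apply a same-size/different-hash check to the Sigcheck rows ComboFix
prints for protected system files.  Added example, not code from the
thread or from ComboFix; the verdict rule and names are this editor's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt: the winlogon.exe and termsrv.dll rows from the report
# above, plus a made-up example_clean.dll whose live copy matches its backup.
SIGCHECK = """\
2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\\WINDOWS\\$NtServicePackUninstall$\\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\\WINDOWS\\ServicePackFiles\\i386\\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\winlogon.exe
2008-10-23 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\\WINDOWS\\SYSTEM32\\winlogon.exe

2002-08-29 04:00 200192 fe84e045a09a4abc4deef7270448b64e C:\\WINDOWS\\$NtServicePackUninstall$\\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\\WINDOWS\\ServicePackFiles\\i386\\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\termsrv.dll
2008-10-23 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\\WINDOWS\\SYSTEM32\\termsrv.dll

2004-08-04 01:56 40960 0123456789abcdef0123456789abcdef C:\\WINDOWS\\ServicePackFiles\\i386\\example_clean.dll
2004-08-04 01:56 40960 0123456789abcdef0123456789abcdef C:\\WINDOWS\\SYSTEM32\\example_clean.dll
"""

ROW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$")
# The live copy is the one directly under system32 (or system32\drivers)
LIVE_RE = re.compile(r"\\system32\\(drivers\\)?[^\\]+$", re.I)


def parse_sigcheck(text):
    """Group rows by file name: {basename: [row dicts]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["mtime"] = datetime.strptime(row["date"], "%Y-%m-%d %H:%M")
        groups[row["path"].rsplit("\\", 1)[-1].lower()].append(row)
    return groups


def verdict(rows):
    live = [r for r in rows if LIVE_RE.search(r["path"])]
    refs = [r for r in rows if not LIVE_RE.search(r["path"])]
    if len(live) != 1:
        return "no-live-copy"
    if not refs:
        return "no-reference"
    live = live[0]
    if any(r["md5"] == live["md5"] for r in refs):
        return "matches-reference"          # identical to a known-good copy
    same_size = [r for r in refs if r["size"] == live["size"]]
    newest_ref = max(r["mtime"] for r in refs)
    if same_size and live["mtime"] > newest_ref:
        # Same length as a known copy, different content, modified after every
        # legitimate copy: the file was edited in place, not replaced by an update
        return "patched-in-place"
    return "unknown-version"                 # e.g. a hotfix with no cached copy


def assess(text):
    return {name: verdict(rows) for name, rows in parse_sigcheck(text).items()}


if __name__ == "__main__":
    for name, v in assess(SIGCHECK).items():
        print(f"{name}: {v}")
```

The "unknown-version" outcome is the honest one for a live file whose size matches nothing cached: a hotfix installed without leaving a copy would look that way too, so that verdict calls for checking the file's version resource and digital signature rather than for deleting it.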

#10 Egwene (Visiting Consultant, 2,141 posts)
Hello,

Good work, Combofix worked very well.

It's time for me to go to bed, I will answer you tomorrow.

Regards,
Egwene.

Edited by Egwene, 26 October 2008 - 05:24 PM.



#11 MVV (Topic Starter, Member, 87 posts)
Alright talk to you tomorrow.

And thank you, I'm able to boot normally now.

#12 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello,

Please do the following handling in normal mode :)

Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

Driver::
mssmbioss
TDSSserv.sys

Collect::
C:\WINDOWS\uvozysyje.inf
C:\Documents and Settings\Mike\Application Data\boxuwyder.reg
C:\WINDOWS\SYSTEM32\hasy.vbs
C:\Documents and Settings\All Users\Application Data\ocyqyxal.dat
C:\Documents and Settings\All Users\Application Data\gohypiwuvi.dat
C:\WINDOWS\reha.lib
C:\WINDOWS\SYSTEM32\cawavip.bin
C:\WINDOWS\macajeb._dl
C:\WINDOWS\acowyjuj.reg
C:\WINDOWS\jyza.reg
C:\Program Files\Common Files\libegisu.exe
C:\WINDOWS\yriw.ban
C:\WINDOWS\lude._sy
C:\Program Files\Common Files\doleteq._sy
C:\Program Files\Common Files\uqegakeji._dl

File::
C:\WINDOWS\system32\drivers\mssmbioss.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Regards,
Egwene.

#13 MVV (Topic Starter, Member, 87 posts)
ComboFix 08-10-25.01 - Mike 2008-10-27 13:26:39.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\mssmbioss.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\gohypiwuvi.dat
C:\Documents and Settings\All Users\Application Data\ocyqyxal.dat
C:\Documents and Settings\Mike\Application Data\boxuwyder.reg
C:\Program Files\Common Files\doleteq._sy
C:\Program Files\Common Files\libegisu.exe
C:\Program Files\Common Files\uqegakeji._dl
C:\WINDOWS\acowyjuj.reg
C:\WINDOWS\jyza.reg
C:\WINDOWS\lude._sy
C:\WINDOWS\macajeb._dl
C:\WINDOWS\reha.lib
C:\WINDOWS\SYSTEM32\cawavip.bin
C:\WINDOWS\SYSTEM32\hasy.vbs
C:\WINDOWS\uvozysyje.inf
C:\WINDOWS\yriw.ban

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSMBIOSS
-------\Service_mssmbioss
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-26 15:40 . 2008-10-26 15:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 15:37 . 2008-10-26 16:05 <DIR> d-------- C:\SDFix
2008-10-23 17:55 . 2008-10-23 17:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\AVGTOOLBAR
2008-10-06 19:47 . 2008-10-06 19:46 33,846 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2008-10-06 19:47 . 2008-10-06 19:47 3,400 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2008-10-06 19:45 . 2008-10-06 19:46 10,886,008 --a------ C:\Program Files\dBpoweramp-Codec-WMA10Pro.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 05:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-25 06:46 --------- d-----w C:\Program Files\Soulseek
2008-10-24 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-24 01:36 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-21 06:38 --------- d-----w C:\Documents and Settings\Mike\Application Data\uTorrent
2008-10-17 07:03 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Move Networks
2008-10-04 04:06 --------- d-----w C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-09-26 05:55 --------- d-----w C:\Program Files\ratDVD
2008-09-26 05:48 4,730,740 ----a-w C:\Program Files\ratDVDSetup-0.78.1444.exe
2008-09-09 03:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-09 03:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 06:11 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 06:11 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-04 23:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-30 11:55 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-29 21:15 --------- d-----w C:\Documents and Settings\Lucy63\Application Data\AVGTOOLBAR
2008-08-28 21:22 --------- d-----w C:\Documents and Settings\Mike\Application Data\Apple Computer
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 06:54 --------- d-----w C:\Program Files\iTunes
2008-08-28 06:53 --------- d-----w C:\Program Files\iPod
2008-08-28 06:52 --------- d-----w C:\Program Files\QuickTime
2008-08-28 06:52 --------- d-----w C:\Program Files\Bonjour
2008-08-28 06:36 --------- d-----w C:\Program Files\Safari
2008-08-28 05:04 --------- d-----w C:\Program Files\Apple Software Update
2008-08-27 02:56 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-08-10 03:20 267,056 ----a-w C:\Program Files\utorrent.exe
2008-08-05 23:55 2,869,536 ----a-w C:\Program Files\spywareblastersetup41.exe
2008-08-03 21:41 9,346,664 ----a-w C:\Program Files\zlsSetup_60_667_000.exe
2008-08-03 04:28 50,688 ----a-w C:\Program Files\ATF-Cleaner.exe
2008-08-03 03:09 4,614,888 ----a-w C:\Program Files\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-08-02 21:55 48,367,896 ----a-w C:\Program Files\avg_free_stf_en_8_138a1332.exe
2008-07-30 05:01 6,046,584 ----a-w C:\Program Files\Firefox Setup 2.0.0.16.exe
2008-07-29 00:28 812,344 ----a-w C:\Program Files\HJTInstall.exe
2008-06-14 10:39 128,368 ----a-w C:\Program Files\Download_mbam-setup.exe
2008-06-12 07:26 4,257,184 ----a-w C:\Program Files\registryboosteraff.exe
2008-06-11 22:33 9,722,720 ----a-w C:\Program Files\spybotsd152.exe
2008-05-13 08:13 486,108,144 ----a-w C:\Program Files\ADBEPHSPCS3_WWE.exe
2008-05-05 03:36 304,957 ----a-w C:\Program Files\hjsplit.zip
2008-04-29 04:04 1,071,480 ----a-w C:\Program Files\dBpoweramp-Codec-m4a.exe
2008-03-26 23:37 6,104,632 ----a-w C:\Program Files\picasaweb-current-setup.exe
2008-03-26 23:23 13,445,041 ----a-w C:\Program Files\ps701up.exe
2008-03-13 02:33 90,044,946 ----a-w C:\Program Files\ableton_live_demo_702_en.zip
2008-01-17 23:19 1,958 ----a-w C:\Program Files\AT&T Self Support Tool.lnk
2008-01-17 23:19 1,741 ----a-w C:\Program Files\AT&T Help.lnk
2007-12-25 23:35 54,330,664 ----a-w C:\Program Files\iTunesSetup.exe
2007-12-20 02:08 5,914,648 ----a-w C:\Program Files\SUPERAntiSpyware.exe
2007-10-05 03:35 842,672 ----a-w C:\Program Files\slsk156c.exe
2007-09-30 22:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
2007-09-21 07:59 5,651,713 ----a-w C:\Program Files\The-Codecs-5.0.zip
2007-09-21 05:26 23,769,896 ----a-w C:\Program Files\DivXInstaller.exe
2007-06-12 02:57 4,044,152 ----a-w C:\Program Files\dBpoweramp-encoder-helix.exe
2007-06-12 02:52 4,112,760 ----a-w C:\Program Files\dMC-r12[1].1.exe
2007-05-18 23:16 3,362,502 ----a-w C:\Program Files\cxp_free.exe
2007-05-16 04:44 1,055,648 ----a-w C:\Program Files\qmpsetup_win_ie_07010901.exe
2007-04-10 05:52 206,039 ----a-w C:\Program Files\RAR.zip
2007-03-18 05:43 877,976 ----a-w C:\Program Files\7z444.exe
2007-03-18 03:18 1,202,303 ----a-w C:\Program Files\wrar37b4.exe
2007-02-28 00:06 881 ----a-w C:\Program Files\fixreg.zip
2007-02-13 02:57 4,964,776 ----a-w C:\Program Files\Windows-KB890830-V1.24.exe
2007-02-02 00:02 313,344 ----a-w C:\Program Files\hjsplit.exe
2006-12-29 04:29 40,409,184 ----a-w C:\Program Files\MIS_9_0_183_1_trial30OEM_Release.exe
2006-12-26 13:22 70,873,480 ----a-w C:\Program Files\tis2007_trial.exe
2006-12-24 11:50 4,813,736 ----a-w C:\Program Files\Windows-KB890830-V1.23.exe
2004-11-07 21:58 0 -c--a-w C:\Documents and Settings\Lucy63\4.dat
2004-11-07 21:58 0 -c--a-w C:\Documents and Settings\Lucy63\3.dat
2004-11-07 03:56 0 -c--a-w C:\Documents and Settings\Jen\4.dat
2004-11-07 03:56 0 -c--a-w C:\Documents and Settings\Jen\3.dat
2006-11-22 20:13 104 --sh--w C:\WINDOWS\Microsoft.NET\ergafx.dll
.

------- Sigcheck -------

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-23 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\SYSTEM32\winlogon.exe

2002-08-29 04:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-23 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\SYSTEM32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-26_19.08.04.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-27 19:33:03 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-09-20 114688]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-09-20 36953]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-09-20 24576]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 15:47 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\utorrent.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-02 76040]
.
Contents of the 'Scheduled Tasks' folder

2008-10-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 13:43:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-27 13:53:42 - machine was rebooted [Mike]
ComboFix-quarantined-files.txt 2008-10-27 19:53:31
ComboFix2.txt 2008-10-27 01:08:25

Pre-Run: 41,104,912,384 bytes free
Post-Run: 41,126,719,488 bytes free

214 --- E O F --- 2008-10-23 21:32:03
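The Sigcheck section of the log above is the part worth understanding as a defender: ComboFix hashes the in-service copy of a system file under SYSTEM32 and lists it next to the backup copies Windows keeps ($NtServicePackUninstall$, ServicePackFiles, SoftwareDistribution). Here winlogon.exe and termsrv.dll in SYSTEM32 are the same size as the SP2 reference copies but carry a different MD5, which is the signature of a file patched in place. The driver list shows the other tell-tale: mssmbioss has an empty "[ ]" where ComboFix normally prints the file's date and size, meaning it could not see the file on disk. The script below is an added example (my code, not ComboFix or anything from sUBs) that parses an excerpt copied from the log above and surfaces both conditions automatically; the rule "a copy directly under system32 is the live one, all other listed copies are references" is my assumption about how to read ComboFix's Sigcheck layout, and the log excerpt is embedded inline so it runs offline.

```python
import re

# Excerpt constructed from the ComboFix log posted above (paths, sizes and
# MD5s copied from it). A raw string keeps the Windows backslashes intact.
COMBOFIX_LOG = r"""
S1 mssmbioss;mssmbioss;C:\WINDOWS\system32\drivers\mssmbioss.sys [ ]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
.
------- Sigcheck -------

2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-23 17:55 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\SYSTEM32\winlogon.exe

2002-08-29 04:00 200192 fe84e045a09a4abc4deef7270448b64e C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2004-08-04 01:56 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
2008-10-23 17:55 295424 40ffc19a8d4875e9e19cecdc76ef9201 C:\WINDOWS\SYSTEM32\termsrv.dll
.
"""

# "<date> <time> <size> <md5> <path>" as ComboFix prints Sigcheck rows.
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")
# "<R|S><n> <name>;<display>;<path> [<date size>]" service / driver rows.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _is_live_copy(path):
    # Assumption: the copy sitting directly in %SystemRoot%\system32 is the
    # one Windows actually loads; the other listed copies are references.
    parts = path.lower().split("\\")
    return len(parts) >= 2 and parts[-2] == "system32"


def parse_sigcheck(log):
    """Group Sigcheck rows by file name; the section ends at the '.' line."""
    entries, in_section = {}, False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck -------"):
            in_section = True
            continue
        if in_section and line == ".":
            break
        if not in_section:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            _date, _time, size, md5, path = m.groups()
            entries.setdefault(_basename(path).lower(), []).append(
                {"path": path, "size": int(size), "md5": md5.lower()})
    return entries


def find_sigcheck_mismatches(log):
    """Live copies whose MD5 matches none of the reference copies."""
    findings = []
    for name, copies in parse_sigcheck(log).items():
        live = [c for c in copies if _is_live_copy(c["path"])]
        refs = [c for c in copies if not _is_live_copy(c["path"])]
        if not live or not refs:
            continue
        ref_md5s = {r["md5"] for r in refs}
        ref_sizes = {r["size"] for r in refs}
        for c in live:
            if c["md5"] not in ref_md5s:
                findings.append({
                    "name": name, "path": c["path"], "md5": c["md5"],
                    # Same size as a known-good build but a different hash
                    # points at bytes patched inside an otherwise real file.
                    "same_size_as_reference": c["size"] in ref_sizes})
    return findings


def find_services_without_file_info(log):
    """Service names whose '[ ]' bracket is empty: ComboFix saw no file."""
    return [m.group(2) for m in (SERVICE_RE.match(l.strip())
                                 for l in log.splitlines())
            if m and not m.group(5).strip()]


if __name__ == "__main__":
    for f in find_sigcheck_mismatches(COMBOFIX_LOG):
        print("hash mismatch:", f["path"], f["md5"],
              "(size matches a reference copy)" if f["same_size_as_reference"] else "")
    for svc in find_services_without_file_info(COMBOFIX_LOG):
        print("service with no visible file:", svc)
```

Run against the excerpt it flags exactly the two files Egwene sends to VirScan in the next post and the mssmbioss driver the CFScript removes, which is the same reading a helper makes by eye; the size check is what separates "patched system file" from "different service-pack build", and a real triage script would additionally verify the reference copies against vendor-published hashes rather than trusting any copy on a compromised box.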

#14 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello,

You can tell a BIG thank you to sUBs, the developer of combofix, for his great tool! :)

1) Viruscan :

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

  • Please go to VirScan
  • Copy and paste the following file path into the Suspicious files to scan box.
    o C:\WINDOWS\SYSTEM32\winlogon.exe
  • Click on the Upload button
  • Once the Scan has completed, click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • Do the same thing for :
    o C:\WINDOWS\SYSTEM32\termsrv.dll

2) Run LopSD option 1 :

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

3) Get an uninstall list :

Please open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Regards,
Egwene.

#15 MVV (Topic Starter, Member, 87 posts)
I couldn't get the clipboard copy. And I'm not getting any results for C:\WINDOWS\SYSTEM32\termsrv.dll.

File information
File Name : winlogon.exe
File Size : 502272 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9b1bd82bd0761b5ba986af66d2809c30
SHA1 : f4f78eb62985200220188a15223186e31e4e5fbb

Scanner results
Scanner results : 8% Scanner(3/36) found malware!
Time : 2008/09/18 19:09:34 (EDT)
Scanner       Engine Ver       Sig Ver            Sig Date    Scan result           Time
a-squared     4.0.0.14         2008.09.17         2008-09-17  -                     1.440
AhnLab V3     2008.09.19.00    2008.09.19         2008-09-19  -                     0.945
AntiVir       7.8.1.34         7.0.6.180          2008-09-18  -                     2.308
Arcavir       1.0.5            200809181409       2008-09-18  -                     1.224
AVAST!        3.0.1            080918-0           2008-09-18  -                     0.708
AVG           7.5.52.442       270.7.0/1679       2008-09-18  -                     1.581
BitDefender   7.60825.1765611  7.20959            2008-09-19  Application.WLHack.A  3.097
CA (VET)      9.0.0.143        31.6.6094          2008-09-18  -                     5.118
ClamAV        0.94             8284               2008-09-19  -                     0.130
Comodo        2.11             2.0.0.650          2008-09-18  -                     0.436
CP Secure     1.1.0.715        2008.09.19         2008-09-19  -                     5.858
Dr.Web        4.44.0.9170      2008.09.18         2008-09-18  -                     3.171
ewido         4.0.0.2          2008.09.18         2008-09-18  -                     2.732
F-Prot        4.4.4.56         20080918           2008-09-18  -                     1.340
F-Secure      5.51.6100        2008.09.18.07      2008-09-18  -                     3.401
Fortinet      2.81-3.113       9.563              2008-09-18  -                     0.286
Ikarus        T3.1.01.34       2008.09.18.71483   2008-09-18  -                     3.481
JiangMin      11.0.706         2008.09.18         2008-09-18  -                     1.225
Kaspersky     5.5.10           2008.09.18         2008-09-18  -                     0.051
KingSoft      2008.1.14.15     2008.9.18.20       2008-09-18  -                     0.615
McAfee        5.3.00           5387               2008-09-18  -                     1.914
Microsoft     1.3903           2008.09.18         2008-09-18  -                     4.085
mks_vir       2.01             2008.09.18         2008-09-18  -                     2.620
Norman        5.93.01          5.93.00            2008-09-18  -                     5.483
nProtect      2008-09-18.00    2118370            2008-09-18  Application.WLHack.A  4.172
Panda         9.05.01          2008.09.18         2008-09-18  -                     2.195
Quick Heal    9.50             2008.09.17         2008-09-17  -                     1.880
Rising        20.0             20.62.32.00        2008-09-18  -                     0.790
Sophos        2.78.0           4.33               2008-09-19  Troj/WLhack-F         1.817
Sunbelt       3.1.1647.1       2241               2008-09-18  -                     0.612
Symantec      1.3.0.24         20080918.008       2008-09-18  -                     0.081
The Hacker    6.3.0.9          v00088             2008-09-18  -                     0.462
Trend Micro   8.700-1004       5.550.14           2008-09-18  -                     0.027
VBA32         3.12.8.5         20080918.0815      2008-09-18  -                     1.569
ViRobot       20080918         2008.09.18         2008-09-18  -                     0.403
VirusBuster   4.5.11.10        10.87.17/635387    2008-09-18  -                     1.155
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.