Help removing TDSS viruses

Post by kanakaboyus » July 5th, 2009, 12:04 pm

I have already run a Sophos scan and it quarantined 6 TDSS viruses, however Sophos doesn't seem to be able to actually clean up these files for me! Please help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:41 AM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: BHO - {8567EDFA-408C-43e9-B929-4C25C04F5003} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'HP_Administrator')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'old admin')
O4 - HKUS\S-1-5-21-2485643383-4133149871-2139128564-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 11498 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm
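A small triage script, added here as an example and not a tool from this thread or from MalwareRemoval.com, that parses HijackThis entry lines like the ones posted above and flags what a helper checks first: registrations whose file is missing, Run values that name a bare executable, a populated AppInit_DLLs, Hosts entries beyond localhost, modules sitting in a Temp directory, and the UAC-prefixed random file names that ComboFix reports removing later in this thread. The sample lines are constructed from the logs in this thread; the tag names and regular expressions are this example's own.

```python
"""Triage HijackThis / ComboFix log lines the way a removal helper reads them.

Added example, not a tool from this thread or from MalwareRemoval.com. The
rules are heuristics that point a human at entries worth a second look; none
of them is a verdict on its own.
"""
from __future__ import annotations

import re

# Every HijackThis entry line: "<section> - <rest>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[0-4]|O\d{1,2}) - (.*)$")
# Value part of an O4 Run entry: "[name] command ..."
RUN_VALUE_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# UAC-prefixed random names like the ones ComboFix removed in this thread
UAC_NAME_RE = re.compile(r"\\UAC[a-z]{10,}\.(?:sys|dll|dat|log)$", re.IGNORECASE)
# A module sitting in the user's Temp directory
TEMP_MODULE_RE = re.compile(
    r"\\(?:LOCALS~1|Local Settings)\\Temp\\[^\\]+\.(?:dll|exe|sys)$", re.IGNORECASE)

# Constructed sample in the shape of the logs posted in this thread
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: BHO - {8567EDFA-408C-43e9-B929-4C25C04F5003} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
c:\windows\system32\drivers\UACxehilxwboetqlrsth.sys
c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
"""


def command_is_bare(cmd: str) -> bool:
    """True when a Run command names its executable with no directory at all
    (e.g. 'glidew32.exe'), so Windows finds it through the search path."""
    exe = cmd.strip().lstrip('"').split(" ", 1)[0]
    return bool(exe) and not any(ch in exe for ch in "\\:%")


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (tag, line) pairs for every line worth a second look."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if UAC_NAME_RE.search(line):
            findings.append(("uac-name", line))
        if TEMP_MODULE_RE.search(line):
            findings.append(("temp-module", line))
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if rest.endswith("(file missing)"):
            # Leftover registration: the loader still points at a deleted file
            findings.append(("file-missing", line))
        elif section == "O4":
            # "HKLM\..\Run: [name] command" (Startup-folder .lnk lines have no [name])
            value = rest.partition(": ")[2]
            m4 = RUN_VALUE_RE.match(value)
            if m4 and command_is_bare(m4.group("cmd")):
                findings.append(("bare-run-command", line))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # A non-empty AppInit_DLLs is loaded into every process that uses user32
            if rest.partition(":")[2].strip():
                findings.append(("appinit-dll", line))
        elif section == "O1":
            # "Hosts: <address> <hostname>"; anything but localhost redirects a name
            fields = rest.partition(": ")[2].split()
            if fields and fields[-1].lower() != "localhost":
                findings.append(("hosts-redirect", line))
    return findings


if __name__ == "__main__":
    for tag, entry in triage(SAMPLE_LOG):
        print(f"{tag:17} {entry}")
```

Run it against a pasted log to get a short list of entries to look at by hand; a flagged line such as the HP vendor entries above is often legitimate, which is why the tags are prompts rather than verdicts.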

Re: Help removing TDSS viruses

Post by Axephilic » July 8th, 2009, 4:08 pm

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  2. Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within three days after my last instructions this topic will be closed. If you will not be able to reply within three days please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.


Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Help removing TDSS viruses

Post by kanakaboyus » July 8th, 2009, 8:48 pm

Thank you, here is the ComboFix log followed by a new HijackThis report.

ComboFix 09-07-08.04 - Tom 07/08/2009 17:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2561 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix1.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tom\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\Tom\Application Data\~tmp.html
c:\documents and settings\Tom\Application Data\config.cfg
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\Installer\10248a.msi
c:\windows\Installer\1268f.msi
c:\windows\Installer\1308e.msi
c:\windows\Installer\14089b5.msi
c:\windows\Installer\157a5d.msi
c:\windows\Installer\159e1cb.msi
c:\windows\Installer\187f52.msi
c:\windows\Installer\1aefff.msi
c:\windows\Installer\1b53a2.msp
c:\windows\Installer\1c8e02.msi
c:\windows\Installer\1f64d2.msi
c:\windows\Installer\1f6521.msi
c:\windows\Installer\1f6753.msi
c:\windows\Installer\1f6759.msi
c:\windows\Installer\1f6832.msi
c:\windows\Installer\222b58c.msi
c:\windows\Installer\23874.msi
c:\windows\Installer\27bf91.msi
c:\windows\Installer\28a072.msi
c:\windows\Installer\28a07e.msi
c:\windows\Installer\290066f.msi
c:\windows\Installer\2dd72f5.msi
c:\windows\Installer\30f4f9.msi
c:\windows\Installer\30f4fa.msp
c:\windows\Installer\30f4fb.msp
c:\windows\Installer\30f4fc.msp
c:\windows\Installer\30f4fd.msp
c:\windows\Installer\30f4fe.msp
c:\windows\Installer\30f4ff.msp
c:\windows\Installer\30f500.msp
c:\windows\Installer\30f501.msp
c:\windows\Installer\30f502.msp
c:\windows\Installer\32ebb.msi
c:\windows\Installer\32ec1.msi
c:\windows\Installer\32ec7.msi
c:\windows\Installer\32ecd.msi
c:\windows\Installer\3684b4.msi
c:\windows\Installer\38620a.msi
c:\windows\Installer\3a16b6.msi
c:\windows\Installer\3ae2cc.msi
c:\windows\Installer\3d0ac.msi
c:\windows\Installer\40de89.msi
c:\windows\Installer\47b253.msi
c:\windows\Installer\55ea3b.msp
c:\windows\Installer\754487.msi
c:\windows\Installer\83ecba.msp
c:\windows\Installer\850947.msi
c:\windows\Installer\9f4893.msi
c:\windows\Installer\ad5729.msi
c:\windows\Installer\d7ad9f.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\UACxehilxwboetqlrsth.sys
c:\windows\system32\UACbjfbytpdmjfsnbroa.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACktnodrujgavfqakgy.dll
c:\windows\system32\UACosrrjkvpppxnwfbco.dat
c:\windows\system32\UACrqoyoapxesfqhuqlr.dll
c:\windows\system32\UACtukcloteajanrodyl.dll
c:\windows\system32\UACudinyfoymvmtbaiqm.dll
c:\windows\Sysvxd.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DRV
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 16:17 . 2009-07-04 16:17 1 ---h--w- c:\windows\jmmark2.dat
2009-07-04 16:17 . 2009-07-04 16:17 1 ---h--w- c:\windows\bf23567.dat
2009-07-04 15:02 . 2009-07-04 15:02 -------- d-----w- c:\program files\wildtangent
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 16:39 . 2009-07-03 16:39 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-07-03 16:37 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 16:36 . 2009-07-03 16:36 -------- d-----w- c:\windows\ie8updates
2009-07-03 16:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 16:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 16:35 . 2009-07-03 16:36 -------- dc-h--w- c:\windows\ie8
2009-07-03 03:28 . 2009-07-05 15:54 -------- d-----w- c:\documents and settings\Tom\Application Data\MalwareRemovalBot
2009-07-03 03:28 . 2009-07-09 00:11 -------- d-----w- c:\program files\MalwareRemovalBot
2009-07-03 02:39 . 2009-07-05 02:39 -------- d-----w- c:\program files\drv
2009-06-20 01:27 . 2009-06-20 15:40 -------- d-----w- c:\program files\Free Photo Viewer
2009-06-20 01:25 . 2009-06-20 01:25 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Forrest_Croce
2009-06-20 01:22 . 2009-06-20 01:26 -------- d-----w- c:\program files\exif
2009-06-13 15:47 . 2009-07-09 00:05 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\FLVService
2009-06-13 15:47 . 2009-06-13 15:47 -------- d-----w- c:\program files\AskBarDis
2009-06-13 15:46 . 2009-06-13 15:47 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-13 15:45 . 2009-06-13 15:46 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\program files\FLV Player
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\windows\Applian FLV Player
2009-06-13 14:32 . 2009-06-13 14:32 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:28 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 00:28 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 14:33 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2009-05-21 18:33 . 2008-12-14 17:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:08 . 2009-05-10 15:09 -------- d-----w- c:\program files\AntToolbar
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:02 . 2008-09-28 14:15 436 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 01:38 . 2009-04-10 01:38 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\kotafeka.dll.tmp
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\tevaziva.dll.tmp
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\zizatewa.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 21:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Glide"="glidew32.exe" - c:\windows\system32\glidew32.exe [2005-10-03 81920]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38528]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/7/2009 8:12 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-03 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe [2009-07-02 19:22]

2009-07-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2856)
c:\windows\system32\WININET.dll
c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-09 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 00:39

Pre-Run: 195,709,366,272 bytes free
Post-Run: 196,077,318,144 bytes free

302 --- E O F --- 2009-07-03 16:37



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:12 PM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10335 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Help removing TDSS viruses

Unread postby kanakaboyus » July 8th, 2009, 11:12 pm

Something re-infected my computer since I did the last Combofix. My Sophos alerted me that there were 6 virus files. I re-ran Combofix and HijackThis. Here are the log files. I hope I didn't mess something up by re-running these programs!

ComboFix 09-07-08.04 - Tom 07/08/2009 19:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2351 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix1.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Local Settings\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 16:17 . 2009-07-04 16:17 1 ---h--w- c:\windows\jmmark2.dat
2009-07-04 16:17 . 2009-07-04 16:17 1 ---h--w- c:\windows\bf23567.dat
2009-07-04 15:02 . 2009-07-04 15:02 -------- d-----w- c:\program files\wildtangent
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 16:39 . 2009-07-03 16:39 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-07-03 16:37 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 16:36 . 2009-07-03 16:36 -------- d-----w- c:\windows\ie8updates
2009-07-03 16:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 16:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 16:35 . 2009-07-03 16:36 -------- dc-h--w- c:\windows\ie8
2009-07-03 03:28 . 2009-07-05 15:54 -------- d-----w- c:\documents and settings\Tom\Application Data\MalwareRemovalBot
2009-07-03 03:28 . 2009-07-09 00:11 -------- d-----w- c:\program files\MalwareRemovalBot
2009-07-03 02:39 . 2009-07-05 02:39 -------- d-----w- c:\program files\drv
2009-06-20 01:27 . 2009-06-20 15:40 -------- d-----w- c:\program files\Free Photo Viewer
2009-06-20 01:25 . 2009-06-20 01:25 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Forrest_Croce
2009-06-20 01:22 . 2009-06-20 01:26 -------- d-----w- c:\program files\exif
2009-06-13 15:47 . 2009-07-09 01:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\FLVService
2009-06-13 15:47 . 2009-06-13 15:47 -------- d-----w- c:\program files\AskBarDis
2009-06-13 15:46 . 2009-06-13 15:47 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-13 15:45 . 2009-06-13 15:46 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\program files\FLV Player
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\windows\Applian FLV Player
2009-06-13 14:32 . 2009-06-13 14:32 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:28 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 00:28 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 14:33 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2009-05-21 18:33 . 2008-12-14 17:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:08 . 2009-05-10 15:09 -------- d-----w- c:\program files\AntToolbar
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:02 . 2008-09-28 14:15 436 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\kotafeka.dll.tmp
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\tevaziva.dll.tmp
2008-09-10 02:34 . 2008-09-10 02:34 62976 --sha-w- c:\windows\system32\zizatewa.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_00.36.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 03:00 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-07-09 03:00 . 2009-07-09 03:00 16384 c:\windows\temp\Perflib_Perfdata_3c4.dat
- 2009-07-09 00:34 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
+ 2009-07-09 03:00 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
- 2009-07-09 00:34 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-07-09 03:00 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-07-09 03:00 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-07-09 03:00 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-07-09 03:00 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-07-09 00:34 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 03:00 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 03:00 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
+ 2009-07-09 03:00 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
- 2009-07-09 00:34 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
- 2009-07-09 00:34 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
+ 2009-07-09 03:00 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 21:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Glide"="glidew32.exe" - c:\windows\system32\glidew32.exe [2005-10-03 81920]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38528]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/7/2009 8:12 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-09 20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 03:06
ComboFix2.txt 2009-07-09 00:39

Pre-Run: 196,024,082,432 bytes free
Post-Run: 195,974,365,184 bytes free

262 --- E O F --- 2009-07-03 16:37




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:12 PM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10368 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Help removing TDSS viruses

Unread postby Axephilic » July 9th, 2009, 3:19 am

Hi there,

From now on please do not rerun tools without me asking you to. ;)

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    R3 - URLSearchHook: (no name) - - (no file)
Close all open windows, click on Fix checked, and when you get a popup window click on Yes.

Run ComboFix

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\jmmark2.dat
c:\windows\bf23567.dat
c:\windows\system32\kotafeka.dll.tmp
c:\windows\system32\tevaziva.dll.tmp
c:\windows\system32\zizatewa.dll.tmp
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
Folder::
c:\program files\MalwareRemovalBot
c:\documents and settings\Tom\Application Data\MalwareRemovalBot
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply, please include:
  1. ComboFix log
  2. MBAM log
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
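
The triage in the post above (fix the orphaned R3 entry, leave the rest alone) follows directly from the HijackThis line format, and it is worth seeing that logic written down. The script below is an added example for this page, not code from HijackThis, ComboFix or anyone in this thread. It parses the section code from each line, pulls out the file an entry loads, and flags two things: entries HijackThis marks "(no file)" (the R3 URLSearchHook line fixed above) and O4 Run values that give a bare filename with no directory. On this machine the ComboFix log later resolves ARPWRMSG.EXE and glidew32.exe to c:\windows\arpwrmsg.exe and c:\windows\system32\glidew32.exe, ordinary HP and touchpad components, so that flag means "check which file actually runs", not "malicious". The sample lines are copied from the HijackThis log posted earlier in the thread; the HjtEntry class, the flag wording and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...).
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 Run-key entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O4 Startup-folder entries: "<folder>: <shortcut>.lnk = <resolved path> [(User '...')]"
O4_LNK_RE = re.compile(r"\.lnk = (?P<cmd>.*)$")
# Program part of an unquoted command line, tolerant of spaces in the path.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|dll|pif))(?=\s|$)", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str
    body: str
    target: Optional[str]            # file the entry loads, if one can be read off the line
    flags: List[str] = field(default_factory=list)


def _program(cmd: str) -> str:
    """Return the program part of a command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def extract_target(section: str, body: str) -> Optional[str]:
    """Pull the loaded file out of an entry; None when HijackThis already says (no file)."""
    if "(no file)" in body:
        return None
    if section == "O4":
        m = O4_RUN_RE.search(body)
        if m:
            return _program(m.group("cmd"))
        m = O4_LNK_RE.search(body)
        if m:
            return re.sub(r"\s+\(User '.*'\)$", "", m.group("cmd")).strip()
        return None
    if section in ("O2", "O3", "O9", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()   # the path is the last " - " field
    return None


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # header, process-list and blank lines do not match
            section, body = m.group("section"), m.group("body")
            entries.append(HjtEntry(section, body, extract_target(section, body)))
    return entries


def triage(text: str) -> List[HjtEntry]:
    """Return only the entries a helper would look at first."""
    flagged: List[HjtEntry] = []
    for entry in parse_hjt_log(text):
        if "(no file)" in entry.body:
            # Orphaned hook/BHO: nothing loads any more, but the registry reference is junk.
            entry.flags.append("orphaned: target file missing")
        if entry.section == "O4" and entry.target and not re.search(r"[\\/]", entry.target):
            # No directory given: Windows locates the file by search path, so the
            # log line alone does not tell you which file actually runs.
            entry.flags.append("bare filename: resolved by path search, verify which file runs")
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}  {e.target or '(none)'}  ->  {'; '.join(e.flags)}")
```

Run as a script it prints the three lines worth a second look (the R3 entry and the two bare-filename Run values); `triage()` returns the same entries as objects so the check can be scripted against a full pasted log. The O4 extraction also handles Startup-folder shortcuts such as the Pin.lnk lines above, stripping the trailing "(User '...')" annotation.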

Re: Help removing TDSS viruses

Unread postby kanakaboyus » July 9th, 2009, 11:48 am

Oops! I will obey from now on! Thank you for your patience. Here are the logs:

ComboFix 09-07-08.07 - Tom 07/09/2009 7:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2482 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\windows\bf23567.dat"
"c:\windows\jmmark2.dat"
"c:\windows\system32\kotafeka.dll.tmp"
"c:\windows\system32\tevaziva.dll.tmp"
"c:\windows\system32\zizatewa.dll.tmp"
"c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Application Data\MalwareRemovalBot
c:\documents and settings\Tom\Application Data\MalwareRemovalBot\Log\2009 Jul 08 - 05_11_00 PM_125.log
c:\documents and settings\Tom\Application Data\MalwareRemovalBot\Settings\IgnoreList.stg
c:\documents and settings\Tom\Local Settings\temp\IadHide5.dll
c:\program files\MalwareRemovalBot
c:\program files\MalwareRemovalBot\DataBase.ref
c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
c:\program files\MalwareRemovalBot\MalwareRemovalBot.url
c:\program files\MalwareRemovalBot\vistaCPtasks.xml
c:\windows\bf23567.dat
c:\windows\jmmark2.dat
c:\windows\system32\kotafeka.dll.tmp
c:\windows\system32\tevaziva.dll.tmp
c:\windows\system32\zizatewa.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 15:02 . 2009-07-04 15:02 -------- d-----w- c:\program files\wildtangent
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 16:39 . 2009-07-03 16:39 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-07-03 16:37 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 16:36 . 2009-07-03 16:36 -------- d-----w- c:\windows\ie8updates
2009-07-03 16:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 16:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 16:35 . 2009-07-03 16:36 -------- dc-h--w- c:\windows\ie8
2009-07-03 02:39 . 2009-07-05 02:39 -------- d-----w- c:\program files\drv
2009-06-20 01:27 . 2009-06-20 15:40 -------- d-----w- c:\program files\Free Photo Viewer
2009-06-20 01:25 . 2009-06-20 01:25 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Forrest_Croce
2009-06-20 01:22 . 2009-06-20 01:26 -------- d-----w- c:\program files\exif
2009-06-13 15:47 . 2009-07-09 01:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\FLVService
2009-06-13 15:47 . 2009-06-13 15:47 -------- d-----w- c:\program files\AskBarDis
2009-06-13 15:46 . 2009-06-13 15:47 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-13 15:45 . 2009-06-13 15:46 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\program files\FLV Player
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\windows\Applian FLV Player
2009-06-13 14:32 . 2009-06-13 14:32 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:28 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 00:28 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 14:33 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2009-05-21 18:33 . 2008-12-14 17:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:08 . 2009-05-10 15:09 -------- d-----w- c:\program files\AntToolbar
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:02 . 2008-09-28 14:15 436 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_00.36.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 14:43 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-07-09 14:43 . 2009-07-09 14:43 16384 c:\windows\temp\Perflib_Perfdata_b80.dat
+ 2009-07-09 14:43 . 2009-07-09 14:43 16384 c:\windows\temp\Perflib_Perfdata_630.dat
- 2009-07-09 00:34 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
+ 2009-07-09 14:43 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
- 2009-07-09 00:34 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-07-09 14:43 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-07-09 14:43 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-07-09 14:43 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-07-09 00:34 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 14:43 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 14:43 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-09 14:43 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-09 14:43 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-07-09 00:34 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 21:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Glide"="glidew32.exe" - c:\windows\system32\glidew32.exe [2005-10-03 81920]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38528]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/7/2009 8:12 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 07:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WININET.dll
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-09 7:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 14:47
ComboFix2.txt 2009-07-09 03:06
ComboFix3.txt 2009-07-09 00:39

Pre-Run: 195,938,111,488 bytes free
Post-Run: 195,896,344,576 bytes free

274 --- E O F --- 2009-07-03 16:37



Malwarebytes' Anti-Malware 1.38
Database version: 2398
Windows 5.1.2600 Service Pack 3

7/9/2009 8:39:55 AM
mbam-log-2009-07-09 (08-39-55).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 287078
Time elapsed: 41 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6ce2825-3f5f-4390-b9fd-13b68cf295f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVDRV (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\drv\drv.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tom\my documents\downloads\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-13-19\0.qit.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-13-19\1.qit.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-59-53\0.qit.vir (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-16-10-12\0.qit.vir (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACktnodrujgavfqakgy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACrqoyoapxesfqhuqlr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACtukcloteajanrodyl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACudinyfoymvmtbaiqm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\UACxehilxwboetqlrsth.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066625.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066626.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066627.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066628.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066629.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP201\A0054191.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:22 AM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10257 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Help removing TDSS viruses

Unread post by Axephilic » July 10th, 2009, 3:29 am

Hello,

Run ComboFix

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
Folder::
c:\program files\drv


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. Kaspersky report
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Help removing TDSS viruses

Unread post by kanakaboyus » July 10th, 2009, 11:40 pm

ComboFix 09-07-09.08 - Tom 07/10/2009 16:38.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2482 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Local Settings\temp\IadHide5.dll
c:\program files\drv

.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 14:53 . 2009-07-09 14:53 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-07-09 14:53 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 14:53 . 2009-07-09 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-09 14:53 . 2009-07-09 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 14:53 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 15:02 . 2009-07-04 15:02 -------- d-----w- c:\program files\wildtangent
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 16:39 . 2009-07-03 16:39 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-07-03 16:37 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 16:36 . 2009-07-03 16:36 -------- d-----w- c:\windows\ie8updates
2009-07-03 16:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 16:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 16:35 . 2009-07-03 16:36 -------- dc-h--w- c:\windows\ie8
2009-06-20 01:27 . 2009-06-20 15:40 -------- d-----w- c:\program files\Free Photo Viewer
2009-06-20 01:25 . 2009-06-20 01:25 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Forrest_Croce
2009-06-20 01:22 . 2009-06-20 01:26 -------- d-----w- c:\program files\exif
2009-06-13 15:47 . 2009-07-09 01:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\FLVService
2009-06-13 15:47 . 2009-06-13 15:47 -------- d-----w- c:\program files\AskBarDis
2009-06-13 15:46 . 2009-06-13 15:47 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-13 15:45 . 2009-06-13 15:46 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\program files\FLV Player
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\windows\Applian FLV Player
2009-06-13 14:32 . 2009-06-13 14:32 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:28 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 00:28 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 14:33 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2009-05-21 18:33 . 2008-12-14 17:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:02 . 2008-09-28 14:15 436 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_00.36.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 23:46 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-07-10 23:46 . 2009-07-10 23:46 16384 c:\windows\temp\Perflib_Perfdata_c54.dat
+ 2009-07-10 23:46 . 2009-07-10 23:46 16384 c:\windows\temp\Perflib_Perfdata_65c.dat
- 2009-07-09 00:34 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
+ 2009-07-10 23:46 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
- 2009-07-09 00:34 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-07-10 23:46 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-07-10 23:46 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-07-10 23:46 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-07-10 23:46 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-07-09 00:34 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-10 23:46 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-10 23:46 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-10 23:46 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-10 23:46 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-07-09 00:34 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 21:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Glide"="glidew32.exe" - c:\windows\system32\glidew32.exe [2005-10-03 81920]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38528]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/7/2009 8:12 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]

2009-07-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 16:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-10 16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 23:50
ComboFix2.txt 2009-07-09 14:47
ComboFix3.txt 2009-07-09 03:06
ComboFix4.txt 2009-07-09 00:39

Pre-Run: 195,842,146,304 bytes free
Post-Run: 195,826,634,752 bytes free

255 --- E O F --- 2009-07-03 16:37


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 01:48:44
Records in database: 2458385

--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 158088
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:55:18


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Tom\Application Data\MalwareRemovalBot\Quarantine\04-07-2009-20-01-24\0.qit.vir Infected: Trojan.Win32.BHO.vkp 1
C:\Qoobox\Quarantine\[4]-Submit_2009-07-09_07.34.02.zip Infected: Packed.Win32.Mondera.b 3

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:16 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2556477203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2556525015
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10257 bytes
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Help removing TDSS viruses

Unread postby Axephilic » July 11th, 2009, 12:48 am

Congratulations, you are now all clean! To help prevent you from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updates too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A replacement Hosts file replaces your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file protects you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that potentially has lots of viruses or spyware, or that has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
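The Hosts-file mechanism from item 2 of the post above, as an added worked example (it is not code from the original post, nor from any of the Hosts files listed there): a small Python audit that reads a Hosts file the way the resolver does and separates blocklist entries (sunk to 127.0.0.1, or to 0.0.0.0, which blocklists also use) from the opposite case the post does not mention, where an entry points an update or antivirus vendor's site at some other address. That reverse case is the one to worry about on a machine that was infected, because the same file that protects you can also be used to keep you from reaching vendor sites. The sample Hosts content, the addresses in it and the list of protected vendor domains are constructed for illustration.

```python
"""Audit a Windows Hosts file: blocklist entries sink a hostname to loopback,
but the same mechanism lets malware point vendor sites somewhere else."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, int]  # (ip, hostname, line number in the file)

# Constructed sample content (not a real Hosts file from the thread).
SAMPLE_HOSTS = """\
# header comment, ignored by the resolver
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net          # blocklist style (MVPS/hpHosts)
0.0.0.0         tracker.badsite.example     # 0.0.0.0 is another common sink
203.0.113.45    www.update.microsoft.com    # vendor site sent elsewhere
203.0.113.45    sophos.com
192.168.1.10    intranet.local              # ordinary custom mapping
not-an-ip       garbage                     # malformed; Windows ignores it
"""

# Assumed list of domains that should never be redirected off loopback by a
# Hosts file: the update and AV vendor sites the cleanup above relies on.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "sophos.com")
BASELINE_HOSTS = {"localhost"}  # normal loopback entry, not a block rule


def parse_hosts(text: str) -> List[Entry]:
    """Read Hosts lines the way the resolver does: strip '#' comments,
    first field is the address, every following field is a hostname."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 address; line is ignored
        for host in fields[1:]:
            entries.append((str(ip), host.lower(), line_no))
    return entries


def is_sink(ip: str) -> bool:
    """127.0.0.1 (what the post recommends) and 0.0.0.0 both sink traffic."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def resolve(entries: List[Entry], hostname: str) -> Optional[str]:
    """First matching entry wins; the Hosts file is consulted before DNS."""
    hostname = hostname.lower()
    for ip, host, _ in entries:
        if host == hostname:
            return ip
    return None


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Split entries into: 'blocked' (sunk to loopback, the intended use),
    'hijacked' (a protected vendor domain pointed at a real address) and
    'custom' (any other mapping, worth a look but not alarming by itself)."""
    report: Dict[str, List[Entry]] = {"blocked": [], "hijacked": [], "custom": []}
    for entry in entries:
        ip, host, _ = entry
        if host in BASELINE_HOSTS and is_sink(ip):
            continue  # the stock localhost line
        if is_sink(ip):
            report["blocked"].append(entry)
        elif is_protected(host):
            report["hijacked"].append(entry)
        else:
            report["custom"].append(entry)
    return report


def audit(text: str) -> Dict[str, List[Entry]]:
    return classify(parse_hosts(text))


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_HOSTS).items():
        for ip, host, line_no in items:
            print(f"{kind:8} line {line_no}: {host} -> {ip}")
```

To run it against a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit()` instead of SAMPLE_HOSTS; anything in the "hijacked" list should be removed, and the "blocked" list is simply the blocklist you installed.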

Re: Help removing TDSS viruses

Unread postby kanakaboyus » July 11th, 2009, 9:36 am

Thank you very much for your help. One more question, my antivirus software still shows that I have some TDSS viruses in quarantine. Should I go ahead and instruct my antivirus software to "clean" those files? Should I also uninstall my antivirus software and reload a new copy? Could it have been corrupted somewhere throughout this process?
kanakaboyus
Regular Member
 
Posts: 48
Joined: August 17th, 2008, 12:44 pm

Re: Help removing TDSS viruses

Unread postby Axephilic » July 11th, 2009, 2:05 pm

kanakaboyus wrote:Thank you very much for your help. One more question, my antivirus software still shows that I have some TDSS viruses in quarantine. Should I go ahead and instruct my antivirus software to "clean" those files? Should I also uninstall my antivirus software and reload a new copy? Could it have been corrupted somewhere throughout this process?


Please do clean those. Delete your quarantine.

You should not need to reload your AV, although if you want to do it there is no harm in doing so.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Help removing TDSS viruses

Unread postby Gary R » July 15th, 2009, 3:42 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire