Trojan horse Generic_c.TSW

Post by stisti » December 20th, 2008, 2:47 pm

I need help removing this virus. It has an icon on my desktop that reads "Gay Fetish Sex".
I already ran HijackThis, and these are the results:

____________________________________________________________________
I actually solved that problem on my own, I believe.
I'm not sure if I fixed it or not, but the icon is gone and I don't detect the virus anywhere on my computer.

But I still have another virus called trojan horse sheur2 or something like that. I will run another HijackThis log and post it.
_______________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:11 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Software Update\AutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Creative Software Update] "C:\Program Files\Creative\Shared Files\Software Update\AutoUpdate.exe" /Silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [jsf8j34rgfght] C:\DOCUME~1\gaming\LOCALS~1\Temp\winloggn.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1292428093-796845957-839522115-1003 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Admin')
O4 - S-1-5-21-1292428093-796845957-839522115-1003 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Admin')
O4 - Startup: Javasched.jar
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8100582656
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9/v2 ... boax10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 8131 bytes
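The log above carries the classic signs an analyst looks for by eye: autoruns launched from a user's Temp folder, executables named one letter away from real Windows binaries (csrssc.exe, winloggn.exe), a randomly named DLL in system32 registered under the same CLSID as both a BHO (O2) and a SharedTaskScheduler entry (O22), and an O7 policy that disables regedit. The script below is an added example, not part of the original post and not a HijackThis or MalwareRemoval.com tool; it parses the posted log lines (excerpted as SAMPLE_LOG) and flags those indicator types. The edit-distance threshold, the "random name" heuristic and the reason strings are this example's own assumptions.

```python
"""Triage a HijackThis 2.x log for the indicator types visible in the thread.

Added example, not part of the original post and not a MalwareRemoval.com or
Trend Micro tool. SAMPLE_LOG is an excerpt of the log posted above; the
heuristics, thresholds and reason strings are this example's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Windows binaries that malware likes to imitate with one extra or swapped letter.
SYSTEM_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
                "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+?\.(?:exe|dll|jar|scr|cpl)\b", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r"\[([^\]]+)\]")          # the [ValueName] in O4 lines

R_TEMP = "executable launched from a Temp directory"
R_MIMIC = "file name mimics a Windows system binary"
R_RANDOM_DLL = "random-looking DLL name"
R_RANDOM_VALUE = "random-looking Run value name"
R_POLICY = "O7 policy restriction (DisableRegedit etc.) set"
R_CLSID = "same CLSID registered as both O2 BHO and O22 SharedTaskScheduler"

Finding = Tuple[str, str, str]   # (reason, detail, offending line)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot csrssc.exe / winloggn.exe style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_system_binary(basename: str) -> Optional[str]:
    """Return the system binary a name is within two edits of, unless it IS that binary."""
    b = basename.lower()
    if b in SYSTEM_NAMES:
        return None
    closest = min(SYSTEM_NAMES, key=lambda n: edit_distance(b, n))
    return closest if edit_distance(b, closest) <= 2 else None


def looks_random(name: str) -> bool:
    """Assumed heuristic: long, mixes letters and digits, almost no vowels (tyshb36rfjdf, jsf8j34rgfght)."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 10:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return has_digit and has_alpha and vowel_ratio < 0.25


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, emit one finding per (reason, detail, line), deduplicated."""
    findings: List[Finding] = []
    clsid_sections: Dict[str, Set[str]] = defaultdict(set)

    def add(f: Finding) -> None:
        if f not in findings:
            findings.append(f)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]        # "O4", "O2", ... or a bare process path
        for path in PATH_RE.findall(line):
            base = path.rsplit("\\", 1)[-1]
            if TEMP_RE.search(path):
                add((R_TEMP, path, line))
            legit = mimics_system_binary(base)
            if legit:
                add((R_MIMIC, legit, line))
            if section in {"O2", "O20", "O22"} and looks_random(base):
                add((R_RANDOM_DLL, base, line))
        value = VALUE_RE.search(line)
        if section == "O4" and value and looks_random(value.group(1)):
            add((R_RANDOM_VALUE, value.group(1), line))
        if section == "O7":
            add((R_POLICY, line.split(", ", 1)[-1], line))
        for clsid in CLSID_RE.findall(line):
            clsid_sections[clsid.upper()].add(section)

    for clsid, sections in clsid_sections.items():
        if {"O2", "O22"} <= sections:           # BHO and SharedTaskScheduler share one COM object
            add((R_CLSID, clsid, clsid))
    return findings


# Constructed sample: lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\gaming\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\gaming\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [jsf8j34rgfght] C:\DOCUME~1\gaming\LOCALS~1\Temp\winloggn.exe (User 'Admin')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
"""

if __name__ == "__main__":
    for reason, detail, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {detail}\n    {line}")
```

Run it on a full saved log with `triage(open("hijackthis.log").read())`. The heuristics are deliberately loud rather than precise: a Temp-folder autorun or a CLSID shared between O2 and O22 is worth a human look every time, while the random-name test is a prompt to go check the file, not a verdict.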

Re: Trojan horse Generic_c.TSW

Post by Axephilic » December 26th, 2008, 1:53 am

Hello,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  2. I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part-time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this; don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply. Please also include a new HijackThis log.

Regards,
Adam

Re: Trojan horse Generic_c.TSW

Post by stisti » December 26th, 2008, 3:33 am

Hi! And thank you for your help, it is much appreciated.

1. New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:20 AM, on 12/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\gaming\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\gaming\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\RunOnce: [StartMSu] "C:\Program Files\Creative\MediaSource5\Startmsu.exe" /s
O4 - HKCU\..\RunOnce: [CMSRegOu] "C:\Program Files\Creative\MediaSource5\CMSRegOu.exe" /r
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [jsf8j34rgfght] C:\DOCUME~1\gaming\LOCALS~1\Temp\winloggn.exe (User 'Admin')
O4 - HKUS\S-1-5-21-1292428093-796845957-839522115-1003\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Admin\LOCALS~1\Temp\csrssc.exe (User 'Admin')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1292428093-796845957-839522115-1003 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Admin')
O4 - S-1-5-21-1292428093-796845957-839522115-1003 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Admin')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8100582656
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9/v2 ... boax10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7988 bytes

2. Uninstall List:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Apple Mobile Device Support
Apple Software Update
Belarc Advisor 7.2
Bonjour
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Creative WaveStudio 7
getPlus(R) for Adobe
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 12
Java DB 10.3.1.4
Java(TM) 6 Update 3
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 6
Java(TM) SE Development Kit 6 Update 7
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 SR-1 Professional
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
MobileMe Control Panel
Mozilla Firefox (3.0.5)
MSXML 6.0 Parser (KB933579)
PDF Settings
QuickTime
Safari
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Sound Blaster Audigy
SoundMAX
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Ventrilo Client
Windows Defender
Windows Imaging Component
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.2
World of Warcraft

(Sorry that uninstall list is incredibly large :P )

Re: Trojan horse Generic_c.TSW

Post by Axephilic » December 27th, 2008, 2:44 pm

Hi, just wanted to let you know that I am still working on a fix for you. I will post it as soon as I get approval. :)

Regards,
Adam

Re: Trojan horse Generic_c.TSW

Post by stisti » December 27th, 2008, 5:41 pm

That's fine, I understand you have a life of your own as well. :)

Re: Trojan horse Generic_c.TSW

Post by Axephilic » December 28th, 2008, 3:41 pm

Hello,

Please download FileLook by jpshortstuff from one of these mirrors:
Link 1
Link 2
  • Double-click FileLook.exe to run it.
  • Ensure that the BBCode Output checkbox is checked.
  • Copy the content of the following codebox into the main textfield:

    Javasched.jar /s

  • Click the FileLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\fl_log.txt


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

No Anti-Virus!
I don't see an anti-virus program present on your system! You should pick ONE of the following and install it. Never install more than 1 anti-virus or firewall.


In your next reply, please include:
  1. ComboFix log
  2. FileLook log
  3. A new HijackThis log

Regards,
Adam
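The FileLook request above exists because a bare `Javasched.jar` in the Startup folder is unusual: a legitimate Java scheduler would normally be launched through a .lnk or a Run value, not dropped as a jar. The script below is an added example of what a responder would check on such a file before trusting it; it is not part of the original post and not jpshortstuff's FileLook. The page never shows the real Javasched.jar, so the jar handled here is constructed in memory with a fictitious manifest, a fake class entry and a resource that starts with an MZ header, purely to exercise the code.

```python
"""Inspect a startup .jar the way a responder would before trusting it.

Added example; not part of the original post and not jpshortstuff's FileLook.
The real Javasched.jar from the thread is never shown on the page, so the jar
handled here is constructed in memory with a fictitious manifest and a fake
class/payload purely to exercise the code.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")   # files a jarsigner-signed jar carries under META-INF/


def build_sample_jar() -> bytes:
    """Constructed sample: unsigned jar with a Main-Class and an embedded PE-looking blob. Not real malware."""
    buf = io.BytesIO()
    entries = [
        ("META-INF/MANIFEST.MF",
         b"Manifest-Version: 1.0\r\nMain-Class: sched.Loader\r\n"
         b"Created-By: 1.6.0_07 (Sun Microsystems Inc.)\r\n\r\n"),
        ("sched/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28),   # class-file magic, no real bytecode
        ("res/update.dat", b"MZ" + b"\x90" * 62),                     # a DOS/PE header where data should be
    ]
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(2008, 12, 20, 0, 0, 0))  # fixed stamp: stable hash
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Main section of MANIFEST.MF; a line starting with a space continues the previous attribute."""
    attrs: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            break                                  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data: bytes) -> Dict[str, object]:
    """Hash, entry list, entry point, signature presence and embedded-PE check for one jar."""
    flags: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest: Dict[str, str] = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        main_class = manifest.get("Main-Class")
        if main_class is None:
            flags.append("no Main-Class: not directly runnable, yet placed in Startup")
        signed = any(n.upper().startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
                     for n in names)
        if not signed:
            flags.append("unsigned jar")
        for n in names:
            if n.endswith("/") or n.endswith(".class") or n.startswith("META-INF/"):
                continue
            if zf.read(n)[:2] == b"MZ":
                flags.append(f"{n}: resource begins with an MZ (Windows PE) header")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": names,
        "main_class": main_class,
        "signed": signed,
        "flags": flags,
    }


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar())
    for key, value in report.items():
        print(f"{key}: {value}")
```

For a jar pulled off a real machine, call `inspect_jar(open(path, "rb").read())`; the SHA-256 is what you look up or submit to a scanner. Note that the signature check only reports whether signature-block files are present; whether the signature actually verifies is a separate step (`jarsigner -verify`), and a jar that drops a PE image out of a resource entry deserves that step regardless.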

Re: Trojan horse Generic_c.TSW

Post by stisti » December 29th, 2008, 12:11 am

1.)ComboFix log

ComboFix 08-12-28.01 - gaming 2008-12-28 21:55:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.190 [GMT -6:00]
Running from: c:\documents and settings\gaming\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\gaming\LOCALS~1\Temp\@2.tmp
c:\documents and settings\Admin\Application Data\addon.dat
c:\documents and settings\gaming\Application Data\addon.dat
c:\documents and settings\gaming\Application Data\ShoppingReport
c:\documents and settings\gaming\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\gaming\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Guest\Application Data\addon.dat
c:\program files\ShoppingReport
c:\windows\KB8888239.log
c:\windows\system32\mdm.exe
c:\windows\system32\tyshb36rfjdf.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iTunes
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iPod
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 14:01 . 2008-12-22 14:01 <DIR> d-------- c:\program files\Ventrilo
2008-12-22 14:01 . 2008-12-22 14:01 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-22 14:00 . 2008-12-22 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-22 12:24 . 2008-12-26 23:32 <DIR> d-------- c:\program files\World of Warcraft
2008-12-22 02:59 . 2008-12-22 02:59 <DIR> d-------- C:\WoW-2.0.0-enUS-Installer
2008-12-22 02:59 . 2008-12-22 10:21 <DIR> d-------- c:\program files\WoW-2.0.0-enUS-Installer
2008-12-22 02:54 . 1999-12-13 01:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-22 02:54 . 1999-11-18 01:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-22 02:49 . 2008-12-22 02:49 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-12-21 22:01 . 2008-12-21 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-21 11:02 . 2008-12-28 10:55 31 --a------ c:\documents and settings\gaming\jagex_runescape_preferences.dat
2008-12-20 21:21 . 2008-12-20 21:22 63 --a------ c:\windows\system\SysSD.dll
2008-12-20 16:45 . 2008-12-20 16:46 <DIR> d-------- C:\autoruns
2008-12-20 12:29 . 2008-12-20 12:29 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 22:38 . 2008-12-18 22:38 <DIR> d-------- C:\79ed93fe6a3a7a3c5e06
2008-12-18 01:08 . 2008-12-19 14:58 <DIR> d-------- C:\Temp
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 03:17 --------- d-----w c:\program files\Bonjour
2008-12-25 03:15 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 03:12 --------- d-----w c:\program files\QuickTime
2008-12-25 03:03 --------- d-----w c:\program files\Safari
2008-12-22 20:03 --------- d-----w c:\documents and settings\gaming\Application Data\Ventrilo
2008-12-22 18:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-22 08:56 --------- d--h--w c:\program files\Creative Installation Information
2008-12-22 08:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 23:26 --------- d-----w c:\program files\LimeWire
2008-12-18 16:37 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-12-17 16:10 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-12-03 22:24 --------- d-----w c:\documents and settings\gaming\Application Data\LimeWire
2008-11-24 21:40 --------- d-----w c:\program files\POL
2008-11-24 15:32 --------- d-----w c:\program files\3.0.1.8874 US PTR Installer
2008-11-15 18:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 15:59 --------- d-----w c:\documents and settings\Admin\Application Data\Apple Computer
2008-11-13 16:17 --------- d-----w c:\documents and settings\gaming\Application Data\Apple Computer
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-03-01 02:03 795,278,976 ----a-w c:\program files\ADBEILSTCS3_WWE.exe
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-08 53340]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:your-scape
"2:TCP"= 2:TCP:70.254.167.163
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 Gcr432;Gcr432;c:\windows\system32\Drivers\gcr432.sys [2001-10-04 53701]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-18 33752]

*Newly Created Service* - CREATIVE_SERVICE_FOR_CDROM_ACCESS
*Newly Created Service* - IPOD_SERVICE
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Win32]
c:\windows\system32\system32\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gaming\Application Data\Mozilla\Firefox\Profiles\qya73d2v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - myspace.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 21:58:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-12-28 22:00:05
ComboFix-quarantined-files.txt 2008-12-29 03:58:59

Pre-Run: 32,441,184,256 bytes free
Post-Run: 35,959,230,464 bytes free

170 --- E O F --- 2008-12-26 04:53:34

2.) File Look Log

FileLook.exe v2.0 by jpshortstuff
Log created at 22:00 on 28/12/2008
==================================
FileLook - "avasched.jar"

Unable to find file.

==============================

=EOF=

3.) HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:26 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gaming\Desktop\setupeng.exe
C:\DOCUME~1\gaming\LOCALS~1\Temp\_av_sfx.tm~a01984\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8100582656
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9/v2 ... boax10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 6996 bytes
stisti
Regular Member
Posts: 19
Joined: December 20th, 2008, 2:36 pm

Re: Trojan horse Generic_c.TSW

Unread postby Axephilic » December 29th, 2008, 11:29 pm

Hello,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system\SysSD.dll

Folder::
c:\documents and settings\Admin\Application Data\LimeWire
c:\documents and settings\gaming\Application Data\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-

DirLook::
c:\program files\POL


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Update Java
Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 11.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate the following entries and click on Change/Remove to uninstall them:

    J2SE Runtime Environment 5.0 Update 12
    Java DB 10.3.1.4
    Java(TM) 6 Update 3
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 6
    Java(TM) SE Development Kit 6 Update 7

  2. Click here to visit Java's website.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u11-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Run this installation to update your Java.

You will also need to install the SDK (developer kit) if you wish to.



Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
Please uninstall all old versions of Adobe Reader and then you can download the newest version from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop Album Starter Edition installed or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop Album Starter Edition.


Kaspersky Online Scanner
Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. ComboFix log
  2. Kaspersky report
  3. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
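As an added example that is not part of this thread and is not ComboFix's own code: the script below parses the "Reg Loading Points" style of entries from the ComboFix log posted earlier (the excerpt embedded in it is copied from that log) and flags the kind of entries a helper looks at first, then renders a fix script in the same CFScript layout Adam posted above (File::, Folder::, Registry:: with "=-" to delete a value, DirLook::). The flagging rules are the editor's own heuristics, not anything ComboFix does, and a hit means "check this", not "this is malware"; the CFScript it prints uses the helper's own targets from the reply above.

```python
"""Triage a ComboFix "Reg Loading Points" excerpt and render a CFScript.

Added example for this thread; it is not ComboFix code, and the flagging
rules below are the editor's own heuristics (a hit means "look at this").
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Finding = Tuple[str, str]  # (registry key the entry sits under, reason)

# Constructed excerpt: these lines are copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:your-scape
"2:TCP"= 2:TCP:70.254.167.163
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Win32]
c:\windows\system32\system32\svchost.exe s
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# GloballyOpenPorts values look like:  "PORT:PROTO"= PORT:PROTO:NAME
_OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.IGNORECASE)


def split_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Group a REGEDIT4-style dump into (key, [entry lines]) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif sections:  # drop preamble such as the REGEDIT4 header
            sections[-1][1].append(line)
    return sections


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every entry and return what they flag."""
    findings: List[Finding] = []
    for key, entries in split_sections(log_text):
        k = key.lower()
        for entry in entries:
            if k.endswith("security center"):
                if entry.lower() == '"antivirusoverride"=dword:00000001':
                    findings.append((key, "AntiVirusOverride=1: Security Center AV monitoring "
                                          "is suppressed; confirm which product set it"))
            elif k.endswith("globallyopenports\\list"):
                m = _OPEN_PORT.match(entry)
                if m and _IPV4.match(m.group(3).strip()):
                    findings.append((key, f"port {m.group(1)}/{m.group(2).upper()} opened to all "
                                          "with a bare IP address as the rule name"))
            elif "active setup\\installed components" in k:
                path = entry.split()[0].lower()
                parts = path.split("\\")
                if any(a == b for a, b in zip(parts, parts[1:])):
                    findings.append((key, f"doubled directory component in launch path: {path}"))
                elif parts[-1] == "svchost.exe" and "\\".join(parts[:-1]) != r"c:\windows\system32":
                    findings.append((key, f"svchost.exe launched from outside system32: {path}"))
    return findings


def build_cfscript(files: Sequence[str] = (), folders: Sequence[str] = (),
                   registry: Optional[Dict[str, Sequence[str]]] = None,
                   dirlook: Sequence[str] = ()) -> str:
    """Render a CFScript in the section layout the helper's reply uses."""
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    if registry:
        out.append("Registry::")
        for key, values in registry.items():
            out.append(f"[{key}]")
            out += [f'"{v}"=-' for v in values]  # "=-" deletes that value
        out.append("")
    if dirlook:
        out += ["DirLook::", *dirlook, ""]
    return "\n".join(out)


if __name__ == "__main__":
    for key, reason in triage(SAMPLE_LOG):
        print(f"[{key}]\n    {reason}")
    # The helper's own targets from the reply above, rendered as a CFScript.
    print(build_cfscript(
        files=[r"c:\windows\system\SysSD.dll"],
        folders=[r"c:\documents and settings\Admin\Application Data\LimeWire",
                 r"c:\documents and settings\gaming\Application Data\LimeWire"],
        registry={r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List": ["3724:TCP"]},
        dirlook=[r"c:\program files\POL"],
    ))
```

Run it as-is to see the three flagged entries and the rendered CFScript; to triage a different log, paste the relevant section of that log into SAMPLE_LOG or pass its text to triage(). Note that AntiVirusOverride=1 is also set by some legitimate antivirus products, which is why the finding asks you to confirm the source rather than treating it as an infection.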

Re: Trojan horse Generic_c.TSW

Unread postby stisti » December 30th, 2008, 4:04 am

Hello!

I am having problems with the following-

1.) ComboFix Log-
I dragged the specified Word file onto the .exe and it ran an update for ComboFix.
After that it appeared to do the same steps as the first time I did a ComboFix log. I'm not sure if this is the log or not, but here you go; this is what I was given.

ComboFix 08-12-29.02 - gaming 2008-12-30 1:02:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.237 [GMT -6:00]
Running from: c:\documents and settings\gaming\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gaming\Desktop\CFScript.txt

FILE ::
c:\windows\system\SysSD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\LimeWire
c:\documents and settings\Admin\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Admin\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Admin\Application Data\LimeWire\downloads.dat
c:\documents and settings\Admin\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Admin\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Admin\Application Data\LimeWire\filters.props
c:\documents and settings\Admin\Application Data\LimeWire\installation.props
c:\documents and settings\Admin\Application Data\LimeWire\library.dat
c:\documents and settings\Admin\Application Data\LimeWire\limewire.props
c:\documents and settings\Admin\Application Data\LimeWire\mojito.props
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Admin\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Admin\Application Data\LimeWire\questions.props
c:\documents and settings\Admin\Application Data\LimeWire\simpp.xml
c:\documents and settings\Admin\Application Data\LimeWire\tables.props
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Admin\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Admin\Application Data\LimeWire\version.xml
c:\documents and settings\Admin\Application Data\LimeWire\versions.props
c:\documents and settings\gaming\Application Data\LimeWire
c:\documents and settings\gaming\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\gaming\Application Data\LimeWire\createtimes.cache
c:\documents and settings\gaming\Application Data\LimeWire\downloads.dat
c:\documents and settings\gaming\Application Data\LimeWire\fileurns.bak
c:\documents and settings\gaming\Application Data\LimeWire\fileurns.cache
c:\documents and settings\gaming\Application Data\LimeWire\filters.props
c:\documents and settings\gaming\Application Data\LimeWire\gnutella.net
c:\documents and settings\gaming\Application Data\LimeWire\installation.props
c:\documents and settings\gaming\Application Data\LimeWire\library.dat
c:\documents and settings\gaming\Application Data\LimeWire\limewire.props
c:\documents and settings\gaming\Application Data\LimeWire\mojito.props
c:\documents and settings\gaming\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\gaming\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\gaming\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\gaming\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\gaming\Application Data\LimeWire\questions.props
c:\documents and settings\gaming\Application Data\LimeWire\responses.cache
c:\documents and settings\gaming\Application Data\LimeWire\simpp.xml
c:\documents and settings\gaming\Application Data\LimeWire\spam.dat
c:\documents and settings\gaming\Application Data\LimeWire\tables.props
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\gaming\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\gaming\Application Data\LimeWire\ttrees.cache
c:\documents and settings\gaming\Application Data\LimeWire\ttroot.cache
c:\documents and settings\gaming\Application Data\LimeWire\version.xml
c:\documents and settings\gaming\Application Data\LimeWire\versions.props
c:\documents and settings\gaming\Application Data\LimeWire\xml\data\audio.sxml2
c:\windows\system\SysSD.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 22:08 . 2008-12-28 22:08 <DIR> d-------- c:\program files\Alwil Software
2008-12-28 22:08 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iTunes
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iPod
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 14:01 . 2008-12-22 14:01 <DIR> d-------- c:\program files\Ventrilo
2008-12-22 14:01 . 2008-12-22 14:01 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-22 14:00 . 2008-12-22 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-22 12:24 . 2008-12-26 23:32 <DIR> d-------- c:\program files\World of Warcraft
2008-12-22 02:59 . 2008-12-22 02:59 <DIR> d-------- C:\WoW-2.0.0-enUS-Installer
2008-12-22 02:59 . 2008-12-22 10:21 <DIR> d-------- c:\program files\WoW-2.0.0-enUS-Installer
2008-12-22 02:54 . 1999-12-13 01:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-22 02:54 . 1999-11-18 01:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-22 02:49 . 2008-12-22 02:49 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-12-21 22:01 . 2008-12-21 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-21 11:02 . 2008-12-28 22:14 31 --a------ c:\documents and settings\gaming\jagex_runescape_preferences.dat
2008-12-20 16:45 . 2008-12-20 16:46 <DIR> d-------- C:\autoruns
2008-12-20 12:29 . 2008-12-20 12:29 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 22:38 . 2008-12-18 22:38 <DIR> d-------- C:\79ed93fe6a3a7a3c5e06
2008-12-18 01:08 . 2008-12-19 14:58 <DIR> d-------- C:\Temp
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-24 09:13 . 2008-11-24 09:32 <DIR> d-------- c:\program files\3.0.1.8874 US PTR Installer
2008-11-11 15:49 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 15:47 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 03:17 --------- d-----w c:\program files\Bonjour
2008-12-25 03:15 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 03:12 --------- d-----w c:\program files\QuickTime
2008-12-25 03:03 --------- d-----w c:\program files\Safari
2008-12-22 20:03 --------- d-----w c:\documents and settings\gaming\Application Data\Ventrilo
2008-12-22 18:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-22 08:56 --------- d--h--w c:\program files\Creative Installation Information
2008-12-22 08:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 23:26 --------- d-----w c:\program files\LimeWire
2008-12-17 16:10 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-24 21:40 --------- d-----w c:\program files\POL
2008-11-15 18:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 15:59 --------- d-----w c:\documents and settings\Admin\Application Data\Apple Computer
2008-11-13 16:17 --------- d-----w c:\documents and settings\gaming\Application Data\Apple Computer
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-01 02:03 795,278,976 ----a-w c:\program files\ADBEILSTCS3_WWE.exe
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\POL ----

2008-11-24 08:48 2140 --a------ c:\program files\POL\POL.002
2008-11-24 08:45 8660 --a------ c:\program files\POL\POL.005
2008-11-24 08:41 1375059 --a------ c:\program files\POL\POL.009
2008-11-23 23:14 2590 --a------ c:\program files\POL\POL.001


((((((((((((((((((((((((((((( snapshot@2008-12-28_21.58.32.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 16:55:27 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2008-12-29 04:14:13 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2008-12-28 16:55:27 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-12-29 04:14:13 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-08 53340]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:your-scape
"2:TCP"= 2:TCP:70.254.167.163

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 Gcr432;Gcr432;c:\windows\system32\Drivers\gcr432.sys [2001-10-04 53701]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-18 33752]

*Newly Created Service* - CATCHME
*Newly Created Service* - CREATIVE_SERVICE_FOR_CDROM_ACCESS
*Newly Created Service* - IPOD_SERVICE
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Win32]
c:\windows\system32\system32\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gaming\Application Data\Mozilla\Firefox\Profiles\qya73d2v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - myspace.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 01:06:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-12-30 1:07:52
ComboFix-quarantined-files.txt 2008-12-30 07:06:49
ComboFix2.txt 2008-12-29 04:00:06

Pre-Run: 35,847,610,368 bytes free
Post-Run: 35,834,363,904 bytes free

294 --- E O F --- 2008-12-26 04:53:34

2.) I am having problems updating Adobe & Java-

It appears that when I try to update Java, something is causing the download manager to lose its connection.

When I download Adobe, it also is not functioning properly.


3.) connecting to the kaspersky.com site-

I cannot connect to the Kaspersky.com website.

4.) HijackThis Log-

With all of the above issues I'm not sure if you still want this log, but here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:15 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8100582656
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9/v2 ... boax10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7046 bytes
stisti
Regular Member
 
Posts: 19
Joined: December 20th, 2008, 2:36 pm

Re: Trojan horse Generic_c.TSW

Unread postby Axephilic » December 30th, 2008, 1:36 pm

Yes, that is just fine for ComboFix, it ran just as expected. :) Thank you for letting me know that though.

Did you install a keylogger knowingly?

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

They allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a keylogger, the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063

Please let me know what you decide.

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan horse Generic_c.TSW

Unread postby stisti » December 30th, 2008, 2:43 pm

I did in fact download a keylogger known as Ardamax Keylogger purposely, for a use that was necessary at the time.
Although I thought I had uninstalled it.
I would reformat my computer, but I don't have the disc for my operating system.
stisti
Regular Member
 
Posts: 19
Joined: December 20th, 2008, 2:36 pm

Re: Trojan horse Generic_c.TSW

Unread postby Axephilic » December 30th, 2008, 4:38 pm

Hello,

Run ComboFix

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
Folder::
c:\program files\POL
c:\program files\LimeWire



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

In your next reply, please include:
  1. ComboFix log
  2. GMER log
  3. A new HijackThis log

Regards,
Adam

Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan horse Generic_c.TSW

Unread postby stisti » December 30th, 2008, 9:16 pm

1.) ComboFix Log-

ComboFix 08-12-29.02 - gaming 2008-12-30 18:35:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.178 [GMT -6:00]
Running from: c:\documents and settings\gaming\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gaming\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\commons-httpclient.jar.tmp
c:\program files\LimeWire\commons-pool.jar.tmp
c:\program files\LimeWire\hs_err_pid2300.log
c:\program files\LimeWire\hs_err_pid2672.log
c:\program files\LimeWire\hs_err_pid480.log
c:\program files\LimeWire\httpcore-nio.jar.tmp
c:\program files\LimeWire\httpcore.jar.tmp
c:\program files\LimeWire\id3v2.jar.tmp
c:\program files\POL
c:\program files\POL\POL.001
c:\program files\POL\POL.002
c:\program files\POL\POL.005
c:\program files\POL\POL.009

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-30 01:45 . 2008-12-30 01:45 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-30 01:27 . 2008-12-30 01:53 <DIR> d-------- c:\documents and settings\gaming\.SunDownloadManager
2008-12-30 01:17 . 2007-05-02 04:01 49,265 --a------ c:\windows\system32\jpicpl32.cpl
2008-12-28 22:08 . 2008-12-28 22:08 <DIR> d-------- c:\program files\Alwil Software
2008-12-28 22:08 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iTunes
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\program files\iPod
2008-12-24 21:15 . 2008-12-24 21:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 14:01 . 2008-12-22 14:01 <DIR> d-------- c:\program files\Ventrilo
2008-12-22 14:01 . 2008-12-22 14:01 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-22 14:00 . 2008-12-22 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-22 12:24 . 2008-12-26 23:32 <DIR> d-------- c:\program files\World of Warcraft
2008-12-22 02:59 . 2008-12-22 02:59 <DIR> d-------- C:\WoW-2.0.0-enUS-Installer
2008-12-22 02:59 . 2008-12-22 10:21 <DIR> d-------- c:\program files\WoW-2.0.0-enUS-Installer
2008-12-22 02:54 . 1999-12-13 01:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-22 02:54 . 1999-11-18 01:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-22 02:49 . 2008-12-22 02:49 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-12-21 22:01 . 2008-12-21 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-21 11:02 . 2008-12-28 22:14 31 --a------ c:\documents and settings\gaming\jagex_runescape_preferences.dat
2008-12-20 16:45 . 2008-12-20 16:46 <DIR> d-------- C:\autoruns
2008-12-20 12:29 . 2008-12-20 12:29 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 22:38 . 2008-12-18 22:38 <DIR> d-------- C:\79ed93fe6a3a7a3c5e06
2008-12-18 01:08 . 2008-12-19 14:58 <DIR> d-------- C:\Temp
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-24 09:13 . 2008-11-24 09:32 <DIR> d-------- c:\program files\3.0.1.8874 US PTR Installer
2008-11-11 15:49 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 15:47 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 07:21 --------- d-----w c:\program files\Java
2008-12-25 03:17 --------- d-----w c:\program files\Bonjour
2008-12-25 03:15 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 03:12 --------- d-----w c:\program files\QuickTime
2008-12-25 03:03 --------- d-----w c:\program files\Safari
2008-12-22 20:03 --------- d-----w c:\documents and settings\gaming\Application Data\Ventrilo
2008-12-22 18:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-22 08:56 --------- d--h--w c:\program files\Creative Installation Information
2008-12-22 08:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 16:10 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-15 18:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 15:59 --------- d-----w c:\documents and settings\Admin\Application Data\Apple Computer
2008-11-13 16:17 --------- d-----w c:\documents and settings\gaming\Application Data\Apple Computer
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-01 02:03 795,278,976 ----a-w c:\program files\ADBEILSTCS3_WWE.exe
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_21.58.32.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 16:55:27 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2008-12-29 04:14:13 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2008-12-28 16:55:27 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-12-29 04:14:13 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
- 2008-12-25 14:30:51 705,928 ----a-w c:\windows\SoftwareDistribution\Download\Install\mpas-d.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
- 2008-06-10 06:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2007-05-02 08:22:52 49,248 ----a-w c:\windows\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2007-05-02 08:23:00 53,346 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2007-05-02 10:01:20 127,078 ----a-w c:\windows\system32\javaws.exe
- 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-08-22 07:07:54 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-12-30 08:11:19 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-08 53340]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:your-scape
"2:TCP"= 2:TCP:70.254.167.163

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 Gcr432;Gcr432;c:\windows\system32\Drivers\gcr432.sys [2001-10-04 53701]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-18 33752]

*Newly Created Service* - CATCHME
*Newly Created Service* - CREATIVE_SERVICE_FOR_CDROM_ACCESS
*Newly Created Service* - IPOD_SERVICE
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Win32]
c:\windows\system32\system32\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gaming\Application Data\Mozilla\Firefox\Profiles\qya73d2v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - myspace.com
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 18:37:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-12-30 18:39:14
ComboFix-quarantined-files.txt 2008-12-31 00:38:09
ComboFix2.txt 2008-12-31 00:31:42
ComboFix3.txt 2008-12-30 07:07:54
ComboFix4.txt 2008-12-29 04:00:06

Pre-Run: 36,156,125,184 bytes free
Post-Run: 36,141,363,200 bytes free

223 --- E O F --- 2008-12-26 04:53:34


2.) Gmer Log-

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-30 18:58:14
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???5????Security Center?????192.168.0.1??????+??????????????????????USB Mass Storage Driver?????time.windows.com,7ac6c47?????????????s??? ???+???????????????????+???????????e??LocalSystem??W??LocalSystem?????%systemroot%\system32\svchost.exe -k netsvcs????????? ???+???????????????+???+??Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. ?r?S???????+???a?????nSD??RpcSs?winmgmt?????????Z??+???A????hIPB???? ??+??????????????????????t???C:\WINDOWS\system32\w32time.dll???????Z??+????????h????????????????????????????t?????????+???8?????????69.???????????????????????+???????????e???6?5?6??HIDClass????%SystemRoot%\System32\svchost.exe -k netsvcs????%SystemRoot%\System32\svchost.exe -k netsvcs????? ???7???r??????s???????????Se??????????????Provides automatic configuration for the 802.11 adapters????192.168.0.1?4?5????
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel@ Avg Kernel Class
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel\CLSID
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel\CLSID@ {41564737-3200-1071-989B-0000E87B4FB1}
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel\CurVer
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel\CurVer@ AVG.AvgKernel.7
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel.7@ Avg Kernel Class
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel.7\CLSID
Reg HKLM\SOFTWARE\Classes\AVG.AvgKernel.7\CLSID@ {41564737-3200-1071-989B-0000E87B4FB1}
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO@ QuickBooks Online Edition Utilities Class v10
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO\CLSID
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO\CLSID@ {843EE768-3A97-455c-9076-741BA3AD7B62}
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO\CurVer
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO\CurVer@ Qboax10.QBO.1
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO.1@ QuickBooks Online Edition Utilities Class v10
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO.1\CLSID
Reg HKLM\SOFTWARE\Classes\Qboax10.QBO.1\CLSID@ {843EE768-3A97-455c-9076-741BA3AD7B62}

---- EOF - GMER 1.0.14 ----

3.) HijackThis Log-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:04 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8100582656
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c9/v2 ... boax10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7079 bytes
stisti
Regular Member
 
Posts: 19
Joined: December 20th, 2008, 2:36 pm
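The HijackThis log above is the kind of listing the volunteers here read by hand. As an added example (not code from this thread, from HijackThis or from MalwareRemoval.com), the parser below splits the `R1`/`O2`/`O4`/`O23` entry lines into section, name and binary path, and marks the two things a reviewer looks for first: a service whose binary is missing or whose owner is unknown, and an autostart command that names its executable by a relative name rather than a full path. The sample lines are copied from the log in this thread; the `SAMPLE_LOG` name and the `parse_log`/`review_items` functions are my own.

```python
"""Minimal triage parser for HijackThis v2 log entries (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str
    name: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def _first_token(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    flags: List[str] = []
    path: Optional[str]
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:                                  # registry Run key entry
            name, path = r.group("name"), _first_token(r.group("cmd"))
        elif " = " in body:                    # Startup-folder shortcut entry
            name, path = body.split(" = ", 1)
        else:
            name, path = body, None
    elif sec == "O23":
        s = SVC_RE.match(body)
        if not s:
            return Entry(sec, body, None)
        name, owner, path = s.group("name"), s.group("owner"), s.group("path")
        if path.endswith("(file missing)"):
            path = path[: -len("(file missing)")].strip()
            flags.append("file missing")
        if owner == "Unknown owner":
            flags.append("unknown owner")
    else:
        parts = body.rsplit(" - ", 1)          # O2/O3/O9/O16: path is the last field
        name = parts[0]
        path = parts[1] if len(parts) == 2 else None
    # A bare executable name resolves through the search path, so it is worth a look.
    if path and not DRIVE_RE.match(path) and not path.lower().startswith(("http://", "https://")):
        flags.append("relative path")
    return Entry(sec, name, path, flags)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def review_items(text: str) -> List[Entry]:
    """Entries a reviewer should check first: anything that picked up a flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in review_items(SAMPLE_LOG):
        print(f"{e.section:4} {e.name:<14} {e.path!r:50} {', '.join(e.flags)}")
```

Running it on the sample lists `P17Helper` (its `Rundll32 P17.dll,P17Helper` command names the executable without a path) and the `Ventrilo` service (`Unknown owner`, `(file missing)`). Both happen to be benign leftovers on this machine, which is the point: the parser surfaces what needs a human decision, it does not make it.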

Re: Trojan horse Generic_c.TSW

Unread postby Axephilic » December 31st, 2008, 2:35 pm

Hello,

Let's try Kaspersky again.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next reply, please include:
  1. Kaspersky report
  2. A new HijackThis log

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Trojan horse Generic_c.TSW

Unread postby stisti » January 1st, 2009, 6:01 pm

Kaspersky is still not working.
stisti
Regular Member
 
Posts: 19
Joined: December 20th, 2008, 2:36 pm