
Win32 Trojan Tdss - MS Office, other apps close spontaneousl


Post by DBaker » August 18th, 2009, 4:24 pm

I've run AdAware several times, and it keeps detecting Win32 Trojan Tdss, no matter how many times it's removed. Meantime, all of my MS Office apps will run only for a few minutes before spontaneously closing. This makes it very hard to work. Please help!

Here's my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:33 PM, on 8/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
c:\windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 2415 bytes
DBaker
Active Member
 
Posts: 12
Joined: August 18th, 2009, 4:14 pm

Post by Shaba » August 21st, 2009, 12:12 am

Hi DBaker

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by DBaker » August 21st, 2009, 9:34 am

Thanks for your reply.

I tried running Gmer.exe both in normal and in safe mode, but nothing happened, although when I ran Task Manager, it did show that Gmer.exe was running. I'm attaching a screenshot showing my Processes tab in Task Manager.

Also, here's my current HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:03 AM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Windows Live Sync] "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" /background
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Promise Technology, Inc. - (no file)

--
End of file - 2158 bytes
DBaker

Post by Shaba » August 21st, 2009, 10:48 am

Please rename gmer.exe and let me know if it runs now.
Shaba

Post by DBaker » August 21st, 2009, 11:42 am

That worked. The gmer.txt log was too long to include the text of it in this message, and the file is too large to attach. How do you want me to post it?
DBaker

Post by Shaba » August 21st, 2009, 12:07 pm

Please split it into multiple replies then :)
Shaba

Post by DBaker » August 21st, 2009, 12:28 pm

"Your message contains 3792457 characters. The maximum number of allowed characters is 100000."

It would take 38 replies to post the whole thing. The maximum file attachment size is 256 KB? Can I attach it as a zip file?
DBaker

Post by Shaba » August 21st, 2009, 12:50 pm

Was "Show all" checked when scanning?
Shaba

Post by DBaker » August 21st, 2009, 12:58 pm

No
DBaker

Post by Shaba » August 21st, 2009, 1:16 pm

OK.

Then you can zip & attach it to your next reply.
Shaba

Post by DBaker » August 21st, 2009, 3:07 pm

Files attached.

Sorry to be so much trouble - believe me, this is frustrating me, too...
DBaker

Post by Shaba » August 21st, 2009, 3:25 pm

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba

Post by DBaker » August 21st, 2009, 4:13 pm

C:\ComboFix.txt:

ComboFix 09-08-20.07 - D Frazier 08/21/2009 14:43.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.868 [GMT -5:00]
Running from: c:\documents and settings\D Frazier\Desktop\c-fixit.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\Installer\1ea9a76.msi
c:\windows\Installer\44d2e28.msp
c:\windows\Installer\44d2e2f.msp
c:\windows\Installer\53aa662.msi
c:\windows\Installer\79787b.msi
c:\windows\patch.exe
c:\windows\run.log
c:\windows\system32\drivers\atmapi.sys
c:\windows\system32\drivers\UACekxjtqpyna.sys
c:\windows\system32\UACdsewwcojsn.dll
c:\windows\system32\UACgoiolmttju.dat
c:\windows\system32\UAChfqjuovakl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpmjiwmncnt.dll
c:\windows\system32\UACvppbcumexm.db
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 20:00 . 2009-08-21 20:00 -------- d-----w- C:\bb5d9dcdf4787c3c26e8bdc8
2009-08-20 19:25 . 2009-08-20 19:26 -------- d-s---w- C:\david
2009-08-20 12:17 . 2009-08-20 12:17 -------- d-----w- c:\documents and settings\D Frazier\Local Settings\Application Data\PCHealth
2009-08-19 09:58 . 2008-10-16 19:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-08-19 09:58 . 2008-10-16 19:13 202776 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-18 19:59 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-18 19:43 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-18 19:42 . 2009-08-18 19:42 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-18 17:41 . 2009-08-18 17:41 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2009-08-18 16:59 . 2009-08-18 16:59 -------- d-----w- C:\New Folder
2009-08-18 14:55 . 2009-08-18 14:55 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2009-08-18 14:39 . 2009-08-18 14:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\AVG Security Toolbar
2009-08-18 14:39 . 2009-08-18 14:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-08-18 14:35 . 2009-08-18 14:35 -------- d-----w- c:\documents and settings\Admin\Application Data\comcasttb
2009-08-18 14:35 . 2009-08-18 14:35 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2009-08-18 13:39 . 2009-08-18 13:39 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-08-18 13:39 . 2009-08-18 13:39 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-08-18 13:35 . 2009-08-18 13:35 114024 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 13:25 . 2009-08-18 13:25 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\BVRP Software
2009-08-18 12:59 . 2009-08-18 12:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AVG Security Toolbar
2009-08-18 12:57 . 2009-08-18 12:57 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-08-18 12:42 . 2009-08-18 12:42 -------- d-----w- c:\documents and settings\User\Application Data\comcasttb
2009-08-18 12:41 . 2009-08-18 12:41 -------- d-----w- c:\documents and settings\User\Application Data\ASAP Utilities
2009-08-18 12:32 . 2009-08-18 12:32 -------- d-----w- c:\documents and settings\User\Application Data\HotSync
2009-08-18 12:32 . 2009-08-18 12:32 -------- d-----w- c:\documents and settings\User\Application Data\WinPatrol
2009-08-17 16:06 . 2009-08-17 16:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-17 15:29 . 2009-08-17 15:29 -------- d-----w- c:\docume~1\DFRAZI~1\APPLIC~1\AVG8
2009-08-17 15:27 . 2009-08-18 19:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-17 15:05 . 2009-08-17 15:05 -------- d-----w- c:\docume~1\DFRAZI~1\APPLIC~1\Lavasoft
2009-08-17 14:00 . 2009-08-17 14:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-15 08:06 . 2009-08-15 08:06 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-15 08:05 . 2009-08-15 08:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 08:05 . 2009-08-15 08:05 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:05 . 2009-08-15 08:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 08:04 . 2009-08-15 08:05 -------- d-----w- C:\fc15872cf46b9d664a4ad086d3
2009-08-15 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-13 08:02 . 2009-08-13 08:02 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 11:32 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-03 12:34 . 2009-08-03 12:34 -------- d-----w- c:\program files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 19:54 . 2009-01-21 13:29 7304 ----a-w- c:\windows\TMP0001.TMP
2009-08-21 19:50 . 2004-08-04 10:00 577536 ----a-w- c:\windows\system32\user32.dll
2009-08-21 16:03 . 2007-02-26 13:59 -------- d-----w- c:\program files\Password Safe
2009-08-18 21:08 . 2008-06-18 12:19 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-08-18 19:42 . 2005-06-07 17:09 -------- d-----w- c:\program files\Lavasoft
2009-08-17 21:41 . 2009-06-29 21:01 -------- d-----w- c:\docume~1\DFRAZI~1\APPLIC~1\CallingID
2009-08-17 16:39 . 2009-02-09 17:21 114024 ----a-w- c:\documents and settings\D Frazier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:06 . 2008-06-18 12:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 16:06 . 2008-06-18 12:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 16:06 . 2006-11-22 13:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 14:52 . 2005-05-25 13:28 -------- d-----w- c:\program files\Yahoo!
2009-08-17 13:44 . 2009-08-17 13:44 1366097 ----a-w- c:\windows\system32\xa.tmp
2009-08-15 08:18 . 2009-02-02 13:57 -------- d-----w- c:\program files\Everything
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 12:26 . 2007-09-24 13:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 22:47 . 2009-06-29 21:00 -------- d-----w- c:\docume~1\DFRAZI~1\APPLIC~1\comcasttb
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 21:19 . 2009-07-15 21:19 -------- d-----w- c:\program files\Microsoft
2009-07-15 21:08 . 2009-07-15 21:08 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-14 14:15 . 2005-06-15 14:38 -------- d--h--r- c:\docume~1\ALLUSE~1\APPLIC~1\yahoo!
2009-07-14 14:15 . 2005-08-31 12:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2009-07-13 15:08 . 2004-08-04 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 10:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 12:49 . 2009-07-03 12:48 -------- d-----w- c:\program files\QuickTime
2009-07-03 12:48 . 2005-06-03 22:29 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-03 12:48 . 2009-07-03 12:48 -------- d-----w- c:\program files\Apple Software Update
2009-07-03 12:48 . 2009-07-03 12:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-06-29 21:01 . 2009-06-29 21:00 -------- d-----w- c:\program files\comcasttb
2009-06-29 21:00 . 2005-05-25 13:28 -------- d-----w- c:\program files\Common Files\Scanner
2009-06-29 21:00 . 2009-06-29 21:00 -------- d-----w- c:\program files\CA
2009-06-25 08:44 . 2004-08-04 10:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 10:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 10:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 10:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 10:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 10:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:34 . 2004-08-04 10:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 10:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2006-12-01 17:30 . 2006-12-01 17:33 360448 ----a-w- c:\program files\Uninstall My Web Search.dll
2000-06-05 23:47 . 2000-06-05 23:47 32768 ----a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

c:\documents and settings\David Frazier\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\Hotsync.exe [2004-6-9 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 16:06 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"SQLWriter"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"EdcSvr"=2 (0x2)
"avg8wd"=2 (0x2)
"APC UPS Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\David Frazier\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=
"c:\\Program Files\\RssBandit\\RSSBandit.exe"=
"c:\\Program Files\\Everything\\Everything.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"\\\\Dell-330-js\\tcp\\timesvr.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [8/18/2009 2:43 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/18/2008 7:20 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/17/2009 11:06 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/18/2008 7:19 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S2 AntiSpywareService;Comcast AntiSpyware; [x]
S4 EdcSvr;EdcSvr;c:\alohaqs\BIN\EdcSvr.exe [9/30/2008 10:54 AM 3715072]
S4 Fipse_l;Fipse_l;c:\windows\SYSTEM32\DRIVERS\mrxsmb.sys [5/19/2005 5:23 PM 453632]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\docume~1\DFRAZI~1\APPLIC~1\Mozilla\Firefox\Profiles\ffg8er62.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.communitybakery.com/|http://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/sear ... -web_us&p=
FF - component: c:\documents and settings\D Frazier\Application Data\Mozilla\Firefox\Profiles\ffg8er62.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\D Frazier\Application Data\Mozilla\Firefox\Profiles\ffg8er62.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 14:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(252)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\SYSTEM32\msiexec.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2009-08-21 15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 20:07

Pre-Run: 8,080,805,888 bytes free
Post-Run: 8,498,511,872 bytes free

302 --- E O F --- 2009-08-21 20:03


And HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:31 PM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Promise Technology, Inc. - (no file)

--
End of file - 2557 bytes
DBaker
Active Member
 
Posts: 12
Joined: August 18th, 2009, 4:14 pm

Re: Win32 Trojan Tdss - MS Office, other apps close spontaneousl

Unread postby DBaker » August 21st, 2009, 6:34 pm

I'll be gone for the weekend, but will check back in on Monday. Thanks for your help so far.
DBaker
Active Member
 
Posts: 12
Joined: August 18th, 2009, 4:14 pm

Re: Win32 Trojan Tdss - MS Office, other apps close spontaneousl

Unread postby Shaba » August 22nd, 2009, 5:18 am

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\program files\Uninstall My Web Search.dll


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened, we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland