> A New Virus ---- Help !, certainly infected -- adaware fails, f-secure fails
TrojanLover
post Sep 7 2008, 07:11 AM
Post #1
New Member (Group: Members)
Hello everyone,

Now, how can I start telling you my story? Well, it all started with rapidshare searching...

I was just browsing, no downloading, no installs; suddenly a balloon popped up saying the Windows firewall is not enabled, and in the two seconds or so it took me to get to the correct window to enable it again, it had somehow enabled itself again. This was very suspicious... but I moved on, ignoring it. While I searched in Google a very strange thing started to happen.

All Google results seemed to take me to the same website... whoops... has Google been hacked?
Every link on the Google result page seemed to start with <http://go.google.com> and when clicked
I was being redirected via so many domains that I was getting concerned. The proxy setting in IE was found to be empty and I found no dodgy middleware.

I have F-Secure antivirus (GENUINE) and Ad-Aware 2008 free version, and both on a full scan found no problems... however,

when I try to visit the site http://lavasoft.com/ the browser fails to connect, although DNS resolved to the correct IP address. So... I installed Fiddler to view what's happening to the HTTP sessions. As you may know, Fiddler acts as a proxy and Internet Explorer connects to it via 127.0.0.1:8888.

Now with Fiddler INSTALLED and IE using it, I can visit the lavasoft.com site perfectly, whereas Firefox, which is not using Fiddler as its proxy, gives me the same connection error... strange!!

My HijackThis log seemed OK; however, PROCESS EXPLORER revealed something important: svchost.exe had launched an instance of Internet Explorer. So I booted to safe mode and scanned again with F-Secure and found a trojan... happy moments... was so relieved... but

now all the Google results appear fine, yet I still can't connect to lavasoft.com if not using Fiddler. So I suspected that some system files had been compromised. So I uninstalled SP3 and upon reboot went to the safe-mode command prompt (F8 at boot time) and installed SP3 again. The problem is still here.

If my Firefox and IE are connected via Fiddler, they can connect to lavasoft; otherwise not. The hosts file is clean and DNS resolves just fine. I'm sure the trojan is waiting to be f****d.

Please help!!

This post has been edited by Orange Blossom: Sep 18 2008, 07:52 PM
Reason for edit: Deactivate link. ~ OB
TrojanLover
post Sep 7 2008, 07:49 AM
Post #2
New Member (Group: Members)
These programs are clean:
ATK0100\*.exe (ASUS laptop hotkeys)
Salaat Time\SalaatTime.exe
ccservice.exe (cryptoExpert)


HTML
Logfile of HijackThis v1.99.1
Scan saved at 12:43:23, on 06/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero 6\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\Ahsan\My Documents\desktop icons\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8888;https=127.0.0.1:8888;
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (filesize 501136 bytes, MD5 D6137540BDF0F9F9B9055C60ADD8007A)
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (filesize 208952 bytes, MD5 7BBE4CF421AECC7F0226EDD75F12079F)
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC (filesize 59392 bytes, MD5 1B17E09C1223F6D17336D2DD7A1AF4F4)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (filesize 455168 bytes, MD5 024DC0F68DF5FD6AE9DD82DFBAF479D6)
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash (filesize 122929 bytes, MD5 855E795383BED05C481575BD0C1C0D37)
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW (filesize 700416 bytes, MD5 9153905D790DC0ADC7B992D0C948D247)
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot (filesize 372736 bytes, MD5 D90838CBC9F7412EE26DCC17617E4D17)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" (filesize 132496 bytes, MD5 896E712A34D654A337C8CBB9DEB07200)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (filesize 33280 bytes, MD5 037B1E7798960E0420003D05BB577EE6)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe" (filesize 356352 bytes, MD5 329F9DE88C88917E08F7F3D75704F23B)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe (filesize 36903 bytes, MD5 CC2939B255697B4762A062AEB0B3E91E)
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm (filesize 380 bytes, MD5 7D6B44419CEBF7B26CC106BAF0BE19B7)
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (filesize 49204 bytes, MD5 50F5BB31D5C3335822735E5B757AAB3E)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll (filesize 49204 bytes, MD5 50F5BB31D5C3335822735E5B757AAB3E)
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: cc service (ccservice) - Unknown owner - C:\WINDOWS\system32\ccserv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero 6\InCD\InCDsrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


This report was generated by F-SECURE after it found and f****d it:

HTML
<!-- ack=0-->
<!-- time=1220652335-->
<!-- product=1.3.6.1.4.1.2213.12-->
<!-- severity=5-->
<!-- user=MONSTERS\Ahsa-->
<!-- version=2-->
<!-- encoding=ISO-8859-1-->


<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<html>
<font style="COLOR: black; FONT: 10pt verdana">
<head>
<title>F-Secure Anti-Virus 2006 6.12 - Scanning Report - 05 September 2008 23:05:35</title>
</head>

<h1><font face="Arial">Scanning Report</font></h1>
<h2><font face="Arial">05 September 2008 23:02:40 - 23:02:40</font></h2>
<p>
Computer name: MONSTERS
<br>Scanning type: Scan target for viruses
<br>Target: C:\
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Result: 12 malware found</font></h2>
<a href="http://www.Europe.F-Secure.com/cgi-bin/AT-Wdescssearch.cgi?search=Trojan-Downloader">Trojan-Downloader.Win32.Small.acxh</a> (virus)
<ul>
<li>C:\WINDOWS\system32\a.exe Action: deleted</ul>
<a href="http://www.Europe.F-Secure.com/cgi-bin/AT-Wdescssearch.cgi?search=Trojan-Downloader">Trojan-Downloader.JS.Agent.cnn</a> (virus)
<ul>
<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UJS5OLMR\ac[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2JMJWDQH\ac[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UJS5OLMR\ac[2].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2JMJWDQH\ac[2].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UJS5OLMR\ac[3].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2JMJWDQH\midroll[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UJS5OLMR\Near-Death-Experience[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MZUJQR4D\showadvertising[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CPU1IHKX\showadvertising[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UJS5OLMR\stats_js[1].htm Action: deleted<li>C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CPU1IHKX\zfillers_990_500[1].htm Action: deleted</ul>
</ul>
<p>
</ul>
<p>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Statistics</font></h2>
Scanned:
<ul>
<li>Files: 31559
<li>System: 0
<li>Not scanned: 15
</ul>
Result:
<ul>
<li>Viruses: 12
<li>Spyware: 0
<li>Suspicious items: 0
</ul>
Actions:
<ul>
<li>Disinfected: 0
<li>Renamed: 0
<li>Deleted: 12
<li>Quarantined: 0
<li>Failed: 0
</ul>
Boot Sectors:
<ul>
<li>Scanned: 1
<li>Infected: 0
<li>Suspicious items: 0
<li>Disinfected: 0
</ul>
Files not scanned:
<ul>
<li>Cannot open file C:\hiberfil.sys<li>Cannot open file C:\WINDOWS\system32\config\default<li>Scanning of C:\WINDOWS\Driver Cache\i386\driver.cab was aborted [F-Secure AVP]<li>Cannot open a file in archive C:\Program Files\Nero 6\InCD\dma.bin<li>Cannot open a file in archive C:\Program Files\Nero 6\InCD\gaa.bin<li>Cannot open a file in archive C:\Program Files\Nero 6\InCD\lgc.bin<li>Cannot open a file in archive C:\Program Files\Mosby\Oral Pathology Clinical Pathologic Correlations, 4e\images\image 13.pct<li>Cannot open a file in archive C:\Program Files\Mosby\Oral Pathology Clinical Pathologic Correlations, 4e\BoardReview\images\image 13.pct<li>Scanning of C:\Program Files\mobile PhoneTools\widcomm\Data1.cab was aborted [F-Secure AVP]<li>Scanning of C:\Program Files\Java\jre1.6.0_02\lib\rt.jar was aborted [F-Secure AVP]<li>Scanning of C:\Program Files\Java\jre1.5.0_06\lib\rt.jar was aborted [F-Secure AVP]<li>Scanning of C:\Program Files\F-Secure Internet Security\backweb\4476822\Users\Default\Data\707a\1060a610\pex_6.12-90.jar was aborted [F-Secure AVP]<li>Cannot open a file in archive C:\Documents and Settings\All Users\Application Data\BVRP Software\mobile PhoneTools\faxres.cmd<li>Cannot open a file in archive C:\Documents and Settings\All Users\Application Data\BVRP Software\mobile PhoneTools\Profiles\#Default Profile.cab\C:\Documents and Settings\All Users\Application Data\BVRP Software\mobile PhoneTools\fax0mid.mid<li>Cannot open a file in archive C:\Documents and Settings\All Users\Application Data\BVRP Software\mobile PhoneTools\Profiles\#Default Profile.cab\C:\Documents and Settings\All Users\Application Data\BVRP Software\mobile PhoneTools\Profile.reg</ul>
<p>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Options</font></h2>

Definitions version:<ul>
<li>Viruses: 2008-09-05_02
<li>Spyware: 2008-07-18_08
</ul>
Scanning Engines:<ul>
<li>F-Secure AVP: 6.00.169, 2008-09-05
<li>F-Secure Libra: 2.04.04, 2008-09-02
<li>F-Secure Orion: 1.02.37, 2008-09-05
<li>F-Secure Draco: 1.00.35, 2008-07-18
</ul>Scanning options:
<ul>
<li>Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI AVB BAT CEO CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TGZ ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
<li>Scan inside archives
</ul></ul>Actions:<ul>
<li>Viruses: Ask after scan
<li>Spyware: Ask after scan
</ul>
<hr noshade>
<ul><h6>Copyright © 1998-2005 <a href="http://support.f-secure.com/">Product support</a> |
<a href="http://support.f-secure.com/enu/home/virusproblem/sample/">Send virus sample to F-Secure</a></h6>
<h6>F-Secure assumes no responsibility for material created or published by third parties that
F-Secure World Wide Web pages have a link to.
Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by
E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be
published in the F-Secure World Wide Pages or hard-copy publications.

You will reach F-Secure public web site by clicking on underlined links. While doing this,
your access will be logged to our private access statistics with your domain name.
This information will not be given to any third party.
You agree not to take action against us in relation to material that you submit. Unless you have clearly
stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts
described in it in the F-Secure products/publications without liability.
</h6></ul></body>
</font>
</html>
TrojanLover
post Sep 7 2008, 08:08 AM
Post #3
New Member (Group: Members)
At the moment I am capturing traffic on the network card, and after a while my connection stops working: ping to the router times out and the browser fails to connect. But when I stop and start NETWORK MONITOR the traffic begins to flow again... very strange.

The files in the folder containing the virus files, and the cookies set by the svchost-launched IE, were in the SYSTEM PROFILE and I have put them up here... DON'T DOWNLOAD unless you know what you're doing:

http://rapidshare.com/files/143346437/systemprofile.zip.html

It reveals the target domains, the AD servers that make this imposed advertising policy possible.
garmanma
post Sep 7 2008, 01:59 PM
Post #4
Computer Masochist (Group: Moderator; From: Cleveland, Ohio)

I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware analysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.

Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. If you can't perform a step, then skip it and continue with the next. The last step will include downloading and using the most current version of HijackThis if the first line of your log does not appear as follows:

Logfile of Trend Micro HijackThis v2.0.2

Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log.

Please DO NOT post any more logs to this topic, or post a log again in the wrong forum.

This Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff

TrojanLover
post Sep 12 2008, 12:36 AM
Post #5
New Member (Group: Members)
Truly amazed with the ComboFix utility.

It detected the presence of a rootkit that other
BIG BRAND antivirus programs could not.

I guess F-Secure would have kicked out this
rootkit after a month or so when they update
their definition files, but that's not good enough for me.

ComboFix detected these files and deleted them:

C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat

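The thread above gives two concrete artefacts a defender can check for: the HijackThis log in post #2 (local proxy entry, a service with an unknown owner, a stale "file missing" entry) and the TDSS file names ComboFix reported in post #5. The script below is an added example, not the poster's code or a BleepingComputer tool; it parses constructed log lines modelled on that log (the `[Example]` O4 line is hypothetical, included only to exercise the file-name check) and offers a directory check for the TDSS names, with the caveat from post #6 that a rootkit can hide its files from a normal listing.

```python
"""Triage helper for a HijackThis-style log and a system32 listing.

Added example, not BleepingComputer's or the poster's code. The sample log
lines below are constructed, modelled on the HijackThis v1.99.1 log in post #2;
the TDSS file names are the ones ComboFix reported in post #5.
"""
import re
from pathlib import Path, PureWindowsPath

# File names ComboFix reported as deleted in post #5 (TDSS rootkit components).
TDSS_NAMES = {
    "tdssadw.dll", "tdssinit.dll", "tdssl.dll", "tdsslog.dll",
    "tdssmain.dll", "tdssserf.dll", "tdssservers.dat",
}

# Constructed sample; the [Example] O4 line is hypothetical and only there to
# exercise the TDSS file-name check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8888;https=127.0.0.1:8888;
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Example] rundll32.exe C:\WINDOWS\system32\tdssinit.dll
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O23 - Service: cc service (ccservice) - Unknown owner - C:\WINDOWS\system32\ccserv.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# A Windows path up to its extension; quotes are excluded so quoted paths end cleanly.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|dat|sys)", re.IGNORECASE)


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log as (section, body) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag entries worth a second look; each finding is (kind, detail)."""
    findings = []
    for section, body in entries:
        # A proxy on 127.0.0.1 is expected while Fiddler runs (post #1) but is
        # also how unwanted software interposes itself on browser traffic, so
        # surface it and let the analyst confirm which program owns the port.
        if section == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append(("local-proxy", body))
        if "(file missing)" in body:
            findings.append(("file-missing", body))
        # Services with no publisher deserve a look at the binary on disk.
        if section == "O23" and "Unknown owner" in body:
            findings.append(("unknown-owner-service", body))
        for raw in PATH_RE.findall(body):
            if PureWindowsPath(raw).name.lower() in TDSS_NAMES:
                findings.append(("tdss-name", raw))
    return findings


def find_tdss_files(system32):
    """List files in a directory whose names match the TDSS set from post #5.

    Caveat: a kernel-mode rootkit hides its files from normal directory
    listings (post #6), so an empty result does not prove the machine clean.
    Prefer scanning the drive from another OS, or at least from safe mode as
    post #1 did, before trusting a negative.
    """
    system32 = Path(system32)
    if not system32.is_dir():
        return []
    return sorted(p.name for p in system32.iterdir() if p.name.lower() in TDSS_NAMES)


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
```

Run it as-is to see the four findings from the constructed sample; to use `find_tdss_files` on a real machine, point it at the `System32` directory of the drive you are examining, ideally mounted from a clean system.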
rigel
post Sep 12 2008, 09:20 PM
Post #6
BC 1st Responder (Group: Moderator; From: South Carolina - USA)
ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Part 2

IMPORTANT NOTE: One or more of the identified infections (tdssserf.dll) was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

rigel
BleepingComputer Forums Moderator

Edit: Added rootkit warning after noticing file

This post has been edited by rigel: Sep 12 2008, 09:24 PM