Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Not Sure How To Start


  • This topic is locked This topic is locked
27 replies to this topic

#1 sl0whand

sl0whand

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 21 June 2008 - 06:29 AM

I followed a link from an email that said:

Video ActiveX Object Error

Your Browser cannot play this video file. Click 'OK' to download and install missing video ActiveX object.

I then scanned the file with McAfee which did not detect a problem, so I installed it.

I know it was malware from the web, but can't get any spyware/malware removal tools to work w/o rebooting.

My Thinkpad R40 reboots whenever I run Dss.exe, but I was able to get a HijackThis log:

I will gladly make a donation to your site if you can help me with this problem!!!

Thanks in Advance!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:24 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\palmi\My Documents\My Downloads\Anti-Spyware\dss.exe
C:\DOCUME~1\palmi\MYDOCU~1\MYDOWN~1\ANTI-S~1\palmi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ibm.com/pc/support/site.wss/MIGR-44175.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ntauth.agere.com/proxy/global.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DiXiM Media Server - DigiOn - C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9803 bytes

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:07 AM

Posted 21 June 2008 - 08:08 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

You must disable Spybot's Teatimer function before proceeding with this fix. Otherwise it will intefere with hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm



=================


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 21 June 2008 - 02:17 PM

Thanks for helping Sam!

I ran hijackthis again and checked the boxes and selected fixed check. So Far so Good.

Then I downloaded ComboFix and shut down everything. I started ComboFix and after about 15 seconds the system blue-screened (said something about a fatal error and was shutting down to protect my system - only a few seconds to view) and then rebooted.

When Windows boots back up I get a window that says a Fatal Error has occurred and wants to notify Microsoft.

When I looked for a log from ComboFix, none exist so I assume the virus/malware/spyware is causing this?

Should I run hijackthis again?

Thanks in advance!!!

Dave

Edited by sl0whand, 21 June 2008 - 02:26 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:07 AM

Posted 21 June 2008 - 03:23 PM

Check to see if a log exists here - C:\Combofix.txt
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 21 June 2008 - 03:52 PM

No C:\Combofix.txt, nor is it in My Documents or the directory where Combofix.exe is. When I try to search for the file I get a ble-screen and it reboots.

Quite frustrating. I can't seem to make any headway.

Thanks for any help you can provide!

#6 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 21 June 2008 - 07:36 PM

I notice that I have some "New" directories on my computer:

C:\QooBox
C:\VALUEADD
C:\Config.MSI
C:\ICONS

Looks like this post is related?

http://www.bleepingcomputer.com/forums/top...tml#entry850122

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:07 AM

Posted 22 June 2008 - 06:49 AM

Qoobox is created by combofix and is there to store backups and quarantined files that combofix removes. The other folders do not appear to be be malicious.

My concern is that your computer is overheating and that is causing the errors and the restarts whenever something is run that's heavy on the cpu. Make sure that your fan is running and not obstructed by anything that would prevent the venting of heated air in the case. Since you've got a laptop try elevating it by putting four small objects under the corners so that air can flow underneath.

If it's not an overheating issue then you may have malware that takes issue with combofix. For that we can try renaming combofix.exe to cf.exe and then run it.

Let me know how it goes.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 07:04 AM

My fan seems to be running fine and I am using a docking station which keeps it elevated. Nothing within 6 inches of the laptop to prevent cooling. I will try renaming to cf.exe and try running again.

Thanks for your patience!

Dave

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:07 AM

Posted 22 June 2008 - 07:09 AM

Ok, so there shouldn't be a heating issue.
Let me know how it goes with renaming combofix.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 07:29 AM

I disabled all of Bit useDefenxder Internet Security. ComboFix started to run and I say it could not find the specified file, then changed the clock and started removing a couple of files and then Blue Screened. I was able to focus on a lower part of the Blue Screen Text (displayed for only about 3 sec) which said something about a driver overrunning a stack pointer. Is there anywhere to fine the Blue Screen text or pause the screen to read it when it crashes?

No cf.txt file that I can find. I am trying it again in Safe Mode now.

#11 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 07:39 AM

Better Luck this time?

System cannot find the specified file

Completed Stage 1 - 43

Deleting:

MSVolume.dll

preparing log report

ComboFix Log popped up on my system.

I will switch systems and post the log.

Thanks!

#12 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 07:49 AM

:)

ComboFix 08-06-20.4 - palmi 2008-06-22 7:30:50.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.817 [GMT -5:00]
Running from: C:\Documents and Settings\palmi\Desktop\cf.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSVolume.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\tdidrv32.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-21 22:27 . 2008-06-21 22:50 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-06-21 18:02 . 2008-06-21 18:02 116 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-06-21 18:01 . 2008-06-21 18:01 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-06-21 17:56 . 2008-06-21 19:50 <DIR> d-------- C:\Program Files\SpywareDetector
2008-06-21 17:02 . 2008-06-21 17:02 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-06-21 06:51 . 2008-06-21 06:51 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-06-21 06:51 . 2003-06-29 12:35 203,976 --a------ C:\WINDOWS\system32\RichTx32.ocx
2008-06-21 06:51 . 1998-06-23 22:00 108,336 --a------ C:\WINDOWS\system32\MSWinSck.ocx
2008-06-17 21:47 . 2008-06-17 21:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 21:47 . 2008-06-17 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 18:32 . 2008-06-17 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 23:08 . 2008-06-22 07:30 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-16 22:46 . 2008-06-16 22:46 <DIR> d-------- C:\Documents and Settings\palmi\Application Data\BitDefender
2008-06-16 22:44 . 2008-06-16 22:44 <DIR> d-------- C:\Program Files\BitDefender
2008-06-16 22:44 . 2008-06-16 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-16 22:08 . 2008-06-17 18:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 22:08 . 2008-06-17 18:40 <DIR> d-------- C:\Documents and Settings\palmi\Application Data\SUPERAntiSpyware.com
2008-06-16 22:08 . 2008-06-16 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 21:38 . 2008-06-16 21:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-06-16 21:37 . 2008-06-16 21:37 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-16 21:33 . 2008-06-16 22:44 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-06-16 21:17 . 2008-06-17 21:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-15 16:51 . 2008-06-21 22:38 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-15 10:31 . 2008-06-15 18:26 <DIR> d-------- C:\WINDOWS\system32\162123
2008-06-15 10:31 . 2008-06-15 10:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 17:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 03:27 --------- d-----w C:\Documents and Settings\palmi\Application Data\U3
2008-06-21 12:18 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-18 01:03 --------- d-----w C:\Program Files\rFactorLexus
2008-06-18 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-15 23:15 --------- d-----w C:\Documents and Settings\palmi\Application Data\Image Zone Express
2008-06-15 19:39 --------- d-----w C:\Documents and Settings\palmi\Application Data\Apple Computer
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-17 10:52 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2007-04-15 14:15 51,984 ------w C:\Documents and Settings\palmi\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 17:52 495616]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 01:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 18:57 94208]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2002-11-01 04:31 64000]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [2002-11-01 04:31 48640]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 05:06 53248]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-08-08 18:39 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 02:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-11-01 05:00 204800]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 08:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-01-07 17:52 495616]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 11:15 86016]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 18:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 18:30 512000]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 16:55 45056]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-17 18:25 360448]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DigiOn\\DiXiM Media Server\\dmsf.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-03-27 05:06]
S1 tdidrv32.sys;tdidrv32.sys;C:\WINDOWS\system32\tdidrv32.sys []
S1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2002-11-01 04:31]
S2 DiXiM Media Server;DiXiM Media Server;C:\Program Files\DigiOn\DiXiM Media Server\dmsf.exe [2006-09-28 17:10]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 10:40]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 18:43]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-16 01:11]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg511nd5.sys [2005-07-25 17:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-08-25 11:59:38 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 07:34:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-22 7:35:59
ComboFix-quarantined-files.txt 2008-06-22 12:35:43

Pre-Run: 2,219,646,976 bytes free
Post-Run: 2,868,842,496 bytes free

141 --- E O F --- 2008-06-21 11:11:16


:thumbsup:

#13 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 08:01 AM

A-Squared Anti-Malware launched a scan and is finding risks:

Trace.Registry.KaZaA

Do I let these anti-malware programs run?

#14 sl0whand

sl0whand
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:10:07 AM

Posted 22 June 2008 - 10:02 AM

a-squared Anti-Malware - Version 3.5
Last update: 6/22/2008 7:47:39 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 6/22/2008 7:52:22 AM

Key: HKEY_USERS\S-1-5-21-1966279292-3409754460-1801421424-1004\software\kazaa detected: Trace.Registry.KaZaA
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP405\A0052989.exe detected: Riskware.AdTool.Win32.MyWebSearch.cb

Scanned

Files: 147121
Traces: 411427
Cookies: 184
Processes: 49

Found

Files: 1
Traces: 1
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 6/22/2008 9:45:46 AM
Scan time: 1:53:24

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP405\A0052989.exe Deleted Riskware.AdTool.Win32.MyWebSearch.cb
Key: HKEY_USERS\S-1-5-21-1966279292-3409754460-1801421424-1004\software\kazaa Deleted Trace.Registry.KaZaA

Deleted

Files: 1
Traces: 1
Cookies: 0

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:07 AM

Posted 22 June 2008 - 06:02 PM

Yes, it's ok to let them run. It doesn't look like a2 came up with anything too threatening.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
tdidrv32.sys

File::
C:\WINDOWS\system32\tdidrv32.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdidrv32.sys]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


How is your computer behaving? Are you still having the same issues?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users