
please help


  • This topic is locked
18 replies to this topic

#1 kingcruiser

kingcruiser

  • Members
  • 9 posts

Posted 21 November 2008 - 03:05 PM

It has a red icon at the bottom that says my computer is infected and I need special tools to remove it. I did a search and it seems to be a zinap, but I am not sure.

Here is my HijackThis log. But I am on another computer, because this thing will not let me open Spybot or Malwarebytes and also messes with my browser. Any help is needed, and thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:28 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMB32.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FWES\Program\fsdfwd.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsav32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {2DD509D1-9898-11D6-9A86-00A024463490} -
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} -
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
O20 - AppInit_DLLs: karna.dat
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10578 bytes
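The HijackThis log above contains the entries a helper would look at first: an O20 AppInit_DLLs value (karna.dat), an O4 Run entry that names a bare file (brastk.exe) which the process list shows running from system32, an O10 LSP that HijackThis does not recognise, and a run of O16 ActiveX entries with no source URL. The script below is added here as an example and is not part of the original post or of HijackThis itself. It encodes those checks as heuristics over a constructed excerpt of the log; the TDSS file-name rule is an assumption based on the file names Malwarebytes reports later in this thread, and the severity labels are my own, not the tool's.

```python
"""Triage heuristics for a HijackThis log (example code, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, or "name" for the file-name rule
    severity: str  # "high" | "medium" | "info"
    item: str      # the log line that triggered the rule
    why: str       # one-line rationale a helper would give the poster


# File-name pattern of what Malwarebytes later finds in this thread
# (TDSSirxy.dll, TDSSpcuu.sys, ...): "TDSS" + four lowercase letters.
# Assumption for this example only; other variants use other prefixes.
TDSS_NAME = re.compile(r"\bTDSS[a-z]{4}\.(?:dll|sys|log|dat)\b")

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")

_SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def exe_from_cmd(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics to a whole log; returns findings, highest severity first."""
    findings: list[Finding] = []
    processes: list[str] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if TDSS_NAME.search(line):
            findings.append(Finding("name", "high", line,
                                    "file name matches the TDSS naming pattern"))
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False        # a blank line ends the process list
            continue
        if (m := RUN_RE.match(line)):
            exe = exe_from_cmd(m["cmd"])
            if "\\" not in exe and "/" not in exe:
                # A bare file name is resolved through the loader's search path, so the
                # running-process list is what tells us where it actually ran from.
                hits = [p for p in processes if p.lower().endswith("\\" + exe.lower())]
                where = hits[0] if hits else "not found among running processes"
                findings.append(Finding("O4", "high", line,
                                        f"Run value has no path; resolved to: {where}"))
        elif (m := APPINIT_RE.match(line)) and m["dlls"].strip():
            findings.append(Finding("O20", "high", line,
                                    "AppInit_DLLs is injected into every process that loads "
                                    "user32.dll; a value here is rarely legitimate"))
        elif (m := DPF_RE.match(line)) and not m["url"]:
            findings.append(Finding("O16", "info", line,
                                    "ActiveX download entry with no source URL (orphan)"))
        elif LSP_RE.match(line):
            findings.append(Finding("O10", "medium", line,
                                    "LSP not on the HijackThis whitelist; identify the file "
                                    "before removing it, a broken LSP chain kills networking"))
    return sorted(findings, key=lambda f: _SEVERITY_RANK[f.severity])


# Constructed excerpt: lines copied from the log in this thread plus a few benign ones.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [brastk] brastk.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.item}\n         -> {f.why}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Two caveats. HijackThis runs in user mode and reports only what the OS shows it, so a rootkit driver such as the TDSSserv.sys service that ComboFix removes later in this thread leaves no O23 line; a clean-looking log does not rule out a kernel rootkit, and here the O20 and path-less O4 entries are its only visible traces. And "Unknown file in Winsock LSP" only means the DLL is not on the tool's whitelist, so an O10 hit is a prompt to identify the file, not a reason to remove it.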



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 November 2008 - 10:50 PM

Hello kingcruiser,

Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 1 month
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 22 November 2008 - 11:17 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kingcruiser

kingcruiser
  • Topic Starter

  • Members
  • 9 posts

Posted 22 November 2008 - 12:41 PM

I am not sure if all is gone yet. Here is the Malwarebytes log. Thank you again for helping me. I was on the verge of reformatting; you saved me from losing all my photos and info.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1415
Windows 5.1.2600 Service Pack 3

11/22/2008 12:07:05 PM
mbam-log-2008-11-22 (12-07-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117862
Time elapsed: 1 hour(s), 27 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\TDSSirxy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSktkl.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSocun.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSpcuu.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSSb8bc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSSbd30.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSSc85c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSScfaf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSSd210.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\av.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wini108013.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Local Settings\Temp\TDSS70a0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Local Settings\Temp\TDSS70b0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\TDSSb437.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSqekn.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSqrwn.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Edited by SifuMike, 22 November 2008 - 12:50 PM.
edited for clarity


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 November 2008 - 12:47 PM

Hi kingcruiser,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your F-Secure Antivirus before running ComboFix, as it will prevent it from running.
To disable F-Secure Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for the blue F-Secure sign.
  • Right-click it -> select Unload.
  • The F-Secure sign should now be surrounded by a red struck-through circle.
You have successfully disabled the F-Secure Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need the Recovery Console because malware damages a lot and causes an unstable system, and because of that it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever the malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 22 November 2008 - 12:48 PM.
typo


#5 kingcruiser

kingcruiser
  • Topic Starter

  • Members
  • 9 posts

Posted 22 November 2008 - 02:25 PM

Once again, I want to thank you.
Here is the Combo Log:

ComboFix 08-11-22.01 - steve 2008-11-22 14:01:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.184 [GMT -5:00]
Running from: c:\documents and settings\steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\steve\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\oeminfo.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-22 12:18 . 2008-11-22 12:18 <DIR> d-------- C:\rsit
2008-11-21 23:30 . 2008-11-21 23:36 <DIR> d-------- c:\program files\stevesstuffmalware
2008-11-21 22:39 . 2008-11-21 22:38 502,368 --a------ c:\windows\SYSTEM32\DRIVERS\amon.sys
2008-11-21 22:39 . 2008-11-21 22:38 274,432 --a------ c:\windows\SYSTEM32\imon.dll
2008-11-21 22:31 . 2008-11-21 22:31 <DIR> d-------- c:\documents and settings\steve\Application Data\ArcaBit
2008-11-21 13:54 . 2008-11-21 13:54 <DIR> d-------- C:\VundoFix Backups
2008-11-21 12:40 . 2008-11-21 12:39 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-11-21 11:48 . 2008-11-22 00:40 60,416 --a------ c:\windows\SYSTEM32\DRIVERS\TDSSpcuu.0ys
2008-11-21 11:48 . 2008-11-22 00:40 35,840 --a------ c:\windows\SYSTEM32\TDSSktkl.0ll
2008-11-21 11:48 . 2008-11-22 00:40 29,696 --a------ c:\windows\SYSTEM32\TDSSirxy.0ll
2008-11-21 11:48 . 2008-11-22 00:40 527 --a------ c:\windows\SYSTEM32\TDSSwgqe.dat
2008-11-17 22:40 . 2008-11-17 22:40 <DIR> d-------- c:\documents and settings\steve\Application Data\KodakCredentialStore
2008-11-17 22:39 . 2008-11-17 22:39 <DIR> d-------- c:\documents and settings\steve\Application Data\Skinux
2008-11-17 22:32 . 2008-11-17 22:32 <DIR> d-------- c:\documents and settings\steve\Application Data\ArcSoft
2008-11-17 22:32 . 2008-11-17 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ArcSoft
2008-11-17 22:31 . 2008-11-17 22:32 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-11-17 22:31 . 2008-11-17 22:31 <DIR> d-------- c:\program files\ArcSoft
2008-11-17 22:30 . 2007-06-06 09:18 45,056 --a------ c:\windows\SYSTEM32\KPDDynCC.DLL
2008-11-17 22:30 . 2007-06-06 09:25 40,960 --a------ c:\windows\SYSTEM32\KPDLM.dll
2008-11-17 22:21 . 2008-05-02 08:25 465,920 --------- c:\windows\SYSTEM32\imapi2fs.dll
2008-11-17 22:21 . 2008-05-02 08:25 465,920 -----c--- c:\windows\SYSTEM32\DLLCACHE\imapi2fs.dll
2008-11-17 22:21 . 2008-05-02 08:25 317,952 --------- c:\windows\SYSTEM32\imapi2.dll
2008-11-17 22:21 . 2008-05-02 08:25 317,952 -----c--- c:\windows\SYSTEM32\DLLCACHE\imapi2.dll
2008-11-17 22:21 . 2008-05-02 05:49 62,976 -----c--- c:\windows\SYSTEM32\DLLCACHE\cdrom.sys
2008-11-11 16:44 . 2008-10-24 06:21 455,296 -----c--- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-11 16:43 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-11 13:06 . 2008-11-11 14:18 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-04 09:21 . 2008-11-04 09:21 30,856 --a------ c:\windows\SYSTEM32\DRIVERS\fsbts.sys
2008-11-04 09:10 . 2008-06-25 08:52 79,904 --a------ c:\windows\SYSTEM32\DRIVERS\fsdfw.sys
2008-10-30 10:10 . 2008-10-30 10:10 754 --a------ c:\windows\WORDPAD.INI
2008-10-24 09:02 . 2008-10-15 11:34 337,408 -----c--- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-22 10:21 . 2008-11-21 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-22 10:21 . 2008-10-22 10:21 <DIR> d-------- c:\documents and settings\steve\Application Data\Malwarebytes
2008-10-22 10:21 . 2008-10-22 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 10:21 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-22 10:21 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 17:33 --------- d-----w c:\documents and settings\steve\Application Data\MailWasherPro
2008-11-22 03:39 --------- d-----w c:\program files\ESET
2008-11-21 23:16 --------- d-----w c:\program files\Java
2008-11-21 21:22 --------- d-----w c:\program files\Enigma Software Group
2008-11-21 21:06 --------- d-----w c:\program files\NCH Swift Sound
2008-11-18 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-18 03:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 03:30 --------- d-----w c:\program files\Kodak
2008-11-18 03:28 --------- d-----w c:\program files\Common Files\Kodak
2008-11-14 04:22 --------- d-----w c:\program files\TTLite
2008-11-12 05:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-05 04:47 --------- d-----w c:\program files\RootKit Hook Analyzer
2008-11-04 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
2008-11-04 14:08 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
2008-10-31 12:27 --------- d-----w c:\program files\UPHClean
2008-10-29 21:29 --------- d--h--w c:\documents and settings\Administrator\Application Data\Gtek
2008-10-25 12:06 --------- d-----w c:\documents and settings\steve\Application Data\HouseCall 6.6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 03:27 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-22 01:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-21 12:25 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 03:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-17 04:13 --------- d-----w c:\program files\Panda Security
2008-10-01 03:39 --------- d-----w c:\program files\Analog Devices
2008-10-01 03:14 --------- d-----w c:\program files\Innovative Solutions
2008-10-01 03:09 --------- d-----w c:\program files\Digital Locker Assistant
2008-06-11 21:08 975 ----a-w c:\program files\ih8.cfg
2008-03-17 13:30 10,772 ----a-w c:\program files\hotfix.xml
2007-12-26 20:20 4,198,400 ----a-w c:\program files\WRT54GV2_3.01.3_US_code.exe
2007-12-14 13:48 19,023 ----a-w c:\program files\config.xml.P00000444
2007-12-14 13:42 4,972 ----a-w c:\program files\fssg.xml.P00000444
2007-12-04 15:43 12 ----a-w c:\documents and settings\steve\bitpim.dat
2007-04-05 12:43 5,154,816 ----a-w c:\program files\WindowsDefender.msi
2007-03-18 22:58 43,566,592 ----a-w c:\program files\Army.exe
2007-03-18 22:57 87 ----a-w c:\program files\Army.bat
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.3
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.2
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.1
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.0
2007-03-18 22:57 13,600,128 ----a-w c:\program files\Army.4
2007-03-18 15:46 4,991,776 ----a-w c:\program files\rminstall.exe
2005-11-03 20:35 20,921,040 ----a-w c:\program files\AdbeRdr705_enu_full.exe
2004-11-17 15:02 168,069 ----a-w c:\program files\ipupdate.tgz
1996-07-24 09:00 44,608 ----a-w c:\documents and settings\steve\SETUP.EXE
1996-04-29 13:25 5,984 ----a-w c:\documents and settings\steve\_SETUP.DLL
1995-09-08 01:22 8,192 ----a-w c:\documents and settings\steve\_ISDEL.EXE
2008-07-23 23:03 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008072320080724\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-05-02 198704]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2008-10-02 5344088]
"Advanced WindowsCare 3"="c:\program files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" [2008-08-05 2166648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-08-14 2235720]
"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\Program Files\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-10-17 162304]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-09-10 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-21 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2008-11-04 30856]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-04 79904]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-16 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;\??\c:\program files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys [2008-11-04 66720]
R2 ACDaemon;ArcSoft Connect Daemon;c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-11-17 109056]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\minifilter\fsgk.sys [2008-11-04 72288]
R3 FSORSPClient;F-Secure ORSP Client;"c:\program files\Charter High-Speed Security Suite\Program Files\ORSP Client\fsorsp.exe" [2008-11-04 55904]
S2 FZCFKUDA;FZCFKUDA; []
S3 RSPSC;RSPSC;c:\windows\system32\drivers\rspsc.sys [2007-06-27 9472]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\DRIVERS\sustucam.sys [2006-02-03 37632]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\DRIVERS\sustucap.sys [2006-02-03 37632]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\Win2K\FSfilter.sys [2008-11-04 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\Win2K\FSrec.sys [2008-11-04 25184]
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\PROGRA~1\ANTI-V~1\fsav.exe [2008-06-25 08:52]

2008-11-22 c:\windows\Tasks\User_Feed_Synchronization-{9A53AB5F-2EB3-428C-971F-63D555DF64CC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
LSP: c:\program files\Charter High-Speed Security Suite\Program Files\FSPS\program\FSLSP.DLL
LSP: c:\windows\system32\imon.dll

- c:\windows\Downloaded Program Files\WscWlanScannerCtrl_cab.inf

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

O16 -: {215B8138-A3CF-44C5-803F-8226143CFC0A}

O16 -: {233C1507-6A77-46A4-9443-F871F945D258}

O16 -: {2DD509D1-9898-11D6-9A86-00A024463490}

c:\windows\SYSTEM32\ArcaMicroScanUpdater.exe - c:\windows\SYSTEM32\ArcaOnlineUninstall.exe
O16 -: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D}
hxxp://arcaonline.arcabit.com/ArcaOnline.cab
c:\windows\Downloaded Program Files\ArcaOnline.inf

O16 -: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
c:\windows\Downloaded Program Files\gtdownde_110.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 14:08:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: c:\windows\explorer.exe
-> c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Common\FCH32.EXE
c:\program files\ESET\nod32krn.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Common\FAMEH32.EXE
c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsqh.exe
c:\program files\Charter High-Speed Security Suite\Program Files\FSPC\fspc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fssm32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Charter High-Speed Security Suite\Program Files\FWES\program\fsdfwd.exe
c:\program files\Charter High-Speed Security Suite\Program Files\FSGUI\fsguidll.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsaua.exe
c:\program files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsus.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-11-22 14:20:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-22 19:19:27
ComboFix2.txt 2008-01-18 20:45:23
ComboFix3.txt 2007-12-17 01:51:42
ComboFix4.txt 2007-11-15 15:40:31
ComboFix5.txt 2008-11-22 18:58:09

Pre-Run: 17,431,547,904 bytes free
Post-Run: 17,329,905,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

263 --- E O F --- 2008-11-12 03:23:13

#6 kingcruiser

kingcruiser
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:35 AM

Posted 22 November 2008 - 02:33 PM

I think that I may have screwed up. I clicked the no button install recovery console. Should I go back and redo the whole thing or wait.

Thanks.

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:35 AM

Posted 22 November 2008 - 02:52 PM

I think that I may have screwed up. I clicked the no button install recovery console. Should I go back and redo the whole thing or wait.


No, don't do anything.
It looks like you already have recovery console installed.
When you boot your computer there should be a screen that appears that asks you if you want to use Recovery Console or Windows XP.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:35 AM

Posted 22 November 2008 - 03:05 PM

Hi kingcruiser,


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\SYSTEM32\DRIVERS\TDSSpcuu.0ys
c:\windows\SYSTEM32\TDSSktkl.0ll
c:\windows\SYSTEM32\TDSSirxy.0ll
c:\windows\SYSTEM32\TDSSwgqe.dat

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#9 kingcruiser

kingcruiser
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:35 AM

Posted 22 November 2008 - 04:00 PM

ComboFix 08-11-22.01 - steve 2008-11-22 15:46:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.190 [GMT -5:00]
Running from: c:\documents and settings\steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\steve\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\DRIVERS\TDSSpcuu.0ys
c:\windows\SYSTEM32\TDSSirxy.0ll
c:\windows\SYSTEM32\TDSSktkl.0ll
c:\windows\SYSTEM32\TDSSwgqe.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\SYSTEM32\DRIVERS\TDSSpcuu.0ys
c:\windows\SYSTEM32\TDSSirxy.0ll
c:\windows\SYSTEM32\TDSSktkl.0ll
c:\windows\SYSTEM32\TDSSwgqe.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-22 12:18 . 2008-11-22 12:18 <DIR> d-------- C:\rsit
2008-11-21 23:30 . 2008-11-21 23:36 <DIR> d-------- c:\program files\stevesstuffmalware
2008-11-21 22:39 . 2008-11-21 22:38 502,368 --a------ c:\windows\SYSTEM32\DRIVERS\amon.sys
2008-11-21 22:39 . 2008-11-21 22:38 274,432 --a------ c:\windows\SYSTEM32\imon.dll
2008-11-21 22:31 . 2008-11-21 22:31 <DIR> d-------- c:\documents and settings\steve\Application Data\ArcaBit
2008-11-21 12:40 . 2008-11-21 12:39 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-11-17 22:40 . 2008-11-17 22:40 <DIR> d-------- c:\documents and settings\steve\Application Data\KodakCredentialStore
2008-11-17 22:39 . 2008-11-17 22:39 <DIR> d-------- c:\documents and settings\steve\Application Data\Skinux
2008-11-17 22:32 . 2008-11-17 22:32 <DIR> d-------- c:\documents and settings\steve\Application Data\ArcSoft
2008-11-17 22:32 . 2008-11-17 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ArcSoft
2008-11-17 22:31 . 2008-11-17 22:32 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-11-17 22:31 . 2008-11-17 22:31 <DIR> d-------- c:\program files\ArcSoft
2008-11-17 22:30 . 2007-06-06 09:18 45,056 --a------ c:\windows\SYSTEM32\KPDDynCC.DLL
2008-11-17 22:30 . 2007-06-06 09:25 40,960 --a------ c:\windows\SYSTEM32\KPDLM.dll
2008-11-17 22:21 . 2008-05-02 08:25 465,920 --------- c:\windows\SYSTEM32\imapi2fs.dll
2008-11-17 22:21 . 2008-05-02 08:25 465,920 -----c--- c:\windows\SYSTEM32\DLLCACHE\imapi2fs.dll
2008-11-17 22:21 . 2008-05-02 08:25 317,952 --------- c:\windows\SYSTEM32\imapi2.dll
2008-11-17 22:21 . 2008-05-02 08:25 317,952 -----c--- c:\windows\SYSTEM32\DLLCACHE\imapi2.dll
2008-11-17 22:21 . 2008-05-02 05:49 62,976 -----c--- c:\windows\SYSTEM32\DLLCACHE\cdrom.sys
2008-11-11 16:44 . 2008-10-24 06:21 455,296 -----c--- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-11 16:43 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-11 13:06 . 2008-11-11 14:18 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-04 09:21 . 2008-11-04 09:21 30,856 --a------ c:\windows\SYSTEM32\DRIVERS\fsbts.sys
2008-11-04 09:10 . 2008-06-25 08:52 79,904 --a------ c:\windows\SYSTEM32\DRIVERS\fsdfw.sys
2008-10-30 10:10 . 2008-10-30 10:10 754 --a------ c:\windows\WORDPAD.INI
2008-10-24 09:02 . 2008-10-15 11:34 337,408 -----c--- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-22 10:21 . 2008-11-21 15:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-22 10:21 . 2008-10-22 10:21 <DIR> d-------- c:\documents and settings\steve\Application Data\Malwarebytes
2008-10-22 10:21 . 2008-10-22 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 10:21 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-22 10:21 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 17:33 --------- d-----w c:\documents and settings\steve\Application Data\MailWasherPro
2008-11-22 03:39 --------- d-----w c:\program files\ESET
2008-11-21 23:16 --------- d-----w c:\program files\Java
2008-11-21 21:22 --------- d-----w c:\program files\Enigma Software Group
2008-11-21 21:06 --------- d-----w c:\program files\NCH Swift Sound
2008-11-18 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-18 03:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 03:30 --------- d-----w c:\program files\Kodak
2008-11-18 03:28 --------- d-----w c:\program files\Common Files\Kodak
2008-11-14 04:22 --------- d-----w c:\program files\TTLite
2008-11-12 05:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-05 04:47 --------- d-----w c:\program files\RootKit Hook Analyzer
2008-11-04 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
2008-11-04 14:08 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
2008-10-31 12:27 --------- d-----w c:\program files\UPHClean
2008-10-29 21:29 --------- d--h--w c:\documents and settings\Administrator\Application Data\Gtek
2008-10-25 12:06 --------- d-----w c:\documents and settings\steve\Application Data\HouseCall 6.6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 03:27 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-22 01:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-21 12:25 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 03:28 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-17 04:13 --------- d-----w c:\program files\Panda Security
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-01 03:39 --------- d-----w c:\program files\Analog Devices
2008-10-01 03:14 --------- d-----w c:\program files\Innovative Solutions
2008-10-01 03:09 --------- d-----w c:\program files\Digital Locker Assistant
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
2008-06-11 21:08 975 ----a-w c:\program files\ih8.cfg
2008-03-17 13:30 10,772 ----a-w c:\program files\hotfix.xml
2007-12-26 20:20 4,198,400 ----a-w c:\program files\WRT54GV2_3.01.3_US_code.exe
2007-12-14 13:48 19,023 ----a-w c:\program files\config.xml.P00000444
2007-12-14 13:42 4,972 ----a-w c:\program files\fssg.xml.P00000444
2007-12-04 15:43 12 ----a-w c:\documents and settings\steve\bitpim.dat
2007-04-05 12:43 5,154,816 ----a-w c:\program files\WindowsDefender.msi
2007-03-18 22:58 43,566,592 ----a-w c:\program files\Army.exe
2007-03-18 22:57 87 ----a-w c:\program files\Army.bat
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.3
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.2
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.1
2007-03-18 22:57 52,500,000 ----a-w c:\program files\Army.0
2007-03-18 22:57 13,600,128 ----a-w c:\program files\Army.4
2007-03-18 15:46 4,991,776 ----a-w c:\program files\rminstall.exe
2005-11-03 20:35 20,921,040 ----a-w c:\program files\AdbeRdr705_enu_full.exe
2004-11-17 15:02 168,069 ----a-w c:\program files\ipupdate.tgz
1996-07-24 09:00 44,608 ----a-w c:\documents and settings\steve\SETUP.EXE
1996-04-29 13:25 5,984 ----a-w c:\documents and settings\steve\_SETUP.DLL
1995-09-08 01:22 8,192 ----a-w c:\documents and settings\steve\_ISDEL.EXE
2008-07-23 23:03 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008072320080724\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-05-02 198704]
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2008-10-02 5344088]
"Advanced WindowsCare 3"="c:\program files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" [2008-08-05 2166648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-05-25 126976]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 106496]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-08-14 2235720]
"F-Secure Manager"="c:\program files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="c:\program files\Charter High-Speed Security Suite\Program Files\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-10-17 162304]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-09-10 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-21 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2008-11-04 30856]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-04 79904]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-16 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;\??\c:\program files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys [2008-11-04 66720]
R2 ACDaemon;ArcSoft Connect Daemon;c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-11-17 109056]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\minifilter\fsgk.sys [2008-11-04 72288]
S2 FZCFKUDA;FZCFKUDA; []
S3 FSORSPClient;F-Secure ORSP Client;"c:\program files\Charter High-Speed Security Suite\Program Files\ORSP Client\fsorsp.exe" [2008-11-04 55904]
S3 RSPSC;RSPSC;c:\windows\system32\drivers\rspsc.sys [2007-06-27 9472]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\DRIVERS\sustucam.sys [2006-02-03 37632]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\DRIVERS\sustucap.sys [2006-02-03 37632]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\Win2K\FSfilter.sys [2008-11-04 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Charter High-Speed Security Suite\Program Files\Anti-Virus\Win2K\FSrec.sys [2008-11-04 25184]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-22 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\PROGRA~1\ANTI-V~1\fsav.exe [2008-06-25 08:52]

2008-11-22 c:\windows\Tasks\User_Feed_Synchronization-{9A53AB5F-2EB3-428C-971F-63D555DF64CC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 15:49:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 15:51:03
ComboFix-quarantined-files.txt 2008-11-22 20:50:43
ComboFix2.txt 2008-11-22 19:20:05
ComboFix3.txt 2008-01-18 20:45:23
ComboFix4.txt 2007-12-17 01:51:42
ComboFix5.txt 2008-11-22 20:12:41

Pre-Run: 17,309,753,344 bytes free
Post-Run: 17,295,622,144 bytes free

209 --- E O F --- 2008-11-12 03:23:13


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:10 PM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\FWES\Program\fsdfwd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSLAUNCH.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {2DD509D1-9898-11D6-9A86-00A024463490} -
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} -
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Program Files\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10824 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:35 AM

Posted 22 November 2008 - 06:26 PM

Hi kingcruiser,

Are you running TWO antivirus programs on this computer? :thumbsup: I see parts of NOD32 as well as F-Secure Anti-Virus.


Please disable your antivirus before running Kaspersky Online Scanner.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

Edited by SifuMike, 22 November 2008 - 06:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 kingcruiser

kingcruiser
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:35 AM

Posted 22 November 2008 - 09:28 PM

No, just F-Secure. The NOD32 is part of the ESET online scanner I use sometimes. I will run the Kaspersky scan now.

#12 SifuMike

Posted 22 November 2008 - 10:37 PM

OK. :thumbsup:

#13 kingcruiser

Posted 23 November 2008 - 11:52 AM

Here is the Kaspersky log; it still says that I am infected. Are we close to getting this thing out of here?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 23, 2008 02:00:45
Records in database: 1404358
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 80441
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:44:50


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\TDSSpcuu.0ys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TDSSirxy.0ll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TDSSktkl.0ll.vir Infected: Backdoor.Win32.TDSS.blh 1

The selected area was scanned.

#14 SifuMike

Posted 23 November 2008 - 01:31 PM

Hi,

Not to worry. :thumbsup: Kaspersky found quarantined files.

Let's do one more check.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode.
Important! Please do not select the Show all checkbox during the scan.


Please paste this log directly into your reply.

#15 kingcruiser

Posted 23 November 2008 - 02:44 PM

Here is the log. It produced 2 different kinds of logs; I will include both just in case.
Thanks again!

2008-11-23 14:12:15 gmer.sys System [4]: LoadDriver system32\DRIVERS\ipnat.sys
2008-11-23 14:12:15 gmer.sys System [4]: LoadDriver system32\DRIVERS\wanarp.sys
2008-11-23 14:12:15 gmer.sys System [4]: CreateProcess C:\WINDOWS\SYSTEM32\smss.exe
2008-11-23 14:12:15 gmer.sys smss.exe [468]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2008-11-23 14:12:21 gmer.sys smss.exe [468]: CreateProcess C:\WINDOWS\SYSTEM32\csrss.exe
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\ialmdnt5.dll
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\vga.dll
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-11-23 14:12:21 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\ialmdev5.DLL
2008-11-23 14:12:22 gmer.sys csrss.exe [612]: LoadDriver \SystemRoot\System32\ialmdd5.DLL
2008-11-23 14:12:22 gmer.sys smss.exe [468]: CreateProcess C:\WINDOWS\SYSTEM32\winlogon.exe
2008-11-23 14:12:22 gmer.sys winlogon.exe [636]: CreateProcess C:\WINDOWS\SYSTEM32\services.exe
2008-11-23 14:12:22 gmer.sys winlogon.exe [636]: CreateProcess C:\WINDOWS\SYSTEM32\lsass.exe
2008-11-23 14:12:22 gmer.sys csrss.exe [636]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\drivers\drvnddm.sys
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsndres.sys
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnifs.sys
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnopio.sys
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnpool.sys
2008-11-23 14:12:22 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnboio.sys
2008-11-23 14:12:23 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsncofs.sys
2008-11-23 14:12:23 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsndrct.sys
2008-11-23 14:12:23 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnudf.sys
2008-11-23 14:12:23 gmer.sys services.exe [696]: LoadDriver system32\dla\tfsnudfa.sys
2008-11-23 14:12:23 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:12:23 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:12:23 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:12:23 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:12:23 gmer.sys winlogon.exe [636]: CreateProcess C:\WINDOWS\SYSTEM32\logonui.exe
2008-11-23 14:12:24 gmer.sys services.exe [696]: LoadDriver system32\DRIVERS\ndisuio.sys
2008-11-23 14:12:24 gmer.sys winlogon.exe [636]: CreateProcess C:\WINDOWS\SYSTEM32\userinit.exe
2008-11-23 14:12:25 gmer.sys userinit.exe [1384]: CreateProcess C:\WINDOWS\explorer.exe
2008-11-23 14:12:25 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\LEXBCES.EXE
2008-11-23 14:12:25 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\spoolsv.exe
2008-11-23 14:12:25 gmer.sys LEXBCES.EXE [1484]: CreateProcess C:\WINDOWS\SYSTEM32\LEXPPS.EXE
2008-11-23 14:12:25 gmer.sys svchost.exe [1048]: LoadDriver system32\DRIVERS\rdbss.sys
2008-11-23 14:12:25 gmer.sys svchost.exe [1048]: LoadDriver system32\DRIVERS\mrxsmb.sys
2008-11-23 14:12:27 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:12:27 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\iTunes\iTunesHelper.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\PROGRA~1\LEXMAR~1\lxbrksk.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Microsoft IntelliPoint\ipoint.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Analog Devices\Core\smax4pnp.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSM32.EXE
2008-11-23 14:12:29 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\tnbutil.exe
2008-11-23 14:12:30 gmer.sys lxbrbmgr.exe [1880]: CreateProcess C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
2008-11-23 14:12:31 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\systray.exe
2008-11-23 14:12:32 gmer.sys csrss.exe [1872]: LoadDriver \SystemRoot\System32\vga.dll
2008-11-23 14:12:32 gmer.sys ipoint.exe [1932]: CreateProcess C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
2008-11-23 14:12:32 gmer.sys csrss.exe [1872]: LoadDriver \SystemRoot\System32\vga.dll
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Java\jre6\bin\jusched.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Dell Support Center\bin\sprtcmd.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Innovative Solutions\DriverMax\devices.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
2008-11-23 14:12:32 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
2008-11-23 14:12:33 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
2008-11-23 14:12:33 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Bonjour\mDNSResponder.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32st.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMA32.EXE
2008-11-23 14:12:34 gmer.sys services.exe [696]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\FZCFKUDA
2008-11-23 14:12:34 gmer.sys services.exe [696]: LoadDriver system32\DRIVERS\ipfltdrv.sys
2008-11-23 14:12:34 gmer.sys fsgk32st.exe [1104]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsgk32.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Java\jre6\bin\jqs.exe
2008-11-23 14:12:34 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSMB32.EXE
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\ESET\nod32krn.exe
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Dell Support Center\bin\sprtsvc.exe
2008-11-23 14:12:34 gmer.sys svchost.exe [1048]: LoadDriver system32\DRIVERS\srv.sys
2008-11-23 14:12:34 gmer.sys services.exe [696]: LoadDriver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
2008-11-23 14:12:34 gmer.sys services.exe [696]: CreateProcess C:\Program Files\UPHClean\uphclean.exe
2008-11-23 14:12:36 gmer.sys lxbrbmgr.exe [1880]: CreateProcess C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
2008-11-23 14:12:37 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FCH32.EXE
2008-11-23 14:12:37 gmer.sys uphclean.exe [1692]: LoadDriver \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
2008-11-23 14:12:37 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\fxssvc.exe
2008-11-23 14:12:38 gmer.sys svchost.exe [1048]: LoadDriver system32\DRIVERS\ipnat.sys
2008-11-23 14:12:38 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FAMEH32.EXE
2008-11-23 14:12:38 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSHDLL32.EXE
2008-11-23 14:12:38 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\fsstm.exe
2008-11-23 14:12:38 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsqh.exe
2008-11-23 14:12:38 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSPC\fspc.exe
2008-11-23 14:12:39 gmer.sys FSM32.EXE [1996]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSGUI\fsguidll.exe
2008-11-23 14:13:11 gmer.sys services.exe [696]: LoadDriver System32\Drivers\HTTP.sys
2008-11-23 14:13:12 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:13:12 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:13:12 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\imapi.exe
2008-11-23 14:13:12 gmer.sys services.exe [696]: CreateProcess C:\Program Files\iPod\bin\iPodService.exe
2008-11-23 14:13:12 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:13:13 gmer.sys services.exe [696]: LoadDriver \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\minifilter\fsgk.sys
2008-11-23 14:13:13 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsaua.exe
2008-11-23 14:13:14 gmer.sys fsgk32.exe [1264]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fssm32.exe
2008-11-23 14:13:15 gmer.sys GoogleWebAccWar [444]: CreateProcess C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
2008-11-23 14:13:16 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\ORSP Client\fsorsp.exe
2008-11-23 14:13:16 gmer.sys services.exe [696]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FWES\program\fsdfwd.exe
2008-11-23 14:13:17 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsauach.exe
2008-11-23 14:13:18 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\VirusNews.exe
2008-11-23 14:13:18 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\licmgr.exe
2008-11-23 14:13:18 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\ih8.exe
2008-11-23 14:13:18 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\svchost.exe
2008-11-23 14:13:18 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsus.exe
2008-11-23 14:13:19 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Common\FSRAH32.EXE
2008-11-23 14:13:19 gmer.sys services.exe [696]: CreateProcess C:\WINDOWS\SYSTEM32\alg.exe
2008-11-23 14:13:19 gmer.sys ih8.exe [2756]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\ih8run.exe
2008-11-23 14:13:21 gmer.sys fsus.exe [2916]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\fsus.exe
2008-11-23 14:13:24 gmer.sys svchost.exe [1048]: CreateProcess C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-11-23 14:13:27 gmer.sys winlogon.exe [636]: CreateProcess C:\WINDOWS\SYSTEM32\WgaTray.exe
2008-11-23 14:13:29 gmer.sys svchost.exe [892]: CreateProcess C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
2008-11-23 14:13:39 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\licmgr.exe
2008-11-23 14:14:33 gmer.sys services.exe [696]: LoadDriver \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsbldrv.sys
2008-11-23 14:14:37 gmer.sys FSMA32.EXE [1192]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\Anti-Virus\fsav32.exe
2008-11-23 14:15:04 gmer.sys fsaua.exe [1728]: CreateProcess C:\Program Files\Charter High-Speed Security Suite\Program Files\FSAUA\program\licmgr.exe
2008-11-23 14:15:17 gmer.sys explorer.exe [1452]: CreateProcess C:\Documents and Settings\steve\Desktop\gmer.exe
2008-11-23 14:17:48 gmer.sys explorer.exe [1452]: CreateProcess C:\Documents and Settings\steve\Desktop\gmer.exe
2008-11-23 14:18:01 gmer.sys svchost.exe [892]: CreateProcess C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
2008-11-23 14:20:28 gmer.sys System [4]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2008-11-23 14:35:45 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\notepad.exe
2008-11-23 14:36:49 gmer.sys explorer.exe [1452]: CreateProcess C:\Program Files\Internet Explorer\iexplore.exe
2008-11-23 14:38:08 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\notepad.exe
2008-11-23 14:39:45 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:39:46 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\notepad.exe
2008-11-23 14:39:57 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:40:08 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\notepad.exe
2008-11-23 14:40:30 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\verclsid.exe
2008-11-23 14:40:36 gmer.sys explorer.exe [1452]: CreateProcess C:\WINDOWS\SYSTEM32\notepad.exe

#2 Log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-23 14:35:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateProcess [0xF7B52C26]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateProcessEx [0xF7B52C40]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateThread [0xF7B51DE4]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwLoadDriver [0xF7B5210C]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwMapViewOfSection [0xF7B51B30]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwOpenSection [0xF7B5253E]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwRenameKey [0xF7B537DC]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSetSystemInformation [0xF7B5238E]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSuspendProcess [0xF7B519B6]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSuspendThread [0xF7B51E18]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwSystemDebugControl [0xF7B51F92]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwTerminateProcess [0xF7B51916]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwTerminateThread [0xF7B51A6C]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xEE7AA6D0]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwWriteVirtualMemory [0xF7B51EDC]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [ B6, 19, B5, F7, 18, 1E, B5, ... ]
PAGE ntoskrnl.exe!IoCreateDevice 8059FA61 5 Bytes JMP F843EFA8 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGE ntoskrnl.exe!ZwSetSystemInformation + 4 805A7BF1 1 Byte [ 6F ]
PAGENPNP NDIS.SYS!NdisRegisterProtocol F840F17F 5 Bytes JMP F843EDBA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter F840F399 5 Bytes JMP F843F342 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter F8419642 5 Bytes JMP F843EEC6 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F8419821 5 Bytes JMP F843F15E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets F841C810 5 Bytes JMP F843FBF4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest F841C97B 5 Bytes JMP F843F55A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend F841F986 5 Bytes JMP F8440574 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets F841F9A3 5 Bytes JMP F8440646 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData F841F9BE 5 Bytes JMP F843FCF2 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc F8426186 5 Bytes JMP F843EE24 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc F8427557 5 Bytes JMP F843EE92 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets F8427AF1 5 Bytes JMP F844035E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe[1988] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ DB, C8, C3, 83 ]

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \FileSystem\Fastfat \Fat EDE15D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----
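As an added example, not code from the thread, Kaspersky or GMER: a small Python triage helper for the two logs above. It shows why SifuMike could dismiss the three Kaspersky hits (every path sits under C:\QooBox\Quarantine, so they are inert copies) and how to read GMER's SSDT section by grouping hooks per driver and flagging any hooking driver that has no vendor string or whose file GMER could not read. The embedded excerpts are constructed from the posted logs (plus one hypothetical EXAMPLE-live.sys detection for contrast), and the quarantine prefix list and function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Quarantine folders whose contents are inert copies, not live infections; the
# prefix list is an assumption seeded with the folder the posted report shows.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Constructed excerpt: the three detections from the posted report plus one
# hypothetical detection outside quarantine (EXAMPLE-live.sys) for contrast.
KASPERSKY_EXCERPT = r"""
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\TDSSpcuu.0ys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TDSSirxy.0ll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TDSSktkl.0ll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\WINDOWS\SYSTEM32\DRIVERS\EXAMPLE-live.sys Infected: Backdoor.Win32.TDSS.bkw 1
"""

# Constructed excerpt of the GMER "System" section posted above: three of the
# F-Secure HIPS hooks, the uphcleanhlp.sys hook and GMER's "?" file-not-found line.
GMER_EXCERPT = r"""
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwCreateProcess [0xF7B52C26]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwLoadDriver [0xF7B5210C]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xEE7AA6D0]
SSDT \??\C:\Program Files\Charter High-Speed Security Suite\Program Files\HIPS\drivers\fshs.sys (F-Secure HIPS 32-bit Driver/F-Secure Corporation) ZwWriteVirtualMemory [0xF7B51EDC]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match lazily.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# "SSDT <module.sys> [(description/vendor)] Zw<Func> [0xADDR]"; the vendor part is optional.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?\.sys)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$",
    re.IGNORECASE,
)
# GMER prefixes a module with "?" when it cannot read the file backing a hook.
MISSING_RE = re.compile(r"^\?\s+(?P<module>.+?\.sys)\s+The system cannot find the file specified\.", re.IGNORECASE)

@dataclass
class Detection:
    path: str
    threat: str
    count: int

@dataclass
class Hook:
    module: str            # full path as GMER printed it
    vendor: Optional[str]  # vendor from "(description/vendor)", None if GMER gave none
    func: str              # hooked native API, e.g. ZwCreateProcess
    addr: int              # handler address inside the hooking module

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_kaspersky(report: str) -> list[Detection]:
    """Parse the 'File name / Threat name / Threats count' rows of a Kaspersky report."""
    rows = [DETECTION_RE.match(line.strip()) for line in report.splitlines()]
    return [Detection(m["path"], m["threat"], int(m["count"])) for m in rows if m]

def is_quarantined(path: str) -> bool:
    """True when the file sits inside a known quarantine folder (an inert copy)."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in QUARANTINE_PREFIXES)

def active_detections(report: str) -> list[Detection]:
    """Detections outside quarantine: the only ones that still need action."""
    return [d for d in parse_kaspersky(report) if not is_quarantined(d.path)]

def parse_gmer_ssdt(log: str) -> list[Hook]:
    """Parse the SSDT rows of GMER's System section into Hook records."""
    hooks = []
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            desc = m["desc"]
            vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
            hooks.append(Hook(m["module"], vendor, m["func"], int(m["addr"], 16)))
    return hooks

def hooks_by_module(log: str) -> dict[str, dict]:
    """Group SSDT hooks by hooking driver, noting vendor and whether GMER found the file."""
    missing = {basename(m["module"]) for m in map(MISSING_RE.match, map(str.strip, log.splitlines())) if m}
    summary: dict[str, dict] = {}
    for h in parse_gmer_ssdt(log):
        name = basename(h.module)
        entry = summary.setdefault(name, {"vendor": h.vendor, "hooked": [], "file_missing": name in missing})
        entry["hooked"].append(h.func)
    return summary

def unattributed_hooks(log: str) -> list[str]:
    """Hooking drivers with no vendor string or no readable file: the ones to review first."""
    return sorted(n for n, e in hooks_by_module(log).items() if e["vendor"] is None or e["file_missing"])
```

A flagged driver is a starting point for manual review, not a verdict: here uphcleanhlp.sys is the helper driver that uphclean.exe loaded in the first GMER log, while the F-Secure hooks belong to the HIPS component of the installed suite.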



