
Trojans, Malware, and annoying ads!


  • This topic is locked
31 replies to this topic

#1 s1owcomputer

  • Members
  • 36 posts

Posted 16 December 2008 - 07:40 PM

Hello, I'm new to this forum, first I would like to thank the wonderful tech support guys that take time from their schedule to help people in need! Thank you all very much! I am very new to this, and I'm really starting to get paranoid about typing or even inputting personal information where a sneaky trojan could be hiding and trying to take that information.

I have an HP desktop, and Windows Vista.

Well, the majority of my problems started a few days ago (November 21, 2008 to be precise) when my Symantec AntiVirus located 4 Trojan Horses trying to enter my computer. The big problem was that all it did was mention their presence, but it did not quarantine or delete the pesky invaders.

I panicked and started locating other programs that would help me stop them, one of those was called Regrun Partizan, and it pretty much located bad files and asked me if I wanted to permanently delete them. It had a meter that told you the percentage of how bad or good these suspicious files were and I obviously got rid of the bad ones. After that was done, I closed the program and it asked me to restart the computer.

As soon as the computer started again, I got a black screen and was being informed of the files that I had recently gotten rid of. The computer started again, and all of my desktop icons were scattered out of order (I really wonder if that was the work of the Trojan Horse. x__x), and I found just two new folders, one about MSN and another one called Web Folders, when I open "Computer."

Symantec Antivirus seemed to work after the restart and it located 3 Trojan Horses and immediately sent them to quarantine; I deleted them completely a few days later. I have been doing full scans these past few days, Symantec Antivirus hasn't located any threats... But I heard that some Trojan Horses are really well hidden... So I'm really worried now.

Here's another thing that may be helpful, but perhaps not... I have two "csrss.exe" running, and wondered if that was normal. I looked it up and a few sources indicated that it was a Trojan or a bad file. Although, there were other sources that said that two are supposed to be running, especially if it's on Vista. Not sure what to think right now, but I still have those two there. Ending the task of either of them would really screw over my computer.

Now I'm getting several pop-ups and on almost every website I visit I'm getting these annoying "Vimax Pills - bleep Enlargement" advertisements. I really need to have this looked at... My younger brother uses this computer too! :(

One more thing, my Symantec antivirus seems to always locate "W32.Todserv" and cleans it by deleting it. But every time I reboot it always seems to locate it. Is it just regenerating after being deleted? This has me really worried also.

Anyway, thank you for taking the time to read this! I really hope I could get some help locating any Trojans! Thank you again!

Please help!

Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:46 PM, on 12/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\vVX1000.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Users\Rosana\Program Files\DNA\btdna.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VX1000] C:\Windows\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Rosana\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Rosana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DAFC918-5168-40AF-A053-C26C352B7085}: NameServer = 85.255.114.46;85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.46;85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.46;85.255.112.210
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adpsmb2cauvn - Adaptec, Inc. - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10790 bytes
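The log above is a plain-text format with one entry per line, each tagged with a section code (R0/R1 for browser start and search pages, O2/O3 for browser helper objects and toolbars, O4 for autostart entries, O17 for DNS settings in the registry, O23 for services). The O17 lines matter most to a helper reading it: they set which name servers the machine asks for every lookup, and the same two addresses appear on all three entries. The script below is an added example, not part of this thread and not HijackThis itself. It parses a handful of lines copied from the log, lists the O17 name servers, compares them with an operator-supplied list of expected resolvers (the list in the usage is an assumed, constructed value, not something from the post), and collects entries whose file is missing and GUIDs that recur across several entries, so a reader can see how a helper triages a log like this.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log in the post above (a subset of its lines).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DAFC918-5168-40AF-A053-C26C352B7085}: NameServer = 85.255.114.46;85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.46;85.255.112.210
O23 - Service: Adpsmb2cauvn - Adaptec, Inc. - (no file)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O17 - <body>"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.;]+)")


def parse_hjt(text):
    """Return the log's entries as (section_code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def nameservers(entries):
    """Every distinct DNS server address configured in the O17 entries, in order of appearance."""
    found = []
    for code, body in entries:
        if code != "O17":
            continue
        match = NAMESERVER_RE.search(body)
        if not match:
            continue
        for ip in match.group(1).split(";"):
            if ip and ip not in found:
                found.append(ip)
    return found


def unexpected_nameservers(entries, expected):
    """Name servers that are not in the operator's list of expected resolvers (ISP or router)."""
    expected = set(expected)
    return [ip for ip in nameservers(entries) if ip not in expected]


def is_public(ip):
    """True when the address is routable on the Internet (a router or ISP resolver is usually private or known)."""
    return ipaddress.ip_address(ip).is_global


def missing_file_entries(entries):
    """Entries that still point at a file that is no longer on disk: leftover registry references."""
    return [(code, body) for code, body in entries
            if "(no file)" in body or "(file missing)" in body]


def guid_index(entries):
    """Map each GUID (lower-cased) to the section codes it appears in, to spot one component hooked in several places."""
    index = defaultdict(list)
    for code, body in entries:
        for guid in GUID_RE.findall(body):
            index[guid.lower()].append(code)
    return dict(index)


def triage(text, expected_dns):
    """One summary a helper can read top to bottom."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "nameservers": nameservers(entries),
        "unexpected_nameservers": unexpected_nameservers(entries, expected_dns),
        "public_nameservers": [ip for ip in nameservers(entries) if is_public(ip)],
        "missing_files": missing_file_entries(entries),
        "repeated_guids": {g: codes for g, codes in guid_index(entries).items() if len(codes) > 1},
    }


if __name__ == "__main__":
    # Assumed, constructed value: the resolver the owner's router would normally hand out.
    for key, value in triage(SAMPLE_LOG, expected_dns=["192.168.1.1"]).items():
        print(f"{key}: {value}")
```

The expected-resolver list is the only judgement call the script needs from its user; everything else is read straight from the log. Running it on the excerpt reports both O17 addresses as public and unexpected, three entries with missing files (the unnamed BHO, the unnamed O9 button and the Adpsmb2cauvn service), and the TorrentMan GUID registered as a search hook, a BHO and a toolbar at once.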



#2 extremeboy


  • Malware Response Team
  • 12,975 posts

Posted 25 December 2008 - 06:23 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run OTViewIt
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Important Note: For other users who are reading this topic, the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed. Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 s1owcomputer

  • Topic Starter

  • Members
  • 36 posts

Posted 27 December 2008 - 11:45 PM

Unfortunately, I had made changes to my computer 4 days ago. Since my problems were getting worse, I scanned with Malwarebytes and Symantec as well. Malwarebytes found some threats and I immediately removed them. As for the several pop-ups and almost every website having the annoying "Vimax Pills - bleep Enlargement" advertisements, another person had a similar problem and surprisingly my HijackThis found the same exact file names and I removed them. So that problem was solved.

Now my Symantec antivirus STILL continues to locate "W32.Todserv" and cleans it by deleting it. Every time I reboot my computer it always seems to locate the same exact "W32.Todserv." Is it just regenerating after being deleted? This has me really worried also. Now at startup, I'm getting an error message that my Symantec Antivirus has stopped working, and I have to open it in order to prevent it from completely closing itself. Then it tells me that there seems to be a problem at some "EndPoint Protection" or something, I don't really recall, I'll try figuring it out on the next reboot.

I also updated a Windows Pack on Christmas Eve (December 24, 2008), forgot what it was called, and the computer restarted like it was supposed to. It managed to work with the first update, but when it reached the second one, my computer blue screened and said something about "Crash Dump" or something about the memory. I manually restarted the computer and turned it back on, and it recommended doing a Startup Repair. I did so, and it took several minutes to finally complete. A black screen came up, pretty much listing all of the files I had on this computer, and it soon started working again. Somehow it continued the update, but was updating the third update. This is when my Symantec Antivirus started getting this "Symantec AntiVirus has stopped working" and it immediately closed. It's still working, but I have to have the program open every time I get this "Symantec Antivirus has stopped working."

I still tried out your recommended scans, but...
[screenshot: OTViewIt not responding]
This is what comes up when I start the OTViewIt by OldTimer scan. In other words, it stops responding, so I really can't do much about it.

Although I was able to use the Kaspersky Online Scanner 7 so here is the log.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 28, 2008 03:49:30
Records in database: 1523061
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 242011
Threat name: 7
Infected objects: 97
Suspicious objects: 0
Duration of the scan: 03:45:50


File name / Threat name / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D380000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E300000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EFC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F540000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F8C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F900000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11280000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11840000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59CF43F8.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11900001\59B7F866.VBN Infected: Trojan.Win32.Inject.kxx 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00000\59F21BF3.VBN Infected: Trojan-Downloader.JS.Iframe.ul 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00001\59F22660.VBN Infected: Trojan-Downloader.JS.Iframe.ul 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00002\59F22674.VBN Infected: Trojan-Downloader.JS.Agent.cpa 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00003\59F22687.VBN Infected: Trojan-GameThief.Win32.Magania.gen 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11E00000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\130C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\134C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13800000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13800001\5BC88BE0.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13880000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13BC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\140C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14140000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14B40000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14C40000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14D40000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14D80000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15200000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15240000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\152C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15340000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15340001.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15580000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15580001.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15700000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15740000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15980000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15C40000\5DE7787E.VBN Infected: Packed.Win32.VBCrypt.i 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15C40001\5DE77899.VBN Infected: Packed.Win32.VBCrypt.i 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15EC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16340000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\170C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\174C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17B40000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D380000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E300000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EFC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F540000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F8C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F900000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11280000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11840000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59CF43F8.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11900001\59B7F866.VBN Infected: Trojan.Win32.Inject.kxx 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00000\59F21BF3.VBN Infected: Trojan-Downloader.JS.Iframe.ul 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00001\59F22660.VBN Infected: Trojan-Downloader.JS.Iframe.ul 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00002\59F22674.VBN Infected: Trojan-Downloader.JS.Agent.cpa 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00003\59F22687.VBN Infected: Trojan-GameThief.Win32.Magania.gen 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11E00000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\129C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\130C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\134C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13800000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13800001\5BC88BE0.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13880000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13BC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\140C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14140000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14800000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14B40000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14C40000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14D40000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14D80000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15200000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15240000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\152C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15340000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15340001.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15580000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15580001.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15700000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15740000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15980000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15C40000\5DE7787E.VBN Infected: Packed.Win32.VBCrypt.i 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15C40001\5DE77899.VBN Infected: Packed.Win32.VBCrypt.i 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15EC0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16340000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\170C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\174C0000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17B40000.VBN Infected: Packed.Win32.Krap.d 1
J:\Share10_ex2.zip Infected: not-a-virus:Client-P2P.Win32.Share.a 1

The selected area was scanned.


-----------

Well, it seems to have found several threats and infected objects when I turned off Symantec antivirus. Though, most of these threats have been quarantined. So should I simply delete them? I'll wait until you give me any further command.

Another thing I have noticed, while I had my Symantec AntiVirus off, for some reason all of my hidden files and extensions for file types were visible and I had to hide them again. Is someone actually tampering with my system? :(

Thank you again for your help! Really hope I could get these problems solved! And sorry for the delay.

Edited by s1owcomputer, 28 December 2008 - 03:26 PM.
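Before deciding what to delete, it helps to separate hits that are already inside Symantec's quarantine store (the .VBN containers under ...\Quarantine\) from files still live on disk, and to group the verdicts by malware family. The Python below is an added example, not anything posted in this thread or produced by the scanner; it assumes the scanner prints Kaspersky-style verdict names (Behaviour.Platform.Family.Variant, with a "not-a-virus:" prefix for riskware) and uses a few lines from the post above as constructed sample input.

```python
"""Triage a scan report in the '<path> Infected: <detection> <count>' layout."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One report line: everything up to " Infected: " is the path, then the verdict
# name (no spaces) and a hit count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)\s*$")
RISKWARE_PREFIX = "not-a-virus:"

# Constructed sample in the same layout as the scan output posted in the thread
# (a few of its lines, verbatim); nothing here came from running a scanner.
SAMPLE_SCAN_OUTPUT = r"""
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C00002\59F22674.VBN Infected: Trojan-Downloader.JS.Agent.cpa 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11E00000.VBN Infected: Packed.Win32.Krap.d 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\15C40000\5DE7787E.VBN Infected: Packed.Win32.VBCrypt.i 1
J:\Share10_ex2.zip Infected: not-a-virus:Client-P2P.Win32.Share.a 1

The selected area was scanned.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str          # full verdict name exactly as the scanner printed it
    count: int
    quarantined: bool  # True when the hit is a sample already sitting in an AV quarantine


def is_quarantined(path: str) -> bool:
    """Symantec keeps quarantined items as .VBN containers under a Quarantine folder.

    A second scanner flagging one of those is re-detecting an already neutralised
    sample, not a live file; those can simply be purged from the quarantine."""
    p = path.lower()
    return "\\quarantine\\" in p or p.endswith(".vbn")


def parse_scan_output(text: str) -> list[Detection]:
    """Turn the raw report into Detection records, skipping non-result lines."""
    hits: list[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, "The selected area was scanned.", headers, etc.
        path = m["path"]
        hits.append(Detection(path, m["name"], int(m["count"]), is_quarantined(path)))
    return hits


def split_name(name: str) -> dict[str, object]:
    """Split a Kaspersky-style verdict into behaviour/platform/family/variant.

    Assumed naming scheme: Behaviour.Platform.Family.Variant, optionally prefixed
    with 'not-a-virus:' for riskware such as P2P clients."""
    riskware = name.startswith(RISKWARE_PREFIX)
    core = name[len(RISKWARE_PREFIX):] if riskware else name
    parts = core.split(".")
    while len(parts) < 4:  # tolerate shorter names so every field is present
        parts.append("")
    return {
        "behaviour": parts[0],
        "platform": parts[1],
        "family": parts[2],
        "variant": ".".join(parts[3:]),
        "riskware": riskware,
    }


def triage(hits: list[Detection]) -> dict[str, object]:
    """Summarise what still needs attention.

    Live (non-quarantined) paths are what a responder looks at first; quarantined
    hits are counted but need no further action beyond purging the quarantine."""
    live = sorted(h.path for h in hits if not h.quarantined)
    quarantined = sum(1 for h in hits if h.quarantined)
    families = Counter(split_name(h.name)["family"] for h in hits)
    return {
        "total": len(hits),
        "quarantined": quarantined,
        "live": live,
        "families": families,
    }


if __name__ == "__main__":
    summary = triage(parse_scan_output(SAMPLE_SCAN_OUTPUT))
    print(f"{summary['total']} hits, {summary['quarantined']} already in quarantine")
    print("families:", dict(summary["families"]))
    print("live files needing action:", summary["live"])
```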


#4 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 December 2008 - 08:10 PM

Hello.

Sorry for the delay. I had to leave somewhere and then became sick :thumbsup:

Thanks for the descriptive information on your computer.

Yes, you can remove everything that Symantec quarantined.

Let's try something else. Please run GMER and RSIT by following the instructions below:

Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both
    log.txt (<<will be maximized)
    info.txt (<<will be minimized)
The RSIT logs can also be found in the folder, C:\RSIT

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Please post back with:
-RSIT logs
-GMER logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 s1owcomputer
  • Topic Starter
  • Members
  • 36 posts

Posted 30 December 2008 - 12:39 PM

Ok, once again one of the programs gave me a problem. The Gmer one was working well for a while, that is until I rebooted my computer. It gave me a bluescreen that indicated a recently installed program caused the problem, and the crash dump once again. I did the recommended Startup Repair again, but this time it asked if I wished to do a System Restore. I really didn't want to risk it, so I cancelled it and waited until the repair was complete. It said that it was unable to fix my errors and it restarted my computer. I tried the Start Windows Normally, but I got the blue screen again and this time it shut down my computer.

I was really worried and tried to uninstall/delete the recently installed programs (the ones you recommended) in Safe Mode. I tried to start Windows normally again, but I got the blue screen again. My only option was to do a system restore, but before I did that I looked up options to access my computer without having to start from scratch. The option was called "Last Known Good Configuration." It luckily got me back to my regular Windows, but now I'm just afraid to make any more changes like updating or installing things on my computer.

Here are the RSIT logs:



I really don't think I wish to try the Gmer one, even on Safe Mode, I don't want to have to go through with that scare again. :thumbsup:

A few more problems have occurred. When I tried searching for everything Symantec quarantined, I realized that my Search was missing from the Start Menu. I tried replacing the Help and Support with it, and when I clicked on Search I got this message: "This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel." Luckily I found the quarantined files in a Symantec hidden file, and deleted them.

From what I looked up, it probably happened because of the Windows update I had on Christmas Eve. Although, all the update did was remove "Search" from the Start Menu and that was it. But mine doesn't work at all, even when I press F3.


Symantec antivirus STILL continues to locate "W32.Todserv" and cleans it by deleting it. Every time I reboot my computer it always seems to locate the same exact "W32.Todserv." So this is starting to be a problem as well.

Symantec Endpoint Protection. Every time I start up my computer, at startup Symantec Antivirus continues to have this "Cannot respond" error. It says that, but it is still active in my Notification Area on the Task Bar. Also, there are times where it turns off by itself... But that has only happened on Startup.

Thanks again for your help, I really want to get all these problems solved. X__x;

Edited by s1owcomputer, 30 December 2008 - 12:53 PM.


#6 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 31 December 2008 - 06:49 PM

Hello again.

Sorry for the delay.

I don't know what happened but it does sound suspicious.

I really don't think I wish to try the Gmer one, even on Safe Mode, I don't want to have to go through with that scare again.

Okay, but we may need to run it again later to make sure no rootkits are involved with this.

Symantec antivirus STILL continues to locate "W32.Todserv" and cleans it by deleting it. Every time I reboot my computer it always seems to locate the same exact "W32.Todserv." So this is starting to be a problem as well.

Not sure what exactly that infection is but could you tell me where it's pointing to? What I mean by that is what file is it flagging as "W32 Todserv"?

Symantec Endpoint Protection. Every time I start up my computer, at startup Symantec Antivirus continues to have this "Cannot respond" error. It says that, but it is still active in my Notification Area on the Task Bar. Also, there are times where it turns off by itself... But that has only happened on Startup.

Strange, we may need to uninstall it afterwards because it may be damaged by the malware in someway.

Also regarding the BSOD, I want to see what it is. You can find the BSOD error code by using this link. It has a lot of information that can help you on finding the error code :thumbsup:

Your log looks okay but there is some leftover work we may need to do afterwards.

Please post back with the answers to my questions and the error code.

With Regards,
Extremeboy

#7 s1owcomputer
  • Topic Starter
  • Members
  • 36 posts

Posted 01 January 2009 - 05:26 PM

Happy New Years, extremeboy!

And it's ok, I'm very patient. :thumbsup:

So let's start with the W32.Tidserv (I apologize for misspelling it! I just realized that I have been calling it "W32.TOdserv". My apologies once again.), but yeah, the file name that's being flagged is msqpdxjcgaghei.dll... It's actually somehow reviving itself, considering Symantec has caught it more than once.

Here's a screencap, just in case.

Now on to your next question. Well, I haven't had a BSOD attack (last one was on December 30)... But from the links you gave me I managed to find a decent log from the Event Viewer. I only gathered the Errors from December 30 and 29, the time I got the BSOD when I used the Gmer program. I hope it's enough information for you, if not, I'll continue looking through. I've noticed that there have been way more errors than just those two days.

The Event Viewer Log. December 29 - 30
Attached File  errors.txt   11.5KB   26 downloads

Thank you so much for your time! ^^

Edited by s1owcomputer, 01 January 2009 - 06:27 PM.


#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 January 2009 - 12:04 PM

Hello again.

Ah, makes more sense now. I never heard of TODSERV before; it's related to Toshiba like my computer if you are talking about TODSERV :thumbsup:

You have a nasty infection here, and it's fairly new.

Backdoor Threat
Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue please follow instructions below:

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back:
-Combofix log
-GMER log
-New OTViewIT logs


With Regards,
Extremeboy

#9 s1owcomputer
  • Topic Starter
  • Members
  • 36 posts

Posted 02 January 2009 - 02:36 PM

Great... I was hoping something like that wouldn't attack my computer. Anyway I ran the ComboFix one, it did its job. I was kinda expecting a BSOD when they asked to restart, and what do you know? It happened. I had to manually restart the computer, but luckily ComboFix ran either way! I'm glad I didn't have to go through another scare. I was actually wondering where everything went when ComboFix started scanning the computer (The desktop was all black and nothing besides the ComboFix scan was visible... Is that supposed to happen?) and as soon as it was done, everything returned and the log was there! Also it didn't ask me anything about the "Windows Recovery Console," so I'm guessing I already have it on my computer. It seemed to finish pretty fast, I was expecting it to be longer, but it took about 10 minutes to complete. Is that good?

ComboFix Log
Attached File  Combofixlog.txt   27.18KB   15 downloads

And I guess, I'll just have to use my laptop if I wish to do anything regarding banking or financial transactions, this also may include private information. But I just hope ComboFix managed to find all of it. Symantec is still messing up at startup, but I'm glad it stopped finding "W32.Tidserv" meaning that problem is out of the way. I may restart the computer again just in case it's not gone, but overall I think it may have gotten rid of it.

Finally, the Gmer one. Like I said in the previous posts, I'm kinda scared to use that one again. But I still want to try it out once more... But I want to ask you first before I do anything! So would a BSOD be there if I follow your instructions for Gmer through Safe Mode? Would everything still work the same if I use it in Safe Mode? I don't really think the computer likes Gmer when it runs regularly. :thumbsup:

Once again, the OTViewIT is giving me a problem. It's not responding and just freezes when it's not even half way done.
Just a slight change in the error code:

UPDATE!!!
Well, I restarted the computer for a second time and "W32.Tidserv" wasn't found by Symantec, meaning ComboFix may have completely gotten rid of it. So that's a relief. One thing that caught my attention, though. On my second restart, all of my hidden files and extensions were visible. Is that supposed to happen? (I had to hide them once again.)

By the way, was "W32.Tidserv" the nasty infection that's fairly new?

Edited by s1owcomputer, 02 January 2009 - 05:42 PM.


#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 January 2009 - 01:07 PM

Hello again.

(The desktop was all black and nothing besides the ComboFix scan was visible... Is that supposed to happen?)

Yes.

Also it didn't ask me anything about the "Windows Recovery Console," so I'm guessing I already have it on my computer.

Yup.

It seemed to finish pretty fast, I was expecting it to be longer, but it took like about 10 minutes to complete. Is that good?

That doesn't mean anything. It's not good or bad. Some machines take longer than others due to many factors. One factor is how infected your machine is and also how much you have on your machine. Anyways, Combofix did a good job on removing those infections that your AV detected.

On my second restart, all of my hidden files and extensions were visible. Is that supposed to happen? (I had to hide them once again.)


Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case TorrentMan and BitTorrent). These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Finally, the Gmer one. Like I said in the previous posts, I'm kinda scared to use that one again. But I still want to try it out once more... But I want to ask you first before I do anything! So would a BSOD be there if I follow your instructions for Gmer through Safe Mode? Would everything still work the same if I use it in Safe Mode? I don't really think the computer likes Gmer when it runs regularly

Yes, I would like you to try it once more. Try it in Normal Mode first. Also, BSODs are a way to give information to you, not to scare you or anything. Think of it as the system trying to communicate with you that something is wrong and we need to FIX it. If you do get the BSOD please WRITE it down so I know.

Post back with:
-GMER log
-Any problems you had while running GMER


With Regards,
Extremeboy

#11 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 07 January 2009 - 04:21 PM

Hello.

From your PM you said that you will not be able to reply until the weekend. I'll leave this topic a bit longer, however if you take too long to respond back I may need to close it to be fair to the other members as well. You can always PM me back asking me to re-open it though :thumbsup:

Thanks for understanding.

With Regards,
Extremeboy

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 10 January 2009 - 02:04 PM

Hello.

Also since it has been a while, please post back with a fresh set of RSIT logs for me as well, in addition to what I requested above. If you have any questions please ask before proceeding.

With Regards,
Extremeboy

#13 s1owcomputer
  • Topic Starter
  • Members
  • 36 posts

Posted 11 January 2009 - 08:17 PM

Alright, sorry for the long delay! But well, the Gmer one failed again. Both on safe and normal mode, it blue screened no matter what I did. When on normal mode, it pretty much blue screened at restart. The safe mode one blue screen as soon as I opened the Gmer program. :thumbsup:

Here's what I managed to get, but I didn't get all the information.
"Page Fault in no paged area" I'm not sure if that's what it said, but my hand was trembling and I was in a rush to get the rest. I'm not sure if this is accurate, but I think it's somewhere around there.
" 0x00000050, 0xt88575A0, 0x0000000, 0x823c9F07, 0x00000002 " That's some odd code that was listed, I really don't know what that meant, but I thought that was important.

Well, here's the event viewer log, just in case the information above didn't help.
Event Viewer Log:
Attached File  error.txt   5.06KB   27 downloads


The RSIT one worked perfectly like last time, and here are the logs for it as well!
RSIT logs:
Attached File  info.txt   21.39KB   26 downloads
Attached File  log.txt   33.8KB   30 downloads

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 12 January 2009 - 05:00 PM

Hello.

GMER failed again. Try renaming it and running it again. If it still fails we will try another rootkit scan.

Rename it to Scanner.com please and try it again.

What problems do you currently have? That BSOD may not be malware related. I did some quick research on that error code. That error seems to be, and usually is, related to some kind of memory problem.

Take a read here: http://support.microsoft.com/?kbid=183169&sd=RMVP
http://support.microsoft.com/kb/329293

Don't follow the instructions in that article. Tell me what problems you still have.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

If GMER still doesn't work, try F-Secure BlackLight please.

Download and Run F-Secure Blacklight

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Post back with:
-DDS scan logs
-Problems you still have
-Try GMER once last time if it fails then give me the F-Secure log

With Regards,
Extremeboy

#15 s1owcomputer
  • Topic Starter
  • Members
  • 36 posts

Posted 16 January 2009 - 12:05 PM

Here are the problems I'm still having:

When I tried searching for everything Symantec quarantined, I realized that my Search was missing from the Start Menu. I tried replacing the Help and Support with it, and when I clicked on Search I got this message: "This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel." Luckily I found the quarantined files in a Symantec hidden file, and deleted them.

From what I looked up, it probably happened because of the Windows update I had on Christmas Eve. Although, all the update did was remove "Search" from the Start Menu and that was it. But mine doesn't work at all, even when I press F3.
Symantec Endpoint Protection.

Symantec Antivirus continues to have this "Cannot respond" error every time I restart the computer. It says that, but it is still active in my Notification Area on the Task Bar. Also, there are times where it turns off by itself... But that has only happened on Startup.

Also, whenever I wish to start Windows Media Player, I have to either disable the UAC (User Account Control) or always type: regsvr32 jscript.dll , and then regsvr32 vbscript.dll to make it work if I have UAC enabled. This usually happens at start up, whenever I reboot the computer.

---

Luckily all of the programs you recommended worked perfectly.

Here are the two DDS scan logs:
Attached File  DDS.txt   11.21KB   25 downloads
Attached File  Attach.zip   3.75KB   22 downloads (For some reason, it asked me not to put it here. And also it asked me to Zip it... I'm not sure what exactly it wanted. If anything, I'll remove it if you ask.)

---

Gmer failed, even after being renamed... However, F-Secure worked. I'm scared to say that it located over 1,000 rootkits, but some of those files are just images, so I don't know how those could be harmful. I didn't do anything, I have the log... But for some reason it surpasses the maximum capacity allowed for upload. So I will send it to you in two parts.

Here are the F-Secure Logs:
Attached File  fsbl_20090116192126__part_1_.txt   116.59KB   25 downloads
Attached File  fsbl_20090116192126__part_2_.txt   147.89KB   29 downloads



