Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

browser hijacked


  • This topic is locked This topic is locked
13 replies to this topic

#1 roadstar

roadstar

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 21 December 2008 - 08:34 AM

My browser got hijacked, running Mcafee online and Ad-aware but didn't help. I get redirected away from many of the sites I'm trying to go to and can't go to any computer security website, so I can't update definitions or try a different program. I don't know what virus infected my machine and I'm not familiar with removal procedures other than McAfee and Ad-Aware processes. So I'm looking for some help. My computer is pretty much useless now, it frequently locks up, displays tons of ads and I don't know what else its doing like searching for passwords or something. I ran it in safe mode to get the hijackthis log file.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:35 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
H:\WINDOWS\Explorer.EXE
h:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\HJTInstall.exe
H:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "H:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "H:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PDFPrint] "H:\Program Files\pdf24\PDF24Updater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "H:\WINDOWS\system32\lvdrfnxy.dll",b
O4 - Global Startup: Configuration Utility.lnk = H:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: qomkjd.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - H:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c95d2ba26e2878) (gupdate1c95d2ba26e2878) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7596 bytes


Thanks for any help you can provide.

One last qestion: could this spread to other machines on my home network or through files on my usb drive?

Thanks again.

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 21 December 2008 - 02:56 PM

Hello roadstar,

Posted Image

It would probably be best to take the computer off the network to be safe. If you use a flash drive to transfer tools or reports we can clean it while we clean the computer, but make sure you don't have anything you don't want to lose stored on it....again, just to be safe.

While we're cleaning this, please run HijackThis in normal mode whenever possible. Safe mode doesn't show me everything I need to see.

We need to move HijackThis! to it's own permanent folder to ensure that we don't lose its backups. To make a permanent folder, double-click the My Computer icon on the desktop.
Click Local Disk C:.
File | New | Folder
A new folder called New Folder will be created.
Rename New Folder to HJT or HijackThis. Now move HijackThis! into the new folder you just created.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 21 December 2008 - 10:40 PM

Tea,

Thanks, I tried downloading ComboFix directly from the web onto my infected computer and it blocked the sites. So I re-ran Hijackthis, the log file is below. I then downloaded ComboFix from another computer to a usb drive. Went back and booted the infected computer and got the following error message (This is the first time I've seen this):

"Rundll

Error loading H:\windows\system32\lvdrfnxy.dll
The specified module could not be found"

I copied the Combofix file to a desktop folder, double clicked the file but it would not run. I tried double clicking the file on the usb drive and nothing happened with that one either.

I took the usb drive back to my uninfected computer clicked on the combofix file and it started immediately. So the file is fine but the virus seems to stop it from executing. I also got this message from McAfee on my uninfected computer:

"McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it, we recommend that you remove the program.

About this Potentially Unwanted Program
Name: RemAdm-ProcLaunch!171
Location: C:\32788R22FWJFW\psexec.cfexe"

I don't know what this is. Could this be related to my breifly starting Combofix, although I started Combofix from the usb in drive k? Should I have McAfee "remove this program"?



Here's the hijackthis log. I'll wait for your response and again thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:08 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\McAfee.com\Agent\mcagent.exe
H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
H:\Program Files\Logitech\QuickCam\Quickcam.exe
H:\Program Files\pdf24\PDF24Updater.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LINKSYS\Configuration Utility\Config.exe
H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
H:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
H:\WINDOWS\system32\hpoipm07.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\ups.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\DOCUME~1\Stan\LOCALS~1\Temp\csrssc.exe
H:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "H:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "H:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PDFPrint] "H:\Program Files\pdf24\PDF24Updater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "H:\WINDOWS\system32\lvdrfnxy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Stan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [jsf8j34rgfght] H:\DOCUME~1\Stan\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] H:\DOCUME~1\Stan\LOCALS~1\Temp\csrssc.exe
O4 - Global Startup: Configuration Utility.lnk = H:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://H:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://H:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: qomkjd.dll mcwanm.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - H:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c95d2ba26e2878) (gupdate1c95d2ba26e2878) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9629 bytes

#4 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 22 December 2008 - 12:45 AM

I decided to try renaming combofix to see if it would run. I restartred my computer and received the following message:

" Exception processing message c00000a3 parameters 75b6bf7c 4 75b6bf7c 75b6bf7c" (never saw this before)

I clicked continue. Then received the same Rundll error as noted in the previous reply.

I renamed ComboFix and the application started immediately.

I received a message that ComboFix detected that I didn't have "Windows Recovery Console" It recommended that I install one but I was not connected to the internet. So I selected to continue.

ComboFix detected the presence of rootkit activity and needed to reboot the machine. I selected Ok and another message flashed that I couldn't read.

After reboot the blue box appeared but not my desktop nor the start bar. Combofix message stated "Please wait. Combofix was preparing to run. " It stayed at that message for 30 minutes. I'm calling it quits for the night and will try again in the morning.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 22 December 2008 - 12:55 AM

Thanks for letting me know what's going on. Have patience.....sounds like you have the more recent rootkit going around and it's nasty. We'll get it. :thumbsup:

Post when you're ready, after some rest. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 22 December 2008 - 08:23 AM

Good morning Tea,

Took a couple more trys but ComboFix ran. Here's the logs

ComboFix 08-12-21.04 - Stan 2008-12-22 8:03:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1553 [GMT -5:00]
Running from: h:\documents and settings\Stan\Desktop\test1.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\a3kebook.ini
h:\windows\akebook.ini
h:\windows\ANS2000.INI
h:\windows\system32\byXOeEXr.dll
h:\windows\system32\dgfqol.dll
h:\windows\system32\jdjgbgnp.ini
h:\windows\system32\ljJyawUo.dll
h:\windows\system32\mcrh.tmp
h:\windows\system32\mcwanm.dll
h:\windows\system32\oUwayJjl.ini
h:\windows\system32\oUwayJjl.ini2
h:\windows\system32\pngbgjdj.dll
h:\windows\system32\prunnet.exe
h:\windows\system32\qomkjd.dll
h:\windows\system32\rbowywxp.dll
h:\windows\system32\rqRKEuRH.dll
h:\windows\system32\smbjylds.dll
h:\windows\system32\tyshb36rfjdf.dll
h:\windows\system32\urqPjhGy.dll
h:\windows\system32\uxjxoany.dll
h:\windows\system32\vycfjjht.dll
h:\windows\system32\ynaoxjxu.ini
h:\windows\system32\yxnfrdvl.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 21:49 . 2008-12-21 21:51 <DIR> d-------- H:\Hijackthis
2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- h:\documents and settings\Administrator
2008-12-07 09:56 . 2008-12-07 09:56 410,984 --a------ h:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 13:01 --------- d-----w h:\documents and settings\All Users\Application Data\McAfee
2008-12-18 01:10 --------- d-----w h:\documents and settings\Stan\Application Data\OpenOffice.org2
2008-12-10 11:34 --------- d-----w h:\program files\Tests
2008-12-07 14:56 --------- d-----w h:\program files\Java
2008-11-28 12:54 --------- d-----w h:\documents and settings\Stan\Application Data\U3
2008-11-22 01:32 --------- d-----w h:\program files\Mozilla Thunderbird
2008-11-03 01:31 --------- d-----w h:\program files\CosmoSoftware
2008-10-24 11:21 455,296 ----a-w h:\windows\system32\drivers\mrxsmb.sys
2008-10-24 02:22 --------- d-----w h:\program files\WM Converter
2008-04-02 12:07 106 ----a-w h:\documents and settings\Stan\Application Data\Fathom Preferences.dat
2007-11-27 02:50 5,883 ----a-w h:\program files\uninstal.log
2007-11-27 02:50 4,184 ----a-w h:\program files\setuplog.txt
2007-09-01 00:45 184 ----a-w h:\documents and settings\Stan\Application Data\TinkerPlots Preferences.dat
2008-06-02 00:27 27,976 ----a-w h:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-06-02 00:27 125,848 ----a-w h:\program files\mozilla firefox\plugins\atgpcext.dll
2008-06-02 00:28 98,712 ----a-w h:\program files\mozilla firefox\plugins\ieatgpc.dll
2006-05-03 09:06 163,328 --sha-r h:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r h:\windows\system32\msfDX.dll
2008-09-13 18:07 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="h:\documents and settings\Stan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"SunJavaUpdateSched"="h:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"InCD"="h:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"NeroFilterCheck"="h:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"LogitechCommunicationsManager"="h:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="h:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"PDFPrint"="h:\program files\pdf24\PDF24Updater.exe" [2006-12-02 228670]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2006-10-31 h:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-29 h:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-15 h:\windows\SkyTel.exe]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Configuration Utility.lnk - h:\program files\LINKSYS\Configuration Utility\Config.exe [2007-05-05 290816]
HPAiODevice(hp psc 700 series) - 1.lnk - h:\program files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-30 491580]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qomkjd.dll mcwanm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"h:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R3 ndcprtns;NDC Network Agent;h:\windows\system32\drivers\ndcprtns.sys [2007-05-05 9328]
S2 gupdate1c95d2ba26e2878;Google Update Service (gupdate1c95d2ba26e2878);"h:\program files\Google\Update\GoogleUpdate.exe" /svc []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - TDSSSERV.SYS
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-22 h:\windows\Tasks\User_Feed_Synchronization-{67C95E3D-90E0-432E-9735-C6C143EB839B}.job
- h:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - h:\windows\system32\rqRKEuRH.dll
BHO-{CA00C738-2DE2-4BF3-946A-99934BC3A7BB} - h:\windows\system32\ljJyawUo.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - h:\windows\system32\tyshb36rfjdf.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-000000af - h:\windows\system32\lvdrfnxy.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - h:\windows\system32\tyshb36rfjdf.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - h:\windows\system32\rqRKEuRH.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &ieSpell Options - h:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - h:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - h:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://h:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://h:\program files\ieSpell\wikipedia.HTM

h:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
h:\windows\Downloaded Program Files\OSD7C4D.OSD
FF - ProfilePath - h:\documents and settings\Stan\Application Data\Mozilla\Firefox\Profiles\h94cjgtn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|http://mysciencespace.com/
FF - plugin: h:\documents and settings\Stan\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 08:11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Ahead\InCD\InCDsrv.exe
h:\program files\Lavasoft\Ad-Aware\aawservice.exe
h:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LightScribe\LSSrvc.exe
h:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
h:\windows\system32\nvsvc32.exe
h:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
h:\windows\system32\hpoipm07.exe
h:\program files\iPod\bin\iPodService.exe
h:\windows\system32\wscntfy.exe
h:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
h:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
h:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-12-22 8:13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 13:13:47

Pre-Run: 113,597,415,424 bytes free
Post-Run: 113,810,132,992 bytes free

182 --- E O F --- 2008-12-22 13:13:35




Here's hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:08 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\McAfee.com\Agent\mcagent.exe
H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
H:\Program Files\Logitech\QuickCam\Quickcam.exe
H:\Program Files\pdf24\PDF24Updater.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LINKSYS\Configuration Utility\Config.exe
H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
H:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
H:\WINDOWS\system32\hpoipm07.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
h:\program files\common files\mcafee\mna\mcnasvc.exe
H:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\ups.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\DOCUME~1\Stan\LOCALS~1\Temp\csrssc.exe
H:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\McAfee\MPF\MPFSrv.exe
H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "H:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "H:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PDFPrint] "H:\Program Files\pdf24\PDF24Updater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "H:\WINDOWS\system32\lvdrfnxy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "H:\Documents and Settings\Stan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [jsf8j34rgfght] H:\DOCUME~1\Stan\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] H:\DOCUME~1\Stan\LOCALS~1\Temp\csrssc.exe
O4 - Global Startup: Configuration Utility.lnk = H:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://H:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://H:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: qomkjd.dll mcwanm.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - H:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c95d2ba26e2878) (gupdate1c95d2ba26e2878) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - h:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - H:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9629 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 22 December 2008 - 02:32 PM

Hi there,

You did excellent, since it was as I thought. Legacy_TDSSSERV.SYS is the bad boy I was expecting to see. :thumbsup: Now, you're still way infected, but it'll be a bit easier to deal with now.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 22 December 2008 - 03:45 PM

Tea,

Here are the reports:


SDFix: Version 1.240
Run by Stan on Mon 12/22/2008 at 03:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: H:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

H:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted
H:\WINDOWS\system32\TDSSoiqt.dll - Deleted
H:\WINDOWS\system32\TDSShrxx.dll - Deleted
H:\WINDOWS\system32\TDSSvkql.dll - Deleted
H:\WINDOWS\system32\TDSSxfim.dll - Deleted
H:\WINDOWS\system32\TDSSlxep.dll - Deleted
H:\WINDOWS\system32\TDSSmtvd.dat - Deleted
H:\WINDOWS\system32\TDSSkkai.log - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 15:34:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4B5008F4-63B9-8584-6836-9EA67AE62E95}]
"eabkmhljef"=hex:66,61,64,69,6f,61,63,68,67,6e,62,69,00,31
"daejjmcd"=hex:64,62,66,68,63,65,63,6a,66,69,67,6c,63,6a,70,70,65,6a,6e,6a,61,..
"iajhmpdaokfholhmpa"=hex:69,61,67,6d,6e,68,61,6e,6c,70,70,62,6a,64,65,61,61,68,00,00
"halhgoleamijdeje"=hex:69,61,67,6d,6e,68,61,6e,6c,70,70,62,6a,64,65,61,61,68,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"H:\\WINDOWS\\system32\\usmt\\migwiz.exe"="H:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"H:\\Program Files\\Bonjour\\mDNSResponder.exe"="H:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\\Program Files\\iTunes\\iTunes.exe"="H:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"H:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"="H:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"H:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"="H:\\Documents and Settings\\Stan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe:*:Enabled:Google Talk Plugin"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - H:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 3 May 2006 163,328 A.SHR --- "H:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 A.SHR --- "H:\WINDOWS\system32\msfDX.dll"
Mon 6 Aug 2007 0 A.SH. --- "H:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 27 Nov 2007 387,584 ...H. --- "H:\Documents and Settings\Stan\Application Data\Microsoft\Word\~WRL0162.tmp"
Wed 7 Nov 2007 1,203,712 ...H. --- "H:\Documents and Settings\Stan\Application Data\Microsoft\Word\~WRL0894.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "H:\Documents and Settings\Stan\Application Data\U3\temp\Launchpad Removal.exe"
Tue 27 Nov 2007 383,488 ...H. --- "H:\Documents and Settings\Stan\My Documents\School\Earth Science\~WRL2292.tmp"
Tue 12 Aug 2008 39,936 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL0001.tmp"
Tue 9 Sep 2008 262,656 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL0003.tmp"
Mon 22 Sep 2008 104,448 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL0004.tmp"
Tue 12 Aug 2008 37,376 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL0652.tmp"
Tue 12 Aug 2008 31,232 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL2401.tmp"
Tue 12 Aug 2008 38,400 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Beginning of the Year\~WRL2551.tmp"
Thu 30 Oct 2008 14,062 A..H. --- "H:\Documents and Settings\Stan\My Documents\School\CAG\Scientific Inquiry\~WRL0005.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:13 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
H:\Program Files\Logitech\QuickCam\Quickcam.exe
H:\Program Files\pdf24\PDF24Updater.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LINKSYS\Configuration Utility\Config.exe
H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
H:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
H:\WINDOWS\system32\hpoipm07.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
H:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
H:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "H:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PDFPrint] "H:\Program Files\pdf24\PDF24Updater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Configuration Utility.lnk = H:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://H:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://H:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: qomkjd.dll mcwanm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c95d2ba26e2878) (gupdate1c95d2ba26e2878) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7998 bytes

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 22 December 2008 - 04:07 PM

Hi there,

Getting there......starting to run any better? :)

One more scanner, please, then we'll take out anything that might be left. :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Let me know how it's running also. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 22 December 2008 - 08:34 PM

Tea,

Thanks for all the help my computer is running much better. I no longer get any error messages when I boot up. I can use my browser again, get to the sites I want, download and use the software you recommend without needing to rename them.

I deleted a googleupdate from the registry that kept looking for updates to programs I don't have any longer. I also uninstalled McAfee it was really messed up, none of the icons or buttons displayed. I'm thinking about installing Avast home version, is that a good choice? Anything else you recommend after we finish cleaning up my machine?

Here are the files:


Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 3

12/22/2008 8:19:50 PM
mbam-log-2008-12-22 (20-19-50).txt

Scan type: Quick Scan
Objects scanned: 51929
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:50 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
H:\Program Files\Logitech\QuickCam\Quickcam.exe
H:\Program Files\pdf24\PDF24Updater.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LINKSYS\Configuration Utility\Config.exe
H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
H:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
H:\WINDOWS\system32\hpoipm07.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
H:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "H:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "H:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [PDFPrint] "H:\Program Files\pdf24\PDF24Updater.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Configuration Utility.lnk = H:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = H:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://H:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://H:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://H:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: qomkjd.dll mcwanm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c95d2ba26e2878) (gupdate1c95d2ba26e2878) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - H:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8113 bytes


Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 22 December 2008 - 08:49 PM

Hello,

You're welcome. :thumbsup:

Yes, Avast! is good. AVG, Avira OR Avast are good FREE antivirus. I've used all 3, and my current one is Avira.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://*.mcafee.com
O20 - AppInit_DLLs: qomkjd.dll mcwanm.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Using Windows Explorer, search for the following files and delete it if still present:

qomkjd.dll
mcwanm.dll


Reboot your computer.

I'd like for you to run the McAfee removal tool, as it usually leaves a mess behind:

Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005 and up versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

This is what I tell everyone for protection choices :

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Let me know how you come out. :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 roadstar

roadstar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 26 December 2008 - 08:19 PM

Twas the night before Christmas and all through the house not a creature was stirring not even my mouse. The viruses were dead and the Trojans contained, while visions of computer functionality danced in my head.

I hope you had a Merry Christmas!!

I have a netgear router with a firewall plus I had microsoft's firewall turned on. I turned off Microsoft's and installed Comodo, Spywareblaster and Avast.

I had Avast run a scan and it found the files listed below. I assume I should remove them.


H:\SDFix\backups\catchme.zip\TDSSmqlt.sys
H:\SDFix\backups\catchme.zip\TDSSoiqt.dll
H:\SDFix\backups\catchme.zip\TDSShrxx.dll
H:\SDFix\backups\catchme.zip\TDSSvkql.dll
H:\SDFix\backups\catchme.zip\TDSSxfim.dll

My computer has been working fine today, you have been a great help :thumbsup:

Thanks for everything,

Roger

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 26 December 2008 - 08:37 PM

Hi there,

Brilliant poetry! :thumbsup: You're most welcome. :)

What Avast! found was not a threat. If you will, please delete SDFix all together and that will also get rid those old files. My bad for not asking you to do that earlier.

Have a great New Year!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:44 PM

Posted 31 December 2008 - 02:56 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users