Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser is Hijacked


  • Please log in to reply
7 replies to this topic

#1 Max K

Max K

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 05 January 2009 - 02:45 PM

A popup came up on my screen this morning saying that I needed to download Windows Media Player Codecs. There was a picture of the Windows Media Player so I thought the program was legit. I think I insteaded downloaded some Malware and I can't remove it. My browser is hijacked. I think the program I downloaded was called viewsource but I am not 100% sure since I deleted it this morning. Please help. When I search yahoo I get to the search page with different website choices. When I click on one of the chioces I get sent to random websites.


DDS (Version 1.1.0) - NTFSx86
Run by ESG at 13:35:40.77 on Mon 01/05/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.925 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Users\ESG\AppData\Local\Temp\matrix33401.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\ESG\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = \SOFTWARE\Microsoft\Internet Explorer\Search
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080618
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080618
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-18 111616]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-6-18 73728]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-5 356920]

=============== Created Last 30 ================

2009-01-05 10:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 10:20 <DIR> --dshr-- C:\resycled
2009-01-05 09:53 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-05 09:53 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-05 09:53 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-05 09:36 <DIR> a-d----- c:\programdata\TEMP
2009-01-05 09:36 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-05 09:36 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-05 09:36 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 09:36 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-05 09:36 <DIR> --d----- c:\users\esg\appdata\roaming\PC Tools
2009-01-05 09:36 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-05 09:29 <DIR> --d----- c:\program files\IE Protector And Tracks Eraser
2009-01-05 08:57 255 ---shr-- C:\autorun.inf
2008-12-29 20:04 140,824 a------- c:\windows\system32\secman.dll
2008-12-29 20:04 2,767,872 a------- c:\windows\system32\Redemption.dll
2008-12-29 20:04 <DIR> --d----- c:\program files\Recovery Toolbox for Outlook
2008-12-20 11:45 <DIR> --d----- c:\program files\Walmart MP3 Music Downloads
2008-12-12 10:58 2,048 a------- c:\windows\system32\tzres.dll

==================== Find3M ====================

2008-10-31 21:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 21:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 19:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 00:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 21:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-20 23:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-20 23:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 14:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 22:47 827,392 a------- c:\windows\system32\wininet.dll
2008-10-01 15:16 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-01 15:16 51,200 a------- c:\windows\inf\infpub.dat
2008-10-01 15:16 86,016 a------- c:\windows\inf\infstor.dat
2008-09-10 13:01 56,912 a------- c:\users\esg\g2mdlhlpx.exe
2008-06-26 12:01 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:36:14.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 PM

Posted 11 January 2009 - 03:11 PM

Hello Max K,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member Max K only. If you are a lurker, do NOT try this on your system!
If you are not Max K and have a similar problem, do NOT post here; start your own topic
.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=

Start Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.

You have Vista which has Windows Defender as well. Keep Tea Timer permanently OFF as you do not need it.


Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck "Run at Windows startup".
Click Apply and Exit Spyware Doctor.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".

(When we are completely done with this case, you can reenable Spyware Doctor)

Having either Tea Timer or the real-time monitor of Spyware Doctor as active gets in the way of malware cleanups by the tools we'll use.
=
Since this is on Vista, in most all the tools I will have you use, you will need to First, do a RIGHT-Click on the program shortcut, link, or the executable .... and then select RUN As Administrator
Please always remember that !!

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
  • RIGHT-click FixPolicies.exe and select RUN As Administrator.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then RIGHT-click the file within: Fix_Policies.cmdand select RUN As Administrator.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • RIGHT-click on avenger.exe and select RUN As Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\autorun.inf
    
    Folders to delete:
    C:\resycled
    D:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    h:\resycled
    i:\resycled
    
    Drivers to delete:
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv 
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • In the avenger window, click the Paste Script from Clipboard icon, Posted Image button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • RIGHT-click on Combo-Fix.exe and and select RUN As Administrator & follow the prompts.
Make sure to watch as ComboFix runs, as you may will see messages which require your response, or the pressing of OK button, or at first, the agreement to the EULA.

IF you should see a message like this:
Posted Image
then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copies of the C:\Avenger.txt
and C:\Combofix.txt

and, Tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Edited by Maurice Naggar, 11 January 2009 - 03:48 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Max K

Max K
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 11 January 2009 - 08:08 PM

Maurice,

I am not having success at all.
1. I cannot uncheck tea timer because it says I do not have administrator privlieges.
2. Spyware Doctor will not load at all. It prompts me to search for new updates, times out, and says startup failed
3. When I try to download your program Fixpolices.exe I am redirected to a random website.

Please advise, Thanks.

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 PM

Posted 11 January 2009 - 09:10 PM

You need to use another pc to download the utilities I listed, save them to CD/DVD or clean USB-flash-thumb drive, and copy them to the Desktop of infected pc.

At to login accounts, I'm assuming your login account has administrator rights to start with; however, we do need for you to get a hold of Fixpolicies and run it.

If still no joy, logoff and restart the system into Safe mode with Networking and retry the steps.

Obviously the malwares have put up several roadblocks which need to be overcome.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 Max K

Max K
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 11 January 2009 - 11:24 PM

Things are running great! What are your thoughts?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "msqpdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\msqpdxfiqpttpu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

File "C:\autorun.inf" deleted successfully.
Folder "C:\resycled" deleted successfully.
Folder "D:\resycled" deleted successfully.

Error: could not open folder "e:\resycled"
Deletion of folder "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\resycled"
Deletion of folder "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\resycled"
Deletion of folder "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\resycled"
Deletion of folder "h:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "i:\resycled"
Deletion of folder "i:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "msqpdxserv.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-01-10.03 - ESG 2009-01-11 22:11:31.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1159 [GMT -6:00]
Running from: c:\users\ESG\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\msqpdxfiqpttpu.sys
c:\windows\system32\msqpdxpeidwrmg.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
D:\Autorun.inf
F:\autorun.inf
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 22:09 . 2009-01-11 22:09 <DIR> d-------- C:\32788R22FWJFW
2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\users\All Users\WinZipSE
2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\programdata\WinZipSE
2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\program files\WinZip Self-Extractor
2009-01-05 16:54 . 2009-01-05 16:53 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-05 10:42 . 2009-01-05 10:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 09:53 . 2009-01-05 10:21 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-05 09:53 . 2009-01-05 10:21 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-01-05 09:53 . 2009-01-05 09:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-05 09:36 . 2009-01-05 09:36 <DIR> d-------- c:\users\ESG\AppData\Roaming\PC Tools
2009-01-05 09:36 . 2009-01-11 19:12 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-05 09:36 . 2009-01-11 19:12 <DIR> d-a------ c:\programdata\TEMP
2009-01-05 09:36 . 2009-01-05 09:36 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-05 09:36 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-01-05 09:36 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-01-05 09:36 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-01-05 09:36 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-01-05 09:29 . 2009-01-05 09:29 <DIR> d-------- c:\program files\IE Protector And Tracks Eraser
2008-12-29 20:04 . 2008-12-29 20:04 <DIR> d-------- c:\program files\Recovery Toolbox for Outlook
2008-12-29 20:04 . 2008-08-08 04:06 2,767,872 --a------ c:\windows\System32\Redemption.dll
2008-12-29 20:04 . 2007-02-07 08:59 140,824 --a------ c:\windows\System32\secman.dll
2008-12-29 18:01 . 2008-12-29 18:01 <DIR> dr-h----- C:\MSOCache
2008-12-20 11:45 . 2008-12-20 11:45 <DIR> d-------- c:\program files\Walmart MP3 Music Downloads
2008-12-13 14:01 . 2008-12-13 14:01 <DIR> d-------- c:\users\ESG\AppData\Roaming\CyberLink
2008-12-12 10:58 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 03:58 --------- d-----w c:\programdata\WinZip
2009-01-05 22:53 --------- d-----w c:\program files\Java
2008-12-30 01:40 --------- d-----w c:\programdata\Microsoft Help
2008-12-24 07:01 --------- d-----w c:\program files\Microsoft Works
2008-12-13 20:02 --------- d-----w c:\programdata\CyberLink
2008-12-12 17:30 --------- d-----w c:\program files\Windows Mail
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 20:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 19:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-10 19:01 56,912 ----a-w c:\users\ESG\g2mdlhlpx.exe
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-18 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-06-18 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AF20C3AD-AB9B-420B-8BFF-3AAAA3B0B7F6}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{28865AF1-863E-45C1-A88D-CFE7C21B0214}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{53154721-0D02-4BC8-B1E9-CCBD5F6A78D6}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{15966B0C-2421-40E0-B919-70E293E39CF4}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{01F11DCF-3714-4325-B588-D71938347B30}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{B3D9B019-361E-4DE9-A077-13A7E722A8B1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{130F93C9-9632-446B-90E6-EC9CFEC705C4}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{2D86C8DB-816B-4532-B440-5A3F9F2CC49A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{DCECAC88-4B23-4C5C-9AD2-7A599DF7B902}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EE9D40EF-2BEE-4649-A4CC-4CCE840EE164}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"TCP Query User{30336E7F-D3DB-456C-8075-9ADA37B4AEF1}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5234C4CB-E4D4-4CC3-83E7-46B58E67A45A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{7A779E9D-1FA6-4B0E-94D3-0871223C22AF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [2008-06-18 111616]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-06-18 73728]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fec4486-3d2f-11dd-aa50-806e6f6e6963}]
\shell\AutoRun\command - E:\Serger1034D.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6dafeb0-63fc-11dd-a91a-001d09473564}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 22:14:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-11 22:16:34
ComboFix-quarantined-files.txt 2009-01-12 04:16:30

Pre-Run: 58,036,056,064 bytes free
Post-Run: 58,607,104,000 bytes free

157 --- E O F --- 2009-01-01 16:48:14

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 PM

Posted 12 January 2009 - 07:56 AM

Kudos on being able to run the last apps. However, we aren't done yet. This had (has) an autorun/automount infection that also had some hidden rootkit-like co-infector. Avenger + Combofix has taken it out; but we must do more checking, and also have you do an antivirus scan.

This next Combofix run is to de-list Tea Timer as a startup item, but more, to remove references to automounts of your E & F drive.
You most likely have an infected flash-drive that was used and placed in the F drive.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Killall::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fec4486-3d2f-11dd-aa50-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6dafeb0-63fc-11dd-a91a-001d09473564}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
=
Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


=
Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://www.techsupportforum.com/sectools/s...Disinfector.exe
There is no GUI interface or log file produced.
=

>
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
=
Next, do a new set of DDS reports.

=
Reply with copies of C:\Combofix.txt
MBAM log,
Dr Web CureIt log,
and the new DDS reports.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 Max K

Max K
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 12 January 2009 - 11:10 PM

Things are running well.

ComboFix 09-01-11.04 - ESG 2009-01-12 11:33:19.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1119 [GMT -6:00]
Running from: c:\users\ESG\Desktop\Combo-Fix.exe
Command switches used :: c:\users\ESG\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\users\All Users\WinZipSE
2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\programdata\WinZipSE
2009-01-11 21:48 . 2009-01-11 21:48 <DIR> d-------- c:\program files\WinZip Self-Extractor
2009-01-05 16:54 . 2009-01-05 16:53 410,984 --a------ c:\windows\System32\deploytk.dll
2009-01-05 10:42 . 2009-01-05 10:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 09:53 . 2009-01-05 10:21 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-05 09:53 . 2009-01-05 10:21 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-01-05 09:53 . 2009-01-05 09:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-05 09:36 . 2009-01-05 09:36 <DIR> d-------- c:\users\ESG\AppData\Roaming\PC Tools
2009-01-05 09:36 . 2009-01-11 19:12 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-05 09:36 . 2009-01-11 19:12 <DIR> d-a------ c:\programdata\TEMP
2009-01-05 09:36 . 2009-01-05 09:36 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-05 09:36 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-01-05 09:36 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-01-05 09:36 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-01-05 09:36 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-01-05 09:29 . 2009-01-05 09:29 <DIR> d-------- c:\program files\IE Protector And Tracks Eraser
2008-12-29 20:04 . 2008-12-29 20:04 <DIR> d-------- c:\program files\Recovery Toolbox for Outlook
2008-12-29 20:04 . 2008-08-08 04:06 2,767,872 --a------ c:\windows\System32\Redemption.dll
2008-12-29 20:04 . 2007-02-07 08:59 140,824 --a------ c:\windows\System32\secman.dll
2008-12-29 18:01 . 2008-12-29 18:01 <DIR> dr-h----- C:\MSOCache
2008-12-20 11:45 . 2008-12-20 11:45 <DIR> d-------- c:\program files\Walmart MP3 Music Downloads
2008-12-13 14:01 . 2008-12-13 14:01 <DIR> d-------- c:\users\ESG\AppData\Roaming\CyberLink
2008-12-12 10:58 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 04:26 --------- d-----w c:\programdata\WinZip
2009-01-05 22:53 --------- d-----w c:\program files\Java
2008-12-30 01:40 --------- d-----w c:\programdata\Microsoft Help
2008-12-24 07:01 --------- d-----w c:\program files\Microsoft Works
2008-12-13 20:02 --------- d-----w c:\programdata\CyberLink
2008-12-12 17:30 --------- d-----w c:\program files\Windows Mail
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 20:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 19:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-10 19:01 56,912 ----a-w c:\users\ESG\g2mdlhlpx.exe
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_22.14.33.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2009-01-12 04:06:43 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-12 17:35:51 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-01-12 04:06:43 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-01-12 17:35:51 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-01-12 04:09:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-12 17:37:47 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-01-12 04:09:40 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-12 17:37:45 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-12 17:37:45 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-01-12 04:06:44 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-12 16:27:41 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-12 04:06:44 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-12 16:27:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-12 04:06:44 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-12 16:27:41 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-12 04:11:16 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-01-12 17:32:16 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2009-01-12 04:10:07 9,374 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2946543308-1473481432-3041554809-1000_UserData.bin
+ 2009-01-12 04:23:31 9,382 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2946543308-1473481432-3041554809-1000_UserData.bin
- 2009-01-12 04:10:07 72,094 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-12 04:23:31 72,214 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-12 04:10:04 42,902 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-12 04:23:29 43,100 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-01-12 04:00:02 226,466 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-01-12 16:26:51 226,732 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-18 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-06-18 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AF20C3AD-AB9B-420B-8BFF-3AAAA3B0B7F6}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{28865AF1-863E-45C1-A88D-CFE7C21B0214}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{53154721-0D02-4BC8-B1E9-CCBD5F6A78D6}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{15966B0C-2421-40E0-B919-70E293E39CF4}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{01F11DCF-3714-4325-B588-D71938347B30}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{B3D9B019-361E-4DE9-A077-13A7E722A8B1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{130F93C9-9632-446B-90E6-EC9CFEC705C4}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{2D86C8DB-816B-4532-B440-5A3F9F2CC49A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{DCECAC88-4B23-4C5C-9AD2-7A599DF7B902}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EE9D40EF-2BEE-4649-A4CC-4CCE840EE164}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"TCP Query User{30336E7F-D3DB-456C-8075-9ADA37B4AEF1}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{5234C4CB-E4D4-4CC3-83E7-46B58E67A45A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{7A779E9D-1FA6-4B0E-94D3-0871223C22AF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [2008-06-18 111616]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-06-18 73728]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 11:37:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\wlanext.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-01-12 11:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 17:41:47
ComboFix2.txt 2009-01-12 04:16:35

Pre-Run: 58,232,008,704 bytes free
Post-Run: 58,098,737,152 bytes free

194 --- E O F --- 2009-01-12 16:29:31

Malwarebytes' Anti-Malware 1.32
Database version: 1646
Windows 6.0.6001 Service Pack 1

1/12/2009 11:47:43 AM
mbam-log-2009-01-12 (11-47-43).txt

Scan type: Quick Scan
Objects scanned: 51472
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS (Version 1.1.0) - NTFSx86
Run by ESG at 22:07:16.47 on Mon 01/12/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1139 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\System32\igfxtray.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\ESG\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-18 111616]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-6-18 73728]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-5 356920]

=============== Created Last 30 ================

2009-01-12 12:03 <DIR> --d----- c:\users\esg\DoctorWeb
2009-01-12 11:59 <DIR> a-dshr-- C:\autorun.inf
2009-01-12 11:58 266,360 a------- c:\windows\system32\TweakUI.exe
2009-01-12 11:58 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-01-12 11:43 <DIR> --d----- c:\users\esg\appdata\roaming\Malwarebytes
2009-01-12 11:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 11:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 11:43 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-12 11:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 11:43 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-11 22:10 161,792 a------- c:\windows\SWREG.exe
2009-01-11 22:10 98,816 a------- c:\windows\sed.exe
2009-01-11 21:48 <DIR> --d----- c:\programdata\WinZipSE
2009-01-11 21:48 <DIR> --d----- c:\progra~2\WinZipSE
2009-01-11 21:48 <DIR> --d----- c:\program files\WinZip Self-Extractor
2009-01-05 16:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-05 10:42 <DIR> --d----- c:\program files\Trend Micro
2009-01-05 09:53 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-05 09:53 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-05 09:53 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-05 09:36 <DIR> a-d----- c:\programdata\TEMP
2009-01-05 09:36 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-05 09:36 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-05 09:36 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 09:36 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-05 09:36 <DIR> --d----- c:\users\esg\appdata\roaming\PC Tools
2009-01-05 09:36 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-05 09:29 <DIR> --d----- c:\program files\IE Protector And Tracks Eraser
2008-12-29 20:04 140,824 a------- c:\windows\system32\secman.dll
2008-12-29 20:04 2,767,872 a------- c:\windows\system32\Redemption.dll
2008-12-29 20:04 <DIR> --d----- c:\program files\Recovery Toolbox for Outlook
2008-12-20 11:45 <DIR> --d----- c:\program files\Walmart MP3 Music Downloads

==================== Find3M ====================

2008-10-31 21:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 21:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 19:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 00:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 21:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 19:22 2,048 a------- c:\windows\system32\tzres.dll
2008-10-20 23:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-20 23:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 14:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 14:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 22:47 827,392 a------- c:\windows\system32\wininet.dll
2008-10-01 15:16 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-01 15:16 51,200 a------- c:\windows\inf\infpub.dat
2008-10-01 15:16 86,016 a------- c:\windows\inf\infstor.dat
2008-09-10 13:01 56,912 a------- c:\users\esg\g2mdlhlpx.exe
2008-06-26 12:01 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:07:33.89 ===============

#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:06 PM

Posted 13 January 2009 - 07:26 AM

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

Next:

If you have a prior copy of SmitFraudFix, delete it now :!:
Please download SmitfraudFix (by S!Ri) Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.388 or later as of this post).
Extract the contents of the exe file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.
The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected
=

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kapersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.
Re-enable your antivirus program.
Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

reply with copy of the C:\rapport.txt and the Kaspersky.txt report.
How is your system now ?

Edited by Maurice Naggar, 13 January 2009 - 07:28 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users