Infected with TDSS Trojan and SpywareGuard (among others?)

#1 mariposa!



Posted 13 January 2009 - 03:06 AM


Rigel from the 'Am I infected, what do I do?' forum helped me try to clean up and remove various malware from my computer. We finally narrowed it down to TDSS, which he warned is a nasty infection, and gave me rather unpleasant news about this particular type of trojan. He referred me here to see what we could do. Even though my computer may never be fully clean again, I figure it can't hurt to try like hell to get rid of as much as possible.

Here is the link to the thread between myself and Rigel so you can see what we've done so far.

And now, as requested, here is the DDS log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by jahmariposa at 23:50:12.41 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.111 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\jahmariposa\Desktop\procexp.exe
C:\Documents and Settings\jahmariposa\Desktop\HiJackThis_v2.exe
C:\Documents and Settings\jahmariposa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5485bd9b-c0d0-443f-96c6-8855b19f367a} - c:\windows\system32\avmete.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6]
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\jahmar~1\startm~1\programs\startup\dropbox.lnk - c:\program files\dropbox\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\jahmariposa\start menu\programs\>imvu\Run IMVU.lnk
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
TCP: {A532B77D-73DE-4344-A3EB-D7F68F3117F2} =
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: sxwfun.dll c:\windows\system32\jehosoga.dll jyegfn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jahmar~1\applic~1\mozilla\firefox\profiles\6gjzgq1v.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.gmail.com
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\jahmariposa\application data\mozilla\firefox\profiles\6gjzgq1v.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

============= SERVICES / DRIVERS ===============

R0 yrjlyprv;yrjlyprv;c:\windows\system32\drivers\yrjlyprv.sys [2004-8-3 23424]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2005-7-15 11264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 EL59X;3Com Fast EtherLink 59x Adapter Driver;c:\windows\system32\drivers\el59x.sys [2005-7-15 39184]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-30 38496]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-26 24652]
S3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2005-7-14 70528]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2006-11-28 96256]
S3 NAVAP;NAVAP;\??\c:\progra~1\symantec\sav\navap.sys --> c:\progra~1\symantec\sav\NAVAP.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080412.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080412.003\NAVENG.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080412.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20080412.003\NAVEX15.sys [?]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2005-7-15 32840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S4 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]
S4 gupdate1c91df4b697baa0;Google Update Service (gupdate1c91df4b697baa0);c:\program files\google\update\GoogleUpdate.exe [2008-9-23 133104]
S4 NAVAPEL;NAVAPEL;\??\c:\program files\symantec\sav\navapel.sys --> c:\program files\symantec\sav\NAVAPEL.SYS [?]
S4 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symantec\sav\rtvscan.exe --> c:\progra~1\symantec\sav\Rtvscan.exe [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-01-12 23:40 16,384 a------t c:\temp\Perflib_Perfdata_e50.dat
2009-01-02 07:26 16,832 a------- c:\windows\system32\amcompat.tlb
2009-01-02 07:26 23,392 a------- c:\windows\system32\nscompat.tlb
2008-12-30 02:45 441 a------- c:\windows\system32\TDSSwupe.dat
2008-12-30 02:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 02:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 02:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 02:38 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-30 02:38 1,409 a------- c:\windows\QTFont.for
2008-12-30 00:42 95,744 a------- c:\windows\system32\avmete.dll
2008-12-29 23:47 <DIR> --d----- c:\windows\ERUNT
2008-12-29 23:31 <DIR> --d----- C:\SDFix
2008-12-29 00:51 <DIR> --d----- c:\temp\CD1
2008-12-28 21:50 <DIR> --d----- c:\docume~1\jahmar~1\applic~1\Dropbox
2008-12-28 21:50 <DIR> --d----- c:\program files\Dropbox
2008-12-24 09:07 2,098 ---sh--- c:\windows\system32\kegezadu.exe
2008-12-23 08:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-23 08:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-23 08:27 <DIR> --d----- c:\docume~1\jahmar~1\applic~1\SUPERAntiSpyware.com
2008-12-23 08:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-22 13:23 <DIR> --dsh--- c:\windows\SmFoTWFyaXBvc2E

==================== Find3M ====================

2009-01-09 23:51 1,744 a------- c:\windows\system32\d3d9caps.dat
2008-12-22 14:05 62,587 a--sh--- c:\windows\system32\hunasuga.dll

============= FINISH: 23:51:26.89 ===============
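A small triage script for DDS log lines like the ones in this log, added here as an illustration and not part of the post or of the DDS tool itself; the line shapes it parses, the "random-looking name" vowel heuristic and the hidden+system attribute rule are my assumptions, and the sample input is a constructed subset of lines copied from the log above.

```python
import re

# Constructed sample: lines copied from the DDS log posted above (Pseudo HJT,
# Firefox, Services/Drivers and Created Last 30 sections), one per line shape.
SAMPLE_LOG = r"""
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5485bd9b-c0d0-443f-96c6-8855b19f367a} - c:\windows\system32\avmete.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
AppInit_DLLs: sxwfun.dll c:\windows\system32\jehosoga.dll jyegfn.dll
FF - prefs.js: keyword.URL - hxxp://www10.yoog.com/search.php?q=
R0 yrjlyprv;yrjlyprv;c:\windows\system32\drivers\yrjlyprv.sys [2004-8-3 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
2008-12-24 09:07 2,098 ---sh--- c:\windows\system32\kegezadu.exe
2008-12-30 02:45 441 a------- c:\windows\system32\TDSSwupe.dat
"""

# Line shapes as DDS printed them in this log (assumed, not a documented grammar).
BHO_RE = re.compile(r"^BHO: (?:(?P<name>[^{]+): )?\{[0-9a-f-]+\} - (?P<path>.+)$", re.I)
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);[^;]*;(?P<path>[^\[]+?)\s*\[")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (?P<attr>[a-z-]{8}) (?P<path>.+)$")

def vowel_ratio(name):
    """Crude 'random-looking name' heuristic: share of a/e/i/o/u among the letters."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def triage_line(line):
    """Return (reason, value) findings for one DDS line; [] when nothing stands out."""
    found = []
    if m := BHO_RE.match(line):
        if not m["name"] and "\\system32\\" in m["path"].lower():
            found.append(("unnamed BHO loaded from system32", m["path"]))
    elif line.startswith("AppInit_DLLs:"):
        # Every AppInit DLL is loaded into each user32-linked process: always review.
        found += [("AppInit_DLLs entry", dll) for dll in line.split(":", 1)[1].split()]
    elif "keyword.URL" in line:
        found.append(("Firefox keyword.URL overridden (search hijack)", line.rsplit(" - ", 1)[1]))
    elif m := DRIVER_RE.match(line):
        if m["start"] == "R0" and vowel_ratio(m["svc"]) < 0.2:
            found.append(("boot-start driver with random-looking name", m["path"]))
    elif m := CREATED_RE.match(line):
        attr, path = m["attr"], m["path"]
        hidden_sys = "s" in attr and "h" in attr
        if "\\system32\\" in path.lower() and (hidden_sys or "tdss" in path.lower()):
            found.append(("system+hidden or TDSS-named file in system32", path))
    return found

def triage(log_text):
    """Run triage_line over a whole DDS log and collect findings in log order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]
```

Run over the sample it flags the unnamed system32 BHO, all three AppInit_DLLs entries, the yoog.com keyword.URL, the vowel-less R0 driver and the two system32 files; everything else in the sample passes through untouched.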

#2 miekiemoes



Posted 13 January 2009 - 05:46 AM


I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

* Please visit this webpage for instructions for downloading and running ComboFix:


Post the log from ComboFix in your next reply.

Edited by miekiemoes, 13 January 2009 - 05:47 AM.

#3 miekiemoes



Posted 26 January 2009 - 06:40 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
