Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Tidserv, Trojan.Knowedel, Perfect Defender 2009


  • This topic is locked This topic is locked
7 replies to this topic

#1 devin br

devin br

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 19 January 2009 - 09:18 PM

Hi and thanks in advance for your help!

A day or two before Thanksgiving (I believe it was 11-26-08) I started receiving pop-ups which appeared to be my Windows Firewall claiming I had a keylogger on my computer. It directed me to download a program, Perfect Defender 2009, which I foolishly did (the free version only). I ran a virus scan with Symantec Endpoint Protection and it found several files, some of which were quarantined, some deleted, and some not fixed. The files it found are as follows:

SafeStrip Quarantined A0030448.exe
AntiVirus2008 Quarantined A0030447.exe
Backdoor.Tidserv Restart Processing Unavailable
Trojan Horse Restart Processing a0030243.sys
Trojan Horse Quarantined TDSSmhfe.sys
Backdoor.Tidserv Cleaned by deletion A0030259.dll
Backdoor.Tidserv Cleaned by deletion A0030258.dll
Backdoor.Tidserv Cleaned by deletion A0030257.dll
Trojan Horse Restart Required - Cleaned A0030243.sys
Trojan.Knowedel No repair currently available TDSS6b45.tmp c:\Documents and Settings\Devin\Local Settings\Temp\
Backdoor.Tidserv Cleaned by deletion TDSSyoqu.dll
Backdoor.Tidserv Cleaned by deletion TDSSoitu.dll
Backdoor.Tidserv Restart Required - Cleaned by deletion TDSSarxx.dll

After downloading Comodo Firewall, I became nervous that there were still several malware files on my computer that Symantec or Webroot Spysweeper have not picked up on (it frequently warned of suspicious activity and intrusion attempts). I also scanned my computer with PCTools Spyware Doctor and that was able to remove the rogue virus software. I manually deleted the following programs, which seemed to be generating the fake Windows Firewall pop-ups (I noticed this file was active as it repeatedly came up on Comodo):

C:\Documents and Settings\Devin\Application Data\Google\ijdkq13324484.exe
and spclrp.dll (I believe this was in the same folder).

Finally, I disabled the following startup processes, some of which seemed suspicious to me (others were just nuisances, but I can't remember which were which right now):
hpztsb09 C:\WINDOWS\system 32\spool\drivers\w32x86\hpztsb09.exe
ijdkq13324484 C:\Documents and Settings\Devin\Application Data\Google\ijdkq13324484.exe
WKUfind C:\Program Files\Common Files\Microsoft Shared\Works Shared\WKUFind.exe
hpcmpmgr C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
WksSb C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
OrbTray C:\Program Files\Winamp Remote\bin\OrbTray.exe /background

Hopefully this is helpful. I am no expert at computers, so I am a bit lost as to how to proceed right now. Any help is greatly appreciated! Here is my DDS log:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Devin at 19:32:38.70 on Mon 01/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.399 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Documents and Settings\Devin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [Aim6]
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] "c:\windows\system32\TDispVol.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"
mRun: [TPSMain] "c:\windows\system32\TPSMain.exe"
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [dla] "c:\windows\system32\dla\DLACTRLW.exe"
mRun: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [WorksFUD] "c:\program files\microsoft works\wkfud.exe"
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\devin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\devin\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-26 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-26 31504]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-11-26 160792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090119.033\NAVENG.SYS [2009-1-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090119.033\NAVEX15.SYS [2009-1-19 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-11-26 618232]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-11-26 1086840]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-11-25 16512]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-3 23888]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-26 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-26 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-26 81288]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-26 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-26 1079176]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-19 19:30 22,854 a------- c:\docume~1\devin\applic~1\wklnhst.dat
2009-01-08 19:52 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-08 19:52 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-01-07 15:29 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-04 09:57 147,192 a------- c:\windows\system32\guard32.dll
2008-12-04 09:57 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-01 19:55 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-01 19:55 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-01 19:55 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-11-27 12:35 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-27 12:35 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-27 12:35 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-27 12:35 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-26 19:59 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-11-26 18:42 164 a------- C:\install.dat
2008-11-26 05:01 161 a------- c:\documents and settings\devin\nah_log.dat
2008-11-26 00:57 507,904 a------- c:\windows\system32\winlogon.exe
2008-11-26 00:57 295,424 a------- c:\windows\system32\termsrv.dll
2008-11-13 17:11 1,553,272 a------- c:\windows\WRSetup.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-08-19 11:45 49,752 a------- c:\docume~1\devin\applic~1\GDIPFONTCACHEV1.DAT
2008-09-30 11:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 19:34:02.84 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 30 January 2009 - 02:12 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is not need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 devin br

devin br
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 31 January 2009 - 02:01 PM

Hi Propaganda Panda,
Thanks so much with your help on this. There have not been many new symptoms on my computer. Comodo Firewall still says there are 'suspicious events' which occur from time to time (today, it mentions C:\\WINDOWS\system32\wbem\wmiprvse.exe had as its target C:\\WINDOWS\system32\wrLZMA.dll, which it blocked). I'm not familiar with those processes, so I don't know if it's safe or not. Otherwise, it sometimes picks up on inbound connections that I also don't recognize. Also, in the past week the computer occasionally freezes up, though it hasn't happened for a few days. Basically, I'm just not sure if there are problematic files and processes on my computer or not. Again, thanks for all of your help.


DDS (Ver_09-01-18.01) - NTFSx86
Run by Devin at 12:47:53.21 on Sat 01/31/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.419 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Devin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [Aim6]
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] "c:\windows\system32\TDispVol.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [AGRSMMSG] "c:\windows\AGRSMMSG.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"
mRun: [TPSMain] "c:\windows\system32\TPSMain.exe"
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [dla] "c:\windows\system32\dla\DLACTRLW.exe"
mRun: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [WorksFUD] "c:\program files\microsoft works\wkfud.exe"
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] "c:\windows\system32\dumprep.exe" 0 -u
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\devin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\devin\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
TCP: {7D40536D-8A04-4579-B830-D18F0C0BEE31} = 128.206.10.3,128.206.10.2
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-26 40840]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-26 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-26 31504]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-26 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-26 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-11-26 160792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090130.041\NAVENG.SYS [2009-1-31 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090130.041\NAVEX15.SYS [2009-1-31 876112]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-11-26 618232]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-26 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-26 1079176]
R4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-11-26 1086840]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-11-25 16512]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-3 23888]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-01-31 10:02 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-31 10:02 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-01-30 14:51 22,854 a------- c:\docume~1\devin\applic~1\wklnhst.dat
2009-01-07 15:29 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-04 09:57 147,192 a------- c:\windows\system32\guard32.dll
2008-12-04 09:57 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-27 12:35 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-26 18:42 164 a------- C:\install.dat
2008-11-26 05:01 161 a------- c:\documents and settings\devin\nah_log.dat
2008-11-26 00:57 507,904 a------- c:\windows\system32\winlogon.exe
2008-11-26 00:57 295,424 a------- c:\windows\system32\termsrv.dll
2008-11-13 17:11 1,553,272 a------- c:\windows\WRSetup.dll
2008-08-19 11:45 49,752 a------- c:\docume~1\devin\applic~1\GDIPFONTCACHEV1.DAT
2008-09-30 11:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 12:49:22.98 ===============

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 31 January 2009 - 02:20 PM

Hello.

There is definately some sign of infection.

Were you able to run GMER?

With Regards,
The Panda

#5 devin br

devin br
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 31 January 2009 - 02:31 PM

I have attached a copy of the log from the GMER scan.

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 31 January 2009 - 02:41 PM

Hello.

From what you describe, some malware is there. However, it is not seen in you logs, so it's likely not active.

Let's leave it for a few days. Tell me if anything comes up.

With Regards,
The Panda

#7 devin br

devin br
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:20 PM

Posted 31 January 2009 - 02:48 PM

Good news. Thanks for taking the time to help out!

- D

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 09 February 2009 - 05:04 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users