Unknown Spyware or Virus - think it's related to ebay

I actually have two computers I'm working with and both of them seem to have the same type of viruse or spyware. Both of these computers are used to list products on ebay. Both have a suspicious service named ci that points to a file named c:\windows\system32\tcim.exe. On one of the systems I keep getting a popup with chinese writing that looks like an instant messenger program (but isn't) I had already run combofix and malware bytes antimalware as well as super antispyware but I can't get rid of it.


Here are my logs.

P.S. I also get a 0x0000008 blue screen on one of the systems in normal mode shortly after logging in related to ntfs.sys but it does not happen in safe mode.


DDS (Ver_09-01-18.01) - NTFSx86
Run by Dona Brickles at 22:01:51.51 on Tue 01/20/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.701 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Dona Brickles\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 192.168.0.1;<local>
uInternet Settings,ProxyServer = http=192.168.0.1:87
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTb.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl03a\BrStDvPt.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
mExplorerRun: [llajyn_df] c:\windows\system\lljyn090113.exe
mExplorerRun: [zhqbastart] rundll32.exe c:\windows\system\zhnahsdf090101c.dll a16zhqb
mExplorerRun: [ming9astart] c:\windows\system\ming9a090110.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartui.lnk - c:\program files\scansoft\paperport\smartui\SmartUI.exe
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: live.com\safety
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-6 99376]
R4 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-12-13 18944]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
S0 aovb;aovb;c:\windows\system32\drivers\nrh.sys --> c:\windows\system32\drivers\nrh.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-7-2 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-7-2 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2005-7-2 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2005-7-2 10368]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090115.040\NAVENG.SYS [2009-1-16 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090115.040\NAVEX15.SYS [2009-1-16 876112]
S4 mycode1983;Remote TCP/IP3;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S4 tcim;ci;c:\windows\system32\tcim.exe --> c:\windows\system32\tcim.exe [?]
S4 wowsystemcode123;Remote TCP/IP;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]

=============== Created Last 30 ================

2009-01-20 18:12 <DIR> --d----- c:\program files\RogueRemover FREE
2009-01-20 17:57 <DIR> --d----- c:\docume~1\donabr~1\applic~1\Malwarebytes
2009-01-20 17:55 135,168 a------- c:\windows\system32\igfxres.dll
2009-01-20 17:39 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-01-20 17:39 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-01-20 17:39 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-01-20 17:39 14,336 ac------ c:\windows\system32\dllcache\tsprof.exe
2009-01-20 17:39 455,168 ac------ c:\windows\system32\dllcache\tintsetp.exe
2009-01-20 17:39 44,032 ac------ c:\windows\system32\dllcache\tintlphr.exe
2009-01-20 17:39 10,240 ac------ c:\windows\system32\dllcache\tmigrate.dll
2009-01-20 17:39 571,392 ac------ c:\windows\system32\dllcache\tintlgnt.ime
2009-01-20 17:39 19,464 ac------ c:\windows\system32\dllcache\tdspx.sys
2009-01-20 17:39 21,896 ac------ c:\windows\system32\dllcache\tdipx.sys
2009-01-20 17:39 13,192 ac------ c:\windows\system32\dllcache\tdasync.sys
2009-01-20 17:37 18,432 ac------ c:\windows\system32\dllcache\jupiw.dll
2009-01-20 17:36 598,071 ac------ c:\windows\system32\dllcache\fpmmc.dll
2009-01-20 17:35 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-20 17:34 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-20 17:34 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-20 17:34 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-20 17:34 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-20 17:31 5,208 a------- c:\windows\system32\pid.PNF
2009-01-20 16:43 25,088 a------- c:\windows\system32\ntdl1.dll
2009-01-20 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 15:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-20 15:01 <DIR> --d----- c:\windows\system32\CatRoot2
2009-01-20 14:27 161,792 a------- c:\windows\SWREG.exe
2009-01-20 14:27 98,816 a------- c:\windows\sed.exe
2009-01-20 14:26 <DIR> --d----- C:\ComboSix
2009-01-20 03:57 <DIR> --d----- c:\docume~1\donabr~1\applic~1\SUPERAntiSpyware.com
2009-01-19 10:58 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-19 10:44 2,768 a------- C:\autorun.PNF
2009-01-19 07:19 <DIR> --dsh--- C:\found.000
2009-01-17 07:47 1,017,648 a------- c:\documents and settings\dona brickles\dsc.exe.exe
2009-01-16 19:18 83,360 a------- c:\documents and settings\dona brickles\OSA.EXE.exe
2009-01-16 19:18 714,608 a------- c:\documents and settings\dona brickles\osCheck.exe.exe
2009-01-16 19:18 86,016 a------- c:\documents and settings\dona brickles\MMDiag.exe.exe
2009-01-16 12:36 <DIR> --d----- c:\windows\pss
2009-01-16 11:39 389,120 a------- c:\windows\system32\ming9tmpdf0.exe
2009-01-16 11:37 16,384 a------- c:\documents and settings\dona brickles\dsca.exe.exe
2009-01-16 10:22 389,120 a------- c:\windows\system32\ming9tmpdf2.exe
2009-01-16 09:38 389,120 a------- c:\windows\system32\zhqbtmpdf1.exe
2009-01-16 07:31 3,328 a------- C:\x1.tmp
2009-01-16 07:31 3,328 a------- C:\x.tmp
2009-01-16 07:09 1,598 a------- C:\GK.TMP
2009-01-16 07:08 47,529 a---h--- c:\windows\system32\svchest.exe
2009-01-16 07:07 65,536 a------- c:\windows\system32\wow964_846.dll
2009-01-16 07:07 20 a------- c:\windows\mj
2009-01-16 07:07 4,504,616 a------- c:\windows\FunshionInstall_C46681.exe
2009-01-16 07:07 1,598 a------- C:\12~~.tmp
2009-01-15 10:24 20 a------- c:\windows\syscheck
2008-12-22 13:10 <DIR> --d----- c:\windows\system32\scripting
2008-12-22 13:09 <DIR> --d----- c:\windows\l2schemas
2008-12-22 13:09 <DIR> --d----- c:\windows\system32\en
2008-12-22 13:09 <DIR> --d----- c:\windows\system32\bits
2008-12-22 13:05 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-22 12:59 <DIR> --d----- c:\windows\EHome

==================== Find3M ====================

2009-01-20 18:07 67,992 a------- c:\windows\system32\spoolsv.exe
2009-01-20 17:34 23,444 a------- c:\windows\system32\emptyregdb.dat
2009-01-20 12:44 9,032 a--shr-- c:\windows\tasks\0x01xx8p.exe
2009-01-19 15:35 9 ---shr-- c:\program files\Desktop_1.ini
2009-01-16 07:07 73,382 a------- c:\windows\java\classes\clipsrvz.exe
2009-01-08 19:52 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 19:52 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 19:52 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 19:52 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 11:56 31,074 a------- c:\docume~1\donabr~1\applic~1\wklnhst.dat
2008-12-22 13:18 78,519 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-11-21 17:03 100,696 a------- c:\docume~1\donabr~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:02:15.04 ===============

Edited by shinomen, 20 January 2009 - 10:24 PM.

So after fighting and fighting with this computer I finally gave up and reinstalled windows. I was able to get it removed from one computer using a combination of bartpe, combofix, malwarebytes, and manual removal of suspect things, but apparently this virus infects .exe files and if run, brings the virus back full blown.

I found info on it at the following site: LINK Edit: Fixed link.

I see many chinese, russian, and other sites talking about this but no one seems to have a fix.

Edited by shinomen, 27 January 2009 - 08:36 PM.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results, click no to the Optional_Scan
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K