
Win32Backdoor.TDSS


This topic is locked
8 replies to this topic

#1 galem

  • Members
  • 4 posts
  • OFFLINE

Posted 26 January 2009 - 11:54 PM

Hello,

I am unable to delete this trojan from my computer. When I run Ad-Aware it comes up with Win32Backdoor.TDSS and says the computer needs to be rebooted in order to fix the issue. When I restart and run the scan again it is still there. Here is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:12 PM, on 1/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\gsdrgfdrrgnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Michael\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Michael\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Michael\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3504] command /c del "C:\WINDOWS\etb\etb.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4378] cmd /c del "C:\WINDOWS\etb\etb.ini"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125326564031
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9709 bytes


Thanks for your help!

MG
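A triage script for HijackThis log lines, added here as an example (it is not code from this thread or from the HijackThis project): it parses the O2/O4/O22 line formats and flags the indicators visible in the log above, namely Run entries launched from a Temp directory, random-looking value names, a BHO or SharedTaskScheduler entry whose file is missing, a DLL sitting in the Startup folder, and a rundll32 entry loading a DLL from system32. The consonant-run heuristic and the sample lines are assumptions constructed from this log for illustration, not a general detector.

```python
"""Triage of HijackThis (HJT) log lines for the indicators seen in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HJT log posted above, plus
# three benign entries from the same log so the filter has something to ignore.
SAMPLE_HJT_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\gsdrgfdrrgnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Michael\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Michael\LOCALS~1\Temp\csrssc.exe
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Line formats as HJT 2.x prints them (O4 Run/RunOnce, O4 Startup, O2 BHO, O22 SharedTaskScheduler).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>[^=]+?)(?: = (?P<target>.+))?$")
COM_RE = re.compile(
    r"^O(?P<sec>2|22) - (?:BHO|SharedTaskScheduler): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+.*\\system32\\", re.IGNORECASE)

# Reason strings, kept as constants so callers can match on them.
R_TEMP = "launched from a Temp directory"
R_RANDOM = "random-looking name"
R_RUNDLL = "rundll32 loading a DLL from system32 (verify the file and its export)"
R_DLL_STARTUP = "DLL placed in the Startup folder"
R_UNRESOLVED = "shortcut target could not be resolved"
R_MISSING = "COM object registered but its file is missing"


@dataclass
class Finding:
    section: str
    name: str
    reasons: list[str] = field(default_factory=list)


VOWELS = set("aeiouy")


def looks_random(name: str, min_run: int = 7) -> bool:
    """Crude heuristic (an assumption tuned to this log): a run of at least
    min_run letters/digits without a vowel, which product names rarely have."""
    run = best = 0
    for ch in name.lower():
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best >= min_run


def triage_line(line: str) -> Finding | None:
    """Return a Finding for one HJT line if any indicator fires, else None."""
    if m := RUN_RE.match(line):
        f = Finding("O4-Run", m["name"])
        if TEMP_RE.search(m["cmd"]):
            f.reasons.append(R_TEMP)
        if looks_random(m["name"]):
            f.reasons.append(R_RANDOM)
        if RUNDLL_RE.match(m["cmd"]):
            f.reasons.append(R_RUNDLL)
    elif m := STARTUP_RE.match(line):
        f = Finding("O4-Startup", m["name"])
        if m["name"].lower().endswith(".dll"):
            f.reasons.append(R_DLL_STARTUP)
        if m["target"] == "?":
            f.reasons.append(R_UNRESOLVED)
    elif m := COM_RE.match(line):
        f = Finding("O" + m["sec"], m["name"])
        if m["missing"]:
            f.reasons.append(R_MISSING)
        # For O2 the "name" is the DLL path; judge only the file name.
        if looks_random(m["name"].rsplit("\\", 1)[-1]):
            f.reasons.append(R_RANDOM)
    else:
        return None
    return f if f.reasons else None


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line and keep only the flagged entries, in log order."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<11} {f.name}: {'; '.join(f.reasons)}")
```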



#2 miekiemoes

Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium

Posted 27 January 2009 - 04:07 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

The same applies to Ad-Watch.

Disable AD-AWARE AD-WATCH

* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called Active and Automatic.
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)

And do the same for Windows Defender, for the same reason.
To turn real-time protection off
Open Windows Defender. (Click Start, click Programs, and then click Windows Defender.)
Click Tools, and then click General Settings.
Under Real-time protection options, Uncheck the Turn on real-time protection (recommended) check box.
Then click Save.

When your HijackThis log is clean again, please turn the real-time protection on again.


As a matter of fact, once we are done here, only enable one of them again. I mean, either you enable TeaTimer again, or you enable Ad-Watch again, or you enable Windows Defender again. This is because they all do exactly the same thing and only interfere with each other if more than one is enabled.


Also, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Edited by miekiemoes, 27 January 2009 - 04:07 AM.


#3 galem
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 27 January 2009 - 10:52 PM

OK. Here is my ComboFix log:

ComboFix 09-01-21.04 - Michael 2009-01-27 22:26:25.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.303 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\3ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090125201617328.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090125202611328.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\windows\etb
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\wpv331232895520.cpx
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 21:18 . 2009-01-26 21:18 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-26 21:18 . 2009-01-26 21:18 680,960 --a------ c:\windows\is-ULMST.exe
2009-01-26 21:18 . 2009-01-26 21:18 10,453 --a------ c:\windows\is-ULMST.msg
2009-01-26 21:18 . 2009-01-26 21:18 301 --a------ c:\windows\is-ULMST.lst
2009-01-26 20:51 . 2009-01-26 20:51 <DIR> d-------- C:\!KillBox
2009-01-25 20:15 . 2009-01-25 20:15 21,504 --ahs---- c:\documents and settings\Michael\protect.dll
2009-01-25 19:42 . 2009-01-25 19:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 19:26 . 2009-01-25 17:42 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 17:42 . 2009-01-25 17:42 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 17:37 . 2009-01-25 17:37 <DIR> d-------- c:\program files\Lavasoft
2009-01-25 17:37 . 2009-01-25 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-25 16:55 . 2009-01-25 17:37 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 16:39 . 2009-01-25 16:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-25 16:39 . 2009-01-25 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 16:14 . 2005-04-10 05:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-25 16:14 . 2005-04-10 05:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-25 16:14 . 2009-01-25 16:14 <DIR> d-------- c:\documents and settings\Administrator
2009-01-25 15:37 . 2009-01-25 15:37 <DIR> d-------- C:\c95a24884eb9b2b8132e
2009-01-25 15:37 . 2009-01-25 15:37 <DIR> dr-h----- C:\AHCache
2009-01-25 15:37 . 2009-01-25 15:38 <DIR> d-------- C:\21ccf992a4118ab1fea3
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\scripting
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\en
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\bits
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\l2schemas
2009-01-22 23:20 . 2009-01-22 23:27 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-22 23:01 . 2009-01-22 23:01 <DIR> d-------- c:\windows\EHome
2009-01-22 22:05 . 2009-01-22 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 21:58 . 2009-01-22 21:58 <DIR> d-------- c:\program files\Bonjour
2009-01-22 21:52 . 2009-01-22 21:57 <DIR> d-------- c:\program files\QuickTime
2009-01-22 15:38 . 2004-08-04 00:29 25,471 --------- c:\windows\system32\drivers\watv10nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 22,271 --------- c:\windows\system32\drivers\watv06nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,935 --------- c:\windows\system32\drivers\wadv11nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,871 --------- c:\windows\system32\drivers\wadv09nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,807 --------- c:\windows\system32\drivers\wadv07nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,295 --------- c:\windows\system32\drivers\wadv08nt.sys
2009-01-22 15:37 . 2004-08-04 00:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2009-01-22 15:37 . 2004-08-04 00:41 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2009-01-22 15:37 . 2004-08-04 00:29 452,736 --------- c:\windows\system32\drivers\mtxparhm.sys
2009-01-22 15:37 . 2004-08-04 00:41 404,990 --------- c:\windows\system32\drivers\slntamr.sys
2009-01-22 15:37 . 2004-08-04 00:41 180,360 --------- c:\windows\system32\drivers\ntmtlfax.sys
2009-01-22 15:37 . 2004-08-04 00:29 166,912 --------- c:\windows\system32\drivers\s3gnbm.sys
2009-01-22 15:37 . 2004-08-04 00:41 129,535 --------- c:\windows\system32\drivers\slnt7554.sys
2009-01-22 15:37 . 2004-08-04 00:41 126,686 --------- c:\windows\system32\drivers\mtlmnt5.sys
2009-01-22 15:37 . 2004-08-04 00:41 95,424 --------- c:\windows\system32\drivers\slnthal.sys
2009-01-22 15:37 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-22 15:37 . 2004-08-04 00:41 13,776 --------- c:\windows\system32\drivers\recagent.sys
2009-01-22 15:37 . 2004-08-04 00:41 13,240 --------- c:\windows\system32\drivers\slwdmsup.sys
2009-01-22 15:36 . 2004-08-04 00:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-01-22 15:36 . 2004-08-04 00:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys
2009-01-22 15:36 . 2004-08-04 00:41 220,032 --------- c:\windows\system32\drivers\hsfbs2s2.sys
2009-01-22 15:36 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty
2009-01-22 14:49 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-22 14:49 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-22 14:46 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-01-22 14:45 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-22 14:45 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-22 14:45 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-22 14:45 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-22 14:44 . 2008-12-12 12:01 3,067,904 --------- c:\windows\system32\dllcache\mshtml.dll
2009-01-22 14:44 . 2008-10-15 20:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-22 14:44 . 2008-10-15 20:00 666,112 --------- c:\windows\system32\dllcache\wininet.dll
2009-01-22 14:44 . 2008-10-15 20:00 619,520 --------- c:\windows\system32\dllcache\urlmon.dll
2009-01-22 14:36 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2009-01-22 14:36 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-22 14:36 . 2008-12-11 05:57 333,952 --------- c:\windows\system32\dllcache\srv.sys
2009-01-22 14:36 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-01-22 14:34 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-01-22 14:21 . 2009-01-22 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-05 16:18 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 18:47 --------- d-----w c:\documents and settings\Michael\Application Data\Viewpoint
2009-01-27 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 18:46 --------- d-----w c:\program files\Viewpoint
2009-01-27 04:45 --------- d-----w c:\documents and settings\Michael\Application Data\U3
2009-01-25 20:27 --------- d-----w c:\program files\Windows Defender
2009-01-25 06:01 --------- d-----w c:\documents and settings\Michael\Application Data\Apple Computer
2009-01-23 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-23 03:08 --------- d-----w c:\program files\iTunes
2009-01-23 03:06 --------- d-----w c:\program files\iPod
2009-01-23 03:06 --------- d-----w c:\program files\Common Files\Apple
2009-01-23 02:45 --------- d-----w c:\program files\Apple Software Update
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-08 07:02 13,166 -c--a-w c:\documents and settings\Michael\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-02 68856]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 198184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ChkDisk.dll [2009-01-25 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2004-08-04 33280]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-07-28 1527887]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\WINDOWS\\system32"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.1\\bin\\javaw.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-09-06 58464]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]
R4 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2005-09-08 57344]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S4 pciinfo;HP Pci Information;\??\c:\docume~1\Michael\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Michael\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 17:42]

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-148601095-2666429203-2819916471-1006.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 00:43]

2009-01-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-autochk - c:\windows\system32\autochk.dll
MSConfigStartUp-System service68 - c:\windows\etb\pokapoka68.exe
MSConfigStartUp-stratas - lockx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\wrnx2eu2.default\
FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 22:34:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?9?2?0??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-27 22:45:04 - machine was rebooted [Michael]
ComboFix-quarantined-files.txt 2009-01-28 03:44:50

Pre-Run: 32,737,079,296 bytes free
Post-Run: 32,188,678,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

283 --- E O F --- 2009-01-27 01:24:39



Thank you again for helping!

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:36 AM

Posted 28 January 2009 - 05:22 AM

Hi,

Not sure if you have read my previous post to uninstall Viewpoint - so please uninstall it first (unless you want to keep it).

Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Michael\protect.dll
DDS::
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
Folder::
C:\!KillBox
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32"=-


Save this as a text file called CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 galem (Topic Starter)

Posted 28 January 2009 - 10:51 AM

Yes, I did delete Viewpoint. Here is my new ComboFix log:


ComboFix 09-01-21.04 - Michael 2009-01-28 10:22:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.106 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\3ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFSCRIPT.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Michael\protect.dll
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.lnk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox
c:\!killbox\Logs\kb.log
c:\documents and settings\Michael\protect.dll
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Michael\Start Menu\Programs\Startup\ChkDisk.lnk

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 21:18 . 2009-01-26 21:18 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-26 21:18 . 2009-01-26 21:18 680,960 --a------ c:\windows\is-ULMST.exe
2009-01-26 21:18 . 2009-01-26 21:18 10,453 --a------ c:\windows\is-ULMST.msg
2009-01-26 21:18 . 2009-01-26 21:18 301 --a------ c:\windows\is-ULMST.lst
2009-01-25 19:42 . 2009-01-25 19:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 19:26 . 2009-01-25 17:42 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 17:42 . 2009-01-25 17:42 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 17:37 . 2009-01-25 17:37 <DIR> d-------- c:\program files\Lavasoft
2009-01-25 17:37 . 2009-01-25 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-25 16:55 . 2009-01-25 17:37 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 16:39 . 2009-01-25 16:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-25 16:39 . 2009-01-25 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 16:14 . 2005-04-10 05:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-25 16:14 . 2005-04-10 05:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-25 16:14 . 2009-01-25 16:14 <DIR> d-------- c:\documents and settings\Administrator
2009-01-25 15:37 . 2009-01-25 15:37 <DIR> d-------- C:\c95a24884eb9b2b8132e
2009-01-25 15:37 . 2009-01-25 15:37 <DIR> dr-h----- C:\AHCache
2009-01-25 15:37 . 2009-01-25 15:38 <DIR> d-------- C:\21ccf992a4118ab1fea3
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\scripting
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\en
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\system32\bits
2009-01-22 23:27 . 2009-01-22 23:27 <DIR> d-------- c:\windows\l2schemas
2009-01-22 23:20 . 2009-01-22 23:27 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-22 23:01 . 2009-01-22 23:01 <DIR> d-------- c:\windows\EHome
2009-01-22 22:05 . 2009-01-22 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 21:58 . 2009-01-22 21:58 <DIR> d-------- c:\program files\Bonjour
2009-01-22 21:52 . 2009-01-22 21:57 <DIR> d-------- c:\program files\QuickTime
2009-01-22 15:38 . 2004-08-04 00:29 25,471 --------- c:\windows\system32\drivers\watv10nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 22,271 --------- c:\windows\system32\drivers\watv06nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,935 --------- c:\windows\system32\drivers\wadv11nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,871 --------- c:\windows\system32\drivers\wadv09nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,807 --------- c:\windows\system32\drivers\wadv07nt.sys
2009-01-22 15:38 . 2004-08-04 00:29 11,295 --------- c:\windows\system32\drivers\wadv08nt.sys
2009-01-22 15:37 . 2004-08-04 00:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2009-01-22 15:37 . 2004-08-04 00:41 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2009-01-22 15:37 . 2004-08-04 00:29 452,736 --------- c:\windows\system32\drivers\mtxparhm.sys
2009-01-22 15:37 . 2004-08-04 00:41 404,990 --------- c:\windows\system32\drivers\slntamr.sys
2009-01-22 15:37 . 2004-08-04 00:41 180,360 --------- c:\windows\system32\drivers\ntmtlfax.sys
2009-01-22 15:37 . 2004-08-04 00:29 166,912 --------- c:\windows\system32\drivers\s3gnbm.sys
2009-01-22 15:37 . 2004-08-04 00:41 129,535 --------- c:\windows\system32\drivers\slnt7554.sys
2009-01-22 15:37 . 2004-08-04 00:41 126,686 --------- c:\windows\system32\drivers\mtlmnt5.sys
2009-01-22 15:37 . 2004-08-04 00:41 95,424 --------- c:\windows\system32\drivers\slnthal.sys
2009-01-22 15:37 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-22 15:37 . 2004-08-04 00:41 13,776 --------- c:\windows\system32\drivers\recagent.sys
2009-01-22 15:37 . 2004-08-04 00:41 13,240 --------- c:\windows\system32\drivers\slwdmsup.sys
2009-01-22 15:36 . 2004-08-04 00:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-01-22 15:36 . 2004-08-04 00:41 685,056 --------- c:\windows\system32\drivers\hsfcxts2.sys
2009-01-22 15:36 . 2004-08-04 00:41 220,032 --------- c:\windows\system32\drivers\hsfbs2s2.sys
2009-01-22 15:36 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty
2009-01-22 14:49 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-22 14:49 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-22 14:46 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2009-01-22 14:45 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-22 14:45 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-22 14:45 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-22 14:45 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-22 14:44 . 2008-12-12 12:01 3,067,904 --------- c:\windows\system32\dllcache\mshtml.dll
2009-01-22 14:44 . 2008-10-15 20:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-22 14:44 . 2008-10-15 20:00 666,112 --------- c:\windows\system32\dllcache\wininet.dll
2009-01-22 14:44 . 2008-10-15 20:00 619,520 --------- c:\windows\system32\dllcache\urlmon.dll
2009-01-22 14:36 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2009-01-22 14:36 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-22 14:36 . 2008-12-11 05:57 333,952 --------- c:\windows\system32\dllcache\srv.sys
2009-01-22 14:36 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-01-22 14:34 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-01-22 14:21 . 2009-01-22 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-05 16:18 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 18:47 --------- d-----w c:\documents and settings\Michael\Application Data\Viewpoint
2009-01-27 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-27 18:46 --------- d-----w c:\program files\Viewpoint
2009-01-27 04:45 --------- d-----w c:\documents and settings\Michael\Application Data\U3
2009-01-25 20:27 --------- d-----w c:\program files\Windows Defender
2009-01-25 06:01 --------- d-----w c:\documents and settings\Michael\Application Data\Apple Computer
2009-01-23 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-23 03:08 --------- d-----w c:\program files\iTunes
2009-01-23 03:06 --------- d-----w c:\program files\iPod
2009-01-23 03:06 --------- d-----w c:\program files\Common Files\Apple
2009-01-23 02:45 --------- d-----w c:\program files\Apple Software Update
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-08 07:02 13,166 -c--a-w c:\documents and settings\Michael\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-27_22.42.04.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-28 03:38:48 53,166 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-28 15:16:04 53,166 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-28 03:38:49 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-28 15:16:04 380,918 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-02 68856]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 198184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-07-28 1527887]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\LunaImaging\\jres\\Sun\\1.4.1\\bin\\javaw.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-09-06 58464]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]
R4 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2005-09-08 57344]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S4 pciinfo;HP Pci Information;\??\c:\docume~1\Michael\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Michael\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5086f24c-ec2d-11dd-b1ba-bfc914e685a6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 17:42]

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-148601095-2666429203-2819916471-1006.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 00:43]

2009-01-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\wrnx2eu2.default\
FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 10:28:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?9?2?0??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-01-28 10:32:46
ComboFix-quarantined-files.txt 2009-01-28 15:32:26
ComboFix2.txt 2009-01-28 03:45:24

Pre-Run: 32,132,055,040 bytes free
Post-Run: 32,117,043,200 bytes free

245 --- E O F --- 2009-01-27 01:24:39

#6 miekiemoes

Posted 28 January 2009 - 10:56 AM

Hi,

Go to Start > Run and copy and paste the next command in the field:

sc delete "Viewpoint Manager Service"

Hit Enter.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 galem (Topic Starter)

Posted 28 January 2009 - 03:48 PM

It appears to be in good shape now. I'm going to run another full scan and see if anything turns up. Thanks for all your help!

#8 miekiemoes

Posted 29 January 2009 - 03:28 AM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

Posted 30 January 2009 - 05:16 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.