MS Antispyware 2009 infection


13 replies to this topic

#1 msmcfad


Posted 30 January 2009 - 10:10 PM

My kids' computer is infected with MS Antispyware 2009. I followed the guides instructing me to download Malwarebytes' Anti-malware. I was able to run it and it found many infected files. It was not able to clean them all, but there were fewer and fewer infected files after running it a few times. Then I became unable to run Anti-malware at all. I uninstalled and re-installed but I couldn't even download this program (the download would abort and Firefox would simply close) until I re-booted in safe mode. I had to enable safe mode through the msconfig command as the option disappeared from my boot options.

The Malwarebytes' Anti-malware program now shows 0 infected files. But this computer is still messed up and MS Antispyware keeps popping up. Random internet windows keep popping up also, and my CPU usage in Task Manager keeps showing 100%. I have to re-boot to be able to do anything, and then eventually it goes to 100% CPU usage once again.

Here is my DDS.txt log:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Administrator at 21:51:04.14 on Fri 01/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.81 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\usbservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\sysrest324.exe
C:\Documents and Settings\Administrator\Application Data\intranetexplorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX3\Codec_v.1003.7.exe
C:\Documents and Settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0\down\mini000.exe
C:\Documents and Settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0\down\im001.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {360417c1-5a8f-4938-a71f-75a5450bd037} - c:\windows\system32\nnnmjHaY.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {d66fca1d-1699-4f64-a2dc-1e72c260f5c2} - c:\windows\system32\ssqPjjGX.dll
BHO: {ddd5bf74-5a80-4a19-914d-693ebcace382} - c:\windows\system32\awtQhgFv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows USB Automatic Service] winusbservice.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Secure System Restore32] sysrest324.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Microsoft Intranet Patcher] c:\documents and settings\administrator\application data\intranetexplorer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [*svchostBoot] "c:\documents and settings\administrator\application data\svchost.exe"
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090123a.dll xccd16
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: sehddq.dll,mddsyr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGAponM

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5vd29b4j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-28 38496]
S1 ca4170b6;ca4170b6;c:\windows\system32\drivers\ca4170b6.sys --> c:\windows\system32\drivers\ca4170b6.sys [?]
S1 d1afdaac;d1afdaac;c:\windows\system32\drivers\d1afdaac.sys --> c:\windows\system32\drivers\d1afdaac.sys [?]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-2-14 68922]

=============== Created Last 30 ================

2009-01-30 20:26 33 a------- c:\docume~1\admini~1\applic~1\__t.bin
2009-01-30 20:26 796,787 a------- c:\docume~1\admini~1\applic~1\svchost.exe
2009-01-30 20:24 85,504 a------- C:\1030.exe
2009-01-30 13:48 131,072 a------- C:\crypt2.exe
2009-01-30 10:22 131,072 a------- C:\crypt.exe
2009-01-30 02:01 91,648 ---shr-- c:\windows\sysrest324.exe
2009-01-29 15:17 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-29 15:08 88,576 a------- C:\ms2ag.exe
2009-01-29 14:53 <DIR> --d----- c:\documents and settings\administrator\ContentWatch
2009-01-29 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-28 21:51 <DIR> --d----- c:\windows\pss
2009-01-28 21:31 <DIR> --d----- c:\program files\WebShow
2009-01-28 21:26 151,040 a------- c:\windows\scvhost32.exe
2009-01-28 21:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\_4f4fd7202daac89d73b7393a4b2ea4c0
2009-01-28 21:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-28 21:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-28 21:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 21:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 21:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-28 18:14 88,576 a------- C:\ms2.exe
2009-01-28 18:05 88,576 a------- C:\ms.exe
2009-01-28 18:03 126,976 a------- C:\ab2.exe
2009-01-28 18:02 126,976 a------- C:\ab.exe
2009-01-28 17:06 38,450 a------- C:\crim2.exe
2009-01-28 16:57 38,450 ---shr-- c:\windows\winusbservice.exe
2009-01-28 16:57 38,450 a------- C:\crim.exe
2009-01-28 12:33 81,931 a------- C:\ns2setup.exe
2009-01-28 12:32 20,018 a------- C:\dl1a.exe
2009-01-28 12:32 20,018 ---shr-- c:\windows\usbautotuner.exe
2009-01-28 03:36 41,522 ---shr-- c:\windows\usbservice.exe
2009-01-27 16:39 460 a------- c:\windows\xccwinsys.ini
2009-01-27 16:39 <DIR> --d----- c:\windows\system32\inf
2009-01-27 16:35 1,507,328 ---shr-- c:\docume~1\admini~1\applic~1\intranetexplorer.exe
2009-01-27 16:35 2 a------- C:\82987048
2009-01-27 16:35 1,507,328 a------- C:\dl1.exe
2009-01-27 16:35 36,864 a------- C:\euicjdcm.exe
2009-01-23 10:11 1,527,337 ---sh--- c:\windows\system32\rhjhfwij.ini
2009-01-22 10:06 1,434,061 a--sh--- c:\windows\system32\ijyhcycx.ini
2009-01-22 10:05 407,206 a--sh--- c:\windows\system32\MnopAGgh.ini2
2009-01-22 10:05 368,535 a--sh--- c:\windows\system32\MnopAGgh.ini
2009-01-21 17:39 1,434,061 a--sh--- c:\windows\system32\gjlafhiu.ini
2009-01-21 17:39 1,055,686 a--sh--- c:\windows\system32\YaHjmnnn.ini2
2009-01-21 17:39 1,055,686 a--sh--- c:\windows\system32\YaHjmnnn.ini
2009-01-20 16:25 1,100,580 a--sh--- c:\windows\system32\vFghQtwa.ini2
2009-01-20 16:25 459 a--sh--- c:\windows\system32\vFghQtwa.ini
2009-01-19 17:36 1,406,503 a--sh--- c:\windows\system32\blirpvsb.ini
2009-01-19 17:35 1,678,531 a--sh--- c:\windows\system32\XGjjPqss.ini2
2009-01-19 17:35 1,678,855 a--sh--- c:\windows\system32\XGjjPqss.ini
2009-01-19 13:35 <DIR> --d----- c:\program files\Aztec Bricks
2009-01-19 13:34 <DIR> --d----- c:\program files\ReflexiveArcade
2009-01-19 11:11 <DIR> --d----- C:\Downloads
2009-01-19 11:10 <DIR> --d----- c:\program files\BitComet
2009-01-18 19:15 4,096 a------- c:\windows\d3dx.dat
2009-01-18 18:52 <DIR> --d----- c:\program files\LEGO Software
2009-01-18 17:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gamelab
2009-01-18 17:50 <DIR> --d----- c:\docume~1\admini~1\applic~1\gamelab
2009-01-18 17:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-01-18 17:49 <DIR> --d----- c:\program files\LEGO Fever

==================== Find3M ====================

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-04 08:20 30,544 a------- c:\windows\dirdib.drv
2008-11-04 08:20 30,464 a------- c:\windows\macromix.dll
2008-03-14 22:12 26,882 a------- c:\program files\license.html
2008-03-14 22:12 25,776 a------- c:\program files\license.txt
2008-03-14 22:12 11,678 a------- c:\program files\readme.txt
2008-03-14 22:12 10,716 a------- c:\program files\readme.html
2008-02-08 16:40 349,271 a------- c:\program files\THIRDPARTYLICENSEREADME.html
2008-10-25 09:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 21:52:08.12 ===============
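The "Created Last 30" section above is what a helper scans first: executables marked hidden+system under c:\windows, executables dropped in the drive root or under Application Data, hidden .ini pairs in system32, and a random hex-named directory. As an added example (not part of this thread and not DDS's own code), this Python script parses that line format and applies those heuristics to a constructed sample that copies the shape of the log lines:

```python
"""Triage helper for DDS-style "Created Last 30" listings.

Each line has the shape:  YYYY-MM-DD HH:MM  <size|<DIR>>  <8-char attrs>  <path>
where the attribute field uses a=archive, d=directory, s=system, h=hidden, r=readonly.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS format shown above (a subset of the log, not the full listing).
SAMPLE_DDS = r"""
2009-01-30 20:26 796,787 a------- c:\docume~1\admini~1\applic~1\svchost.exe
2009-01-30 20:24 85,504 a------- C:\1030.exe
2009-01-30 02:01 91,648 ---shr-- c:\windows\sysrest324.exe
2009-01-29 15:17 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-29 14:53 <DIR> --d----- c:\documents and settings\administrator\ContentWatch
2009-01-28 21:24 <DIR> --d----- c:\docume~1\admini~1\applic~1\_4f4fd7202daac89d73b7393a4b2ea4c0
2009-01-28 21:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 10:11 1,527,337 ---sh--- c:\windows\system32\rhjhfwij.ini
2009-01-19 13:35 <DIR> --d----- c:\program files\Aztec Bricks
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        dot = self.name.rfind(".")
        return self.name[dot:].lower() if dot >= 0 else ""


def parse_dds(text: str) -> List[Entry]:
    """Parse every line matching the DDS listing format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def triage(e: Entry) -> List[str]:
    """Heuristics modelled on what stands out in the log above; each hit is a reason string."""
    reasons = []
    p = e.path.lower()
    hidden, system = "h" in e.attrs, "s" in e.attrs
    if e.is_dir:
        if re.fullmatch(r"_?[0-9a-f]{32}", e.name):
            reasons.append("directory with random 32-hex name")
        return reasons
    if e.ext in EXEC_EXTS:
        if hidden and system:
            reasons.append("executable marked hidden+system")
        if re.fullmatch(r"[a-z]:\\[^\\]+", p):
            reasons.append("executable dropped in drive root")
        if any(t in p for t in ("\\applic~1\\", "\\application data\\", "\\temp\\")):
            reasons.append("executable under user profile data/temp")
        if e.ext == ".sys" and re.fullmatch(r"[0-9a-f]{8}\.sys", e.name.lower()):
            reasons.append("driver with random 8-hex name")
    elif hidden and "\\system32\\" in p and e.ext in {".ini", ".ini2", ".dat"}:
        reasons.append("hidden data file in system32")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every entry that trips at least one heuristic."""
    return {e.path: r for e in parse_dds(text) if (r := triage(e))}


if __name__ == "__main__":
    for path, why in triage_log(SAMPLE_DDS).items():
        print(f"{path}\n    " + "; ".join(why))
```

Known-good entries such as MFC71.dll and mbamswissarmy.sys pass through unflagged, which is the point: the heuristics key on placement and attributes, not on names alone.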


#2 msmcfad


Posted 31 January 2009 - 04:07 PM

I also wanted to add that I am unable to access bleepingcomputer from the infected computer, nor can I access any of the anti-virus websites; I keep getting re-directed to various "search" websites.

#3 fenzodahl512


Posted 01 February 2009 - 09:51 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here..

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 msmcfad


Posted 01 February 2009 - 12:39 PM

Thank you for your help.

I am at a loss here. I cannot connect to bleepingcomputer.com from the infected computer. I can't connect to geekstogo or norton or symantec or any site you sent me to for the ComboFix download. I CAN connect to google or yahoo and any websites that would not be considered security or spyware removal help sites. Switching to Safe Mode does not help.

When I ping a site like bleepingcomputer.com I get the 127.0.0.1 redirect. This does not happen from our other computers.

I downloaded ComboFix from a non-infected computer to a usb drive (which I will destroy), renamed it Combo-Fix during the download, copied it onto the infected machine and it started to run. It told me there was rootkit activity and asked me to write down some files before it re-booted. The files are as follows:

C:\Windows\System32\drivers\TDSSpcuu.sys
C:\Windows\System32\TDSSktkl.dll
C:\Windows\System32\TDSSwgqt.dat
C:\Windows\System32\TDSSirxn.dll
C:\Windows\System32\TDSSrmjf.dll
C:\Windows\System32\TDSSocum.dll
C:\Windows\System32\TDSSxekj.dll
C:\Windows\System32\TDSSqrwn.log
C:\Windows\System32\TDSSnmxh.log
C:\Windows\System32\TDSSqahc.dll
C:\Windows\System32\TDSSshkx.log

The system re-booted and appears to be running ComboFix. My question is - how do I get the log from the ComboFix from the infected computer to this website without possibly infecting one of our other computers like the one I'm on right now? I can't connect to bleepingcomputer from the infected computer and I'm nervous to put the log on a USB drive and transfer it to an uninfected computer. I don't know enough about this malware to know if it can infect USB drives but I would guess it can.

Thanks again,

Susan

#5 fenzodahl512


Posted 02 February 2009 - 01:38 AM

Well, can you connect to this website now with the computer?.. If not, just transfer the files/logs via a thumbdrive, or, the best option, burn them to a CD..


Please find the log at C:\combofix.txt and post its content here.

Edited by fenzodahl512, 02 February 2009 - 01:40 AM.



#6 msmcfad


Posted 02 February 2009 - 09:32 AM

Here is the log from ComboFix (I was able to access bleepingcomputer from the infected machine):


ComboFix 09-01-31.03 - Administrator 2009-02-01 12:30:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.239 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\update.exe
c:\windows\Pt.dll
c:\windows\system32\blirpvsb.ini
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\drivers\TDSSpcuu.sys
c:\windows\system32\gjlafhiu.ini
c:\windows\system32\ijyhcycx.ini
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\MnopAGgh.ini
c:\windows\system32\MnopAGgh.ini2
c:\windows\system32\rhjhfwij.ini
c:\windows\system32\TDSSirxn.dll
c:\windows\system32\TDSSktkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSocum.dll
c:\windows\system32\TDSSqahc.dll
c:\windows\system32\TDSSqrwn.log
c:\windows\system32\TDSSrmjf.dll
c:\windows\system32\TDSSshkx.log
c:\windows\system32\TDSSwgqt.dat
c:\windows\system32\TDSSxekj.dll
c:\windows\system32\vFghQtwa.ini
c:\windows\system32\vFghQtwa.ini2
c:\windows\system32\XGjjPqss.ini
c:\windows\system32\XGjjPqss.ini2
c:\windows\system32\YaHjmnnn.ini
c:\windows\system32\YaHjmnnn.ini2
c:\windows\Tasks\ieyvfqrq.job
c:\windows\xccwinsys.ini

----- BITS: Possible infected sites -----

hxxp://polfjymawjy.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-02-01 12:13 . 2009-02-01 12:17 159,744 --a------ C:\msh.exe
2009-02-01 11:57 . 2009-02-01 12:36 112,624 --a------ c:\windows\system32\drivers\50463ec3.sys
2009-01-31 22:31 . 2009-01-31 22:31 <DIR> d-------- c:\program files\CCleaner
2009-01-31 22:03 . 2009-01-31 22:03 131,072 -r-hs---- c:\documents and settings\Administrator\Application Data\intranetexplorer.exe
2009-01-31 22:01 . 2009-02-01 11:36 82,432 --a------ C:\ching.exe
2009-01-31 19:56 . 2009-01-31 19:59 65 --a------ c:\documents and settings\Administrator\e.bat
2009-01-31 19:08 . 2009-01-31 19:08 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-31 18:21 . 2009-01-31 18:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MSNInstaller
2009-01-31 15:47 . 2009-01-31 15:26 812,344 --a------ C:\HJTInstall.exe
2009-01-31 15:16 . 2009-01-31 15:40 126,976 -r-hs---- c:\windows\winusbservicese.exe
2009-01-31 15:16 . 2009-01-31 18:02 126,976 --a------ C:\lbc.exe
2009-01-31 14:19 . 2009-01-31 14:19 1,527,296 --a------ C:\WindowsUpdateSP3.exe
2009-01-31 14:18 . 2009-01-31 14:18 135,168 -r-hs---- c:\windows\mssvs32.exe
2009-01-31 14:18 . 2009-01-31 14:18 135,168 --a------ C:\sp23.exe
2009-01-30 21:54 . 2009-02-01 12:36 112,624 --a------ c:\windows\system32\drivers\8ae5b78a.sys
2009-01-30 21:53 . 2009-01-30 21:53 15,000 --a------ c:\windows\system32\gsdrgfdrrgnd.dll
2009-01-30 20:26 . 2009-01-28 17:39 796,787 --a------ c:\documents and settings\Administrator\Application Data\svchost.exe
2009-01-30 20:26 . 2009-01-30 20:26 33 --a------ c:\documents and settings\Administrator\Application Data\__t.bin
2009-01-30 13:48 . 2009-01-30 21:54 131,072 --a------ C:\crypt2.exe
2009-01-30 10:22 . 2009-01-30 10:22 131,072 --a------ C:\crypt.exe
2009-01-30 02:01 . 2009-01-30 02:00 91,648 -r-hs---- c:\windows\sysrest324.exe
2009-01-29 15:17 . 2009-02-01 10:49 <DIR> d-------- c:\program files\Alwil Software
2009-01-29 15:17 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-29 15:08 . 2009-01-29 15:08 88,576 --a------ C:\ms2ag.exe
2009-01-29 14:53 . 2009-01-29 14:53 <DIR> d-------- c:\documents and settings\Administrator\ContentWatch
2009-01-29 14:06 . 2009-01-29 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-28 21:31 . 2009-01-28 21:31 <DIR> d-------- c:\program files\WebShow
2009-01-28 21:26 . 2009-01-28 21:26 151,040 --a------ c:\windows\scvhost32.exe
2009-01-28 21:24 . 2009-01-28 21:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0
2009-01-28 21:08 . 2009-01-30 14:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 21:08 . 2009-01-28 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 21:08 . 2009-01-28 21:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-28 21:08 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 21:08 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 18:14 . 2009-01-29 15:08 88,576 --a------ C:\ms2.exe
2009-01-28 18:05 . 2009-01-29 09:47 88,576 --a------ C:\ms.exe
2009-01-28 18:03 . 2009-01-28 18:03 126,976 --a------ C:\ab2.exe
2009-01-28 18:02 . 2009-01-28 18:02 126,976 --a------ C:\ab.exe
2009-01-28 17:06 . 2009-01-28 17:36 38,450 --a------ C:\crim2.exe
2009-01-28 16:57 . 2009-01-28 16:57 38,450 -r-hs---- c:\windows\winusbservice.exe
2009-01-28 16:57 . 2009-01-28 16:57 38,450 --a------ C:\crim.exe
2009-01-28 12:33 . 2009-01-28 17:17 81,931 --a------ C:\ns2setup.exe
2009-01-28 12:32 . 2009-01-28 12:32 20,018 -r-hs---- c:\windows\usbautotuner.exe
2009-01-28 12:32 . 2009-01-28 15:54 20,018 --a------ C:\dl1a.exe
2009-01-28 03:36 . 2009-01-30 10:16 41,522 -r-hs---- c:\windows\usbservice.exe
2009-01-27 16:39 . 2009-02-01 12:31 <DIR> d-------- c:\windows\system32\inf
2009-01-27 16:35 . 2009-01-27 16:35 1,507,328 --a------ C:\dl1.exe
2009-01-27 16:35 . 2009-01-27 16:35 36,864 --a------ C:\euicjdcm.exe
2009-01-27 16:35 . 2009-01-27 16:35 2 --a------ C:\82987048
2009-01-19 13:35 . 2009-01-28 21:49 <DIR> d-------- c:\program files\Aztec Bricks
2009-01-19 13:34 . 2009-01-19 13:34 <DIR> d-------- c:\program files\ReflexiveArcade
2009-01-19 11:11 . 2009-01-19 11:28 <DIR> d-------- C:\Downloads
2009-01-19 11:10 . 2009-01-28 21:54 <DIR> d-------- c:\program files\BitComet
2009-01-18 19:15 . 2009-01-18 19:15 4,096 --a------ c:\windows\d3dx.dat
2009-01-18 18:52 . 2009-01-18 19:15 <DIR> d-------- c:\program files\LEGO Software
2009-01-18 17:50 . 2009-01-18 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-18 17:50 . 2009-01-18 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\gamelab
2009-01-18 17:50 . 2009-01-18 17:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\gamelab
2009-01-18 17:49 . 2009-01-18 17:50 <DIR> d-------- c:\program files\LEGO Fever

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 17:35 --------- d-----w c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-02-01 15:48 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-01 00:40 --------- d-----w c:\program files\Google
2009-01-22 20:30 --------- d-----w c:\documents and settings\Administrator\Application Data\LEGO Company
2009-01-21 22:58 --------- d-----w c:\program files\FreeMind
2008-12-31 01:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 01:56 --------- d-----w c:\program files\Samsung
2008-12-31 01:55 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-30 02:40 --------- d-----w c:\documents and settings\Administrator\Application Data\iScreensaver
2008-12-17 22:35 --------- d-----w c:\documents and settings\Administrator\Application Data\Leadertech
2008-12-17 22:32 --------- d-----w c:\program files\Atari
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-04 20:31 --------- d-----w c:\program files\Kids Cam Sticker Factory
2008-12-03 18:54 --------- d-----w c:\program files\MyDSC2
2008-12-03 18:54 --------- d-----w c:\program files\JL2005D
2008-12-03 18:54 --------- d-----w c:\program files\JL2005C
2008-11-04 13:20 30,544 ----a-w c:\windows\dirdib.drv
2008-11-04 13:20 30,464 ----a-w c:\windows\macromix.dll
2008-03-15 03:12 26,882 ----a-w c:\program files\license.html
2008-03-15 03:12 25,776 ----a-w c:\program files\license.txt
2008-03-15 03:12 11,678 ----a-w c:\program files\readme.txt
2008-03-15 03:12 10,716 ----a-w c:\program files\readme.html
2008-02-08 21:40 349,271 ----a-w c:\program files\THIRDPARTYLICENSEREADME.html
2008-10-25 14:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102520081026\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d}]
2009-01-30 21:53 15000 --a------ c:\windows\system32\gsdrgfdrrgnd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32Update"="c:\recycler\S-1-5-21-2836660266-1131089735-328735954-5877\scrss.exe" [2009-01-04 89600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-22 39408]
"tezrtsjhfr84iusjfo84f"="c:\docume~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe" [2009-02-01 15553]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2009-02-01 1126400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*svchostBoot"="c:\documents and settings\Administrator\Application Data\svchost.exe" [2009-01-28 796787]
"sunjavaupdatesched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"phime2002async"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"phime2002a"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"imjpmig8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Microsoft Intranet Patcher"="c:\documents and settings\Administrator\Application Data\intranetexplorer.exe" [2009-01-31 131072]
"Windows USB Automatic Services"="winusbservicese.exe" [2009-01-31 c:\windows\winusbservicese.exe]
"windows usb automatic service"="winusbservice.exe" [2009-01-28 c:\windows\winusbservice.exe]
"secure system restore32"="sysrest324.exe" [2009-01-30 c:\windows\sysrest324.exe]
"microsoft service vince 32"="mssvs32.exe" [2009-01-31 c:\windows\mssvs32.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-07-23 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF4552-94F1-42BD-F434-3604812C807D}"= "c:\windows\system32\gsdrgfdrrgnd.dll" [2009-01-30 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sehddq.dll,mddsyr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\dl1.exe"=
"c:\\dl1a.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\_4f4fd7202daac89d73b7393a4b2ea4c0\\down\\mini000.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23916:TCP"= 23916:TCP:BitComet 23916 TCP
"23916:UDP"= 23916:UDP:BitComet 23916 UDP

S1 ca4170b6;ca4170b6;c:\windows\system32\drivers\ca4170b6.sys --> c:\windows\system32\drivers\ca4170b6.sys [?]
S1 d1afdaac;d1afdaac;c:\windows\system32\drivers\d1afdaac.sys --> c:\windows\system32\drivers\d1afdaac.sys [?]
S2 Usb Service 2.0;Usb Service 2.0;c:\windows\usbservice.exe [2009-01-28 41522]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-28 38496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - tdssserv.sys
*Deregistered* - tdssserv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aea2b4a-744b-11dd-9538-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c798cd7-f081-11dd-aa3f-0013d3b5bfa4}]
\shell\autorun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c798cd8-f081-11dd-aa3f-0013d3b5bfa4}]
\shell\autorun\command - f:\.autorun\835694854683549385398626893468946\Autorun.exe
\shell\open\command - f:\.autorun\835694854683549385398626893468946\Autorun.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: filehippo.com\www
Trusted Zone: kaspersky.com
Trusted Zone: trendmicro.com\housecall
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5vd29b4j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 12:34:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdssserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpcuu.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\50463ec3]
"ImagePath"="\SystemRoot\System32\drivers\50463ec3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\8ae5b78a]
"ImagePath"="\SystemRoot\System32\drivers\8ae5b78a.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aa268b5f]
"ImagePath"="\SystemRoot\System32\drivers\aa268b5f.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdssserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSpcuu.sys"
"group"="file system"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3560)
c:\docume~1\ADMINI~1\LOCALS~1\Temp\uimgr90210update.tmp
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\documents and settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0\down\im001.exe
c:\documents and settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0\down\mini000.exe
C:\1030.exe
c:\docume~1\ADMINI~1\LOCALS~1\temp\setup.exe
c:\windows\system32\msiexec.exe
c:\docume~1\ADMINI~1\LOCALS~1\temp\winlognn.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-02-01 12:46:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 17:45:48

Pre-Run: 31,283,331,072 bytes free
Post-Run: 31,682,994,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

282 --- E O F --- 2009-01-17 23:06:03

#7 msmcfad (Topic Starter, Members, 11 posts)

Posted 02 February 2009 - 02:11 PM

Wanted to add that the system has started a cycle of constantly re-booting itself. I have turned it off!

#8 fenzodahl512 (Members, 6,738 posts)

Posted 02 February 2009 - 10:31 PM

That machine is extremely heavily infected.. Let's do this...


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
ca4170b6
d1afdaac
Usb Service 2.0
tdssserv.sys
50463ec3
8ae5b78a
aa268b5f

File::
c:\windows\System32\drivers\50463ec3.sys
c:\windows\System32\drivers\8ae5b78a.sys
c:\windows\System32\drivers\aa268b5f.sys
C:\msh.exe
c:\windows\system32\drivers\50463ec3.sys
c:\documents and settings\Administrator\Application Data\intranetexplorer.exe
C:\ching.exe
c:\documents and settings\Administrator\e.bat
c:\windows\winusbservicese.exe
C:\lbc.exe
C:\WindowsUpdateSP3.exe
c:\windows\mssvs32.exe
C:\sp23.exe
c:\windows\system32\drivers\8ae5b78a.sys
c:\windows\system32\gsdrgfdrrgnd.dll
c:\documents and settings\Administrator\Application Data\svchost.exe
c:\documents and settings\Administrator\Application Data\__t.bin
C:\crypt2.exe
C:\crypt.exe
c:\windows\sysrest324.exe
c:\windows\scvhost32.exe
C:\ms2.exe
C:\ms.exe
C:\ab2.exe
C:\ab.exe
C:\crim2.exe
c:\windows\winusbservice.exe
C:\crim.exe
C:\ns2setup.exe
c:\windows\usbautotuner.exe
C:\dl1a.exe
c:\windows\usbservice.exe
C:\dl1.exe
C:\euicjdcm.exe
C:\82987048
c:\recycler\S-1-5-21-2836660266-1131089735-328735954-5877\scrss.exe
C:\Documents and Settings\Administrator\Local Settings\temp\csrssc.exe
c:\documents and settings\Administrator\Application Data\svchost.exe
c:\windows\system32\drivers\ca4170b6.sys
c:\windows\system32\drivers\d1afdaac.sys
c:\windows\system32\drivers\TDSSpcuu.sys
C:\Documents and Settings\Administrator\Local Settings\temp\uimgr90210update.tmp
C:\Documents and Settings\Administrator\Local Settings\temp\setup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\winlognn.exe
C:\1030.exe

Folder::
c:\documents and settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdssserv.sys]

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32Update"=-
"tezrtsjhfr84iusjfo84f"=-
"MS AntiSpyware 2009"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*svchostBoot"=-
"Microsoft Intranet Patcher"=-
"Windows USB Automatic Services"=-
"windows usb automatic service"=-
"secure system restore32"=-
"microsoft service vince 32"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF4552-94F1-42BD-F434-3604812C807D}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\dl1.exe"=-
"c:\\dl1a.exe"=-
"c:\\Documents and Settings\\Administrator\\Application Data\\_4f4fd7202daac89d73b7393a4b2ea4c0\\down\\mini000.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aea2b4a-744b-11dd-9538-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c798cd7-f081-11dd-aa3f-0013d3b5bfa4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c798cd8-f081-11dd-aa3f-0013d3b5bfa4}]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdssserv.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\50463ec3]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\8ae5b78a]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aa268b5f]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

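The CFScript above hard-codes indicators that fenzodahl512 pulled out of the ComboFix log by hand: drivers registered under random eight-character hex names (50463ec3, 8ae5b78a, aa268b5f), executables running from Temp, Application Data and the drive root (C:\1030.exe, winlognn.exe), and MountPoints2 autorun handlers pointing at a hidden f:\.autorun\ directory. As an added example, not part of this thread and not a ComboFix or BleepingComputer tool, the Python script below applies those same triage heuristics to a constructed excerpt of the log so the pattern can be reused on another machine's log before a cleanup script is written. The excerpt is trimmed from the log posted above and is embedded only so the example runs offline; the regular expressions, the "user-writable directory" and "drive root" reason labels, and the section-parsing rules are my own assumptions about the ComboFix output format shown on this page.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
# It is NOT the complete log; it is embedded here so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aea2b4a-744b-11dd-9538-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c798cd8-f081-11dd-aa3f-0013d3b5bfa4}]
\shell\autorun\command - f:\.autorun\835694854683549385398626893468946\Autorun.exe
\shell\open\command - f:\.autorun\835694854683549385398626893468946\Autorun.exe

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdssserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpcuu.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\50463ec3]
"ImagePath"="\SystemRoot\System32\drivers\50463ec3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\8ae5b78a]
"ImagePath"="\SystemRoot\System32\drivers\8ae5b78a.sys"

------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\documents and settings\Administrator\Application Data\_4f4fd7202daac89d73b7393a4b2ea4c0\down\im001.exe
C:\1030.exe
c:\docume~1\ADMINI~1\LOCALS~1\temp\setup.exe
c:\windows\system32\msiexec.exe
c:\docume~1\ADMINI~1\LOCALS~1\temp\winlognn.exe
.
**************************************************************************
"""

# Service keys as ComboFix prints them; the captured group is the service name.
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
# Exactly eight hex characters: the naming pattern of the dropped drivers in this log.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
# MountPoints2 autorun handlers (the \shell\autorun and \shell\open commands).
AUTORUN_CMD = re.compile(r"^\\shell\\(?:autorun|open)\\command\s*-\s*(.+?)\s*$", re.I)
PROC_HEADER = re.compile(r"^-+ Other Running Processes -+$")
# Locations a legitimate service rarely runs from, but droppers in this log do.
USER_WRITABLE = re.compile(r"\\(temp|application data|recycler)\\", re.I)
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)


def hex_named_services(log):
    """Service names that are exactly eight hex characters, in order of first appearance."""
    found = []
    for line in log.splitlines():
        m = SERVICE_KEY.match(line.strip())
        if m and HEX_NAME.match(m.group(1)) and m.group(1).lower() not in found:
            found.append(m.group(1).lower())
    return found


def autorun_commands(log):
    """(target, hidden_dir) for every MountPoints2 autorun/open handler in the log.
    hidden_dir is True when any path component starts with a dot, as in f:\\.autorun\\..."""
    out = []
    for line in log.splitlines():
        m = AUTORUN_CMD.match(line.strip())
        if m:
            target = m.group(1)
            hidden = any(part.startswith(".") for part in target.split("\\"))
            out.append((target, hidden))
    return out


def suspicious_processes(log):
    """(path, reason) for running processes in user-writable dirs or at a drive root."""
    out = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if PROC_HEADER.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("*"):  # ComboFix closes the section with a row of asterisks
            break
        if line in ("", "."):
            continue
        if USER_WRITABLE.search(line):
            out.append((line, "user-writable directory"))
        elif ROOT_EXE.match(line):
            out.append((line, "drive root"))
    return out


def triage(log):
    """Bundle the three heuristics into one report dict."""
    return {
        "hex_named_services": hex_named_services(log),
        "autorun_commands": autorun_commands(log),
        "suspicious_processes": suspicious_processes(log),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the excerpt this reports the two hex-named services, three autorun handlers of which the two under f:\.autorun\ are flagged as hidden, and four processes (im001.exe, C:\1030.exe, and the two temp executables) while leaving ati2evxx.exe, GoogleUpdaterService.exe and msiexec.exe alone. The heuristics are deliberately narrow: a hit is a reason to look at the file, not proof that it is malicious, and a clean result says nothing about a rootkit that hides its own service key from the scan.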

#9 msmcfad (Topic Starter, Members, 11 posts)

Posted 02 February 2009 - 10:56 PM

:thumbup2:

I am once again unable to connect to bleepingcomputer.com. Also, the computer is re-booting itself within a minute or two of my starting it up. I re-booted in safe mode but am still unable to connect to bleepingcomputer.com (or any other security-related websites).

If I load the information from your last post onto a CD, is it possible to do what you've asked from safe mode? Otherwise the machine just re-boots in the middle of whatever I'm doing.

At what point do I need to consider wiping this hard drive and starting over? I'm beginning to wonder if I could ever trust this machine.

Thanks,

S

#10 fenzodahl512 (Members, 6,738 posts)

Posted 02 February 2009 - 11:37 PM

At what point do I need to consider wiping this hard drive and starting over? I'm beginning to wonder if I could ever trust this machine.


As I told you in my previous post, your computer is a super heavily infected one.. If you think the best and fastest way is to wipe and reformat your hard disk, I'll 100% agree... Don't forget to backup all your important data/pictures/movies/songs/documents/etc first! :thumbup2:


Tell me more about your decision whether to continue with the cleaning process or to reformat the hard disk :)



#11 msmcfad (Topic Starter, Members, 11 posts)

Posted 03 February 2009 - 09:50 PM

I do believe I'm going to have to re-format the hard drive and re-load everything. The machine is not cooperating at all and keeps shutting down randomly. I have requested a rescue disk from HP since the computer didn't come with one (I bought it from our local school system off-lease). Hopefully it will arrive soon. I think there's a guide here on BC for re-formatting?

Thank you for your help. I do have one question - do I need to worry about whatever this virus/malware is actually having infected my other computers via my home network? This virus was able to get through the router, firewall and AVG so I have no idea what it's capable of. I have scanned my other computers and nothing alarming showed up.

Thanks again,

S

#12 fenzodahl512 (Members, 6,738 posts)

Posted 03 February 2009 - 10:36 PM

I do have one question - do I need to worry about whatever this virus/malware is actually having infected my other computers via my home network? This virus was able to get through the router, firewall and AVG so I have no idea what it's capable of. I have scanned my other computers and nothing alarming showed up.


If you are sharing files between networks, then it's a possibility.. However, if those computers do not have any obvious symptoms and all scans come out clean, you don't have to worry about it..


Anymore questions? :thumbup2:



#13 msmcfad (Topic Starter, Members, 11 posts)

Posted 03 February 2009 - 11:40 PM

Nope, thanks - I think that will do it for now.

Appreciate the help,

S

#14 fenzodahl512 (Members, 6,738 posts)

Posted 04 February 2009 - 12:27 AM

Thank you for notifying us.. I will now close this topic.. Please PM any Moderator or HJT Team member should you need to re-open this topic..


Regards
fenzodahl512

