
System Security 2009; win32.tdss.rtk


This topic is locked. 10 replies to this topic.

#1 ArchAngelofHades (Members, 7 posts)

Posted 27 June 2009 - 12:02 PM

Hello. Last night I seem to have had System Security 2009 infect my computer. I have run SpyHunter, which found a problem but was unable to remove it.

I then ran PC Doctor, which also found a problem but wants 40 dollars for the fix.

Spybot Search and Destroy finds Win32.tdss.rtk and win32.delf.rtk. Spybot S&D removes only win32.delf, but upon restart it is back along with Win32.tdss.

I tried to follow the directions for posting on this forum and look forward to any and all help. Thank you.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:28 AM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [15194374] C:\Documents and Settings\All Users\Application Data\15194374\15194374.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152336472466
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: jryjdrtjj6sjjyh4rthgdf80 - Unknown owner - C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5029 bytes
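A way to triage a HijackThis log like the one above mechanically, as an added example that is not part of the original post and not HijackThis code: it scans the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines with a handful of heuristics. The sample lines are copied from the log above; the rule names, thresholds and the `looks_random` test are my own and will also fire on some legitimate software, so a hit means "look closer", not "delete".

```python
"""Heuristic triage of HijackThis O4/O20/O23 entries.

Added example, not part of the original post and not HijackThis code.
SAMPLE_LOG is copied from the log above; the rules are mine and will also
fire on some legitimate software, so treat a hit as "look closer".
"""
import re

# Lines copied verbatim from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [15194374] C:\Documents and Settings\All Users\Application Data\15194374\15194374.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: jryjdrtjj6sjjyh4rthgdf80 - Unknown owner - C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
EXEC_EXT = {'.exe', '.com', '.bat', '.cmd', '.scr', '.pif'}


def image_path(cmd):
    """Extract the program path from a Run value: quoted, or bare up to the first extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.*?\.[A-Za-z]{2,4})(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split(' ')[0]


def extension(path):
    base = path.rsplit('\\', 1)[-1]
    return base[base.rfind('.'):].lower() if '.' in base else ''


def looks_random(name):
    """Long names with almost no vowels, or letters mixed with digits, are typical of generated names."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 12 or not letters:
        return False
    vowel_ratio = sum(c in 'aeiou' for c in name.lower()) / len(letters)
    mixed = any(c.isdigit() for c in name)
    return vowel_ratio < 0.15 or (mixed and vowel_ratio < 0.25)


def triage(log_text):
    """Return (rule, line) pairs for every suspicious O4/O20/O23 entry."""
    hits = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            path = image_path(m['cmd']).lower()
            ext = extension(path)
            if m['name'].isdigit():
                hits.append(('run-name-all-digits', line))
            if ext and ext not in EXEC_EXT:
                hits.append(('run-odd-extension', line))      # e.g. net.net
            if '\\application data\\' in path and ext in EXEC_EXT:
                hits.append(('run-exe-in-appdata', line))
            if m['hive'].startswith('HKUS\\'):
                hits.append(('run-in-system-or-default-hive', line))
            continue
        m = O20_RE.match(line)
        if m and m['dlls'].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll
            hits.append(('appinit-dll-set', line))
            continue
        m = O23_RE.match(line)
        if m:
            if looks_random(m['name']):
                hits.append(('service-random-name', line))
            if re.match(r'^c:\\windows\\[^\\]+\.exe$', m['path'].lower()):
                hits.append(('service-exe-in-windows-root', line))
    return hits


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'{rule:32} {line}')
```

Run as-is it reports seven hits: the net.net Run value (non-executable extension), the all-digit 15194374 entry living under All Users\Application Data, the kell entry in the SYSTEM hive, the AppInit_DLLs injection, and the random-named service running from the root of the Windows directory; the Kaspersky and Adobe entries pass every rule.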



#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 30 June 2009 - 11:45 PM

Hello ArchAngelofHades,


You have a lot wrong here besides TDSS. :thumbup2: Can you get into normal mode?

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to ArchAngel.exe and try it again. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 ArchAngelofHades (Topic Starter, Members, 7 posts)

Posted 01 July 2009 - 11:13 AM

Yes, at the time I first posted I was able to log into normal Windows, but it would trigger the System Security program, so until I stopped the unnecessary garbage files from running, I did all the repairs from within Safe Mode. While waiting for a reply, I did some further research on fixes on this forum, and I do believe I have had some success at getting rid of my computer's problems.

I will attempt to recreate and document the process I took to remove System Security 2009 and the other programs that had infected my computer, so that others may have this resource and hopefully the same success I did.

After running Spybot Search and Destroy and killing the programs that I did not recognize as normal during startup, I then tracked down, renamed, and deleted:

C:\WINDOWS\jryjdrtjj6sjjyh4rthgdf81.exe
C:\Program Files\Manson\liser.exe & all files in the Manson folder.

and any files related to System Security 2009

I did have to "unhide" some of the files.

I then ran MBAM, SuperAntiSpyware, and ATF Cleaner.

Today I ran ComboFix and here is the log. Hopefully it looks okay.

Thanks for the help.

ComboFix 09-06-30.03 - Heathen 07/01/2009 8:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.612 [GMT -7:00]
Running from: c:\documents and settings\Heathen\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus Personal Pro *On-access scanning disabled* (Outdated) {816CD617-99F4-4B18-828E-80582E4B044D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\UACaechvioiympvwqx.db
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-28 17:22 . 2009-06-28 18:34 117760 ----a-w- c:\documents and settings\Heathen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-28 17:16 . 2009-06-28 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-28 17:15 . 2009-06-28 17:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-28 17:15 . 2009-06-28 17:15 -------- d-----w- c:\documents and settings\Heathen\Application Data\SUPERAntiSpyware.com
2009-06-28 16:56 . 2009-06-28 16:56 -------- d-----w- c:\documents and settings\Heathen\Application Data\Malwarebytes
2009-06-28 16:56 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 16:56 . 2009-06-28 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-28 16:56 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-28 16:56 . 2009-06-28 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 16:39 . 2009-06-27 16:39 -------- d-----w- c:\program files\Trend Micro
2009-06-27 08:10 . 2009-06-27 08:56 -------- d-----w- c:\program files\Enigma Software Group
2009-06-27 06:39 . 2005-05-18 23:58 11849 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal Pro\5.0\Bases\klstm.sys
2009-06-27 06:38 . 2005-05-20 00:22 10760 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal Pro\5.0\Bases\klcr.sys
2009-06-27 06:38 . 2005-05-19 21:48 62604 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal Pro\5.0\Bases\ids0005c.sys
2009-06-27 06:38 . 2005-05-18 23:58 17896 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal Pro\5.0\Bases\klfw.sys
2009-06-27 06:38 . 2009-06-27 06:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-27 06:27 . 2009-06-27 06:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-23 05:56 . 2009-06-23 05:56 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-23 05:53 . 2009-02-25 22:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-23 05:46 . 2009-06-23 05:46 -------- d-----w- C:\ATI
2009-06-21 18:00 . 2009-06-21 18:00 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-21 18:00 . 2009-06-21 18:00 -------- d-----w- c:\documents and settings\Heathen\Application Data\SystemRequirementsLab
2009-06-21 18:00 . 2009-06-21 18:00 290816 ----a-w- c:\documents and settings\Heathen\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-21 18:00 . 2009-06-21 18:00 290816 ----a-w- c:\documents and settings\Heathen\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-21 18:00 . 2009-06-21 18:00 290816 ----a-w- c:\documents and settings\Heathen\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-21 18:00 . 2009-06-21 18:00 290816 ----a-w- c:\documents and settings\Heathen\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-16 00:24 . 2009-06-16 00:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-09 19:01 . 2009-06-09 19:01 -------- d-sh--w- c:\documents and settings\Heathen\PrivacIE
2009-06-09 19:01 . 2009-06-09 19:01 -------- d-sh--w- c:\documents and settings\Heathen\IECompatCache
2009-06-09 18:58 . 2009-06-09 18:58 -------- d-sh--w- c:\documents and settings\Heathen\IETldCache
2009-06-09 18:56 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 18:56 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 18:56 . 2009-06-09 18:56 -------- d-----w- c:\windows\ie8updates
2009-06-09 18:56 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-09 18:55 . 2009-06-09 18:55 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 17:44 . 2007-04-29 17:33 -------- d-----w- c:\documents and settings\Heathen\Application Data\Azureus
2009-06-28 18:31 . 2007-09-22 17:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 17:15 . 2007-04-19 04:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 08:58 . 2006-10-18 00:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 05:40 . 2006-07-09 05:34 -------- d-----w- c:\program files\Trillian
2009-06-23 02:30 . 2009-04-16 19:14 -------- d-----w- c:\documents and settings\Heathen\Application Data\uTorrent
2009-05-20 03:54 . 2006-07-08 07:43 263440 ----a-w- c:\documents and settings\Heathen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 17:22 . 2006-07-11 18:38 -------- d-----w- c:\documents and settings\Heathen\Application Data\dvdcss
2009-05-13 08:03 . 2007-04-29 17:39 -------- d-----w- c:\program files\Call of Duty 2
2009-05-13 05:15 . 2006-04-28 17:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2002-08-29 03:41 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 19:32 . 2009-05-05 19:31 -------- d-----w- c:\program files\Aspell
2009-04-17 09:58 . 2002-08-29 02:14 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 19:13 . 2007-09-27 19:55 7114736 ----a-w- c:\documents and settings\Heathen\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-04-15 15:11 . 2006-07-08 06:41 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311v2 Smart Configuration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v2 Smart Configuration.lnk
backup=c:\windows\pss\NETGEAR WG311v2 Smart Configuration.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"15194374"=c:\documents and settings\All Users\Application Data\15194374\15194374.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Doom2\\glLegacy.exe"=
"c:\\Program Files\\Rune\\System\\Rune.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Fasttrak;Fasttrak;c:\windows\system32\drivers\Fasttrak.sys [12/20/2001 11:49 AM 70528]
R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [8/4/2005 7:01 AM 10995]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [9/21/2008 5:58 PM 16288]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 Idebbusxave;Idebbusxave; [x]
S3 Ndimafx;Ndimafx; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Heathen\Application Data\Mozilla\Firefox\Profiles\6o74weeg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fastmail.fm/
FF - plugin: c:\documents and settings\Heathen\Local Settings\Application Data\HuluDesktop\instances\0.9.6.1\npHDPlg.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.11); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.01.01.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 08:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-01 8:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 15:56

Pre-Run: 95,018,188,800 bytes free
Post-Run: 94,954,708,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2009-06-09 21:02


and the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:16 PM, on 7/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152336472466
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4548 bytes

Edited by ArchAngelofHades, 01 July 2009 - 02:23 PM.
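The ComboFix log above is cleaner than the first HijackThis log (the UACd.sys service and the UAC*.db files it reported deleting are gone), but its "Reg Loading Points" section still records settings worth reading: Security Center overrides that hide the anti-virus state, Explorer policies that lock the user out of parts of the shell, and a firewall exception for mshta.exe. The following is an added example, not part of the original post and not ComboFix code; it parses that REGEDIT4-style rendering and reports those three things. The fragment is copied from the log above; the value decoding and the check rules are my own.

```python
"""Checks over the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original post and not ComboFix code.
SAMPLE_REG is copied from the log above; the three checks are mine:
Security Center overrides, Explorer lockdown policies, and firewall
exceptions for script hosts such as mshta.exe.
"""
import re

# Copied from the ComboFix log posted above (REGEDIT4-style rendering).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"""

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')
# Script/loader hosts that rarely need an inbound firewall exception on a home PC.
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe', 'cmd.exe'}
OVERRIDES = {'antivirusoverride', 'firewalloverride', 'updatesoverride', 'disablemonitoring'}


def parse_value(data):
    """Decode the renderings ComboFix uses: dword:, '<n> (0x..)', raw hex bytes, quoted string."""
    data = data.strip()
    if data == '':
        return None
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    m = re.match(r'^(\d+) \(0x[0-9a-fA-F]+\)$', data)
    if m:
        return int(m.group(1))
    if re.fullmatch(r'(?:[0-9a-fA-F]{2})+', data):
        return int.from_bytes(bytes.fromhex(data), 'little')   # REG_BINARY shown as bytes
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1]
    return data


def parse_reg(text):
    """Return {key_lowercase: {value_name: decoded_value}}."""
    tree, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m['key'].lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m['name'].replace('\\\\', '\\')] = parse_value(m['data'])
    return tree


def check(tree):
    """Return (rule, item) findings over a parsed fragment."""
    findings = []
    for key, values in tree.items():
        if key.endswith('\\security center') or '\\security center\\monitoring\\' in key:
            for name, val in values.items():
                if name.lower() in OVERRIDES and val == 1:
                    findings.append(('security-center-suppressed', name))
        elif key.endswith('\\policies\\explorer'):
            for name, val in values.items():
                if name.startswith('No') and val not in (None, 0):
                    findings.append(('explorer-lockdown-policy', name))
        elif key.endswith('\\authorizedapplications\\list'):
            for name in values:
                base = name.rsplit('\\', 1)[-1].lower()
                if base in SCRIPT_HOSTS:
                    findings.append(('firewall-exception-script-host', base))
    return findings


if __name__ == '__main__':
    for rule, item in check(parse_reg(SAMPLE_REG)):
        print(f'{rule:32} {item}')
```

On the fragment above this reports eight findings: AntiVirusOverride and DisableMonitoring set to 1 (the Security Center will not complain that Kaspersky is outdated or off), five Explorer lockdown policies (NoViewOnDrive is 0 and is skipped), and the mshta.exe firewall exception. None of these is proof of infection on its own, but each is a setting a user rarely makes on purpose and a helper would normally ask about or reset.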


#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 01 July 2009 - 03:01 PM

Hello there,

WOW....what a massive difference in logs! :thumbup2: You worked your butt off and it shows. ComboFix got rid of the rest of the rootkit you had.......how is it running now?

tea

#5 ArchAngelofHades (Topic Starter, Members, 7 posts)

Posted 01 July 2009 - 10:51 PM

I think my system is running fine now, but as I was glancing through this thread again, I noticed in my last HijackThis log that "lsass.exe" is running. I am not familiar with that process, so I did a quick Google search and now am not sure if that one should concern me. There seems to be disagreement as to whether this program is good or bad.

Thanks again.

#6 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 01 July 2009 - 11:05 PM

Hello,

It's all location, location, location for lsass.exe. :) Yours is fine.....nothing at all wrong with it. :thumbup2:

Still a couple of things to do :

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java:
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Also, have you run a scan with MBAM since you ran ComboFix? If not, then please make sure it's updated and do so. Post the report in your reply, if there is anything to post. If all is well then, then we'll finish up. :)

Thanks,
tea
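The "location, location, location" answer above is the whole test for a core process like lsass.exe: the name is expected, what matters is the directory it runs from, whether a second copy exists, and whether a look-alike name (scvhost.exe, isass.exe) is hiding in the list. The following is an added example, not part of the original thread and not HijackThis code, that applies that test to a "Running processes" section. The listing is copied from the second HijackThis log above plus two constructed lines (a second lsass.exe outside system32 and a look-alike scvhost.exe) so that it produces hits; the expected directories assume a default Windows XP install on C:.

```python
"""Location check for core Windows processes in a HijackThis 'Running processes' list.

Added example, not part of the original thread and not HijackThis code.
The listing is copied from the second HijackThis log above, plus two
constructed lines (a second lsass.exe outside system32 and a look-alike
scvhost.exe) to show what a hit looks like. Directory expectations are
for a default Windows XP install on C:.
"""

# Core XP processes and the only directory each should run from (assumed C:\WINDOWS).
EXPECTED_DIR = {
    'smss.exe': r'c:\windows\system32',
    'csrss.exe': r'c:\windows\system32',
    'winlogon.exe': r'c:\windows\system32',
    'services.exe': r'c:\windows\system32',
    'lsass.exe': r'c:\windows\system32',
    'svchost.exe': r'c:\windows\system32',
    'spoolsv.exe': r'c:\windows\system32',
    'explorer.exe': r'c:\windows',
}
# Processes that appear once on a single-session XP machine (svchost is deliberately absent).
SINGLETONS = {'smss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'explorer.exe'}

SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\scvhost.exe
"""  # the last two lines are constructed, not from the posted log


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'scvhost' vs 'svchost' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_processes(listing):
    """Return (rule, item) findings: wrong directory, look-alike name, duplicated singleton."""
    findings, seen = [], {}
    for raw in listing.splitlines():
        path = raw.strip()
        if not path:
            continue
        directory, _, name = path.lower().rpartition('\\')
        seen[name] = seen.get(name, 0) + 1
        if name in EXPECTED_DIR:
            if directory != EXPECTED_DIR[name]:
                findings.append(('wrong-directory', path))
        else:
            stem = name.rsplit('.', 1)[0]
            if any(osa_distance(stem, core.rsplit('.', 1)[0]) == 1 for core in EXPECTED_DIR):
                findings.append(('lookalike-name', path))
    for name in sorted(SINGLETONS):
        if seen.get(name, 0) > 1:
            findings.append(('duplicate-singleton', name))
    return findings


if __name__ == '__main__':
    for rule, item in check_processes(SAMPLE_PROCESSES):
        print(f'{rule:20} {item}')
```

The genuine C:\WINDOWS\system32\lsass.exe from the posted log produces no finding; only the constructed copy in C:\WINDOWS and the constructed scvhost.exe do, plus the note that lsass.exe now appears twice. The look-alike rule uses a distance of exactly 1 to keep false positives down; widening it catches more typos but starts matching short legitimate names.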

#7 ArchAngelofHades (Topic Starter, Members, 7 posts)

Posted 02 July 2009 - 02:34 AM

I successfully updated Java and did an updated MBAM scan and everything came out clean. Thanks a million.

What program(s) do you recommend running in the background or using to scan on a regular basis for optimal protection? I am sure there has to be some sort of balance and it is probably based on individual needs, but is there a general rule of thumb or advice that seems to work better than others?

Thanks. :thumbup2:

#8 teacup61 (Malware Response Team)

Posted 02 July 2009 - 03:23 AM

Hello,

You're most welcome a million. :thumbup2:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

And I most assuredly do have some things for you. You already implement a couple of them, so I've left them out:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running one of the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Great tips and info-----> http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#9 ArchAngelofHades (Topic Starter)

Posted 02 July 2009 - 04:15 AM

Just on a whim I ran a full scan (I had previously been running quick scans) with MBAM and the following log was generated. MBAM fixed these problems. Is there any other program I should go back and rerun in a full scan?

Malwarebytes' Anti-Malware 1.38
Database version: 2361
Windows 5.1.2600 Service Pack 2

7/2/2009 2:04:46 AM
mbam-log-2009-07-02 (02-04-46).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 194655
Time elapsed: 46 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210755.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210756.dll (Adware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210757.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210758.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210759.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210760.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0211339.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0211942.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0212179.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0212580.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0213789.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0213861.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214434.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214435.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214436.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214437.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214438.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214439.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

I hope you enjoy your thank-you, which I sent to your PayPal.

ArchAngelofHades / Hellraiser :thumbup2:

#10 teacup61 (Malware Response Team)

Posted 02 July 2009 - 04:42 AM

Hi,

Those were/are no threat to you. They were in System Restore and not active. We can clear out all restore points so you're left with a clean one only. :thumbup2:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

MBAM should come up squeaky clean now. :)

Thank you. :) I think I got it... sometimes it's hard to tell since the user names are different than e-mail names.

tea
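The full-scan log in post #9 and the reply in #10 make a point worth automating when you triage these reports: every one of the 18 hits lives under `System Volume Information\_restore{...}\RPnnn\`, i.e. inside a System Restore snapshot, where the file is dormant copy and not running code. The added example below (not code from the thread, from Malwarebytes, or from BleepingComputer) parses the MBAM 1.x text log format shown above, cross-checks the "Files Infected: N" summary count against the entries actually listed, and separates restore-point hits from hits in active locations. The embedded sample log is constructed: its restore-point paths mirror the real log, while the last entry (`EXAMPLE_ACTIVE.sys`) is an invented, clearly labelled active hit added only so the classification has both kinds of input.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not MBAM's own tooling).

Detections under System Volume Information\_restore{GUID}\RPnnn\ are copies kept
by System Restore; they are not active and are cleared by purging restore points,
as the reply above explains. Hits anywhere else need follow-up.
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.38 log format used in this thread. The three
# restore-point entries copy real paths from the posted log; the final entry is
# an invented "active" hit (EXAMPLE_ACTIVE.sys) added only for illustration.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2361
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 194655

Registry Keys Infected: 0
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210755.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0210758.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{345c5870-24ef-4df4-9b6f-f1d00f733cd2}\RP631\A0214439.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\windows\system32\drivers\EXAMPLE_ACTIVE.sys (Trojan.TDSS) -> Delete on reboot.
"""

# A System Restore snapshot path: \System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.IGNORECASE)
# "Files Infected: 18"  (summary block near the top of the log)
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# "Files Infected:"     (section header, followed by one entry per line)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<Category>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[\w.]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, detections) from the raw log text."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            detections.append({
                "section": section,
                "path": m["path"],
                "category": m["category"],
                "action": m["action"],
                "in_restore_point": bool(RESTORE_RE.search(m["path"])),
            })
    return summary, detections


def triage(text):
    """Summarise file detections: how many are dormant restore-point copies,
    which ones sit in active locations, and whether the listed entries agree
    with the log's own summary count."""
    summary, detections = parse_mbam_log(text)
    files = [d for d in detections if d["section"] == "Files Infected"]
    active = [d["path"] for d in files if not d["in_restore_point"]]
    return {
        "files_listed": len(files),
        "summary_consistent": summary.get("Files Infected") == len(files),
        "dormant_restore_point_hits": sum(d["in_restore_point"] for d in files),
        "active_hits": active,
        "categories": dict(Counter(d["category"] for d in files)),
        "needs_follow_up": bool(active),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real log from post #9 (pasted in place of `SAMPLE_LOG`), `dormant_restore_point_hits` equals `files_listed` (18), `active_hits` is empty and `needs_follow_up` is `False`, which is exactly the "no threat to you" verdict in post #10; the constructed sample instead reports one active hit so you can see what the other outcome looks like.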

#11 teacup61 (Malware Response Team)

Posted 06 July 2009 - 07:01 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.