
Spywareguard 2008 / MS Spyware 2009


2 replies to this topic

#1 jazen

Posted 23 October 2009 - 04:49 PM

Hello, I'm trying to fix a computer for someone, which seems to have various infections. OS is Windows XP Service Pack 2. The most prevalent infection is Spyware Guard 2008. It pops up immediately after Windows starts up. Other known issues include Regedit and Task Manager being disabled (re-enabled easily enough with a VB script and a registry key change, respectively), and Windows hanging for a good 2-3 minutes with just the wallpaper and the cursor (after the welcome screen).

I've tried following the directions to remove Spyware Guard using MBAM, but the program refuses to start. I've decided to leave the computer disconnected from the network and use a USB flash stick to transfer the programs over to try and do the repairs. Every time I plug it into another computer, 2 files are placed on the flash stick to try and infect more computers: system.exe and autorun.inf.

***UPDATE***

Using advice from another thread, I renamed mbam.exe to something else and it ran. I've removed all traces of the infection via MBAM. Thanks to all those who reviewed my logs.

I've included the logs that have been requested per the prep guide for posting:



DDS (Ver_09-10-13.01) - NTFSx86

Run by Owner at 14:12:33.85 on Fri 10/23/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.253 [GMT -7:00]



AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}



============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Vitech Corporation\CORE NLM 43\nlmsvc43.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Creative\Shared Files\CTSched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.google.com/

mDefault_Search_URL = hxxp://www.google.com/

mSearch Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,

TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\2.bin\ASKSBAR.DLL

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

mRun: [SoundMan] SOUNDMAN.EXE

mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray

mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"

mRunOnce: [SpywareGuardUninstall] "c:\program files\spyware guard 2009\uninstall.exe" un2uninstall

dRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: NoDispBackgroundPage = 1 (0x1)

uPolicies-system: NoDispScrSavPage = 1 (0x1)

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191585047468

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

TCP: {EF58F383-3748-4D5B-92D2-4D5D6DCDF602} = 208.67.222.222,208.67.220.220

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: {D5BF4552-94F1-42BD-F434-3604812C807D} - No File

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Notification Packages = scecli scecli

IFEO: explorer.exe - c:\program files\microsoft common\svchost.exe



============= SERVICES / DRIVERS ===============



R?2 NLMv43;Network License Manager 4.3.3;c:\program files\vitech corporation\core nlm 43\nlmsvc43.exe [2000-8-31 234496]

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-9 206256]

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]

R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-9 348752]

S1 glaide32;glaide32;c:\windows\system32\drivers\glaide32.sys [2009-1-29 0]

S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-1-29 1090936]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-29 29744]

S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2008-9-27 23936]



=============== Created Last 30 ================



2009-10-23 13:55 268 a---h--- C:\sqmdata15.sqm

2009-10-23 13:55 244 a---h--- C:\sqmnoopt15.sqm

2009-10-23 11:57 268 a---h--- C:\sqmdata14.sqm

2009-10-23 11:57 244 a---h--- C:\sqmnoopt14.sqm

2009-10-23 11:42 268 a---h--- C:\sqmdata13.sqm

2009-10-23 11:42 244 a---h--- C:\sqmnoopt13.sqm

2009-10-16 11:10 268 a---h--- C:\sqmdata12.sqm

2009-10-16 11:10 244 a---h--- C:\sqmnoopt12.sqm

2009-10-16 00:45 268 a---h--- C:\sqmdata11.sqm

2009-10-16 00:45 244 a---h--- C:\sqmnoopt11.sqm

2009-10-15 11:57 268 a---h--- C:\sqmdata10.sqm

2009-10-15 11:57 244 a---h--- C:\sqmnoopt10.sqm

2009-10-15 11:22 268 a---h--- C:\sqmdata09.sqm

2009-10-15 11:22 244 a---h--- C:\sqmnoopt09.sqm

2009-10-15 01:56 <DIR> --d----- c:\windows\system32\scripting

2009-10-15 01:56 <DIR> --d----- c:\windows\l2schemas

2009-10-15 01:56 <DIR> --d----- c:\windows\system32\en

2009-10-15 01:56 <DIR> --d----- c:\windows\system32\bits

2009-10-15 01:48 472,064 a------- c:\windows\system32\dllcache\fastprox.dll

2009-10-15 01:47 114,688 a------- c:\windows\system32\dllcache\powercfg.cpl

2009-10-15 01:46 <DIR> --d----- c:\windows\EHome

2009-10-15 01:41 268 a---h--- C:\sqmdata08.sqm

2009-10-15 01:41 244 a---h--- C:\sqmnoopt08.sqm

2009-10-15 00:47 268 a---h--- C:\sqmdata07.sqm

2009-10-15 00:47 244 a---h--- C:\sqmnoopt07.sqm

2009-10-15 00:45 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-15 00:45 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-10-15 00:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-10-15 00:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-10-15 00:42 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys

2009-10-15 00:42 12,160 a------- c:\windows\system32\drivers\mouhid.sys

2009-10-09 21:07 268 a---h--- C:\sqmdata06.sqm

2009-10-09 21:07 244 a---h--- C:\sqmnoopt06.sqm

2009-10-09 21:05 <DIR> --d----- c:\program files\Spyware Guard 2009

2009-10-09 20:39 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys

2009-10-09 20:39 206,256 a------- c:\windows\system32\drivers\PCTCore.sys

2009-10-09 20:39 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys

2009-10-09 20:39 7,396 a------- c:\windows\system32\drivers\pctcore.cat

2009-10-09 20:39 <DIR> --d----- c:\program files\common files\PC Tools

2009-10-09 20:39 64,392 a------- c:\windows\system32\drivers\pctplsg.sys

2009-10-09 20:39 <DIR> --d----- c:\program files\Spyware Doctor

2009-10-09 20:39 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools

2009-10-09 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

2009-10-09 19:21 268 a---h--- C:\sqmdata05.sqm

2009-10-09 19:21 244 a---h--- C:\sqmnoopt05.sqm

2009-10-09 19:11 268 a---h--- C:\sqmdata04.sqm

2009-10-09 19:11 244 a---h--- C:\sqmnoopt04.sqm

2009-10-09 19:10 <DIR> --d----- c:\windows\pss



==================== Find3M ====================



2009-10-23 14:12 98,668 a------- c:\windows\system32\drivers\68fc6a4a.sys

2009-10-15 11:04 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-10-15 01:39 1,003,957 a------- c:\windows\sysexplorer.exe

2009-10-15 01:39 134,149 a------- c:\windows\reged.exe

2009-10-15 01:39 51,197 a------- c:\windows\spoolsystem.exe

2009-10-15 01:39 50,620 a------- c:\windows\sys.com

2009-10-15 01:39 47,872 a------- c:\windows\syscert.exe

2009-10-15 01:39 18,941 a------- c:\windows\vmreg.dll

2009-01-22 16:43 27,141 a------- c:\docume~1\alluse~1\applic~1\svhost.exe

2007-09-29 22:40 774,144 a------- c:\program files\RngInterstitial.dll

2009-01-29 07:06 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2009-01-27 18:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012720090128\index.dat

2009-01-29 18:31 32,768 a--sh--- c:\windows\temp\cookies\index.dat

2009-01-29 18:31 49,152 a--sh--- c:\windows\temp\history\history.ie5\index.dat

2009-01-29 18:31 65,536 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat



============= FINISH: 14:13:46.62 ===============



ark.txt:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/23 14:17

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================



Drivers

-------------------

Name: 68fc6a4a.sys

Image Path: C:\WINDOWS\System32\drivers\68fc6a4a.sys

Address: 0xF85B7000 Size: 53376 File Visible: No Signed: -

Status: -



Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEEFE7000 Size: 98304 File Visible: No Signed: -

Status: -



Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8A67000 Size: 8192 File Visible: No Signed: -

Status: -



Name: mchInjDrv.sys

Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Address: 0xF8C80000 Size: 2560 File Visible: No Signed: -

Status: -



Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEE4A4000 Size: 49152 File Visible: No Signed: -

Status: -



Name: TDSSpqlt.sys

Image Path: C:\WINDOWS\system32\drivers\TDSSpqlt.sys

Address: 0xEF237000 Size: 73728 File Visible: - Signed: -

Status: Hidden from the Windows API!



Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\TDSSbrsr.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSSlxwp.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSSoiqh.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSSosvd.dat

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSSriqp.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSStkdu.log

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\TDSSxfum.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS524c.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS550b.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS6a78.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS6d18.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS71ea.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS86ca.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSS93d9.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSSf6bd.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\Temp\TDSSf6fc.tmp

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\drivers\68fc6a4a.sys

Status: Locked to the Windows API!



Path: C:\WINDOWS\system32\drivers\TDSSpqlt.sys

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a.cat

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a.Manifest

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d.cat

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d.Manifest

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.cat

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest

Status: Invisible to the Windows API!



Path: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a.cat

Status: Invisible to the Windows API!



SSDT

-------------------

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x8237ea80



#: 035 Function Name: NtCreateEvent

Status: Hooked by "C:\WINDOWS\System32\drivers\68fc6a4a.sys" at address 0xf85bed15



#: 180 Function Name: NtQueueApcThread

Status: Hooked by "<unknown>" at address 0x8237eaf8



#: 186 Function Name: NtReadVirtualMemory

Status: Hooked by "<unknown>" at address 0x8237e990



#: 192 Function Name: NtRenameKey

Status: Hooked by "PCTCore.sys" at address 0xf8406c8a



#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x8237ee40



#: 229 Function Name: NtSetInformationThread

Status: Hooked by "<unknown>" at address 0x8237ec60



#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x8237edc8



Stealth Objects

-------------------

Object: Hidden Module [Name: TDSSxfum.dll]

Process: winlogon.exe (PID: 684) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: services.exe (PID: 732) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: lsass.exe (PID: 744) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSoiqh.dll]

Process: svchost.exe (PID: 912) Address: 0x00a90000 Size: 81920



Object: Hidden Module [Name: TDSSxfum.dll]

Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: svchost.exe (PID: 1064) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: spoolsv.exe (PID: 1496) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: CTsvcCDA.exe (PID: 1692) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: LSSrvc.exe (PID: 1740) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: mdm.exe (PID: 1772) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: nlmsvc43.exe (PID: 1792) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: pctsAuxs.exe (PID: 1864) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: pctsTray.exe (PID: 1976) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: wscntfy.exe (PID: 2168) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: SOUNDMAN.EXE (PID: 2504) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: hkcmd.exe (PID: 2644) Address: 0x00390000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: igfxpers.exe (PID: 2668) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: smax4pnp.exe (PID: 2708) Address: 0x00bf0000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: CTSched.exe (PID: 2964) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: ctfmon.exe (PID: 2996) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: explorer.exe (PID: 4032) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: pctsSvc.exe (PID: 2440) Address: 0x10000000 Size: 126976



Object: Hidden Module [Name: TDSSxfum.dll]

Process: RootRepeal.exe (PID: 3664) Address: 0x10000000 Size: 126976



Object: Hidden Code [ETHREAD: 0x8163c020]

Process: System Address: 0xef239d66 Size: 361



Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]

Process: System Address: 0x81d90a20 Size: 1282



Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x81d944b8 Size: 2888



Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]

Process: System Address: 0x8222a390 Size: 111



Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]

Process: System Address: 0x816600a8 Size: 1776



Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]

Process: System Address: 0x8165e0a8 Size: 1775



Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8165c0a8 Size: 1647



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x81dc7c00 Size: 1026



Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]

Process: System Address: 0x820b7308 Size: 999



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]

Process: System Address: 0x82040a78 Size: 885



Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8164e5c8 Size: 621



Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x81ffdb00 Size: 130



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x820a62f8 Size: 1111



Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x816552d8 Size: 3370



Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x816569d8 Size: 1576



Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x81d992a0 Size: 117



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]

Process: System Address: 0x81dc1858 Size: 1140



Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x81ffd978 Size: 522



Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]

Process: System Address: 0x81ffd900 Size: 642



Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x81ffd888 Size: 762



Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x81ffd6e8 Size: 1178



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]

Process: System Address: 0x81ffd670 Size: 1298



Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]

Process: System Address: 0x81ffd5f8 Size: 1418



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x81d6efa8 Size: 88



Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x81d6ef30 Size: 208



Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x81d6eeb8 Size: 328



Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]

Process: System Address: 0x81dc1020 Size: 614



Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]

Process: System Address: 0x81dc1148 Size: 318



Hidden Services

-------------------

Service Name: 68fc6a4a

Image Path: C:\WINDOWS\System32\drivers\68fc6a4a.sys



Service Name: TDSSserv.sys

Image Path: C:\WINDOWS\system32\drivers\TDSSpqlt.sys



==EOF==

And Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT



DDS (Ver_09-10-13.01)



Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 9/28/2007 1:58:19 PM

System Uptime: 10/23/2009 1:52:13 PM (1 hours ago)



Motherboard: Dell Computer Corp. | | 0N6381

Processor: Intel® Celeron® CPU 2.40GHz | Microprocessor | 2394/533mhz



==== Disk Partitions =========================



A: is Removable

C: is FIXED (NTFS) - 466 GiB total, 452.193 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable



==== Disabled Device Manager Items =============



==== System Restore Points ===================



RP178: 10/14/2008 7:38:33 PM - Software Distribution Service 3.0

RP179: 10/23/2008 7:02:49 PM - Software Distribution Service 3.0

RP180: 10/28/2008 3:30:49 PM - System Checkpoint

RP181: 11/11/2008 12:50:56 PM - Software Distribution Service 3.0

RP182: 11/13/2008 4:37:23 AM - System Checkpoint

RP183: 11/16/2008 6:15:04 PM - System Checkpoint

RP184: 11/30/2008 10:14:36 AM - System Checkpoint

RP185: 12/4/2008 1:57:40 AM - Installed Costco Photo Organizer

RP186: 12/5/2008 7:52:16 AM - System Checkpoint

RP187: 12/11/2008 1:28:28 PM - Software Distribution Service 3.0

RP188: 12/14/2008 7:16:50 AM - System Checkpoint

RP189: 12/18/2008 1:16:18 AM - Software Distribution Service 3.0

RP190: 1/10/2009 1:44:19 PM - System Checkpoint



==== Installed Programs ======================



2007 Microsoft Office Suite Service Pack 1 (SP1)

Adobe Acrobat 5.0

Adobe Flash Player ActiveX

Ask Toolbar

CORE 5.0 University Edition

CORE Network License Manager 4.3

CORE Workstation 5.1.5

Costco Photo Organizer

Creative MediaSource 5

Creative Software AutoUpdate

Eviction Forms

Google Desktop

High Definition Audio Driver Package - KB835221

Highlight Viewer (Windows Live Toolbar)

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915800)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

Intel® 537EP V9x DF PCI Modem

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Adapters and Drivers

InterVideo Installer

LightScribe 1.4.136.1

Malwarebytes' Anti-Malware

Map Button (Windows Live Toolbar)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft FrontPage 2002

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft User-Mode Driver Framework Feature Pack 1.0

ML-1200 Series

MSXML 4.0 SP2 (KB954430)

Nero 7 Essentials

PowerDVD

RealArcade

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Security Update for 2007 Microsoft Office System (KB958439)

Security Update for Microsoft Office Excel 2007 (KB958437)

Security Update for Microsoft Office OneNote 2007 (KB950130)

Security Update for Microsoft Office PowerPoint 2007 (KB951338)

Security Update for Microsoft Office Publisher 2007 (KB950114)

Security Update for Microsoft Office system 2007 (KB954326)

Security Update for Microsoft Office system 2007 (KB956828)

Security Update for Microsoft Office Word 2007 (KB956358)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

SigmaTel Audio

Smart Menus (Windows Live Toolbar)

Sound Blaster Audigy

SoundMAX

Spy Sweeper

Spy Sweeper Core

Update for Microsoft Office Outlook 2007 (KB952142)

Update for Office 2007 (KB946691)

Update for Outlook 2007 Junk Email Filter (kb959141)

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911164)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB930916)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB955839)

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Live Favorites for Windows Live Toolbar

Windows Live installer

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Toolbar

Windows Live Toolbar Extension (Windows Live Toolbar)

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB885884

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781



==== Event Viewer Messages From Past Week ========



10/23/2009 2:04:31 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

10/23/2009 2:02:47 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

10/23/2009 2:02:23 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).

10/23/2009 2:02:09 PM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).

10/23/2009 11:39:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Webroot Spy Sweeper Engine service to connect.

10/23/2009 11:39:46 AM, error: Service Control Manager [7000] - The Webroot Spy Sweeper Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

10/23/2009 11:39:46 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.



==== End Of File ===========================

Edited by jazen, 24 October 2009 - 04:43 AM.



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:24 AM

Posted 31 October 2009 - 09:17 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:24 AM

Posted 05 November 2009 - 07:44 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





