MBAM Detected Trojan.TDSS [Archive] - Safer-Networking Forums

View Full Version : MBAM Detected Trojan.TDSS

Thertras

2009-07-23, 05:20

Can't remove Trojan.TDss - Here is the HIJACK This log and an excerpt from the MBAM Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:50 PM, on 7/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\My Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
R3 - URLSearchHook: (no name) - {811FB681-61C2-4442-9C96-9F164F619ED7} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: TBSB07183 - {6C621F09-DFF3-415A-B7D1-142678EFEB34} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: Fast Browser Search - {C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181256416625
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181608896828
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test.toontown.com/sv1.0.32.2.test/tt_test.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9496 bytes

MBAM Log
Malwarebytes' Anti-Malware 1.39
Database version: 2477
Windows 5.1.2600 Service Pack 3

7/22/2009 11:05:49 PM
mbam-log-2009-07-22 (23-05-49).txt

Scan type: Quick Scan
Objects scanned: 94542
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruilxoqvnis.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruilxoqvnis.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Sincerely,
Thertras

ken545

2009-07-23, 13:32

Hello Thertras

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this program properly.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Thertras

2009-07-23, 14:39

Logs you requested.

ComboFix 09-07-22.05 - Eufotic 07/23/2009 8:26.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1633 [GMT -4:00]
Running from: c:\documents and settings\Eufotic\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\64147d6c.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\BReWErS.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\hjgruiduwrxrns.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\hjgruicusuvmif.dat
c:\windows\system32\hjgruiektvoddw.dll
c:\windows\system32\hjgruilxoqvnis.dll
c:\windows\system32\hjgruiodhayksr.dat
c:\windows\system32\IEDFix.exe
c:\windows\system32\MabryObj.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruimpehnmaw

((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 01:56 . 2009-07-23 01:56 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-23 01:42 . 2009-07-23 01:42 -------- d-----w- c:\windows\ERUNT
2009-07-23 01:39 . 2009-07-23 02:53 -------- d-----w- C:\SDFix
2009-07-23 00:49 . 2009-07-23 00:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-23 00:49 . 2009-07-23 00:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-16 23:08 . 2009-07-16 23:08 -------- d-----w- c:\documents and settings\Eufotic\Local Settings\Application Data\Temp
2009-07-14 15:52 . 2009-07-14 15:52 -------- d-----w- c:\windows\system32\NtmsData
2009-07-10 20:33 . 2009-07-10 20:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-30 17:46 . 2009-07-19 13:48 -------- d-----w- c:\program files\Evil Invasion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 16:33 . 2009-06-19 22:38 -------- d-----w- c:\program files\Sony Online Entertainment
2009-07-19 13:50 . 2007-07-30 23:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-19 13:50 . 2007-07-30 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-19 13:50 . 2009-06-16 23:42 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-19 13:17 . 2008-10-15 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 13:17 . 2008-12-24 20:33 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 22:32 . 2007-06-09 15:17 -------- d-----w- c:\documents and settings\Eufotic\Application Data\uTorrent
2009-07-16 22:53 . 2008-05-22 10:34 -------- d-----w- c:\program files\World of Warcraft
2009-07-16 15:54 . 2009-02-27 12:19 -------- d-----w- c:\program files\World of Warcraft Public Test
2009-07-14 15:50 . 2007-06-09 19:12 -------- d-----w- c:\program files\Citrix
2009-07-14 15:41 . 2007-12-21 13:36 103720 ----a-w- c:\documents and settings\Eufotic\GoToAssistDownloadHelper.exe
2009-07-14 14:05 . 2007-06-10 17:04 -------- d-----w- c:\documents and settings\Eufotic\Application Data\Ahead
2009-07-13 17:36 . 2008-10-15 01:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2008-10-15 01:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 16:34 . 2007-06-09 15:04 -------- d-----w- c:\program files\Steam
2009-06-19 00:44 . 2009-06-18 21:27 -------- d-----w- c:\program files\SnailMail_at
2009-06-19 00:44 . 2009-06-18 21:48 -------- d-----w- c:\program files\TurtleOdyssey2_at
2009-06-18 21:24 . 2009-04-11 21:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-18 20:37 . 2009-06-18 20:37 -------- d-----w- c:\documents and settings\Eufotic\Application Data\Aveyond 3
2009-06-18 00:50 . 2007-06-08 02:41 -------- d-----w- c:\program files\PC Protection Plus
2009-06-18 00:45 . 2008-02-02 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-06-18 00:44 . 2009-04-11 21:15 -------- d-----w- c:\program files\ElfBowlingHolidayBundle_at
2009-06-16 23:43 . 2007-07-30 23:49 -------- d-----w- c:\program files\Symantec
2009-06-16 23:43 . 2007-12-11 02:57 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 23:43 . 2007-12-11 02:57 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-16 23:43 . 2007-07-30 23:49 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-16 23:43 . 2007-07-30 23:49 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-08 23:18 . 2009-06-08 23:18 -------- d-----w- c:\documents and settings\Eufotic\Application Data\MMOUI
2009-06-08 23:18 . 2009-06-08 23:18 -------- d-----w- c:\program files\MMOUI Minion
2009-06-08 23:18 . 2008-05-23 02:38 -------- d-----w- c:\program files\Curse
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 04:09 . 2009-04-24 18:22 -------- d-----w- c:\program files\ChickenInvaders2_at
2009-06-03 04:09 . 2009-05-09 23:58 -------- d-----w- c:\program files\xeno_assault2_trial
2009-06-03 04:08 . 2009-05-12 16:24 -------- d-----w- c:\program files\Restaurant Empire
2009-06-03 04:07 . 2009-05-12 20:57 -------- d-----w- c:\program files\TastyPlanet_at
2009-06-03 04:06 . 2009-06-03 04:03 -------- d-----w- c:\program files\4 Elements
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 17:32 . 2009-05-12 17:32 4096 ----a-w- c:\windows\d3dx.dat
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 21:06 . 2007-06-08 03:11 74584 ----a-w- c:\documents and settings\Eufotic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-07-03 126976]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-07-13 414992]

c:\documents and settings\Eufotic\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2009-2-6 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-14 15:41 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mobsync.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [9/9/2007 3:45 PM 91136]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2008 9:58 PM 211216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2008 9:58 PM 19096]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/14/2008 9:58 PM 38160]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [9/9/2007 3:44 PM 23180]
S3 Winacusb;Winacusb;c:\windows\system32\drivers\WINACUSB.sys [7/9/2007 11:33 AM 784047]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1844237615-725345543-1003Core.job
- c:\documents and settings\Eufotic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 23:37]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1844237615-725345543-1003UA.job
- c:\documents and settings\Eufotic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 23:37]

2009-07-23 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Eufotic.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-15 17:36]

2009-07-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Eufotic.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-15 17:36]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{811FB681-61C2-4442-9C96-9F164F619ED7} - (no file)
Notify-NavLogon - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} - hxxp://download.test.toontown.com/sv1.0.32.2.test/tt_test.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 08:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1844237615-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:99,c6,a6,f2,40,4d,a0,e9,0f,a4,ac,77,9f,10,fe,b7,5f,2b,6d,bc,59,ea,51,
97,8c,31,f7,60,92,9b,36,6e,6e,50,29,f4,54,39,59,54,b7,fc,34,73,c7,bd,7f,38,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-839522115-1844237615-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:fc,04,f9,73,dd,9f,f2,c1,47,1e,08,1e,8e,e7,10,d0,b0,62,b5,92,8b,
16,e2,99,8e,be,69,11,b3,9b,35,34,a6,90,85,86,40,e2,86,a0,4f,96,88,4e,18,65,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
Completion time: 2009-07-23 8:35
ComboFix-quarantined-files.txt 2009-07-23 12:35

Pre-Run: 12,662,796,288 bytes free
Post-Run: 12,778,627,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

195 --- E O F --- 2009-07-16 07:03

_________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:41 AM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\java.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Eufotic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Eufotic\My Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181256416625
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181608896828
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test.toontown.com/sv1.0.32.2.test/tt_test.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8063 bytes

ken545

2009-07-23, 18:33

Hey,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - Startup: PowerReg Scheduler V3.exe

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

TDSS is Rootkit infection and very nasty, Combofix removed it, its gone and the rest of your logs look fine.

uTorrent Want to point this out to you, this is how you may have gotten infected. Your call to uninstall it. Knowing what I know I would never download anything from a File Sharing Program

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.

P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

How are things running now??

Thertras

2009-07-24, 00:43

Thank you for your help. I understand your policies concerning P2P sharing. I am careful about what I download using utorrent but these are your policies and I do agree with them. I haven't used my utorrent in over a week and this infection happened yesterday. I believe my son downloaded something from the web or it came from a website of sorts.

I reran my MalwareBytes Scan and it did come out clean.

TDSS - You mentioned it was nasty but what does it do specifically. It was infected but I didn't seem to experience anything out of the ordinary though.

Another question. I have only MalwareBytes right now and did pay for the full version but can I use this as my antivirus needs? or should I run another along side it like McAfee. Also besides MalwareBytes what do you consider the best consumer Antivirus program currently. I use to have norton but it seems to be almost useless and doesn't stop or detect any viruses it seems. The best product I found so far has been malwareBytes which is why I purchased the full version.

Malwarebytes' Anti-Malware 1.39
Database version: 2486
Windows 5.1.2600 Service Pack 3

7/23/2009 6:38:03 PM
mbam-log-2009-07-23 (18-38-03).txt

Scan type: Quick Scan
Objects scanned: 93313
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

ken545

2009-07-24, 02:06

TDSS - You mentioned it was nasty but what does it do specifically. It was infected but I didn't seem to experience anything out of the ordinary though. A Rootkit is installed in away that it hides from most scans so goes undetected. Some will even block most removal tools from working, case in point, most likely if we did not rename Combofix it may not have worked. Some are designed to steal personal info like passwords and bank account log ins, credit card numbers. If you do any online banking or purchase from sites with a credit card it may not be a bad idea to change all your passwords.

Malwarebytes is one of the better programs to come down the pike in awhile, but it will not replace your Anti Virus software, there two different animals. You have Norton installed, make sure you keep it up todate and run a scan about once a week.

SweetIM is not recommended, you need to go to there site and read the EULA (End User License Agreement)
http://www.sweetim.com/eula.html

Read the whole thing , especially 3 and 4

TFC <--Yours to keep, run it about once aweek to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combo-fix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

ken545

2009-07-27, 10:48

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.