TROJANS Win32.TDSS.rtk, Fraud.Sysguard, WinSpywareProtect [Archive]

BrianSPYBOT08

2010-05-13, 10:32

Can anyone help with these trojans?

My operating system is:
Microsoft Windows XP
Media Center Edition
Ver 2002 SP3

SBSD version 1.6.2

Norton 360 Premier Edition (expired 4-24-10)

Below is my DDS log:

Thank you,
Brian

DDS (Ver_10-03-17.01) - NTFSx86
Run by Brian S. Picou at 1:27:49.10 on Thu 05/13/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.430 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton 360 Premier Edition *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton 360 Premier Edition *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Nevo\NevoMedia Server\NevoMediaServer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Nevo\NevoMedia Player\NevoMediaPlayer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Brian S. Picou\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=15734
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PPWebCap] c:\program files\scansoft\paperport\PPWebCap.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
mRun: [StrobePro] c:\program files\scansoft\paperport\viperusb.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\brians~1.pic\startm~1\programs\startup\cyber-~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\brians~1.pic\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nevome~1.lnk - c:\program files\nevo\nevomedia server\NevoMediaServer.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-20 607576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2006-10-31 107392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-7-6 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100422.040\NAVENG.SYS [2010-4-23 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100422.040\NAVEX15.SYS [2010-4-23 1324720]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-4-21 1245064]

=============== Created Last 30 ================

2010-04-28 22:42:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 05:24:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2005-01-25 23:20:42 27787306 ----a-w- c:\program files\d2al10111uo.nbf
2005-01-21 00:03:58 643072 ----a-w- c:\program files\ROMUpdateUtility.exe
2005-01-20 23:25:08 4608 ----a-w- c:\program files\RUUGetInfo.exe
2005-01-20 16:22:12 851968 ----a-w- c:\program files\RUUResource.dll
2005-01-20 00:07:04 15210 ----a-w- c:\program files\README.doc
2003-11-27 03:18:32 30901 ----a-w- c:\program files\lic_US.rtf
2003-08-08 01:47:20 3584 ----a-w- c:\program files\EnterBootLoader.exe
1999-04-16 08:20:14 13824 ----a-w- c:\windows\inf\vizpnp\Vizapi2.dll
2007-11-28 03:25:18 88 --sh--r- c:\windows\system32\175D6793E4.sys
2007-11-28 03:25:27 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-01 08:10:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050120090502\index.dat

============= FINISH: 1:28:44.39 ===============

shelf life

2010-05-19, 01:03

hi,

Your log is a few days old. If you still need help simply reply to my post.

BrianSPYBOT08

2010-05-19, 08:46

Yes, I still need help...
Do you need a new DDS or hijack log?
Thanks,
Brian

shelf life

2010-05-20, 00:57

That DDS log will do for now, We will get a download to use. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

tashi

2010-06-02, 20:19

BrianSPYBOT08 this thread has been closed due to inactivity. As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a DDS log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.