XP Total Security 2011 possibly still lingering somewhere..
Hi,
After 2 years, I'm back again
Was just surfing on Thu evening (if I recall correctly) and I think I inadvertently visited a rogue website and suddenly this XP Total Security 2011 app window popped up and started scanning my PC for viruses. A modified Windows Security Center appeared, too. I've been using computers for the last 16 years so I could tell it was not legit almost immediately. What I initially (momentarily) thought was a very cleverly-and-cunningly-designed online advert, but was shocked when I found the app. icon beside my clock.
What follows were the actions I took to try to remedy the problem to the best of my memory, in chronological order:
1. Couldn't run an Malwarebytes scan as the virus seemed to have blocked the app. entirely (couldn't even start it)
2. Spybot scan in safe mode showed sys was clean (obviously wasn't!)
3. Bit of googling and I found a suggestion in a comment to try using a 'TDSS rootkit removing tool' by Kaspersky, which I downloaded off the Kaspersky website. That seemingly found the virus and said I'd need to restart the PC to finish the removal. If I remember correctly, after restarting after this scan was when I noticed my Start Menu was almost empty and that my desktop icons had disappeared. I found that my Start Menu folders where simply 'hidden', but strangely all icons both inside and outside each App folder was deleted. Desktop items were simply hidden, though.
4. Ran Malwarebytes full scan in Safe mode, showed sys was clean.
5. I then tried a spybot scan in normal mode, again showed sys was clean. Set it up to run a scan on next system start up.
6. This time it found the virus but after the scan it said it'd need to run again after a restart to fully remove it. Interestingly, about 20 secs or so after the scan had started, Spybot said smth along the lines of 'it'd be better to run it once again on next sys start up' so I selected OK there and the scan cont'd. But as I said, after the scan when it was trying to 'fix the selected problems' it asked for my permission to 'fix' the problem after another restart and I selected OK. Reason I mention is because after I restarted, Spybot didn't just open up and re-try to tackle the issue, it actually ran a whole scan again, but found nothing.
The icon has disappeared from my sys tray and Windows Security Center looks normal again. My Start Menu items are still missing, however. All 3 attempts to run a System Restore to a point before the virus entered were unsuccessful.
Now, I have a slight feeling that this virus hasn't been fully eradicated as, A. my Start Menu is still in its post-hacked state, B. 3 failed attempts as Sys Restore using 3 different dates, and C. the Quick Launch toolbar is set to 'show' but it's totally invisible, exactly as if it's been set to not show.
7. Here's my DDS log:
############DDS STARTS############
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by madPC at 1:20:20.15 on Sun 05/22/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3318.2143 [GMT 9.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Clarus\Samsung SecretZone\MSSvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\TelstraUCM.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\SwiApiMuxX.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\BI WinXP BU Data (4Dec09)\Documents\Virus 2011-05-18\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.telstra.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Settings,ProxyServer = www-proxy.unisa.edu.au:8080
uInternet Settings,ProxyOverride = 127.0.0.1; localhost;;*.local; unisa.edu.au
BHO: AutorunsDisabled - No File
BHO: link filter bho - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: BigPond Mobile Broadband Auto Dial: {db92ec3f-697d-4c3b-9a3b-3abbd23d4a85} - c:\program files\telstra\bigpond wireless broadband\bpwbb2ad.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [Tray Pilot Lite] "c:\program files\invention pilot\tray pilot lite\TrayPlt.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Download All with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_all.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_link.htm
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260277567218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: PSUTY - PSUWNP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\madPC\applic~1\mozilla\firefox\profiles\8cyuvg60.default\
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\madPC\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-20 218688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 MSR Service;Virtual Disk Service Manager;c:\program files\clarus\samsung secretzone\MSSvc.exe [2010-8-13 114688]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2010-9-2 230768]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2004-1-18 4864]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-2-19 10688]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-12-8 47448]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-12-8 44064]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2011-4-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-4-21 201088]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2011-4-21 156544]
RUnknown mdf15;mdf15; [x]
RUnknown mvd20;mvd20; [x]
S2 LvIBTSvr;Logitech IBT Service;c:\program files\common files\logishrd\lvibtsvr\LvIBTSvr.exe [2007-4-3 76576]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-3-14 7680]
S3 MODRC;Ultima Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2010-8-13 13440]
S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-1-23 6609920]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-2-8 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-2-8 11104]
S3 Uplink;Uplink;c:\windows\system32\drivers\Uplink.sys [2010-8-4 31232]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2010-1-2 30368]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2011-3-14 114688]
S4 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2009-12-8 7168]
.
=============== Created Last 30 ================
.
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-21 05:10:02 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-05-21 03:15:12 -------- d-----w- C:\TDSSKiller reports
2011-05-19 18:18:55 -------- d-----w- c:\program files\BootLog XP
2011-05-19 15:44:57 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2011-05-19 15:43:56 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2011-05-19 15:42:59 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-19 15:41:58 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-05-19 15:40:59 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2011-05-19 15:39:58 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2011-05-19 15:38:58 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2011-05-19 15:38:57 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-05-19 15:38:28 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2011-05-19 15:38:24 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-05-19 15:38:24 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-05-19 15:38:21 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-05-19 15:38:21 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-05-19 15:38:14 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2011-05-19 15:38:12 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-05-19 15:38:09 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-05-19 15:38:06 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2011-05-19 15:38:05 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-05-19 15:38:02 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2011-05-19 15:36:54 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2011-05-19 15:35:57 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-05-19 15:34:58 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2011-05-19 15:33:57 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-05-19 15:32:59 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-05-19 15:31:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-05-19 15:30:59 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
2011-05-19 15:29:58 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2011-05-19 15:28:58 320384 -c--a-w- c:\windows\system32\dllcache\g200m.sys
2011-05-19 15:27:58 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2011-05-19 15:26:59 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2011-05-19 15:25:59 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2011-05-19 15:24:59 377984 -c--a-w- c:\windows\system32\dllcache\ati2dvaa.dll
2011-05-19 15:20:50 8192 -c--a-w- c:\windows\system32\dllcache\staxmem.dll
2011-05-19 15:14:36 20538 -c--a-w- c:\windows\system32\dllcache\fpremadm.exe
2011-05-19 15:13:59 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-05-19 15:13:58 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-05-19 15:13:56 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-05-19 15:13:56 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-05-19 15:13:54 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-05-19 15:13:53 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-05-19 15:13:52 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-05-19 15:13:52 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-05-19 15:13:52 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-05-19 15:13:47 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-05-19 15:04:23 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-05-19 15:03:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-05-17 02:50:29 7071056 ---ha-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4413dfc2-0d6d-41e9-ace5-9606719c4b1b}\mpengine.dll
2011-05-15 23:18:33 -------- d-----w- c:\program files\Invention Pilot
2011-05-12 22:46:11 -------- d--h--w- c:\docume~1\madPC\applic~1\Rovio
2011-05-11 13:13:31 -------- d-----w- c:\documents and settings\madPC\fastvoip
2011-05-11 13:11:05 -------- d-----w- c:\program files\FastVoip
2011-05-04 13:19:42 -------- d-----w- c:\docume~1\madPC\locals~1\applic~1\WMTools Downloaded Files
2011-05-04 11:02:49 -------- d-----w- c:\docume~1\madPC\locals~1\applic~1\SKIDROW
2011-05-04 11:02:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-04 11:02:44 -------- d-----w- c:\program files\OpenAL
2011-05-04 11:02:43 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-04-28 15:46:26 -------- d--h--w- c:\docume~1\madPC\applic~1\Nymgo4.0
2011-04-28 15:45:13 -------- d-----w- c:\program files\Nymgo4.0
.
==================== Find3M ====================
.
.
============= FINISH: 1:21:31.59 ===============
############DDS ENDS############
8. Attach.txt is zipped and attached
Few things:
i. ERUNT: As per forum instructions, I've backed up my registry
ii. Windows Updates: I've always tried to live by a very common rule in IT: "If it aint broken, don't fix it". That is to say I've disabled Windows Updates and I don't think I've downloaded even one, but I do have SP3 (and all that came with it). But other than that, I highly doubt so, not even IE7. After reading the sticky on this though, I plan to download all the 'critical' ones ONLY after we've rectified the current situation, however am happy to do so immediatey should you request so.
iii. Registry Cleaners: To be honest, before I read this on your forum yesterday, I used to use these apps quite regularly. A component of my copy of AVG PC utilities is such an app, so is CCleaner. My plan of action with these apps is the same as (ii) above.
Few Qs:
1. Would you know why Spybot takes only 30 mins to scan normally vs 3 hours when it does so on start-up?
2. For the last 5-6 months or so, Safe Boot takes literally 15 mins to start: I see all the drivers it's loading, the last being mup.sys and after that it looks frozen but there's a lot of HDD activity. Also when I choose to leave safe mode (shutdown/restart), again it takes 15 mins to exit Windows. Any ideas?
Tried sfc /scannow yesterday but didn't help.
Enabled boot logging and viewed the ntbtlog.txt and after showing Loaded driver with a few 'Did not load' in between, I then see a bunch of '20 or so Did not loads' repeat itself 38 times!
Any suggestions? I ask cuz anything you'd ask me to do in Safe mode would mean I'd have to go through this. Please don't misunderstand, it's not that I don't/wouldn't appreciate your assistance.In the often unpredictable world of IT, any sharing of past experience with a similar situation, or guidance are acts I always genuinely value.
It's just that if you happen to know anything, or think of something that just happens to fix this, it'd make for a more efficient resolution for both yourself and I.
Now it is. Sorry about that!Originally Posted by madPC
