
Unknown Virus on Laptop

Posted 11/26/2008 8:35 AM  #68966
Plight (Member; joined Nov 2016; 5 posts)
Hello

I'm not completely sure how, but I have a virus on my Dell laptop that hijacks all Google or Yahoo (others probably) searches. If I cut and paste the websites instead of clicking on the hyperlink then it's usually okay. Also, I cannot create a system restore point. I'm told to toggle the capability and reboot but have already done so. I'm not sure what else, since it's not been that long. I have run numerous anti-virus checks and have deleted some things. I've also deleted cookies and files and the like. CCleaner also. But something is still hijacking my web searches and preventing the restore points.

I've attached my Hijackthis.log file. Thank you for any help you can give me. Cheers!

Plight
Posted 11/26/2008 8:50 AM  #68967
Touch (Advanced member; joined Nov 2016; 12974 posts)
Hello :smile:

Download Malwarebytes' Anti-Malware:
https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe.

Run the setup.exe file. When it gets to the final step of the installation it will seem like it froze. It hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.
Go into the Malwarebytes folder under Program Files.
Rename the mbam.exe (or similarly named) file to mab.exe, then update and run it.
Do a full computer scan.
Check all and remove/fix/delete them.

Restart your computer and post the log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 11/26/2008 9:07 AM  #68970
Plight (Member; joined Nov 2016; 5 posts)
Thanks for your quick reply. Awesome!

I'm running the scan now. However, it didn't go quite according to what you said. It never froze like you said it would. It went straight through with no delay. It's already covered about 25000 objects and has found 2 of them infected so far.

I did want to add something that I just remembered. My AVG file also says that control file is missing. I am pretty sure it's related to this virus or spyware infection.

I might be going to bed pretty soon. I wanted to thank you - wish you a Happy Thanksgiving - and let you know I'll be back to follow through tomorrow, if I do decide to duck out. Cheers!

Plight
Posted 11/26/2008 5:59 PM  #68982
Plight (Member; joined Nov 2016; 5 posts)
Hello Touch

I believe it has fixed my problems. I do have a few questions if you don't mind. I have a "need" to know these things. First, my log file:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/26/2008 9:21:40 AM
mbam-log-2008-11-26 (09-21-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172269
Time elapsed: 1 hour(s), 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Delete on reboot.

Files Infected:
C:\Program Files\RegistrySmart\DataBase.ref (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log\2008 Nov 25 - 03_30_02 AM_046.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log\2008 Nov 25 - 12_40_44 PM_968.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.dwy (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSotub.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSovba.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSqomd.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSStnyq.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSurkv.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxnpb.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSrfct.sys (Rootkit.Agent) -> Delete on reboot.

Now, to start with, I don't believe any of the RegistrySmart items are viruses or spyware. I believe I downloaded it as a tool to get better and the Malware application thought they were a problem. Is that correct?

Also, on the line that has a heuristics.reserved.word.exploit issue with svchost.dwy, I wanted to see if I created a problem. I suspected this file and could not delete it so renamed it from an executable (svchost.exe). Did I screw things up? I have a feeling it was deleted and maybe that will come back to bite me.

Lastly, what kind of Trojan Agent did I have? A TDSS? What's that?

Thanks so much for all of your help. I'd been messing with it by myself way too long. If I'm not mistaken I did try to run this but it would not launch. Last question: is that why you had me rename the application to mab from mbam? Thanks again.

Plight
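The questions in the post above (which items are real malware, what the "Delete on reboot" lines mean) are the kind of triage a log like this should answer at a glance. The following is an added example for this thread, not code from the forum, from Malwarebytes or from the poster: a small parser for the 1.x text-log format shown above that groups detections by threat label, lists the items the scanner could only schedule for removal at reboot (files that were locked while the scan ran, typically by a still-loaded driver such as the TDSSserv.sys that ComboFix later removed), and pulls out the rootkit-labelled or TDSS-named files. The embedded log is a constructed excerpt of the one posted, kept in the same line format.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; it is not code from the forum, from
Malwarebytes or from the poster. It parses the "<Section> Infected:"
blocks into records, counts detections per threat label, and pulls out
the items the scanner could only schedule for "Delete on reboot" - files
that were locked while the scan ran, which is typical when a rootkit
driver is still loaded and is why a second tool was needed here.
"""
import re
from collections import Counter

# Constructed excerpt of the log posted above (same line format, fewer lines).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Delete on reboot.
C:\WINDOWS\system32\drivers\svchost.dwy (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSotub.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSqomd.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSrfct.sys (Rootkit.Agent) -> Delete on reboot.
"""

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 6" (the
# summary header at the top of a real log) deliberately does not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# "<path> (<threat label>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, threat, action."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue  # summary header lines, or an empty section
        entry = ENTRY_RE.match(line)
        if entry:
            records.append({"section": section, **entry.groupdict()})
    return records


def count_by_family(records):
    """Detections per threat label, e.g. Rogue.RegistrySmart -> 2."""
    return Counter(r["threat"] for r in records)


def locked_items(records):
    """Paths the scanner could not remove live (needs a reboot or a second tool)."""
    return [r["path"] for r in records
            if r["action"].lower().startswith("delete on reboot")]


def rootkit_indicators(records):
    """Files carrying a Rootkit./Trojan.TDSS label or the TDSS* file-name pattern."""
    hits = []
    for r in records:
        if r["section"] != "Files":
            continue
        name = r["path"].rsplit("\\", 1)[-1].lower()
        if r["threat"].startswith(("Rootkit.", "Trojan.TDSS")) or name.startswith("tdss"):
            hits.append(r["path"])
    return hits


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for family, n in count_by_family(recs).most_common():
        print(f"{n:3d}  {family}")
    print("locked at scan time:", *locked_items(recs), sep="\n  ")
    print("rootkit indicators:", *rootkit_indicators(recs), sep="\n  ")
```

Run against the full log above, the rogue-utility entries (RegistrySmart) and the rootkit entries separate cleanly by label, and every TDSS* file shows up in the locked list, which is the practical signal that the cleanup was not finished after the first scan.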
Posted 11/27/2008 4:49 AM  #69000
Touch (Advanced member; joined Nov 2016; 12974 posts)
Please read this:
https://blogs.zdnet.com/threatchaos/?p=537

TDSS is a rootkit, so I'll therefore suggest you post a ComboFix log.

"is that why you had me rename the application to mab from mbam" -> Yes :smile:

Please download ComboFix:
https://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save it to the desktop.

Close all other browser windows.

Important -> Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start->Run, copy/paste: ComboFix /snapshot and hit OK. It should run ComboFix.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.


Posted 11/27/2008 6:18 AM  #69007
Plight (Member; joined Nov 2016; 5 posts)
Hello Touch

Thanks for your help and follow through on this problem. It's much appreciated. Here is the log file from ComboFix.

ComboFix 08-11-26.05 - Philip 2008-11-26 21:08:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.449 [GMT -8:00]
Running from: c:\documents and settings\Philip\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\TDSSbeat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-26 00:58 . 2008-11-26 00:58 d-------- C:\Malaware
2008-11-26 00:09 . 2008-11-26 00:11 d-------- C:\Hijack
2008-11-24 22:56 . 2007-06-11 23:04 2,267,368 --a------ c:\windows\system32\Flash.ocx
2008-11-24 22:56 . 2003-11-19 14:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2008-11-24 22:56 . 2004-05-11 10:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2008-11-24 22:56 . 2004-02-05 21:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2008-11-24 22:56 . 2004-03-09 00:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2008-11-24 22:56 . 2000-07-15 06:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-11-24 22:56 . 2001-03-28 23:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2008-11-24 22:56 . 1999-01-26 20:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2008-11-23 23:21 . 2008-11-23 23:21 d-------- c:\program files\AskSBar
2008-11-23 23:21 . 2008-11-23 23:21 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-11-23 23:20 . 2008-11-26 21:17 d-------- c:\program files\COMODO
2008-11-23 23:20 . 2008-11-26 21:17 d-------- c:\documents and settings\Philip\Application Data\Comodo
2008-11-23 00:06 . 2008-11-23 00:06 d-------- c:\program files\Lavasoft
2008-11-23 00:06 . 2008-11-26 15:19 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 23:59 . 2008-11-22 23:59 dr-h----- c:\documents and settings\Admin!!\Application Data\yahoo!
2008-11-21 11:22 . 2008-11-21 11:22 d-------- c:\program files\XML Notepad 2007
2008-11-18 18:37 . 2008-11-26 09:21 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 18:37 . 2008-11-26 09:53 d-------- c:\documents and settings\Philip\Application Data\Malwarebytes
2008-11-18 18:37 . 2008-11-18 18:37 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 18:37 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 18:37 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 13:00 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:59 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-10-28 21:44 . 2008-10-28 21:44 262,144 --a------ C:\ntuser.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 05:55 --------- d-----w c:\program files\BOINC
2008-11-27 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-27 00:18 --------- d-----w c:\program files\Lx_cats
2008-11-23 11:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-01 16:26 --------- d--h--r c:\documents and settings\Philip\Application Data\yahoo!
2008-10-29 17:26 60,744 ----a-w c:\documents and settings\Philip\g2mdlhlpx.exe
2008-10-29 05:44 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:42 --------- d-----w c:\documents and settings\Philip\Application Data\FileZilla
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-12-08 3096576]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-01 29744]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185896]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Philip\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2007-03-01 3604480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-11-03 1941579]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-24 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 07:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 12:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 02:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-08-01 16:00 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 06:41 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 06:45 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 06:44 98304 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-09 23:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 16:05 1117184 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 12:32 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-10-07 07:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-12 19:10 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 15:48 761947 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\Remote Debugger\\x86\\msvsmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4500:UDP"= 4500:UDP:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:IPsec (IKE)
"135:TCP"= 135:TCP:RPC Endpoint Mapper and DCOM infrastructure
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"1433:TCP"= 1433:TCP:ISP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-04 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-06 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-06 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS [2006-08-27 92952]
R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2008-08-05 16912]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-01 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4dd5cde-7117-11db-b653-0015c56e4d80}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a57d96da-267f-11dd-b759-0015c56e4d80}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a57d96dc-267f-11dd-b759-0015c56e4d80}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-26 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe []

2008-11-26 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart []

2008-11-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-02-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-Bezeq - c:\program files\wow250\WOW.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RegistrySmart - c:\program files\RegistrySmart\RegistrySmart.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-Uniblue SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\doltw0kr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-11-26 21:53:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\3cfb88b6-1eba-485d-a7ed-1f2a9560c47b.tmp 46390 bytes executable
c:\windows\TEMP\6406db5b-50c2-408c-b100-4b773faef887.tmp 357657 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\BOINC\boinc.exe
c:\windows\system32\dwwin.exe
c:\program files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.00_windows_intelx86.exe
c:\program files\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
.
**************************************************************************
.
Completion time: 2008-11-26 22:00:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-27 06:00:31

Pre-Run: 39,519,498,240 bytes free
Post-Run: 39,388,225,536 bytes free

259 --- E O F --- 2008-11-19 11:02:30


Also, do I need a svchost.exe file at: C:\WINDOWS\system32\drivers\svchost.exe. I deleted it.
Posted 11/27/2008 6:26 AM  #69009
Touch (Advanced member; joined Nov 2016; 12974 posts)
Clean log. ComboFix got rid of the remnants of the TDSSserv infection.

No, you don't need C:\WINDOWS\system32\drivers\svchost.exe.

The legitimate Windows file is located here:
C:\WINDOWS\system32\svchost.exe



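The point in the reply above generalizes: a file named like a core Windows binary but sitting outside its real directory (here svchost.exe under system32\drivers, which also appeared as the "MSConfigStartUp-SVCHOST" orphan in the ComboFix log) is an impostor no matter how legitimate the name looks. The following is an added example, not code from the thread or from any of the tools mentioned: it normalizes Run-key/MSConfig style entries (quotes, %SystemRoot%/%windir%, trailing arguments, case) and flags any whose file name is in a small table of core binaries but whose directory is not the expected one. The table and the C:\WINDOWS system root are assumptions for Windows XP as seen in this log; on a live host you would read %SystemRoot% from the environment and extend the table. The sample entries are constructed from the autostart lines in the ComboFix log above.

```python
"""Flag autostart/process entries that masquerade as core Windows binaries.

Added example for this thread, not code from the forum or from ComboFix.
svchost.exe belongs in %SystemRoot%\system32, so a copy in system32\drivers
(this thread's "MSConfigStartUp-SVCHOST" orphan) fails the check even
though the file name is right.
"""
import ntpath

# Where the genuine binaries live on Windows XP, relative to %SystemRoot%.
# Assumed table for the example; extend it for other names/OS versions.
EXPECTED_DIR = {
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "winlogon.exe": "system32",
    "csrss.exe": "system32",
    "explorer.exe": "",  # %SystemRoot% itself
}
SYSTEM_ROOT = r"c:\windows"  # assumed; read os.environ["SystemRoot"] on a live host


def normalize(entry, system_root=SYSTEM_ROOT):
    """Turn a Run-key/MSConfig value into a lower-case full path without arguments."""
    s = entry.strip().strip('"')
    # Expand the two environment forms commonly seen in Run keys.
    for var in ("%systemroot%", "%windir%"):
        idx = s.lower().find(var)
        if idx != -1:
            s = s[:idx] + system_root + s[idx + len(var):]
    s = s.lower()
    # Drop command-line arguments and a trailing quote: keep through the first ".exe".
    cut = s.find(".exe")
    if cut != -1:
        s = s[:cut + 4]
    return s


def is_impostor(path, system_root=SYSTEM_ROOT):
    """True if the file name is a core binary but the directory is not its real home."""
    directory, name = ntpath.split(path)
    if name not in EXPECTED_DIR:
        return False
    expected = ntpath.join(system_root, EXPECTED_DIR[name]).rstrip("\\")
    return directory != expected


def find_impostors(entries):
    """Normalized paths of the entries that fail the location check."""
    return [p for p in (normalize(e) for e in entries) if is_impostor(p)]


# Constructed sample drawn from the autostart entries in the ComboFix log above.
SAMPLE_ENTRIES = [
    r'"c:\windows\system32\ctfmon.exe"',
    r"c:\windows\system32\drivers\svchost.exe",
    r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    r"c:\progra~1\AVG\AVG8\avgtray.exe",
    r"c:\windows\explorer.exe",
    r"C:\Documents and Settings\All Users\Application Data\svchost.exe",
]

if __name__ == "__main__":
    for p in find_impostors(SAMPLE_ENTRIES):
        print("suspicious:", p)
```

The check is deliberately about location, not name: the legitimate service host with its "-k netsvcs" arguments passes, while the same file name under system32\drivers or under Application Data is reported. It does not replace a hash or signature check, but it is cheap to run over every Run key, service ImagePath and process list.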
Posted 11/27/2008 6:28 AM  #69010
Plight (Member; joined Nov 2016; 5 posts)
Thanks again. I am amazed.

Plight
Posted 11/28/2008 3:50 AM  #69039
Touch (Advanced member; joined Nov 2016; 12974 posts)
My pleasure :smile:

Uninstall ComboFix:
Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u.
Click Enter.

This will:
Uninstall ComboFix and delete its related folders and files.
Reset your clock settings.
Hide file extensions.
Hide the system/hidden files.
Reset System Restore again.

Also, please read this article by Tony Klein: How I got Infected in the First Place


