Help!!! Win32trojanTDSS

Help!!! Win32trojanTDSS

Post by speedyp on Mon Jul 13, 2009 10:36 pm

Help my pc is infected with Win32trojanTDSS
My PC is infected with Win32trojanTDSS and I can't remove it with Ad-Aware or the AVG virus scan. When I scan my PC it comes up, but it tells me that it will be removed after a reboot, and it is still there. I have Malwarebytes but can't use it because it will not open? I also have HijackThis, but don't know how to use it. I have to use my work PC to post on this forum. I am posting the log file from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:13 PM, on 7/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\DOCUME~1\test\LOCALS~1\Temp\b.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - *{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
R3 - URLSearchHook: (no name) - *{1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\test\LOCALS~1\Temp\tmp1C6.tmp",Init
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: PMCRemoteLauncher.lnk = C:\Documents and Settings\test\Local Settings\Application Data\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PMCRemoteLauncher.lnk = C:\Documents and Settings\test\Local Settings\Application Data\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe (User 'Default user')
O4 - Startup: PMCRemoteLauncher.lnk = C:\Documents and Settings\test\Local Settings\Application Data\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12897 bytes

speedyp (Novice) - Posts: 19 - Joined: 2009-07-13 - OS: xp

Re: Help!!! Win32trojanTDSS

Post by Origin on Tue Jul 14, 2009 12:48 am

Hello speedyp,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police staff, not from a regular member.
  • Do NOT run any tool without Geek Police supervision, as it could render your system useless.

  • Open HijackThis.
  • Choose "Do a system scan only".
  • Check the boxes in front of these lines:

    R3 - URLSearchHook: (no name) - *{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
    R3 - URLSearchHook: (no name) - *{1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 209.44.111.62 antispy.microsoft.com
    O1 - Hosts: 209.44.111.62 antiaware-pro.com
    O1 - Hosts: 209.44.111.62 ww.antiaware-pro.com
    O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\test\LOCALS~1\Temp\tmp1C6.tmp",Init
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  • Press "Fix Checked".
  • Close HijackThis.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

Origin (Master) - Posts: 2685 - Joined: 2009-05-05 - Gender: Male - OS: Windows Xp Sp3
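A small triage script for HijackThis log lines, added here as an illustration; it is not a tool from this thread or from Trend Micro. It encodes the heuristics behind the entries Origin told the poster to check (hosts-file redirects, components with no file on disk, autoruns and processes loading from a Temp directory, the Viewpoint service named above) and runs them over sample lines constructed from the log in the first post. The KernelFaultCheck leftover and the PokerStars button are left to human judgement; the `KNOWN_UNWANTED` list is an assumption seeded only with the name this thread mentions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the HijackThis log posted in this
# thread, mixed with benign entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\test\LOCALS~1\Temp\b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - *{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\test\LOCALS~1\Temp\tmp1C6.tmp",Init
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")   # "O1 - Hosts: ..." style lines
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                            # bare paths in "Running processes"
TEMP_RE = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)          # Temp directory or .tmp payload
LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: names the helper in this thread singled out for removal; extend as needed.
KNOWN_UNWANTED = ("viewpoint",)


@dataclass
class Finding:
    code: str    # HijackThis section code, or "PROC" for a running process
    reason: str
    line: str


def check_hosts(body: str) -> Optional[str]:
    """Return a reason string if an O1 hosts entry is not the stock 127.0.0.1 localhost line."""
    parts = body.split(None, 2)            # ["Hosts:", address, hostname]
    if len(parts) < 3:
        return None
    addr, name = parts[1], parts[2].strip()
    if addr == "127.0.0.1" and name.lower() == "localhost":
        return None                        # the only entry a stock XP hosts file carries
    if addr in LOOPBACK:
        return f"non-default hosts entry maps {name} to loopback"
    return f"hosts file redirects {name} to {addr}"   # e.g. antispy.microsoft.com sent elsewhere


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    m = ENTRY_RE.match(line)
    if m is None:
        # Process-list lines are bare paths; a process living in Temp is worth a look.
        if DRIVE_RE.match(line) and TEMP_RE.search(line):
            return Finding("PROC", "process running from a temp directory", line)
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O1" and body.startswith("Hosts:"):
        reason = check_hosts(body)
        return Finding(code, reason, line) if reason else None
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(code, "orphaned entry: registered component has no file on disk", line)
    if code == "O4" and TEMP_RE.search(body):
        return Finding(code, "autorun launching from a temp directory", line)
    if any(k in body.lower() for k in KNOWN_UNWANTED):
        return Finding(code, "known unwanted software named in this thread", line)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```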

Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 14, 2009 2:42 pm

Thanks, Origin
I will try this when I get home and I will let you know what is up.

speedyp (Novice) - Posts: 19 - Joined: 2009-07-13 - OS: xp

Re: Help!!! Win32trojanTDSS

Post by speedyp on Wed Jul 15, 2009 4:03 am

I tried to run Malwarebytes' Anti-Malware, but it won't run. I even deleted the program and tried to fool the virus by installing the file under the name bubble.exe. Luckily, I did run HijackThis and removed/fixed those files. Ad-Aware is still picking up the Win32trojanTDSS. You've been helpful; any more advice?

speedyp (Novice) - Posts: 19 - Joined: 2009-07-13 - OS: xp

Re: Help!!! Win32trojanTDSS

Post by Belahzur on Wed Jul 15, 2009 2:41 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34916 - Joined: 2008-08-03 - Gender: Male - OS: XP SP3 Media Centre

Re: Help!!! Win32trojanTDSS

Post by speedyp on Wed Jul 15, 2009 6:56 pm

Combofix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper, the name of each file. We may need it later
C:\WINDOWS\system32\drivers\hjgruifciunpxi.sys
C:\WINDOWS\system32\hjgruijeswtxvu.dll
C:\WINDOWS\system32\hjgruiepgvpucu.dat
C:\WINDOWS\system32\hjgruirksdtpwo.dll
C:\WINDOWS\system32\hjgruivpewixlb.dat
C:\WINDOWS\system32\drivers\UACkjmtokmeyojmjdpxs.sys
C:\WINDOWS\system32\UACpppkcyhmokkjaaafs.dll
C:\WINDOWS\system32\UACoeavuoelxlqgwqvhp.dll
C:\WINDOWS\system32\UACyxkqhyixmayknkemm.dat
C:\WINDOWS\system32\UACxeivmewornulnexsn.dll
C:\WINDOWS\system32\UACsaqixrsnwojlnqjnq.dll
C:\WINDOWS\system32\UACnbjbigetpfogbbkfh.db
C:\WINDOWS\system32\UACeorvojswejgrmlkgr.dll

I just posted this in case we need it.

speedyp (Novice) - Posts: 19 - Joined: 2009-07-13 - OS: xp

Re: Help!!! Win32trojanTDSS

Post by speedyp on Wed Jul 15, 2009 7:27 pm

Thank heavens! It looks like that worked. I am now running Malwarebytes' Anti-Malware and will later run Ad-Aware and the AVG virus scanner to see if I got everything. You guys are frick-in' awesome!!!!!!!!!

speedyp (Novice) - Posts: 19 - Joined: 2009-07-13 - OS: xp

Re: Help!!! Win32trojanTDSS

Post by Origin on Thu Jul 16, 2009 4:05 pm

Hello, can you please post the ComboFix.txt log?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

Origin (Master) - Posts: 2685 - Joined: 2009-05-05 - Gender: Male - OS: Windows Xp Sp3

Re: Help!!! Win32trojanTDSS

Post by speedyp on Sat Jul 18, 2009 1:31 am

ComboFix 09-07-14.08 - test 07/15/2009 14:58.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.589 [GMT -4:00]
Running from: c:\documents and settings\test\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\10764844
c:\docume~1\ALLUSE~1\APPLIC~1\10764844\10764844.exe
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-2103933001-3860206229-321726408-500
c:\windows\emMON.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\drivers\hjgruifciunpxi.sys
c:\windows\system32\drivers\UACkjmtokmeyojmjdpxs.sys
c:\windows\system32\hjgruiepgvpucu.dat
c:\windows\system32\hjgruijeswtxvu.dll
c:\windows\system32\hjgruirksdtpwo.dll
c:\windows\system32\hjgruivpewixlb.dat
c:\windows\system32\pcmstub.sys
c:\windows\system32\UACeorvojswejgrmlkgr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnbjbigetpfogbbkfh.db
c:\windows\system32\UACoeavuoelxlqgwqvhp.dll
c:\windows\system32\UACpppkcyhmokkjaaafs.dll
c:\windows\system32\UACsaqixrsnwojlnqjnq.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACxeivmewornulnexsn.dll
c:\windows\system32\UACyxkqhyixmayknkemm.dat
c:\windows\TEMP\logishrd\LVPrcInj02.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruidrjtidvm
-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 19:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-15 19:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-13 21:14 . 2009-07-15 18:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 18:47 . 2009-07-02 18:47 -------- d-----w- c:\documents and settings\test\Application Data\Malwarebytes
2009-07-02 18:47 . 2009-07-02 18:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-02 18:35 . 2009-07-02 18:35 -------- d-----w- c:\program files\Trend Micro
2009-07-02 16:26 . 2009-07-02 16:26 36480 ----a-w- c:\windows\system32\drivers\srenum.sys
2009-07-02 16:22 . 2009-07-02 16:22 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2009-06-25 14:35 . 2009-06-25 14:35 -------- d-----w- c:\documents and settings\test\Local Settings\Application Data\AVG Security Toolbar
2009-06-25 14:31 . 2009-07-13 22:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-16 14:55 . 2009-06-16 14:55 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:55 . 2009-06-16 14:55 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 19:16 . 2009-03-30 01:26 -------- d-----w- c:\documents and settings\test\Application Data\Skype
2009-07-11 04:47 . 2009-01-28 22:19 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-10 20:57 . 2007-03-31 03:57 -------- d-----w- c:\program files\Lx_cats
2009-07-03 13:32 . 2009-02-04 16:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 13:32 . 2009-01-28 22:20 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:32 . 2009-01-28 22:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-02 17:58 . 2009-07-02 17:54 4 ---h--w- c:\windows\Fonts\mlog
2009-06-16 14:55 . 2008-09-01 23:24 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2008-09-01 23:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-09 00:02 . 2008-05-04 16:30 -------- d-----w- c:\program files\PokerStars.NET
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\documents and settings\test\Application Data\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\program files\Pandora
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 23:12 . 2009-06-08 23:14 38208 ----a-w- c:\documents and settings\test\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-08 23:06 . 2007-06-04 02:01 -------- d-----w- c:\documents and settings\test\Application Data\BearShare
2009-06-08 13:35 . 2007-02-20 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-06-08 13:35 . 2007-02-20 18:08 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-06-04 19:45 . 2009-06-04 20:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 19:44 . 2009-06-04 19:45 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-04 19:38 . 2009-06-04 19:38 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 19:37 . 2009-06-04 19:37 -------- d-----w- c:\program files\Lavasoft
2009-06-04 19:37 . 2009-06-04 19:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-06-01 22:01 . 2009-06-01 22:01 -------- d-----w- c:\documents and settings\test\Application Data\AVS4YOU
2009-06-01 22:01 . 2009-06-01 22:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVS4YOU
2009-06-01 22:00 . 2009-06-01 21:55 -------- d-----w- c:\program files\AVS4YOU
2009-06-01 22:00 . 2009-06-01 21:56 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-29 01:05 . 2008-08-10 05:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-07 15:44 . 2008-09-01 23:23 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-09-01 23:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-09-01 23:23 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-06-14 21:29 . 2008-12-08 07:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-08-10 16:36 . 2007-06-04 02:00 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-11-16 32881]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 1838592]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\test\Start Menu\Programs\Startup\
PMCRemoteLauncher.lnk - c:\documents and settings\test\Local Settings\Application Data\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe [2008-9-16 50448]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 13:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/4/2009 3:45 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/28/2009 6:20 PM 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/4/2009 12:18 PM 298776]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 srenum;srenum;c:\windows\system32\drivers\srenum.sys [7/2/2009 12:26 PM 36480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [7/2/2009 12:22 PM 20480]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/28/2007 5:28 PM 24652]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lxdcmon.exe - c:\program files\Lexmark 1300 Series\lxdcmon.exe
Notify-dimsntfy - (no file)

speedyp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2009-07-13
OS : xp

View user profile

Back to top Go down

Re: Help!!! Win32trojanTDSS

Post by speedyp on Sat Jul 18, 2009 1:31 am

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\docume~1\test\APPLIC~1\Mozilla\Firefox\Profiles\mf62l5g5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\mf62l5g5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-15 15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?9?7?1??????? ???B???????????????B? ??????
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,5d,fe,3a,36,0e,
07,e8,20,c8,28,51,af,b0,29,a3,98,17,1f,67,25,93,f8,60,73,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,94,c3,06,27,94,
25,ea,b0,71,3b,04,66,8b,46,0d,96,4b,1b,91,86,f0,bb,18,f4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,82,b0,f8,c7,a2,
5d,10,fb,25,da,ec,7e,55,20,c9,26,03,ae,ad,f9,01,21,21,91,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,c4,d4,32,2d,c7,
18,88,c9,3e,1e,9e,e0,57,5a,93,61,5e,27,e7,54,fb,8f,ec,45,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,70,4a,c8,10,ec,
24,b0,06,cd,44,cd,b9,a6,33,6c,cd,85,66,c1,65,85,40,b7,94,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f5,7b,0f,79,3d,
c4,9c,23,b0,18,ed,a7,3f,8d,37,a4,48,db,a5,1c,16,12,1f,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,3e,5c,1f,6d,12,
0c,af,66,31,77,e1,ba,b1,f8,68,02,3a,47,1b,c7,75,bd,ff,69,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,be,8a,80,7c,9b,
01,aa,46,83,6c,56,8b,a0,85,96,ab,a8,1f,02,22,88,92,8b,e3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,84,79,1c,1c,d9,
3f,cc,44,51,fa,6e,91,28,9e,14,cc,b2,f7,4b,16,b0,a3,7a,76,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,d6,95,04,a5,6f,
d8,1f,65,b1,cd,45,5a,a8,c4,f8,b9,c1,15,df,81,4a,91,2d,b5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,cf,4e,be,11,52,
3d,c0,fd,e3,0e,66,d5,eb,bc,2f,6b,7c,1b,c7,c1,c7,b4,41,e0,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,41,0e,cf,7a,3c,
a0,3c,ac,fa,ea,66,7f,d4,3b,6b,70,f7,a9,eb,9c,ff,b4,40,7e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6984)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdccoms.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Logitech\QuickCam\LU\LULnchr.exe
c:\program files\Logitech\QuickCam\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2009-07-15 15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 19:20

Pre-Run: 26,257,043,456 bytes free
Post-Run: 26,946,007,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

324 --- E O F --- 2009-07-15 17:46

Re: Help!!! Win32trojanTDSS

Post by Origin on Sat Jul 18, 2009 7:39 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\test\Application Data\BearShare

Driver::
Viewpoint Manager Service

Firefox::
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

Origin
Master
Master

Status :
Online
Offline

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

View user profile

Back to top Go down

Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:00 pm

ComboFix 09-07-20.05 - test 07/21/2009 18:29.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.990.548 [GMT -4:00]
Running from: c:\documents and settings\test\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\test\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\test\Application Data\BearShare
c:\documents and settings\test\Application Data\BearShare\Artwork\2Pac - Better Dayz (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\88 Keys - The Death Of Adam.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\A Studio - Karaoke Rock_ Bohemian Like You.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Aim - Whatulookinat.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Alan Bernhoft - The Weeds.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Alicia Keys - If I Ain't Got You.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Andrew Gold - Thank You For Being a Friend_ The Best Of Andrew Gold.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Art Pepper - Arthur's Blues.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Atomiser - Beautiful Hallucination.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Ben Folds Five - Whatever And Ever Amen.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Big Brovaz - Scooby-Doo 2_ Monsters Unleashed_ The Album.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Big Chief Monk Boudreaux & The Golden Eagles - Mr. Stranger Man.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Birdman - Fast Money (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Birdman - Fast Money_ Screwed & Chopped (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Birdman - Like Father Like Son (Parental Advisory) (Limited Edition).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\BK & MrE - Under The Radar.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Bob Rowe - Coming Home Again.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Bow Wow - The Price Of Fame.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Bowling For Soup - A Hangover You Don't Deserve (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Boy-Girl Band - Thank You For Opening The Door_ Now I Can Molest Your Priests!.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Boyz N Da Hood - Welcome To Atlanta (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Brooks & Dunn - Sing The Eagles (Country Version).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Butch Cassidy - Back B4 You're Lonely (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\C-Bo - Money To Burn (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Capone - Pain_ Time & Glory.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Cassidy - I'm A Hustla (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Cassidy - Split Personality (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Cassidy (AKA B. Reese) - Split Personality (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Cepia - Dowry.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Chicago Blues Council - Chicago Blues Council_ Vol.3.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Chris Brown - Kiss Kiss.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Chrome Dreams - CD Audio Series - More Maximum Foo Fighters_ The Unauthorised Biography Of Foo Fighters.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Code Zero - Give Me Back My Bullets.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Common - Finding Forever (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Condor Records Presents - Eagle's Prayer_ Native Flutes Of The Americas.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Cross Connected - Please - Thank You - May I.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Crystal Woman - Eagle's Return.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Currency - Where Da Cash At (Single).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Dave Van Ronk - Ballads_ Blues & A Spiritual.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\David Blonski - On Wings Of Eagles.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\DJ Khaled - We The Best (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Do Or Die - D.O.D. (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\E-40 - The Element Of Surprise (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eagles - Eagles.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eagles - Hotel California.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eagles - On The Border.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eagles - The Eagles_ Their Greatest Hits.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eagles Of Death Metal - Peace Love Death Metal.jpeg

Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:01 pm

c:\documents and settings\test\Application Data\BearShare\Artwork\Ed Bruce - This Old Hat.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eels - Daisies of the Galaxy (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eels - Electro-Shock Blues.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eels - Meet The Eels_ Essential Eels 1996-2006_ Vol.1 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eels - Shootenanny!.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Electric Eels - The Eyeball Of Hell.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Elvis Presley - The Complete Million Dollar Quartet.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eva Cassidy - Live At Blues Alley.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Eva Cassidy - Sing Eva Cassidy_ Vol.1.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Everything But The Girl - Worldwide.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Future Hitmakers United - The Hit Machine.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\G-Unit - Beg For Mercy (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\G-Unit - Beg For Mercy (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Ghostface Killah - More Fish (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Gin Blossoms - Outside Looking In_ The Best Of The Gin Blossoms.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Grandpa's Ghost - Stardust & Smog_Early Autumn Waltz At The Two_Fourteen.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Gucci Mane - Back To The Traphouse (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Gucci Mane - Hard To Kill (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Gucci Mane - Trap House (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Hit Makers - Massive Tracks.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Hits Doctor Music Presents - Done Again (In The Style Of Eagles)_ Eagles_ Vol.1.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Huey - Notebook Paper (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Indeed - Inter-Dimensional Space Commander.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Janet Jackson - Damita Jo (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Janet Jackson - Damita Jo (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Jason Mraz - Tonight_ Not Again_ Jason Mraz Live At The Eagles Ballroom.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Jerry Fielding - The Best Of Star Trek- 30th Anniversary Special_ Original TV Soundtracks.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Jin - The Rest Is History (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\John Denver - Homegrown.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Johnny Shines - Back To The Country.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Juanita Wright - Gospel Inspiration By Trinity Voices (Lord Thank You).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kaada - Thank You For Giving Me Your Valuable Time.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - Graduation (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - Impossible (E-Single).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - Late Registration (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - Late Registration (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - The College Dropout (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - The College Dropout (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - Through The Wire.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kanye West - We Don't Care (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Karine Georgian - Chamber Works.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Kidzup Production Inc. Presents - Thank You Lord.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Led Zeppelin - Karaoke_ Classic Rock_ Vol.20.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Led Zeppelin Celtic Tribute - The Celtic Tribute To Led Zeppelin_ Long Ago And Far Away.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Legacy - Moment Of Silence (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Lil' Flip - Da Bottom_ Vol.6 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Lil' Romeo - RomeoLand.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Limp Bizkit - Greatest Hits (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Limp Bizkit - Greatest Hits (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Limp Bizkit - Results May Vary (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Limp Bizkit - Results May Vary.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Machine Go Boom - Thank You Captain Obvious.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Meewasin Oma - In Loving Memory.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Mel Brown And The Homewreckers - Blues - A Beautiful Thing.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Meredith Brooks - Female Alternative_ Vol.5 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Milton Rettenberg - Music Of Kern_ Gershwin_ Rogers_ Youmans And Arthur Schwartz.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Moby - Go_ The Very Best Of Moby.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Mr. Maph - Mi Casa Es Su Casa (Single).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Mystikal - Prince Of The South...The Hits (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Nancy Cassidy - Night Skies.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Nancy Cassidy - Pocketbook Romance.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Ne-Yo - Because Of You (Remix) (Single).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Nick Cave & The Bad Seeds - The Abattoir Blues Tour.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Not Missing Drums Project - Urban Voices.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\OG Ron C - Spring Break 2K5.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Paul Wall - Live From The Gridiron (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Pete Townshend - Deep End Live!.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Peter Petrel - Große Erfolge - Es Geht Wieder Aufwärts.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Plain White T's - All That We Needed.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Plain White T's - Hey There Delilah (Single).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Plain White T's - Hey There Delilah.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Rana - CBGB's - NYC_ NY - 11.29.02.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Robert Tree Cody - Young Eagles Flight.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Ronald Roybal - Eagle's Journey Into Dawn.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Roxanne Shanté - Bad Sister (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Samson - Thank You And Goodnight... (Live).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Scarface - My Homies (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Silverchair - Diorama.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Silverchair - Frogstomp.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Silverchair - Modern Rock_ Vol.4.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Silverchair - Sound Choice Karaoke_ Headbangers_ Vol.11 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Silverchair - The Greatest View.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Slingshot Dakota - Keener Sighs.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Slum Village - Detroit Deli (A Taste Of Detroit) (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Soulja Boy Tellem - Souljaboytellem.com.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\T-Pain - Buy U A Drank (Shawty Snappin') Remix (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\T-Pain - Buy U A Drank (Shawty Snappin') Remix (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\T-Pain - Epiphany (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\T-Pain - Rappa Ternt Sanga (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Talib Kweli - Eardrum (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Terri Hendrix - Places In Between.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Tha Eastsidaz - Tha Eastsidaz (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Blacks - OG Season_ Vol.1.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Bridging The Distance_ A Portland_ OR Covers Compilation.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Cover To Cover_ The Songs Of David Bowie.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Earth To The Dandy Warhols.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Odditorium Or Warlords Of Mars.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - The Acoustic Alternative Album.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - The Dandy Warhols Come Down.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Thirteen Tales From Urban Bohemia.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dandy Warhols - Welcome To The Monkey House.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Dixie Hummingbirds - Thank You For One More Day_ The 70th Anniversary Of The Dixie Hummingbirds.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Gold Soul All Stars - A Tribute To Kanye West.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Golden Eagles - Lightning And Thunder.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The New Year Hit Makers - 2009 Super Hits Playlist - Singalong Version.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The Punks - Thank You For the Alternative Rock.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The White Stripes - Get Behind Me Satan (Bonus Track).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The White Stripes - Get Behind Me Satan.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\The White Stripes - White Blood Cells.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Thirty Stones - A Tribute To The White Stripes.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Todd Barry - Falling Off The Bone.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Tribute Sounds Presents - Progressive String Quartet Tribute To Pantera.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Trina - Southern Smoke 18 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Unk - Stomp The Yard_ Original Motion Picture Soundtrack.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Unk - Walk It Out (Remix) (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Van Halen - Classic Rock_ Vol.23.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Victory Military Band - Flag Waver_ 21 Red_ White & Blue Favorites.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Violator - The Album_ V2.O (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Vitro - Spawn_ The Album.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\WDR Big Band Cologne - Blues & Beyond.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Weezer - Weezer (Red Album) (Deluxe Edition).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Where Eagles Dare - In A Thousand Words Or Less.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Wild Bill Davison - But Beautiful.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Wilmer Watts & The Lonely Eagles - Times Ain't Like They Used To Be_ Early American Rural Music_ Vol.2.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Yo Gotti - Da Bottom_ Vol.9 (Parental Advisory).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\You Am I - Convicts.jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Young Jeezy - The Recession (Edited).jpeg
c:\documents and settings\test\Application Data\BearShare\Artwork\Yung Joc - Joc Of Spades.jpeg

speedyp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2009-07-13
OS : xp

View user profile

Back to top Go down

Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:02 pm

c:\documents and settings\test\Application Data\BearShare\Creatives.xml
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\10.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1040.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1043.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1044.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1050.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1054.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1055.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1057.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1058.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1060.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1062.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1063.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\1070.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\11.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\12.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\13.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\14.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\15.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\16.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\17.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\18.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\19.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\2.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\20.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\21.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\22.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\23.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\24.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\25.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\26.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\27.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\28.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\29.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\3.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\30.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\31.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\32.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\33.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\34.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\35.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\36.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\37.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\38.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\4.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\5.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\6.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\7.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\8.gif
c:\documents and settings\test\Application Data\BearShare\CreativesFiles\9.gif
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\__db.001
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\__db.002
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\__db.003
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\__db.004
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\BackUp\DataDir\ContentDirs.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\BackUp\DataDir\ContentFile.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\BackUp\DataDir\DownloadFile.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\BackUp\DataDir\PartsHashes.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\BackUp\DataDir\Playlists.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\DataDir\ContentDirs.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\DataDir\ContentFile.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\DataDir\DownloadFile.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\DataDir\PartsHashes.db
c:\documents and settings\test\Application Data\BearShare\Data\DataBase\DataDir\Playlists.db
c:\documents and settings\test\Application Data\BearShare\Data\rjn.a92
c:\documents and settings\test\Application Data\BearShare\IMPictures\19809809.gif
c:\documents and settings\test\Application Data\BearShare\Partials\{019E6FCF-408B-4696-B461-6337F737FBA4}.tmp
c:\documents and settings\test\Application Data\BearShare\Partials\{51B26FCB-922A-40AE-A918-65E5DA8067AE}.tmp
c:\documents and settings\test\Application Data\BearShare\Partials\{96E9C604-BCBA-4228-9EFB-7B8AE66FA342}.tmp
c:\documents and settings\test\Application Data\BearShare\Partials\{CCB7E219-F1C1-45A2-A901-D206FAECF9F5}.tmp
c:\documents and settings\test\Application Data\BearShare\Partials\{E16DB730-6F88-4A58-9400-955310011201}.tmp
c:\documents and settings\test\Application Data\BearShare\Partials\{F3EA26FE-C9E7-43F7-8DF2-FFE4F01B4588}.tmp
c:\documents and settings\test\Application Data\BearShare\Statistics.xml
c:\windows\Fonts\mlog


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:02 pm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-15 19:24 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 19:24 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 19:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-15 19:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-13 21:14 . 2009-07-15 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-03 13:33 . 2009-07-02 20:55 551192 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2009-07-03 13:33 . 2009-07-02 20:56 294168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.dll
2009-07-03 13:33 . 2009-07-02 20:56 281880 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmvflx.dll
2009-07-03 13:33 . 2009-07-02 20:55 170776 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-07-03 13:33 . 2009-07-02 20:56 153368 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-07-03 13:33 . 2009-07-03 13:32 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-03 13:33 . 2009-07-03 13:32 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-03 13:33 . 2009-07-03 13:32 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-03 13:33 . 2009-07-02 20:56 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-07-03 13:33 . 2009-07-02 20:56 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-07-03 13:33 . 2009-07-02 20:56 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-07-03 13:29 . 2009-07-03 13:28 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-03 13:29 . 2009-07-03 13:28 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-03 13:28 . 2009-07-02 20:56 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-03 13:28 . 2009-07-02 20:56 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-02 18:47 . 2009-07-02 18:47 -------- d-----w- c:\documents and settings\test\Application Data\Malwarebytes
2009-07-02 18:47 . 2009-07-02 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 18:35 . 2009-07-02 18:35 -------- d-----w- c:\program files\Trend Micro
2009-07-02 16:25 . 2009-06-14 20:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-02 16:22 . 2009-07-02 16:22 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2009-06-25 14:35 . 2009-06-25 14:35 -------- d-----w- c:\documents and settings\test\Local Settings\Application Data\AVG Security Toolbar
2009-06-25 14:32 . 2009-06-25 14:30 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-25 14:31 . 2009-07-13 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

.


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:03 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 22:44 . 2009-03-30 01:26 -------- d-----w- c:\documents and settings\test\Application Data\Skype
2009-07-21 04:47 . 2007-03-31 03:57 -------- d-----w- c:\program files\Lx_cats
2009-07-17 14:47 . 2009-01-28 22:20 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 04:47 . 2009-01-28 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 19:47 . 2009-06-19 04:24 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-09 19:47 . 2009-06-19 04:24 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-09 19:47 . 2009-06-19 04:23 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-03 13:32 . 2009-07-03 13:34 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-03 13:32 . 2009-02-04 16:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 13:32 . 2009-01-28 22:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-03 13:32 . 2009-07-03 13:34 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-03 13:32 . 2009-07-03 13:34 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-03 13:32 . 2009-07-03 13:34 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-03 13:32 . 2009-07-03 13:34 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-03 13:32 . 2009-07-03 13:34 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-03 13:32 . 2009-07-03 13:34 1107224 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssie.dll
2009-07-03 13:32 . 2009-07-03 13:34 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-02 20:56 . 2009-07-03 13:34 840984 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-07-02 20:56 . 2009-07-03 13:34 309016 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgvvx.dll
2009-07-02 20:56 . 2009-07-03 13:34 330520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsched.dll
2009-07-02 20:56 . 2009-07-03 13:34 161048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe
2009-07-02 20:56 . 2009-07-03 13:34 67352 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcrlpx.dll
2009-07-02 20:56 . 2009-07-03 13:34 308504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxpl.dll
2009-07-02 20:56 . 2009-07-03 13:34 550168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgapix.dll
2009-07-02 20:56 . 2009-07-03 13:34 181528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avg7api.dll
2009-07-02 20:56 . 2009-07-03 13:34 222488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\fixcfg.exe
2009-07-02 20:56 . 2009-07-03 13:34 223512 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-07-02 20:56 . 2009-07-03 13:34 231704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdsvc.exe
2009-07-02 20:55 . 2009-07-03 13:34 79128 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgpp.dll
2009-07-02 20:55 . 2009-07-03 13:34 202008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcmgr.exe
2009-07-02 20:55 . 2009-07-03 13:34 99608 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgse.dll
2009-07-02 20:55 . 2009-07-03 13:34 1948440 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguires.dll
2009-07-02 20:55 . 2009-07-03 13:34 1004800 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-07-02 20:55 . 2009-07-03 13:34 1261336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-07-02 20:55 . 2009-07-03 13:34 247064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgoff2k.dll
2009-07-02 20:55 . 2009-07-03 13:34 68376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgdumpx.exe
2009-07-02 20:55 . 2009-07-03 13:34 405272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgex.exe
2009-07-02 20:55 . 2009-07-03 13:34 358168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll
2009-07-02 20:55 . 2009-07-03 13:34 419096 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssff.dll
2009-07-02 19:48 . 2009-06-19 04:24 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-02 19:48 . 2009-06-19 04:24 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-02 19:48 . 2009-06-19 04:24 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-02 19:48 . 2009-06-19 04:24 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-02 19:48 . 2009-06-04 19:45 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-02 19:48 . 2009-06-04 19:44 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-02 19:48 . 2009-06-04 19:44 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-02 19:48 . 2009-06-19 04:24 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-02 19:48 . 2009-06-19 04:24 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-02 19:47 . 2009-06-19 04:24 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-02 19:47 . 2009-06-19 04:24 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-02 19:47 . 2009-06-19 04:23 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-02 19:47 . 2009-06-19 04:23 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-02 19:47 . 2009-06-19 04:23 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-25 14:30 . 2009-07-03 13:34 692504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcsrvx.exe
2009-06-25 14:30 . 2009-07-03 13:34 417560 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2009-06-25 14:30 . 2009-07-03 13:34 382744 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2009-06-25 14:29 . 2009-07-03 13:34 274200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgamnot.dll
2009-06-16 14:55 . 2008-09-01 23:24 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2008-09-01 23:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-09 00:02 . 2008-05-04 16:30 -------- d-----w- c:\program files\PokerStars.NET
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\documents and settings\test\Application Data\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\program files\Pandora
2009-06-08 23:14 . 2009-06-08 23:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 23:12 . 2009-06-08 23:14 38208 ----a-w- c:\documents and settings\test\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-08 13:35 . 2007-02-20 18:07 -------- d-----w- c:\program files\Spyware Doctor
2009-06-08 13:35 . 2007-02-20 18:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-04 19:45 . 2009-06-04 20:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 19:45 . 2009-06-04 19:45 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-04 19:44 . 2009-06-04 19:45 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-04 19:44 . 2009-06-04 19:44 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-04 19:38 . 2009-06-04 19:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 19:37 . 2009-06-04 19:37 -------- d-----w- c:\program files\Lavasoft
2009-06-04 19:37 . 2009-06-04 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-03 19:27 . 2008-09-01 23:23 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 22:01 . 2009-06-01 22:01 -------- d-----w- c:\documents and settings\test\Application Data\AVS4YOU
2009-06-01 22:01 . 2009-06-01 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-01 22:00 . 2009-06-01 21:55 -------- d-----w- c:\program files\AVS4YOU
2009-06-01 22:00 . 2009-06-01 21:56 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-29 01:05 . 2008-08-10 05:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-07 15:44 . 2008-09-01 23:23 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-09-01 23:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-14 21:29 . 2008-12-08 07:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-08-10 16:36 . 2007-06-04 02:00 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:03 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-21 22:40 . 2008-07-26 12:25 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-07-15 19:12 . 2008-07-26 12:25 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2008-09-01 23:23 . 2009-06-03 19:27 1290752 c:\windows\system32\dllcache\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-11-16 32881]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-23 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 1838592]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:04 pm

c:\documents and settings\test\Start Menu\Programs\Startup\
PMCRemoteLauncher.lnk - c:\documents and settings\test\Local Settings\Application Data\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe [2008-9-16 50448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 13:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/4/2009 3:45 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/28/2009 6:20 PM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/4/2009 12:18 PM 298776]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [7/2/2009 12:22 PM 20480]
S2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys --> c:\windows\system32\DRIVERS\srenum.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:47]

2008-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]

2009-07-17 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4176167818.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-07-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-07-17 c:\windows\Tasks\WebReg 20070409211835.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-09 22:06]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\mf62l5g5.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\mf62l5g5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:04 pm

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-21 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?9?7?1??????? ???B???????????????B? ??????
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,5d,fe,3a,36,0e,
07,e8,20,c8,28,51,af,b0,29,a3,98,17,1f,67,25,93,f8,60,73,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,94,c3,06,27,94,
25,ea,b0,71,3b,04,66,8b,46,0d,96,4b,1b,91,86,f0,bb,18,f4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,82,b0,f8,c7,a2,
5d,10,fb,25,da,ec,7e,55,20,c9,26,03,ae,ad,f9,01,21,21,91,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,c4,d4,32,2d,c7,
18,88,c9,3e,1e,9e,e0,57,5a,93,61,5e,27,e7,54,fb,8f,ec,45,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,70,4a,c8,10,ec,
24,b0,06,cd,44,cd,b9,a6,33,6c,cd,85,66,c1,65,85,40,b7,94,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f5,7b,0f,79,3d,
c4,9c,23,b0,18,ed,a7,3f,8d,37,a4,48,db,a5,1c,16,12,1f,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,3e,5c,1f,6d,12,
0c,af,66,31,77,e1,ba,b1,f8,68,02,3a,47,1b,c7,75,bd,ff,69,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,be,8a,80,7c,9b,
01,aa,46,83,6c,56,8b,a0,85,96,ab,a8,1f,02,22,88,92,8b,e3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,84,79,1c,1c,d9,
3f,cc,44,51,fa,6e,91,28,9e,14,cc,b2,f7,4b,16,b0,a3,7a,76,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,d6,95,04,a5,6f,
d8,1f,65,b1,cd,45,5a,a8,c4,f8,b9,c1,15,df,81,4a,91,2d,b5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,cf,4e,be,11,52,
3d,c0,fd,e3,0e,66,d5,eb,bc,2f,6b,7c,1b,c7,c1,c7,b4,41,e0,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,41,0e,cf,7a,3c,
a0,3c,ac,fa,ea,66,7f,d4,3b,6b,70,f7,a9,eb,9c,ff,b4,40,7e,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(8144)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxdccoms.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Logitech\QuickCam\LU\LULnchr.exe
c:\program files\Logitech\QuickCam\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2009-07-21 18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-21 22:48
ComboFix2.txt 2009-07-18 01:54
ComboFix3.txt 2009-07-15 19:20

Pre-Run: 26,192,711,680 bytes free
Post-Run: 26,150,027,264 bytes free

622 --- E O F --- 2009-07-21 22:04


Re: Help!!! Win32trojanTDSS

Post by speedyp on Tue Jul 21, 2009 11:07 pm

Sorry it is so long.

Re: Help!!! Win32trojanTDSS

Post by Origin on Wed Jul 22, 2009 9:22 pm

Please run another Malwarebytes scan and post the results back here.


Re: Help!!! Win32trojanTDSS

Post by speedyp on Thu Jul 23, 2009 1:53 am

Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

7/22/2009 9:52:21 PM
mbam-log-2009-07-22 (21-52-21).txt

Scan type: Quick Scan
Objects scanned: 105130
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Help!!! Win32trojanTDSS

Post by Origin on Fri Jul 24, 2009 6:37 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?



Re: Help!!! Win32trojanTDSS

Post by speedyp on Mon Jul 27, 2009 4:53 pm

It is running fine. Thanks.

Re: Help!!! Win32trojanTDSS

Post by speedyp on Mon Jul 27, 2009 4:53 pm

I did uninstall ComboFix.

Re: Help!!! Win32trojanTDSS

Post by Belahzur on Mon Jul 27, 2009 9:00 pm

Yes, that's what ComboFix /u does.

Win32TrojanTdss

Post by ven kahn on Thu Oct 15, 2009 1:18 am

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read [You must be registered and logged in to see this link.] over and [You must be registered and logged in to see this link.] to open a new topic.
