Win32trojanTDSS Removal Assistance Needed


Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 6:42 pm

So, Ad-Aware says I have Win32trojanTDSS and that it will get rid of it but I need to reboot my computer. That didn't work, it's still there, and it's a pain to get rid of. I'm very untrained in this type of computer work and could really use some hands-on (and hopefully sympathetic/semi-beginner helping) assistance. I tried downloading Malwarebyte's Anti-Malware but it won't run, as I expected.

Help, please?

I'm using a desktop with Windows XP.

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26987
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 6:50 pm

Hello Alex Freeman,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision, as it could render your system useless.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31513
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 6:54 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:25 PM, on 7/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\msb.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\b.exe
C:\Documents and Settings\Andrew Gladwin\Desktop\HJTInstall.exe
C:\Documents and Settings\Andrew Gladwin\Desktop\HJTInstall.exe
C:\Documents and Settings\Andrew Gladwin\Desktop\HJTInstall.exe
C:\Documents and Settings\Andrew Gladwin\Desktop\HJTInstall.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Andrew Gladwin\Desktop\HJTInstall.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [Xderuvaponame] rundll32.exe "C:\WINDOWS\Onimacehez.dll",e
O4 - HKLM\..\Run: [Edalizajovanile] rundll32.exe "C:\WINDOWS\oyedilawetidalu.dll",e
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\nos_uninstall_Adobe.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\b.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - [You must be registered and logged in to see this link.]
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11201 bytes


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 6:56 pm

Let's try working here first; if things get too difficult, then we will deal with it in safe mode.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 7:16 pm

So I ran the scan, but it goes blue screen halfway through. It did it twice. Should I run safe mode and retry the scan?


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 7:24 pm

Well, I ran the scan in safe mode, but I can't access the internet in it (using a laptop in the house). Should I do something like save it in Notepad, reboot and switch to regular mode, and paste it in here?


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 7:26 pm

And another note (sorry I'm not editing, his laptop is bogged) is that I can't type in safe mode, only copy and paste. Weird.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 7:28 pm

No, please do the following:

I see that you are running BitTorrent.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitTorrent



  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [Xderuvaponame] rundll32.exe "C:\WINDOWS\Onimacehez.dll",e
    O4 - HKLM\..\Run: [Edalizajovanile] rundll32.exe "C:\WINDOWS\oyedilawetidalu.dll",e
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\b.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe



  • Press "Fix Checked"
  • Close Hijack This.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


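The triage the helper performs above by eye, picking out the O4 autorun entries that do not belong, can be written down as detection logic. This is an added illustration, not code from this thread, from HijackThis or from ComboFix; the sample lines are constructed from the log posted earlier in the thread, and the heuristics are my own crude stand-ins for the cues a helper checks (Temp directories, files dropped in the Windows root, rundll32 loaders, odd extensions, machine-generated names).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the O4 lines in the HijackThis log above: three benign
# entries plus the four the helper marked for "Fix Checked".
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe',
    r'O4 - HKLM\..\Run: [Xderuvaponame] rundll32.exe "C:\WINDOWS\Onimacehez.dll",e',
    r'O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"',
    r'O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k',
    r'O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\b.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Registry-style O4 line: hive (optionally with a SID or .DEFAULT), Run/RunOnce key,
# [entry name], command. "O4 - Global Startup:" lines have a different shape and are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
KNOWN_EXT = {'.exe', '.dll', '.com', '.scr', '.bat', '.cmd'}


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    cmd: str
    path: str  # the file that actually gets executed or loaded


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str]


def target_path(cmd: str) -> str:
    """Pull the executed file out of the command: the DLL handed to rundll32,
    else the quoted program, else everything up to a known executable extension."""
    m = re.match(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0]


def parse_o4(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Entry(m['hive'], m['key'], m['name'], m['cmd'], target_path(m['cmd'])))
    return entries


def reasons_for(entry: Entry) -> List[str]:
    """Crude triage heuristics (my own, not HijackThis's). Each mirrors a cue a forum helper
    uses when reading O4 lines by eye; a hit means 'look closer', not 'malware'."""
    folder, _, fname = entry.path.rpartition('\\')
    ext = '.' + fname.rsplit('.', 1)[1].lower() if '.' in fname else ''
    out = []
    if re.search(r'\\(temp|locals~1)\\', entry.path, re.IGNORECASE):
        out.append('runs from a user Temp directory')
    if re.fullmatch(r'[a-z]\.(exe|dll|com|scr)', fname, re.IGNORECASE):
        out.append('single-letter file name')
    if re.fullmatch(r'(?:c:\\windows|%systemroot%|%windir%)', folder, re.IGNORECASE):
        out.append('file sits directly in the Windows root, not in a program folder')
    if entry.cmd.lower().startswith('rundll32') and ext == '.dll':
        out.append('DLL loaded via rundll32, so only the stock Windows binary shows in process lists')
    if ext and ext not in KNOWN_EXT:
        out.append(f'unusual executable extension {ext}')
    if re.fullmatch(r'[A-Z][a-z]{11,}', entry.name):
        out.append('entry name looks machine-generated')
    if 'dumprep 0 -k' in entry.cmd:
        out.append('leftover crash-report launcher (housekeeping, not malware)')
    return out


def triage(text: str) -> List[Finding]:
    """Return only the autorun entries that tripped at least one heuristic, in log order."""
    return [Finding(e.name, e.path, r) for e in parse_o4(text) if (r := reasons_for(e))]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.name}] {f.path}')
        for reason in f.reasons:
            print(f'    - {reason}')
```

Run against the sample it flags exactly the four entries the helper checked and leaves the benign ones alone; feeding it a full HijackThis log gives a shortlist to read closely, not a verdict.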

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 8:45 pm

Alright, I deleted anything I could find of BitTorrent (which wasn't much because I deleted it forever ago, so I was a little confused).

I've downloaded ComboFix and I'm running it, but it just says it's preparing to run and I'm not entirely sure what to do now. Sorry I took this long to respond, I had to run out but I'm all ears now. I just don't get the last bullets.

Follow the prompts. NOTE:

Allow combofix to run

Post C:\combofix.txt back here.

It had me download something from microsoft, but it's stopped there at a blue screen, not the one on the whole computer but Combo Fix is on blue.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 8:47 pm

Ah, wait, hold on, it's running now, says it may take a little while for scanning of infected files. Am I on the right track?


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 8:49 pm

Yes you are; once it is finished, please post the log back here.



Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 8:51 pm

It said to note down the following files.

C:\WINDOWS\system32\drivers\UACcnforbufkx.sys
C:\WINDOWS\system32\UACnpuisbseta.dll
C:\WINDOWS\system32\UACbboadcddgh.dll
C:\WINDOWS\system32\UACkfyqluclil.dat
C:\WINDOWS\system32\UACvpvmkxpied.db
C:\WINDOWS\system32\UACuvahiojnwm.dll
C:\WINDOWS\system32\UACqehnejcqhh.dll
C:\WINDOWS\system32\UACqqbloxgebn.dll


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 8:51 pm

And after I ok'ed that, it restarted my computer. Not blue screen, just restarted.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 8:52 pm

Rootkit found. Continue with the scan once you reboot.



Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:03 pm

Alright, it has taken this long and it's at Completed Stage_50 and nothing has happened for a few minutes. Should I just keep waiting, am I being impatient?


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:04 pm

Just being impatient, it just said it's deleting files now. Waiting.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 9:11 pm

If your machine is really infected, it takes a long time.



Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:18 pm

Alright, here it is. Oddly, it deleted my background and went to the one I had before, which is good for me because I couldn't find it and prefer it.

ComboFix 09-07-23.01 - Andrew Gladwin 07/23/2009 16:52:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.313 [GMT -4:00]
Running from: C:\Documents and Settings\Andrew Gladwin\Desktop\Combo-Fix.exe
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Anti-virus Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\1.wmv
C:\Program Files\INSTALL.LOG
C:\WINDOWS\Installer\5958b2.msi
C:\WINDOWS\Installer\5958b8.msi
C:\WINDOWS\Installer\5958be.msi
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\UACcnforbufkx.sys
C:\WINDOWS\system32\drivers\vsfoceswvanhtk.sys
C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\net.net
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\UACbboadcddgh.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACkfyqluclil.dat
C:\WINDOWS\system32\UACnpuisbseta.dll
C:\WINDOWS\system32\UACqehnejcqhh.dll
C:\WINDOWS\system32\UACqqbloxgebn.dll
C:\WINDOWS\system32\UACuvahiojnwm.dll
C:\WINDOWS\system32\UACvpvmkxpied.db
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 18:54:49 . 2009-07-23 18:54:49 0 d-----w- C:\Program Files\Trend Micro
2009-07-23 16:28:25 . 2009-07-03 14:49:07 15688 ----a-w- C:\WINDOWS\system32\lsdelete.exe
2009-07-23 16:18:01 . 2009-07-03 14:49:08 64160 ----a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-07-23 16:17:14 . 2009-07-23 16:17:26 0 dc-h--w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 16:16:47 . 2009-07-23 16:17:58 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-23 16:16:47 . 2009-07-23 16:16:47 0 d-----w- C:\Program Files\Lavasoft
2009-07-23 05:36:19 . 2009-07-23 05:34:01 137728 ----a-w- C:\WINDOWS\msb.exe
2009-07-17 18:39:42 . 2009-07-17 18:39:42 0 d-----w- C:\Program Files\iPod
2009-07-13 20:40:20 . 2009-07-13 20:40:36 0 d-----w- C:\Program Files\TuneUpMedia
2009-07-13 20:40:11 . 2009-07-23 04:52:22 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\TuneUpMedia
2009-07-13 20:40:08 . 2009-07-13 20:40:40 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUpMedia
2009-07-09 03:43:12 . 2009-07-09 03:43:12 0 d-----w- C:\Program Files\The Extractor
2009-07-09 03:43:12 . 2009-07-09 03:42:58 737280 ----a-w- C:\WINDOWS\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 21:05:39 . 2007-07-03 21:44:11 386276 --sha-w- C:\WINDOWS\system32\drivers\fidbox.idx
2009-07-23 21:05:39 . 2007-07-03 21:43:59 31641376 --sha-w- C:\WINDOWS\system32\drivers\fidbox.dat
2009-07-23 20:46:01 . 2008-12-11 01:36:40 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
2009-07-23 20:32:28 . 2008-12-23 19:35:35 0 d-----w- C:\Program Files\DNA
2009-07-17 18:40:09 . 2008-01-13 03:13:08 0 d-----w- C:\Program Files\iTunes
2009-07-17 18:39:40 . 2007-06-30 20:37:08 0 d-----w- C:\Program Files\Common Files\Apple
2009-07-16 20:52:52 . 2006-04-24 17:24:34 2516 --sha-w- C:\WINDOWS\system32\KGyGaAvL.sys
2009-07-16 20:52:52 . 2005-11-21 17:42:20 56 --sh--r- C:\WINDOWS\system32\0F7D1EBD22.sys
2009-07-16 20:44:02 . 2008-12-11 01:36:40 0 d-----w- C:\Program Files\NOS
2009-07-05 18:48:26 . 2005-09-26 03:46:13 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\Apple Computer
2009-07-05 16:27:56 . 2009-06-22 01:00:48 0 d-----w- C:\Program Files\FlashMute
2009-06-17 22:04:15 . 2007-06-30 20:37:08 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2009-06-16 14:55:16 . 2004-08-10 17:51:26 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-06-16 14:55:16 . 2004-08-10 17:51:07 82432 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-06-13 00:02:37 . 2006-07-21 20:03:52 1878984 ----a-w- C:\Documents and Settings\Andrew Gladwin\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-10 22:29:23 . 2009-06-10 19:53:13 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\U3
2009-06-10 22:18:58 . 2008-10-13 17:57:15 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\gtk-2.0
2009-06-04 21:10:52 . 2009-05-26 19:34:12 25 ----a-w- C:\WINDOWS\popcinfot.dat
2009-06-03 19:27:58 . 2004-08-10 17:51:20 1290752 ----a-w- C:\WINDOWS\system32\quartz.dll
2009-06-02 11:06:51 . 2009-06-02 11:05:50 0 d-----w- C:\Program Files\QuickTime
2009-05-29 17:36:16 . 2009-05-10 20:38:39 2060288 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2009-05-29 17:36:16 . 2008-01-13 03:04:24 39424 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2009-05-26 19:33:32 . 2009-05-26 19:33:32 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap Games
2009-05-26 19:33:32 . 2009-05-26 19:32:38 0 d-----w- C:\Program Files\PopCap Games
2009-05-07 15:44:00 . 2004-08-10 17:51:11 344064 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-04-29 04:56:02 . 2004-08-10 17:51:29 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-04-29 04:55:56 . 2004-08-10 17:51:09 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2009-07-18 04:39:57 . 2008-06-18 10:39:57 137208 ----a-w- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
2007-07-23 21:22:05 . 2007-07-23 21:22:05 19104 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2007-07-23 21:22:06 . 2007-07-23 21:22:06 105632 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:18 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Program Files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 22:24:28 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24:37 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 19:08:26 67160]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 00:07:44 389120]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 22:07:44 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 22:16:12 4670968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00:00 15360]
"FlashMute"="C:\Program Files\FlashMute\FlashMute.exe" [2006-03-11 19:49:16 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 00:42:54 1404928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 06:05:00 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 21:50:42 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 21:50:18 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 06:02:00 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11:42 49152]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35:40 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32:24 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36:20 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-26 14:45:26 136600]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 21:10:28 35696]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-05-26 21:18:30 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-07-13 18:03:10 292128]
"Edalizajovanile"="C:\WINDOWS\oyedilawetidalu.dll" [2008-12-04 23:59:24 134144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - C:\WINDOWS\system32\narrator.exe [2004-08-04 10:00:00 53760]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-8-18 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [7/23/2009 12:18:01 PM 64160]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe --> C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49:06 AM 1029456]
S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;C:\WINDOWS\system32\drivers\WlanGZXP.sys [8/30/2007 4:11:15 PM 402944]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-Run-REGSHAVE - C:\Program Files\REGSHAVE\REGSHAVE.EXE
HKLM-Run-VerizonServicepoint.exe - C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
FF - ProfilePath - C:\DOCUME~1\ANDREW~1\APPLIC~1\Mozilla\Firefox\Profiles\h8pre2sy.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: XUL Cache: {8A551DF7-6415-413B-97BA-771A8D86BB22} - C:\Documents and Settings\Andrew Gladwin\Local Settings\Application Data\{8A551DF7-6415-413B-97BA-771A8D86BB22}

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Origin on 23rd July 2009, 9:31 pm

Hello, some of the log was cut off. Can you post all the contents of the log?



Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31513
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:35 pm

ComboFix 09-07-23.01 - Andrew Gladwin 07/23/2009 16:52:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.313 [GMT -4:00]
Running from: C:\Documents and Settings\Andrew Gladwin\Desktop\Combo-Fix.exe
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Anti-virus Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\1.wmv
C:\Program Files\INSTALL.LOG
C:\WINDOWS\Installer\5958b2.msi
C:\WINDOWS\Installer\5958b8.msi
C:\WINDOWS\Installer\5958be.msi
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\UACcnforbufkx.sys
C:\WINDOWS\system32\drivers\vsfoceswvanhtk.sys
C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\net.net
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\UACbboadcddgh.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACkfyqluclil.dat
C:\WINDOWS\system32\UACnpuisbseta.dll
C:\WINDOWS\system32\UACqehnejcqhh.dll
C:\WINDOWS\system32\UACqqbloxgebn.dll
C:\WINDOWS\system32\UACuvahiojnwm.dll
C:\WINDOWS\system32\UACvpvmkxpied.db
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 18:54:49 . 2009-07-23 18:54:49 0 d-----w- C:\Program Files\Trend Micro
2009-07-23 16:28:25 . 2009-07-03 14:49:07 15688 ----a-w- C:\WINDOWS\system32\lsdelete.exe
2009-07-23 16:18:01 . 2009-07-03 14:49:08 64160 ----a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-07-23 16:17:14 . 2009-07-23 16:17:26 0 dc-h--w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 16:16:47 . 2009-07-23 16:17:58 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-23 16:16:47 . 2009-07-23 16:16:47 0 d-----w- C:\Program Files\Lavasoft
2009-07-23 05:36:19 . 2009-07-23 05:34:01 137728 ----a-w- C:\WINDOWS\msb.exe
2009-07-17 18:39:42 . 2009-07-17 18:39:42 0 d-----w- C:\Program Files\iPod
2009-07-13 20:40:20 . 2009-07-13 20:40:36 0 d-----w- C:\Program Files\TuneUpMedia
2009-07-13 20:40:11 . 2009-07-23 04:52:22 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\TuneUpMedia
2009-07-13 20:40:08 . 2009-07-13 20:40:40 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUpMedia
2009-07-09 03:43:12 . 2009-07-09 03:43:12 0 d-----w- C:\Program Files\The Extractor
2009-07-09 03:43:12 . 2009-07-09 03:42:58 737280 ----a-w- C:\WINDOWS\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 21:05:39 . 2007-07-03 21:44:11 386276 --sha-w- C:\WINDOWS\system32\drivers\fidbox.idx
2009-07-23 21:05:39 . 2007-07-03 21:43:59 31641376 --sha-w- C:\WINDOWS\system32\drivers\fidbox.dat
2009-07-23 20:46:01 . 2008-12-11 01:36:40 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
2009-07-23 20:32:28 . 2008-12-23 19:35:35 0 d-----w- C:\Program Files\DNA
2009-07-17 18:40:09 . 2008-01-13 03:13:08 0 d-----w- C:\Program Files\iTunes
2009-07-17 18:39:40 . 2007-06-30 20:37:08 0 d-----w- C:\Program Files\Common Files\Apple
2009-07-16 20:52:52 . 2006-04-24 17:24:34 2516 --sha-w- C:\WINDOWS\system32\KGyGaAvL.sys
2009-07-16 20:52:52 . 2005-11-21 17:42:20 56 --sh--r- C:\WINDOWS\system32\0F7D1EBD22.sys
2009-07-16 20:44:02 . 2008-12-11 01:36:40 0 d-----w- C:\Program Files\NOS
2009-07-05 18:48:26 . 2005-09-26 03:46:13 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\Apple Computer
2009-07-05 16:27:56 . 2009-06-22 01:00:48 0 d-----w- C:\Program Files\FlashMute
2009-06-17 22:04:15 . 2007-06-30 20:37:08 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2009-06-16 14:55:16 . 2004-08-10 17:51:26 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-06-16 14:55:16 . 2004-08-10 17:51:07 82432 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-06-13 00:02:37 . 2006-07-21 20:03:52 1878984 ----a-w- C:\Documents and Settings\Andrew Gladwin\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-10 22:29:23 . 2009-06-10 19:53:13 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\U3
2009-06-10 22:18:58 . 2008-10-13 17:57:15 0 d-----w- C:\Documents and Settings\Andrew Gladwin\Application Data\gtk-2.0
2009-06-04 21:10:52 . 2009-05-26 19:34:12 25 ----a-w- C:\WINDOWS\popcinfot.dat
2009-06-03 19:27:58 . 2004-08-10 17:51:20 1290752 ----a-w- C:\WINDOWS\system32\quartz.dll
2009-06-02 11:06:51 . 2009-06-02 11:05:50 0 d-----w- C:\Program Files\QuickTime
2009-05-29 17:36:16 . 2009-05-10 20:38:39 2060288 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2009-05-29 17:36:16 . 2008-01-13 03:04:24 39424 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2009-05-26 19:33:32 . 2009-05-26 19:33:32 0 d-----w- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap Games
2009-05-26 19:33:32 . 2009-05-26 19:32:38 0 d-----w- C:\Program Files\PopCap Games
2009-05-07 15:44:00 . 2004-08-10 17:51:11 344064 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-04-29 04:56:02 . 2004-08-10 17:51:29 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-04-29 04:55:56 . 2004-08-10 17:51:09 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2009-07-18 04:39:57 . 2008-06-18 10:39:57 137208 ----a-w- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
2007-07-23 21:22:05 . 2007-07-23 21:22:05 19104 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2007-07-23 21:22:06 . 2007-07-23 21:22:06 105632 ----a-w- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.



Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 23rd July 2009, 9:37 pm

I had to split it into two. I hope that's it. I tried to go back to the Combo-Fix folder and it's empty now; the Trojan must've wiped it....

I might have to leave for a couple of hours, but I'll be back sometime before 9 (it's 5:30 here), so I hope you'll be back and still be able to help. If that's not it and the folder's wiped, would you like me to rerun Combo-Fix?


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 24th July 2009, 1:14 am

BUMP

I have returned, and if I could start again with help it'd be greatly appreciated. Or, if Origin is off for now, I'll come back tomorrow to keep working. This is on e-mail alert, so luckily I'll know if there's a response.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 24th July 2009, 5:17 pm

I ran Malware Anti-Bytes in a quick scan and it removed 8 items; it said I had to restart to fully do so. It saved a log, and I haven't done anything since. Just updating.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 24th July 2009, 10:26 pm

I think the problem is gone. I ran an Ad-Aware smart scan and nothing showed up, and ran both a Malware Anti-Bytes quick and full system scan, and nothing seems to be showing up anymore. I haven't done anything else, and left Ad-Aware disabled, so if there's anything else I should do let me know. If it sounds all good, let me know and I can leave you alone.


Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 25th July 2009, 10:51 pm

Hello.
Most of the malware is gone, but some problems still remain.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\msb.exe
C:\WINDOWS\oyedilawetidalu.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edalizajovanile"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down
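The CFScript above deletes two files and one Run value that a helper picked out of the ComboFix log by eye. As an added example (not code from this thread, from ComboFix or from its author), the following Python parses the Run keys and dated file lines of the log posted earlier, applies three heuristics a helper uses when reading such a log, and drafts the same File:: and Registry:: sections; the sample log lines are copied from the posted log, the scan date is taken from its header, and the three-day window and the two-reason threshold are assumptions.

```python
"""Triage a ComboFix log and draft the CFScript a helper writes by hand.

Added example, not code from this thread, from ComboFix or from its author.
Thresholds are assumptions; a person must review the draft before using it,
since a legitimate file can trip the same rules.
"""
import re
from collections import namedtuple
from datetime import date

RunEntry = namedtuple("RunEntry", "key name path")
LoggedFile = namedtuple("LoggedFile", "path last_changed")
Finding = namedtuple("Finding", "path reasons run_entry")

# Constructed sample: the HKLM Run key and a few "Files Created" lines,
# copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35:40 94208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-07-13 18:03:10 292128]
"Edalizajovanile"="C:\WINDOWS\oyedilawetidalu.dll" [2008-12-04 23:59:24 134144]

2009-07-23 18:54:49 . 2009-07-23 18:54:49 0 d-----w- C:\Program Files\Trend Micro
2009-07-23 05:36:19 . 2009-07-23 05:34:01 137728 ----a-w- C:\WINDOWS\msb.exe
2009-07-09 03:43:12 . 2009-07-09 03:42:58 737280 ----a-w- C:\WINDOWS\iun6002.exe
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\Run)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# "<stamp> . <stamp> <size> <attrs> <path>", as printed in the file sections
FILE_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d \. (\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d"
    r" +\d+ (\S+) (.+)$")
# C:\WINDOWS\<file>, with no further subdirectory
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_run_entries(log_text):
    """Collect "Name"="path" values listed under any ...\\CurrentVersion\\Run key."""
    entries, key = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None  # any other key ends the Run block
        elif not line:
            key = None  # a blank line ends the key's value list
        elif key:
            m = RUN_VALUE_RE.match(line)
            if m:
                entries.append(RunEntry(key, m.group(1), m.group(2)))
    return entries


def parse_file_lines(log_text):
    """Collect files (directories skipped) from the dated file listings."""
    files = []
    for line in log_text.splitlines():
        m = FILE_LINE_RE.match(line.strip())
        if m and not m.group(3).startswith("d"):
            # ComboFix prints two stamps per file; the newer one is the last
            # time the file changed on this machine, which is what triage needs.
            stamps = (date.fromisoformat(m.group(1)), date.fromisoformat(m.group(2)))
            files.append(LoggedFile(m.group(4), max(stamps)))
    return files


def suspicion_reasons(path, is_autostart=False, last_changed=None,
                      report_date=None, recent_days=3):
    """Return the reasons a path looks like malware residue (may be empty)."""
    reasons, lower = [], path.lower()
    if is_autostart and lower.endswith(".dll"):
        reasons.append("Run value names a DLL rather than a program")
    if WINDOWS_ROOT_RE.match(path) and lower.endswith((".exe", ".dll")):
        reasons.append("binary dropped directly into the Windows directory")
    if last_changed and report_date and \
            (report_date - last_changed).days <= recent_days:
        reasons.append("changed within %d days of the scan" % recent_days)
    return reasons


def triage(log_text, report_date, threshold=2):
    """Flag every path that trips at least `threshold` heuristics."""
    findings = {}
    for entry in parse_run_entries(log_text):
        reasons = suspicion_reasons(entry.path, is_autostart=True)
        if len(reasons) >= threshold:
            findings[entry.path] = Finding(entry.path, reasons, entry)
    for f in parse_file_lines(log_text):
        reasons = suspicion_reasons(f.path, last_changed=f.last_changed,
                                    report_date=report_date)
        if len(reasons) >= threshold and f.path not in findings:
            findings[f.path] = Finding(f.path, reasons, None)
    return list(findings.values())


def build_cfscript(findings):
    """Render the File:: and Registry:: sections ComboFix reads from CFScript.txt."""
    lines = ["File::"] + sorted(f.path for f in findings)
    by_key = {}
    for f in findings:
        if f.run_entry:
            by_key.setdefault(f.run_entry.key, []).append(f.run_entry.name)
    if by_key:
        lines += ["", "Registry::"]
        for key in sorted(by_key):
            lines.append("[%s]" % key)
            # "Name"=- tells ComboFix to delete that value from the key
            lines.extend('"%s"=-' % name for name in sorted(by_key[key]))
    return "\n".join(lines) + "\n"


def demo():
    """Triage SAMPLE_LOG using the scan date printed in the log header."""
    found = triage(SAMPLE_LOG, date(2009, 7, 23))
    return found, build_cfscript(found)
```

The draft reproduces the script in the post above, and iun6002.exe in the same directory trips only one rule and is left alone; a legitimate installer dropped on the scan day would trip two, which is why the output is a draft for review rather than something to feed to ComboFix unread.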

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 10:58 pm

GooredFix by jpshortstuff (12.07.09)
Log created at 18:56 on 25/07/2009 (Andrew Gladwin)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{8A551DF7-6415-413B-97BA-771A8D86BB22} -> Success!
Deleting C:\Documents and Settings\Andrew Gladwin\Local Settings\Application Data\{8A551DF7-6415-413B-97BA-771A8D86BB22} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:49 11/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [16:34 16/09/2007]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [14:45 26/10/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:45 26/10/2008]

-=E.O.F=-

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:01 pm

When I dragged it into Combo-Fix, it said I cannot rename ComboFix as Combo-Fix, but that's what I was told to do way back. Should I just change the name on the desktop (click and then it lets me change it without having to open My Computer) to ComboFix and then do it?

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 25th July 2009, 11:13 pm

Nah, re-download Combofix without renaming it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator (Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245101, Likes: 1)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:28 pm

ComboFix 09-07-24.01 - Andrew Gladwin 07/25/2009 19:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.232 [GMT -4:00]
Running from: c:\documents and settings\Andrew Gladwin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew Gladwin\Desktop\CFScript.txt
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Anti-virus Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\msb.exe"
"c:\windows\oyedilawetidalu.dll"
.

((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\Malwarebytes
2009-07-24 17:01 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 17:01 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-23 20:46 . 2009-07-25 22:59 -------- d-s---w- C:\Combo-Fix
2009-07-23 18:54 . 2009-07-23 18:54 -------- d-----w- c:\program files\Trend Micro
2009-07-23 16:28 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-23 16:18 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-23 16:17 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-23 16:17 . 2009-07-23 16:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 16:16 . 2009-07-23 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-23 16:16 . 2009-07-23 16:16 -------- d-----w- c:\program files\Lavasoft
2009-07-17 18:39 . 2009-07-17 18:39 -------- d-----w- c:\program files\iPod
2009-07-17 18:30 . 2009-07-17 18:30 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 20:40 . 2009-07-25 20:44 -------- d-----w- c:\program files\TuneUpMedia
2009-07-13 20:40 . 2009-07-25 20:46 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\TuneUpMedia
2009-07-13 20:40 . 2009-07-13 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2009-07-09 03:43 . 2009-07-09 03:43 -------- d-----w- c:\program files\The Extractor
2009-07-09 03:43 . 2009-07-09 03:42 737280 ----a-w- c:\windows\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 21:02 . 2006-04-24 17:24 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-25 21:02 . 2005-11-21 17:42 56 --sh--r- c:\windows\system32\0F7D1EBD22.sys
2009-07-24 21:40 . 2007-07-03 21:44 386636 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-24 21:40 . 2007-07-03 21:43 31641376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-23 20:46 . 2008-12-11 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-23 20:32 . 2008-12-23 19:35 -------- d-----w- c:\program files\DNA
2009-07-17 18:40 . 2008-01-13 03:13 -------- d-----w- c:\program files\iTunes
2009-07-17 18:39 . 2007-06-30 20:37 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 20:44 . 2008-12-11 01:36 -------- d-----w- c:\program files\NOS
2009-07-05 18:48 . 2005-09-26 03:46 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\Apple Computer
2009-07-05 16:27 . 2009-06-22 01:00 -------- d-----w- c:\program files\FlashMute
2009-06-17 22:04 . 2007-06-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 00:02 . 2006-07-21 20:03 1878984 ----a-w- c:\documents and settings\Andrew Gladwin\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-10 22:29 . 2009-06-10 19:53 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\U3
2009-06-10 22:18 . 2008-10-13 17:57 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\gtk-2.0
2009-06-04 21:10 . 2009-05-26 19:34 25 ----a-w- c:\windows\popcinfot.dat
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 11:06 . 2009-06-02 11:05 -------- d-----w- c:\program files\QuickTime
2009-05-29 17:36 . 2009-05-10 20:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 17:36 . 2008-01-13 03:04 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2004-08-10 17:51 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 04:39 . 2008-06-18 10:39 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-23 21:22 . 2007-07-23 21:22 19104 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-07-23 21:22 . 2007-07-23 21:22 105632 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-24 21:41 . 2009-07-24 21:41 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-26 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-18 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2009 12:18 PM 64160]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [8/30/2007 4:11 PM 402944]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)
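The "Reg Loading Points" section of the ComboFix log above is what a helper reads to confirm the fix took: every autostart value and Startup-folder shortcut is listed in REGEDIT4 style with its target, date and size. The following added example (not ComboFix's code, not from anyone in the thread) parses that section into structured entries and then checks that the value removed by the CFScript, "Edalizajovanile", no longer appears. The log text in the block is a constructed, shortened excerpt in the same format as the log posted above, and the parsing rules (a `[key]` line or a folder line ending in a backslash starts a new container; value and `.lnk` lines belong to it) are my reading of that format, not a documented specification.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and verify that a
removed autostart value is gone.

Added example; not ComboFix's own code. LOG_EXCERPT is a constructed,
abbreviated version of the log posted in this thread, kept in the same format.
"""
import re
from collections import defaultdict

LOG_EXCERPT = """\
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSMSGS"="c:\\program files\\Messenger\\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SoundMAXPnP"="c:\\program files\\Analog Devices\\Core\\smax4pnp.exe" [2004-10-15 1404928]
"iTunesHelper"="c:\\program files\\iTunes\\iTunesHelper.exe" [2009-07-13 292128]

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"RunNarrator"="Narrator.exe" - c:\\windows\\system32\\narrator.exe [2004-08-04 53760]

c:\\documents and settings\\All Users\\Start Menu\\Programs\\Startup\\
Digital Line Detect.lnk - c:\\program files\\Digital Line Detect\\DLG.exe [2005-8-18 24576]
"""

# "Name"="path" [date size]   or   "Name"="short" - resolved path [date size]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r'(?: - (?P<resolved>.+?))? \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
# Shortcut.lnk - target path [date size]   (Startup folder entries)
LNK_RE = re.compile(
    r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$')


def loading_points_section(log: str) -> list:
    """Return only the lines between the Reg Loading Points banner and the next banner."""
    lines, inside = [], False
    for line in log.splitlines():
        if line.startswith("((((") and "Reg Loading Points" in line:
            inside = True
            continue
        if inside and line.startswith("(((("):   # next section banner
            break
        if inside:
            lines.append(line.rstrip())
    return lines


def autostart_entries(log: str) -> list:
    """One dict per autostart value or shortcut: container, name, path, date, size."""
    entries, container = [], None
    for line in loading_points_section(log):
        if not line or line.startswith(("*Note*", "REGEDIT4", ".")):
            continue
        if line.startswith("[") and line.endswith("]"):
            container = line[1:-1]       # a registry key
            continue
        if line.endswith("\\"):
            container = line             # a Startup folder path
            continue
        m = VALUE_RE.match(line) or LNK_RE.match(line)
        if m is None or container is None:
            continue                     # not an entry line we understand
        d = m.groupdict()
        entries.append({
            "container": container,
            "name": d["name"],
            "path": d.get("resolved") or d["path"],   # prefer the resolved target
            "date": d["date"],
            "size": int(d["size"]),
        })
    return entries


def find_value(entries: list, name: str) -> list:
    """All entries whose value name matches (case-insensitive, as the registry is)."""
    return [e for e in entries if e["name"].lower() == name.lower()]


def by_container(entries: list) -> dict:
    """Group entries under the key or folder that loads them."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["container"]].append(e)
    return dict(grouped)


if __name__ == "__main__":
    found = autostart_entries(LOG_EXCERPT)
    for key, items in by_container(found).items():
        print(key)
        for e in items:
            print(f"    {e['name']:<20} {e['path']}  [{e['date']} {e['size']}]")
    print("Edalizajovanile still present:", bool(find_value(found, "Edalizajovanile")))
```

Run against the full log posted above, the same check confirms what the helper concluded by eye: the HKLM Run key now lists only the vendor entries and the value targeted by the CFScript is gone.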

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:29 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Andrew Gladwin\Application Data\Mozilla\Firefox\Profiles\h8pre2sy.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-25 19:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3345164839-973460320-4224190119-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1652)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
.
Completion time: 2009-07-25 19:27
ComboFix-quarantined-files.txt 2009-07-25 23:26
ComboFix2.txt 2009-07-23 21:17

Pre-Run: 62,314,770,432 bytes free
Post-Run: 62,305,247,232 bytes free

232 --- E O F --- 2009-07-15 07:01

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 12:12 am

Hello.
Just about done now, one last log I want to see.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator (Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245101, Likes: 1)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 26th July 2009, 12:15 am

Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.2.6
Bonjour
DellSupport
DivX Codec
DivX Player
DivX Web Player
Gimp 2.6.0
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.1)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Netflix Movie Viewer
Plants vs. Zombies
PokerStars.net
QuickTime
RER Video Converter
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
The Extractor
TuneUp Companion 1.5.7
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Yahoo! Messenger
ZoneAlarm Anti-virus

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 12:17 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This release is Windows 7 support-ready and includes support for Internet Explorer 8...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator (Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245101, Likes: 1)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 26th July 2009, 12:35 am

Quite well, actually. Java went under my radar but I dunno how much it's used with Firefox, so I'm glad to update it. I really can't thank you guys enough for going through all this with me and being patient, because you saved me from wiping my hard drive and the 15 bucks (I know, not much) I spent on iTunes and the long list of books I want to buy, which is pretty important to me. Plus, you saved me paying some guy to come in and mess around, and instead I got a little bit of knowledge from doing it myself with a lot of help.

Anything else I need to do, or fini?

Alex Freeman, Novice (Posts: 25, Joined: 2009-07-23, OS: XP, Points: 26987, Likes: 0)

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 8:51 pm

Nope, looks fine now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator (Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245101, Likes: 1)
