Win32trojanTDSS Removal Assistance Needed

View previous topic View next topic Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 24th July 2009, 10:26 pm

I think the problem is gone. I ran Ad-Aware smart scan and nothing showed up, and both a Malware Anti-Bytes quick and full system scan and nothing sems to be showing up anymore. I haven't done anything else, and left Ad-Aware disabled, so if there's anything else I should do let me know. If it sounds all good, let me know and I can leave you alone.

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 25th July 2009, 10:51 pm

Hello.
Most of the malware is gone, but some problems still remain.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\msb.exe
C:\WINDOWS\oyedilawetidalu.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Edalizajovanile"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 10:58 pm

GooredFix by jpshortstuff (12.07.09)
Log created at 18:56 on 25/07/2009 (Andrew Gladwin)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{8A551DF7-6415-413B-97BA-771A8D86BB22} -> Success!
Deleting C:\Documents and Settings\Andrew Gladwin\Local Settings\Application Data\{8A551DF7-6415-413B-97BA-771A8D86BB22} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:49 11/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [16:34 16/09/2007]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [14:45 26/10/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:45 26/10/2008]

-=E.O.F=-

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:01 pm

When I dragged it into Combo-Fix, it said I can not rename ComboFix as Combo-Fix, but that's what I was told to do way back. Should I just change the name on the desktop (click and then it lets me change it without having to open My Computer) to ComboFix and then do it?

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 25th July 2009, 11:13 pm

Nah, re-download Combofix without renaming it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:28 pm

ComboFix 09-07-24.01 - Andrew Gladwin 07/25/2009 19:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.232 [GMT -4:00]
Running from: c:\documents and settings\Andrew Gladwin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew Gladwin\Desktop\CFScript.txt
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Anti-virus Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\msb.exe"
"c:\windows\oyedilawetidalu.dll"
.

((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\Malwarebytes
2009-07-24 17:01 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 17:01 . 2009-07-24 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 17:01 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-23 20:46 . 2009-07-25 22:59 -------- d-s---w- C:\Combo-Fix
2009-07-23 18:54 . 2009-07-23 18:54 -------- d-----w- c:\program files\Trend Micro
2009-07-23 16:28 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-23 16:18 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-23 16:17 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-23 16:17 . 2009-07-23 16:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 16:16 . 2009-07-23 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-23 16:16 . 2009-07-23 16:16 -------- d-----w- c:\program files\Lavasoft
2009-07-17 18:39 . 2009-07-17 18:39 -------- d-----w- c:\program files\iPod
2009-07-17 18:30 . 2009-07-17 18:30 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 20:40 . 2009-07-25 20:44 -------- d-----w- c:\program files\TuneUpMedia
2009-07-13 20:40 . 2009-07-25 20:46 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\TuneUpMedia
2009-07-13 20:40 . 2009-07-13 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2009-07-09 03:43 . 2009-07-09 03:43 -------- d-----w- c:\program files\The Extractor
2009-07-09 03:43 . 2009-07-09 03:42 737280 ----a-w- c:\windows\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 21:02 . 2006-04-24 17:24 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-25 21:02 . 2005-11-21 17:42 56 --sh--r- c:\windows\system32\0F7D1EBD22.sys
2009-07-24 21:40 . 2007-07-03 21:44 386636 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-24 21:40 . 2007-07-03 21:43 31641376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-23 20:46 . 2008-12-11 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-23 20:32 . 2008-12-23 19:35 -------- d-----w- c:\program files\DNA
2009-07-17 18:40 . 2008-01-13 03:13 -------- d-----w- c:\program files\iTunes
2009-07-17 18:39 . 2007-06-30 20:37 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 20:44 . 2008-12-11 01:36 -------- d-----w- c:\program files\NOS
2009-07-05 18:48 . 2005-09-26 03:46 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\Apple Computer
2009-07-05 16:27 . 2009-06-22 01:00 -------- d-----w- c:\program files\FlashMute
2009-06-17 22:04 . 2007-06-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 00:02 . 2006-07-21 20:03 1878984 ----a-w- c:\documents and settings\Andrew Gladwin\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-10 22:29 . 2009-06-10 19:53 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\U3
2009-06-10 22:18 . 2008-10-13 17:57 -------- d-----w- c:\documents and settings\Andrew Gladwin\Application Data\gtk-2.0
2009-06-04 21:10 . 2009-05-26 19:34 25 ----a-w- c:\windows\popcinfot.dat
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 11:06 . 2009-06-02 11:05 -------- d-----w- c:\program files\QuickTime
2009-05-29 17:36 . 2009-05-10 20:38 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 17:36 . 2008-01-13 03:04 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2004-08-10 17:51 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 04:39 . 2008-06-18 10:39 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-23 21:22 . 2007-07-23 21:22 19104 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-07-23 21:22 . 2007-07-23 21:22 105632 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-24 21:41 . 2009-07-24 21:41 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-26 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-18 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2009 12:18 PM 64160]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [8/30/2007 4:11 PM 402944]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 25th July 2009, 11:29 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Andrew Gladwin\Application Data\Mozilla\Firefox\Profiles\h8pre2sy.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-25 19:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3345164839-973460320-4224190119-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1652)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
.
Completion time: 2009-07-25 19:27
ComboFix-quarantined-files.txt 2009-07-25 23:26
ComboFix2.txt 2009-07-23 21:17

Pre-Run: 62,314,770,432 bytes free
Post-Run: 62,305,247,232 bytes free

232 --- E O F --- 2009-07-15 07:01

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 12:12 am

Hello.
Just about done now, one last log I want to see.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 26th July 2009, 12:15 am

Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.2.6
Bonjour
DellSupport
DivX Codec
DivX Player
DivX Web Player
Gimp 2.6.0
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 2
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.1)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Netflix Movie Viewer
Plants vs. Zombies
PokerStars.net
QuickTime
RER Video Converter
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
The Extractor
TuneUp Companion 1.5.7
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Yahoo! Messenger
ZoneAlarm Anti-virus

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 12:17 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This release is Windows 7 support-ready and includes support for Internet Explorer 8...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe that you downloaded to install the newest version.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Alex Freeman on 26th July 2009, 12:35 am

Quite well, actually. Java went under my radar but I dunno how much it's used with Firefox, so I'm glad to update it. I really can't thank you guys enough for going through all this with me and being patient, because you saved me from wiping my hard drive and the 15 bucks (I know, not much) I spent on iTunes and the long list of books I want to buy, which is pretty important to me. Plus, you saved my paying some guy to come in and mess around and instead I got a little bit of knowledge from doing it myself with a lot of help.

Anything else I need to do, or fini?

Alex Freeman
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-07-23
OS OS : XP
Points Points : 26997
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32trojanTDSS Removal Assistance Needed

Post by Belahzur on 26th July 2009, 8:51 pm

Nope, looks fine now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum