Win32TrojanTdss infection


Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 03, 2009 5:19 pm

Hello

New to this and hope you can help. I've come to you because you seem to have helped others with this one.

I got what I think must have been a multiple infection the other night. I think I got a fair amount off (including something called System Security 2009) with the help of Ad-Aware and Malwarebytes, but there's more, I fear. Internet Explorer is messed up, and gives me the option of 'restoring previous session' and if I take that it tries to take me to random sites. If I do a Google search it appears in larger than usual font size and the links take me again to random sites.

Anyway, Ad-Aware has picked up Win32TrojanTdss which, as other posters have described, it removes, but it reappears after the requested reboot.

It all feels pretty serious, but I'm trying to keep calm!

Hijackthis log below. Hope you can help

Cricketboy


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:40, on 03/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe
C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\winlogon.exe

Cricketboy
Novice
Posts : 25
Joined : 2009-08-03
OS : XP

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 03, 2009 5:20 pm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [five Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe" /CustomId:five
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O4 - Global Startup: Wireless Network Connection.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - [You must be registered and logged in to see this link.]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} (five Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - [You must be registered and logged in to see this link.]
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: print sppolers - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 17126 bytes

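The HijackThis log above is the kind of thing a helper reads by eye, looking for a small set of patterns: a core Windows binary name running from a user-writable folder (the last process listed is C:\Documents and Settings\David\Desktop\winlogon.exe, while the real winlogon.exe appears earlier in the same list at C:\WINDOWS\system32\winlogon.exe), an O4 Run entry that names a bare file with no path (`[Protect] SHVRTF.EXE`), a service whose binary is missing and whose display name is a near-miss of a genuine one (`print sppolers ... C:\Program.exe (file missing)`), and orphaned BHO entries. The script below is an added example, not part of this thread and not part of HijackThis, that automates those checks over a handful of lines taken from the posted log. The sample is constructed (a subset of the log plus benign lines for contrast), and the list of known service display names is an assumption to be extended with the real inventory of the host being looked at.

```python
import difflib
import re
from typing import Dict, List

# Constructed sample: a few lines lifted from the HijackThis log posted in the
# thread, plus benign lines for contrast. Not the complete log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\winlogon.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: print sppolers - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Core Windows binaries that malware likes to impersonate by name. On XP they
# run from C:\WINDOWS or C:\WINDOWS\system32 and nowhere else.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Locations an ordinary user can write to; boot-time processes should not live here.
USER_WRITABLE_MARKERS = ("c:\\documents and settings\\", "\\temp\\", "\\local settings\\")
# Assumption: a short list of genuine service display names, used to catch
# look-alike spellings. Extend it with the real service inventory of the host.
KNOWN_SERVICES = ["Print Spooler", "Windows Update", "Task Scheduler", "Windows Firewall"]

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: .* - \(no file\)$")


def check_process(path: str) -> List[str]:
    """Flag one line of the 'Running processes' block."""
    reasons = []
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{name}' running from '{parent}' instead of the Windows directory")
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable running from a user-writable location")
    return reasons


def command_image(cmd: str) -> str:
    """First token of a Run value: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_run(name: str, cmd: str) -> List[str]:
    image = command_image(cmd)
    if "\\" not in image:
        return [f"Run value '{name}' names '{image}' with no path; it is resolved via the "
                f"search path, so confirm which file actually loads"]
    return []


def check_service(display: str, owner: str, path: str) -> List[str]:
    reasons = []
    if "(file missing)" in path:
        reasons.append(f"service binary '{path}' is missing (owner: {owner})")
    base = re.sub(r"\s*\([^)]*\)$", "", display).lower()   # drop the '(shortname)' suffix
    for known in KNOWN_SERVICES:
        k = known.lower()
        if base != k and difflib.SequenceMatcher(None, base, k).ratio() >= 0.8:
            reasons.append(f"display name '{display}' resembles '{known}' (possible look-alike)")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log lines that need a human's attention, with the reason for each."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        reasons: List[str] = []
        if in_processes:
            reasons = check_process(line)
        elif BHO_RE.match(line):
            reasons = ["BHO entry with no backing file (orphaned; safe to remove)"]
        else:
            m = RUN_RE.match(line)
            if m:
                reasons = check_run(m["name"], m["cmd"])
            else:
                m = SERVICE_RE.match(line)
                if m:
                    reasons = check_service(m["display"], m["owner"], m["path"])
        if reasons:
            findings.append({"line": line, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        print("   ->", f["reasons"])
```

A hit means "verify", not "malicious": `[SoundMan] SOUNDMAN.EXE` is also a bare name and gets flagged, yet the posted process list shows it running legitimately as C:\WINDOWS\SOUNDMAN.EXE. The Desktop copy of winlogon.exe, by contrast, trips two rules at once, which is the sort of entry a helper asks about first.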

Re: Win32TrojanTdss infection

Post by Belahzur on Mon Aug 03, 2009 7:32 pm

Hello.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean. Please see here for instructions on how to disable it:

1. Right-click on the Ad-Watch icon in the system tray (located down by the system clock for most configurations)
2. Choose *Settings* from the dropdown menu
3. Under the *General Settings* tab turn OFF (red x) the option to "Load Ad-Watch at Startup" (if enabled)

4. Click on the *Status* button in the left hand menu
5. Turn OFF (red x) the option for *Regshield*
6. Close that window, then right-click on the Ad-Watch icon shield again down in the system tray next to the clock.
7. Choose *Turn off Ad-Watch* from the drop menu

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 03, 2009 9:18 pm

Hi

Seem to have problems already. I think this beast, or whatever else I've got, is blocking access to selected websites. Couldn't get onto your malwarebytes link. I was able to do so on another computer and transfer the mbam-setup.exe via a memory stick, but then it wouldn't open.

Any way round this?

I followed the first instructions OK, I think, although I have a different version of Ad-Watch from the one in your screenshots.


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 03, 2009 10:23 pm

Hi again

Did get a bit further by renaming mbam-setup. I got it installed, but it won't run, even when renamed.


Re: Win32TrojanTdss infection

Post by Belahzur on Tue Aug 04, 2009 7:02 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Win32TrojanTdss infection

Post by Cricketboy on Tue Aug 04, 2009 8:15 pm

Hi

Oh dear! Everything was going OK, then I got a message after ComboFix began to run:

!! ALERT !! It is NOT SAFE to continue!
The contents of the Combofix package has been compromised.
Please download a fresh copy from
[You must be registered and logged in to see this link.]
Note: you may be infected with a file patching virus 'Virut'


Still trying to stay calm

Cricketboy


Re: Win32TrojanTdss infection

Post by Belahzur on Wed Aug 05, 2009 5:32 pm

Hello.
Virut is bad, very bad. We need to use this alternative to Combofix to check for Virut.

I have to let you know, if this scan result shows me Virut is present, it's game over, nothing we can do other than format the machine.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.




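ComboFix refused to run because its own package failed an integrity check, and its message points at a file-infecting virus as the likely cause. Two things are worth seeing in code: what that self-check amounts to (a digest of the file compared against the value the publisher shipped) and why a file infector trips it. An appending infector typically adds or extends a section and redirects AddressOfEntryPoint into it, so a header-level look at where execution starts is a cheap, signature-free indicator. The block below is an added example, not code from this thread, from ComboFix or from any scanner. It builds two header-only PE32 images as constructed fixtures (section names and addresses are arbitrary; nothing in them is taken from a real sample), reports the suspicious entry-point properties, and shows the digest comparison. It is a heuristic only: some packers and linkers also place the entry point outside the first code section, and it identifies no particular virus family.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections: List[Tuple[str, int, int, int]], entry_rva: int) -> bytes:
    """Constructed fixture: a header-only PE32 image (no code, never meant to run).

    sections = [(name, VirtualAddress, VirtualSize, Characteristics), ...]
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: NT headers right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


def parse_pe(pe: bytes) -> Tuple[int, List[dict]]:
    """Return (AddressOfEntryPoint, section list) read from the headers alone."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]         # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # FileHeader.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt_off + 16)[0]        # OptionalHeader.AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, sect_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2], "chars": f[9]})
    return entry, sections


def entry_point_findings(pe: bytes) -> List[str]:
    """Header-level heuristic for an appending file infector: where does execution start?"""
    entry, sections = parse_pe(pe)
    host = next((i for i, s in enumerate(sections) if s["va"] <= entry < s["va"] + s["vsize"]), None)
    if host is None:
        return ["entry point lies outside every section"]
    first_exec = next((i for i, s in enumerate(sections) if s["chars"] & IMAGE_SCN_MEM_EXECUTE), None)
    s = sections[host]
    out = []
    if host != first_exec:
        out.append(f"entry point is in '{s['name']}', not the first executable section")
    if len(sections) > 1 and host == len(sections) - 1:
        out.append(f"entry point is in the last section '{s['name']}'")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        out.append(f"entry section '{s['name']}' is writable and executable")
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """The kind of self-check a tool performs before running: compare the shipped digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


TEXT = (".text", 0x1000, 0x2000, 0x60000020)   # code | execute | read
DATA = (".data", 0x3000, 0x1000, 0xC0000040)   # initialized data | read | write
CLEAN = build_pe([TEXT, DATA], 0x1200)
# Same layout with an appended read/write/execute section and the entry point moved
# into it: the shape an appending infector leaves behind (section name is arbitrary).
PATCHED = build_pe([TEXT, DATA, (".extra", 0x4000, 0x800, 0xE0000020)], 0x4010)
CLEAN_DIGEST = sha256_hex(CLEAN)   # the value a publisher would ship alongside the file

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, "digest ok:", integrity_ok(image, CLEAN_DIGEST), entry_point_findings(image))
```

The digest check is what makes the advice in the thread sound: a file patched by an infector will never match the published hash, so a tool that verifies itself refuses to start rather than run infected code. The entry-point heuristic is useful when no baseline exists, which is the situation for the hundreds of other executables on a box like this one.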

Re: Win32TrojanTdss infection

Post by Cricketboy on Wed Aug 05, 2009 6:40 pm

Hi

I was pretty much expecting that after some internet research.

Here's the log you request:

DDS (Ver_09-07-30.01) - NTFSx86
Run by David at 19:34:57.35 on 05/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.399 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\David\Desktop\dds.scr


Re: Win32TrojanTdss infection

Post by Cricketboy on Wed Aug 05, 2009 6:41 pm

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: RepliGoIEHelperCtl Class: {91de4477-9cdc-4806-9bcb-28a963988e94} - c:\program files\cerience\repligo\RepliGoIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &RepliGo: {81f4066b-f330-4872-8094-3e9fbccec8c1} - c:\program files\cerience\repligo\RepliGoIEBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [Protect] SHVRTF.EXE
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe
mRun: [five Media Manager Tray] "c:\program files\entriq\mediasphere\EntriqMediaTray.exe" /CustomId:five
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [RepliGo Assistant] "c:\program files\cerience\repligo\RepliGoMon.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -onlytray
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [David] c:\documents and settings\david\David.exe /i
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WIRELE~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {0000000A-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {00000161-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {33564D57-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - [You must be registered and logged in to see this link.]
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - [You must be registered and logged in to see this link.]
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - [You must be registered and logged in to see this link.]
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - [You must be registered and logged in to see this link.]
DPF: {46431044-1B22-4EF3-B333-863AAF310153} - [You must be registered and logged in to see this link.]
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - [You must be registered and logged in to see this link.]
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - [You must be registered and logged in to see this link.]
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - [You must be registered and logged in to see this link.]
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - [You must be registered and logged in to see this link.]
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\82tzbw7s.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}


Re: Win32TrojanTdss infection

Post by Cricketboy on Wed Aug 05, 2009 6:42 pm

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-1 64160]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-8-4 18944]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-16 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-21 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-20 108552]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-18 6656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-6 353672]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 298776]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-11-19 38144]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2008-11-19 238848]
S2 print sppolers;print sppolers;c:\program files\common files\microsoft shared\msinfo\svchost.ra --> c:\program files\common files\microsoft shared\msinfo\Svchost.ra [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 VVBETHERNET;LinkMAX HSA Series Ethernet driver;c:\windows\system32\drivers\vvbeth.sys [2006-1-18 15272]
S3 vvbususb;Virata USB VvBus driver;c:\windows\system32\drivers\vvbususb.sys [2006-1-18 50074]

=============== Created Last 30 ================

2009-08-04 20:48 41,456 ----h--- c:\documents and settings\david\David.exe
2009-08-04 20:46 53,248 a------- c:\windows\system32\F.tmp
2009-08-04 20:46 35,328 a------- c:\windows\system32\E.tmp
2009-08-04 20:46 20,974 a------- c:\windows\system32\D.tmp
2009-08-04 20:45 120 a------- c:\windows\system32\C.tmp
2009-08-04 20:13 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-08-04 20:13 53,248 a------- c:\windows\system32\7.tmp
2009-08-04 20:13 0 a------- c:\windows\system32\8.tmp
2009-08-04 20:13 35,328 a------- c:\windows\system32\6.tmp
2009-08-04 20:13 120 a------- c:\windows\system32\4.tmp
2009-08-03 23:16 --d----- c:\program files\New Folder
2009-08-03 22:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 22:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-03 17:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-08-02 00:58 --d----- c:\docume~1\david\applic~1\Malwarebytes
2009-08-02 00:58 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 00:58 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-02 00:23 0 a------- c:\windows\SC.INS
2009-08-02 00:23 73 a------- C:\DIET WITHOUT HUNGER.url
2009-07-20 07:52 --dsh--- c:\documents and settings\david\IECompatCache
2009-07-20 07:33 --dsh--- c:\documents and settings\david\PrivacIE
2009-07-20 07:30 --dsh--- c:\documents and settings\david\IETldCache
2009-07-20 07:24 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-20 07:24 --d----- c:\windows\ie8updates
2009-07-20 07:23 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-20 07:23 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-20 07:22 -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-08-04 21:29 94,208 a------- c:\windows\DUMP6939.tmp
2009-08-03 23:28 94,208 a------- c:\windows\DUMP63bb.tmp
2009-08-03 22:50 94,208 a------- c:\windows\DUMP632e.tmp
2009-08-02 22:49 94,208 a------- c:\windows\DUMP5e76.tmp
2009-08-02 17:56 94,208 a------- c:\windows\DUMP5d3e.tmp
2009-08-02 13:38 94,208 a------- c:\windows\DUMP592c.tmp
2009-08-02 12:47 94,208 a------- c:\windows\DUMP63f9.tmp
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-05 09:32 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 12:47 1,822 a------- c:\docume~1\david\applic~1\wklnhst.dat
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01 193,536 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 19:44 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-29 00:53 15,688 a------- c:\windows\system32\lsdelete.exe
1999-06-30 14:06 172,032 a------- c:\windows\inf\agfa\message.exe
2008-10-02 21:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 19:36:33.62 ===============


Re: Win32TrojanTdss infection

Post by Cricketboy on Sun Aug 09, 2009 3:06 pm

BUMP


Re: Win32TrojanTdss infection

Post by Origin on Sun Aug 09, 2009 8:03 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\documents and settings\david\David.exe
    c:\windows\system32\F.tmp
    c:\windows\system32\E.tmp
    c:\windows\system32\D.tmp
    c:\windows\system32\C.tmp
    c:\windows\system32\drivers\protect.sys
    c:\windows\system32\7.tmp
    c:\windows\system32\8.tmp
    c:\windows\system32\6.tmp
    c:\windows\system32\4.tmp
    c:\windows\SC.INS*
    c:\windows\DUMP6939.tmp
    c:\windows\DUMP63bb.tmp
    c:\windows\DUMP632e.tmp
    c:\windows\DUMP5e76.tmp
    c:\windows\DUMP5d3e.tmp
    c:\windows\DUMP592c.tmp
    c:\windows\DUMP63f9.tmp


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

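Origin's file selection above (the hidden David.exe and protect.sys, and the unnamed .tmp files written in the same minutes) can be reproduced as a small triage pass over the DDS "Created Last 30" listing. This is an added example, not the forum's, DDS's or OTM's own code; the three rules, the five-minute clustering window and the sample lines (copied from the listing above) are assumptions of the example.

```python
# Added example: triage a DDS 'Created Last 30' listing the way a helper reads it.
# Not code from the forum, DDS or OTM; the rules and the 5-minute window are
# heuristics chosen for this log, and the sample lines are copied from it.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a subset of the listing posted above.
SAMPLE_LOG = r"""
2009-08-04 20:48 41,456 ----h--- c:\documents and settings\david\David.exe
2009-08-04 20:46 53,248 a------- c:\windows\system32\F.tmp
2009-08-04 20:45 120 a------- c:\windows\system32\C.tmp
2009-08-04 20:13 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-08-04 20:13 53,248 a------- c:\windows\system32\7.tmp
2009-08-03 23:16 --d----- c:\program files\New Folder
2009-08-03 22:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 00:23 0 a------- c:\windows\SC.INS
"""

# date time [size] attrs path; the size column is absent for directories
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})"
    r"(?: [\d,]+)? (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".sys", ".dll")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    when: datetime
    attrs: str  # DDS attribute flags, e.g. 'a---h---' (d = directory, h = hidden)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def hidden_executable(self) -> bool:
        return "h" in self.attrs and self.name.endswith(EXEC_EXT)


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
            entries.append(Entry(when, m["attrs"], m["path"]))
    return entries


# (severity, reason, predicate): "move" = candidate for the OTM :files list,
# "review" = worth a look, never act on this rule alone (mbamswissarmy.sys is
# a new driver too, and it belongs to Malwarebytes).
RULES = [
    ("move", "hidden executable or driver", lambda e: e.hidden_executable),
    ("move", "unnamed .tmp dropped in system32",
     lambda e: e.path.lower().startswith(SYSTEM32)
     and re.fullmatch(r"[0-9a-f]{1,8}\.tmp", e.name) is not None),
    ("review", "new kernel driver, check the publisher",
     lambda e: e.name.endswith(".sys") and "\\drivers\\" in e.path.lower()),
]


def triage(entries: List[Entry], window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {path: {"severity": "move" | "review", "reasons": [...]}}."""
    findings: Dict[str, dict] = {}

    def flag(e: Entry, severity: str, reason: str) -> None:
        f = findings.setdefault(e.path, {"severity": "review", "reasons": []})
        if severity == "move":
            f["severity"] = "move"
        if reason not in f["reasons"]:
            f["reasons"].append(reason)

    files = [e for e in entries if "d" not in e.attrs]
    for e in files:
        for severity, reason, pred in RULES:
            if pred(e):
                flag(e, severity, reason)
    # Temporal clustering: a dropper writes its pieces within minutes of each
    # other, so anything created close to a hidden executable gets a look.
    anchors = [e for e in files if e.hidden_executable]
    for e in files:
        for a in anchors:
            if a is not e and abs(e.when - a.when) <= window:
                flag(e, "review", f"created within {window.seconds // 60} min of {a.name}")
    return findings


def otm_files_block(findings: Dict[str, dict]) -> str:
    """Render the 'move' findings as an OTM :files block like the one above."""
    return "\n".join([":files"] + [p for p, f in findings.items() if f["severity"] == "move"])
```

SC.INS, which Origin also moved, is caught by none of these rules: the script narrows the list, it does not replace reading it.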

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:12 pm

Hi

Thank you for persevering with me.

Here is the OTMoveIt log to start with:

========== FILES ==========
c:\documents and settings\david\David.exe moved successfully.
c:\windows\system32\F.tmp moved successfully.
c:\windows\system32\E.tmp moved successfully.
c:\windows\system32\D.tmp moved successfully.
c:\windows\system32\C.tmp moved successfully.
c:\windows\system32\drivers\protect.sys moved successfully.
c:\windows\system32\7.tmp moved successfully.
c:\windows\system32\8.tmp moved successfully.
c:\windows\system32\6.tmp moved successfully.
c:\windows\system32\4.tmp moved successfully.
c:\windows\SC.INS moved successfully.
c:\windows\DUMP6939.tmp moved successfully.
c:\windows\DUMP63bb.tmp moved successfully.
c:\windows\DUMP632e.tmp moved successfully.
c:\windows\DUMP5e76.tmp moved successfully.
c:\windows\DUMP5d3e.tmp moved successfully.
c:\windows\DUMP592c.tmp moved successfully.
c:\windows\DUMP63f9.tmp moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 08102009_155604


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:42 pm

This Rootkit Scan is massive....

GMER 1.0.15.15020 [8hvttwer.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-10 16:15:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86F0AE70 ZwEnumerateKey
Code 86EF4CF0 ZwFlushInstructionCache
Code 86F1447E IofCallDriver
Code 86F189C6 IofCompleteRequest
Code 86EF100D ZwSaveKey
Code 86EEE80D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86F14483
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 86F189CB
.text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 86EF1012
.text ntkrnlpa.exe!ZwSaveKeyEx 80500D7C 5 Bytes JMP 86EEE812
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 86EF4CF4
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 86F0AE74
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0085000A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[264] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0086000A
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A7000A
.rsrc C:\WINDOWS\system32\svchost.exe[532] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[532] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[532] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:45 pm

.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0084000A
.text C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[564] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0085000A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0086000A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[612] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0087000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007E000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[720] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0080000A
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0085000A
.text C:\Program Files\iPod\bin\iPodService.exe[744] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0086000A
.rsrc C:\WINDOWS\system32\svchost.exe[756] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[756] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:47 pm

.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0082000A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[888] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94983
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94990
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94C14
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94979
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF949D1
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\winlogon.exe[932] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0077000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0082000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[956] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94983
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94990
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94C14
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94979
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF949D1
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94983
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94990
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94C14
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94979
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF949D1
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AC000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1176] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AD000A
.rsrc C:\WINDOWS\system32\svchost.exe[1200] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1200] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\CTsvcCDA.EXE[1256] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007E000A
.rsrc C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.rsrc C:\WINDOWS\System32\svchost.exe[1324] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[1324] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94983
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94990
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94C14
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94979
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF949D1
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

Cricketboy
Novice
Posts : 25
Joined : 2009-08-03
OS : XP

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:51 pm

.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007F000A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1380] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0081000A
.rsrc C:\WINDOWS\system32\svchost.exe[1528] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1528] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.rsrc C:\WINDOWS\system32\svchost.exe[1560] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1560] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94983
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF94990
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94C14
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94979
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF949D1
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0097000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007E000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1616] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 007F000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0086000A
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1644] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0088000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A9000A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1740] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AC000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1804] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AD000A
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:52 pm

.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DA000A
.text C:\Program Files\Kontiki\KService.exe[2388] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DB000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.reloc C:\WINDOWS\Explorer.EXE[2456] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.reloc C:\WINDOWS\Explorer.EXE[2456] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FE91D]
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D0000A
.text C:\WINDOWS\Explorer.EXE[2456] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D1000A
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
.text C:\Documents and Settings\David\Desktop\8hvttwer.exe[2548] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\SHVRTF.EXE[2712] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B6000A
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B1000A
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[2720] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B2000A
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D9000A
.text C:\Program Files\Kontiki\KHost.exe[2752] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DA000A
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

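An added note on reading the listing above (this is example code written for this page; it is not part of Cricketboy's post and not GMER's own code). These are GMER's user-mode hook lines: each .text line names a process, the export that was patched inside it, the 5-byte CALL or JMP that now sits at the export's first instructions, and, where GMER could match it, the module the destination lives in; the .rsrc and .reloc lines record an executable resource or relocation section and an entry point inside it. The script parses both line types and applies one triage heuristic of my own: an export hooked in nearly every process (the ntdll.dll Nt* and Ldr* hooks here) is set aside as consistent with a system-wide product hooking everything at start-up, a hook whose destination GMER attributed to a named module (the USER32 and ole32 hooks into IEFRAME.dll) is set aside too, and what remains is where to start. On the lines above that leaves the WS2_32.dll and WININET.dll hooks in Iexplore.exe[2444], whose destinations carry no module attribution. That is a starting point for analysis, not a verdict: the log does not say what is mapped at those addresses. The function names parse_gmer and triage, the widespread_threshold cut-off, and the sample lines (copied from the posts above) are this example's own.

```python
"""Parse GMER's user-mode hook listing and pick out the hooks worth a closer look."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Inline-hook lines, in the shape seen in the log above:
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes <CALL|JMP> <target> [<target module> (<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>CALL|JMP)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_module>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# PE-section anomaly lines (".rsrc"/".reloc" section is executable / entry point in it).
SECTION_RE = re.compile(
    r'^\.(?P<section>\w+)\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<file>.+?)\s+'
    r'(?P<note>section is executable|entry point in "\.\w+" section)\s+\[(?P<detail>[^\]]*)\]\s*$'
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str                    # DLL whose export was patched (ntdll.dll, WS2_32.dll, ...)
    export: str
    kind: str                      # "CALL" or "JMP"
    target: int                    # address the patched bytes transfer control to
    target_module: Optional[str]   # module GMER attributed the target to, or None


@dataclass(frozen=True)
class SectionAnomaly:
    image: str
    pid: int
    section: str
    note: str
    detail: str


def parse_gmer(lines: Iterable[str]) -> Tuple[List[Hook], List[SectionAnomaly]]:
    """Split a GMER listing into hook records and section anomalies; other lines are ignored."""
    hooks: List[Hook] = []
    anomalies: List[SectionAnomaly] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["export"],
                              m["kind"], int(m["target"], 16), m["target_module"]))
            continue
        m = SECTION_RE.match(line)
        if m:
            anomalies.append(SectionAnomaly(m["image"], int(m["pid"]), m["section"],
                                            m["note"], m["detail"]))
    return hooks, anomalies


def triage(hooks: Iterable[Hook], widespread_threshold: int = 3) -> List[Hook]:
    """Return hooks that are unattributed AND confined to fewer than `widespread_threshold` processes.

    Heuristic assumed by this example (not a GMER rule): an export hooked in most
    processes looks like a system-wide security product and is a poor place to start;
    an export hooked in one or two processes, whose target GMER could not tie to any
    loaded module, is where the analysis should begin.
    """
    hooks = list(hooks)
    processes_per_export = defaultdict(set)
    for h in hooks:
        processes_per_export[(h.module.lower(), h.export)].add(h.pid)
    return [
        h for h in hooks
        if h.target_module is None
        and len(processes_per_export[(h.module.lower(), h.export)]) < widespread_threshold
    ]


# Representative lines copied from the GMER log in the posts above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF948F4
.text C:\WINDOWS\system32\lsass.exe[1000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007E000A
.rsrc C:\WINDOWS\system32\svchost.exe[1200] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[1200] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2444] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
"""

if __name__ == "__main__":
    found_hooks, found_anomalies = parse_gmer(SAMPLE_LOG.splitlines())
    for a in found_anomalies:
        print(f"[section] {a.image}[{a.pid}] .{a.section}: {a.note} [{a.detail}]")
    for h in triage(found_hooks):
        print(f"[look here] {h.image}[{h.pid}] {h.module}!{h.export} {h.kind} {h.target:08X}")
```

Feed it the whole log (all the posts concatenated, not just the slice embedded above) to get the real per-export process counts; on the full listing the ntdll.dll hooks appear in every process and drop out of the result, and the widespread_threshold can be raised accordingly.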

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:53 pm

.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2828] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CD000A
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AD000A
.text C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe[2960] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AE000A
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BE000A
.text C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe[2984] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BF000A
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AB000A
.text C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe[2996] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AC000A
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AA000A
.text C:\Program Files\Cerience\RepliGo\RepliGoMon.exe[3036] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AB000A
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0098000A
.text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0099000A
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0103000A
.text C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe[3068] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0104000A
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
.text C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE[3088] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BD000A
.text C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe[3228] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BE000A
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
.text C:\Program Files\iTunes\iTunesHelper.exe[3336] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CD000A
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:54 pm

.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DC000A
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[3392] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DD000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CA000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[3404] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CB000A
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B6000A
.text C:\WINDOWS\SOUNDMAN.EXE[3424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B7000A
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe[3452] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe[3476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
? C:\WINDOWS\services.exe[3536] number of sections mismatch; unknown module: dnsapi.dll
.rsrs C:\WINDOWS\services.exe[3536] C:\WINDOWS\services.exe entry point in ".rsrs" section [0x0041BC6C]
.rsrs C:\WINDOWS\services.exe[3536] C:\WINDOWS\services.exe unknown last section [0x00404000, 0x18000, 0xE0000040]
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\services.exe[3536] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\services.exe[3536] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A5000A
.text C:\WINDOWS\services.exe[3536] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A6000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A4000A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3548] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\ctfmon.exe[3612] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BD000A
.text C:\Program Files\Eraser\eraser.exe[3640] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BE000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:56 pm

.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3668] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B0000A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3736] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B1000A
.rsrc C:\WINDOWS\System32\svchost.exe[3796] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\System32\svchost.exe[3796] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\System32\svchost.exe[3796] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3932] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DB000A
.text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[4020] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DC000A
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B1000A
.text C:\Program Files\Common Files\Sonic Shared\CineTray.exe[4052] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B2000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[4116] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 3:57 pm

.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4976] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100127A0
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WININET.dll!HttpAddRequestHeadersA 3D94CF40 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5352] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 0109000A
.rsrc C:\WINDOWS\system32\svchost.exe[5532] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.rsrc C:\WINDOWS\system32\svchost.exe[5532] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01005636]
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA48F4
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4983
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA4990
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4C14
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4979
.text C:\WINDOWS\system32\svchost.exe[5532] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA49D1

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 4:01 pm

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AE5C8B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AE5C6E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AE5C9260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AE5C8930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\Iexplore.exe[2444] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [61A54AD0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [61A54B20] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [61A54AE0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [61A52910] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C8841EE] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C8841F3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!CreateThread] [7C8841F8] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[3060] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8841E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

Cricketboy
Novice

Posts : 25
Joined : 2009-08-03
OS : XP

Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 4:01 pm

IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetProcAddress] 307825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!LoadLibraryA] 25FF0040
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetVersion] [00403074] C:\WINDOWS\services.exe
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetCommandLineA] CCCCCCCC
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!FreeLibrary] 308025FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetMessageA] [00403084] C:\WINDOWS\services.exe
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!BeginPaint] 308825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetFocus] 00000040
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!EndPaint] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DispatchMessageA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DefWindowProcA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetSysColor] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!SetFocus] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!ScreenToClient] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!LoadIconA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!ShowWindow] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!SetWindowTextA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!DestroyWindow] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!CreateWindowExA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [user32.dll!GetClientRect] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!wcschr] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_controlfp] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__p__commode] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_acmdln] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!memmove] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!wcslen] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_XcptFilter] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!toupper] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!_exit] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__setusermatherr] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__CxxFrameHandler] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__getmainargs] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!rand] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [msvcrt.dll!__set_app_type] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!CreateFontIndirectA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SetBkMode] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SelectObject] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextMetricsA] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!LineTo] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!SetPixel] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextColor] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!GetTextExtentPoint32A] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!PatBlt] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!DeleteObject] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!CreateCompatibleDC] 00000000
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [gdi32.dll!ExtTextOutA] 00000000
IAT C:\Program Files\Internet Explorer\iexplore.exe[4976] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACismsairfdm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x00DC0000
Library \\?\globalroot\systemroot\system32\UACkfmqrdycpa.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x02FD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbypdriymbf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 4:02 pm

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


Re: Win32TrojanTdss infection

Post by Cricketboy on Mon Aug 10, 2009 4:03 pm

Wow! That was some log!

Hope that's what you wanted.

Cricketboy


Re: Win32TrojanTdss infection

Post by Belahzur on Mon Aug 10, 2009 6:28 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACbypdriymbf.sys
C:\WINDOWS\system32\UACismsairfdm.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
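The driver, service name and file paths in the Avenger script above were read off the GMER log by hand. As an added example (not Belahzur's script and not GMER's or Avenger's own code), the parser below pulls the same artifacts out of a GMER 1.0.15 log automatically: it splits the log into its sections, collects every path GMER marks "*** hidden ***", takes the service name from the "<-- ROOTKIT" line, and separately flags user-mode IAT entries whose target is a bare value instead of a resolved module. The sample log is a constructed excerpt that mirrors the lines posted in this thread.

```python
import re

# Constructed sample in the shape of the GMER 1.0.15 log posted in this thread
# (a handful of its lines, not the full log), so the parser runs offline.
SAMPLE_GMER_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetProcAddress] 307825FF
IAT C:\WINDOWS\services.exe[3536] @ C:\WINDOWS\services.exe [kernel32.dll!GetVersion] [00403074] C:\WINDOWS\services.exe
IAT C:\WINDOWS\system32\ZoneLabs\vsmon.exe[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [61A5C7E0] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Check Point Software Technologies LTD)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACismsairfdm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x00DC0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbypdriymbf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""

# Section headers; 3 dashes are accepted because pasted logs sometimes lose one.
SECTION_RE = re.compile(r"^-{3,4} (.+?) - GMER [\d.]+ -{3,4}$")
HIDDEN_RE = re.compile(r"\(\*\*\* hidden \*\*\* ?\)")
# User-mode IAT line: "IAT <process>[<pid>] @ <module> [<dll>!<function>] <target>"
IAT_RE = re.compile(r"^IAT (.+?)\[(\d+)\] @ (.+?) \[(.+?)!(.+?)\] (.*)$")


def parse_sections(text):
    """Split a GMER log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def hidden_artifacts(sections):
    """Paths GMER marks '*** hidden ***' and any service it tags '<-- ROOTKIT'."""
    found = {"files": [], "services": []}
    for name in ("Processes", "Services"):
        for line in sections.get(name, []):
            if not HIDDEN_RE.search(line):
                continue
            # "Library <path> (*** hidden *** ) ..." or "Service <path> (*** hidden *** ) ..."
            found["files"].append(line.split(" (*** hidden")[0].split(" ", 1)[1])
            if "<-- ROOTKIT" in line:  # "... [SYSTEM] UACd.sys <-- ROOTKIT !!!"
                found["services"].append(line.split("<--")[0].split()[-1])
    return found


def bare_iat_targets(sections):
    """User-mode IAT entries whose target is a bare value rather than the usual
    '[address] module (vendor)'; services.exe[3536] in the posted log has several
    (307825FF, CCCCCCCC, ...), and such entries deserve a manual look."""
    out = []
    for line in sections.get("User IAT/EAT", []):
        m = IAT_RE.match(line)
        if m and not m.group(6).startswith("["):
            out.append((m.group(1), int(m.group(2)), m.group(5), m.group(6)))
    return out
```

Run against the full log from the thread, hidden_artifacts() returns both UAC*.sys/.dll paths and the UACd.sys service, which is exactly what the Avenger script disables and deletes.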

Re: Win32TrojanTdss infection

Post by Cricketboy on Tue Aug 11, 2009 3:25 pm

Hi

I think the computer is terminally ill now. I'm posting from another.

It keeps shutting down spontaneously and restarting. I've not had it stable enough in the last 24hrs to follow your last instruction. It doesn't even seem to want to start in safe mode.

I guess it's a case of reformatting. I have a restore disk from the manufacturer (although they are out of business now).

I've got stuff backed up on an external hard disk. Is there a good way of discovering whether that has got infected? What do I do if it has?

You've been very helpful. Have you any other advice?

Cricketboy


Re: Win32TrojanTdss infection

Post by Belahzur on Tue Aug 11, 2009 3:51 pm

The external is fine, this rootkit doesn't spread via USB.



Re: Win32TrojanTdss infection

Post by Cricketboy on Tue Aug 11, 2009 3:54 pm

Hi

Thanks, Belahzur, for your help.

I just hope I can get the reformat to work OK.


Cricketboy


Re: Win32TrojanTdss infection

Post by Belahzur on Tue Aug 11, 2009 4:06 pm

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


