Win32TrojanTDSS....please help

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:30 pm

IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [011704E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0116FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [011704E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [01170300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:30 pm

IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0116FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [0116FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [0116FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [01170120] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [0116FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [01170300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [0116FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [0116FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [011706B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [0116F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2112] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [0116FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:31 pm

IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [00D5FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [00D604E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [00D60300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [00D5FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [00D5FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [00D604E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:31 pm

IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [00D60300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [00D5FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [00D606B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [00D5FA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [00D60120] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [00D5FC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ C:\WINDOWS\System32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ c:\windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [00D5FFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ c:\windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00D5FE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\System32\svchost.exe[2152] @ c:\windows\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [00D5F890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:32 pm

IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [00EC04E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [00EC04E0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:32 pm

IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [00EC0120] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [00EC0300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [00EBFC10] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [00EC0300] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [00EBFFA0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [00EBFA00] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [00EC06B0] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [00EBF890] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:33 pm

IAT C:\WINDOWS\Explorer.EXE[2956] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [00EBFE20] C:\Program Files\CA\SharedComponents\PPRT\bin\CACheck.dll (API interceptors/CA, Inc.)
IAT C:\Program Files\Internet Explorer\Iexplore.exe[4068] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Modem \Device\0000006c kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\Tcpip \Device\IPMULTICAST kmxfw.sys (HIPS Firewall Driver/CA)
Device \Driver\AFD \Device\Afd KmxCF.sys (HIPS Content Filter Driver/CA)
---- Processes - GMER 1.0.15 ----

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:33 pm

Library \\?\globalroot\systemroot\system32\UAClmjrfltdkf.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [808] 0x00ED0000
Library \\?\globalroot\systemroot\system32\UACwibimrmbjo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [808] 0x036D0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACswdtplgpkw.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACswdtplgpkw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACswdtplgpkw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfuomnairoj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAClmjrfltdkf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACuxqvlmeufy.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACfpmkowbevp.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwibimrmbjo.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClirslnylvd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACnhmdvaswrt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACswdtplgpkw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACswdtplgpkw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACfuomnairoj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UAClmjrfltdkf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACuxqvlmeufy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACfpmkowbevp.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwibimrmbjo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClirslnylvd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACnhmdvaswrt.dll

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 4th September 2009, 1:34 pm

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Documents\My Music\ads 0 bytes
File C:\Documents and Settings\All Users\Documents\My Music\avginfoavi.ctf 2394 bytes
File C:\Documents and Settings\All Users\Documents\My Music\avginfowin.ctf 21367 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1640u1590m6.bin 60339 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1641u159073.bin 64199 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1643u1590a8.bin 65009 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1644u1590ub.bin 65012 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1648u15902m.bin 65322 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1652u1590m9.bin 67811 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1661u1590yd.bin 73380 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1664u1590iz.bin 74669 bytes
File C:\Documents and Settings\All Users\Documents\My Music\u7avi1666u15905o.bin 76759 bytes

---- EOF - GMER 1.0.15 ----

i hope that i did this right....let me know what else you need and i will do what is needed for this....thank you in advance as well...

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

BUMP please....

Post by georgeegg on 6th September 2009, 2:41 pm

so on Friday was when i posted the reply to the being told/asked to do the GMER and nothing in return yet....i know that you guys are really busy and all but you said to Bump it after 2 days.... hope ive been doing this correctly....

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 6th September 2009, 6:22 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACswdtplgpkw.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet001\Services\UACd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 7th September 2009, 1:19 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACswdtplgpkw.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet001\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 7th September 2009, 8:46 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

combo fix log...might take a few posts....sorry

Post by georgeegg on 8th September 2009, 12:01 am

ComboFix 09-09-06.06 - GT 09/07/2009 19:20.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.623.302 [GMT -4:00]
Running from: c:\documents and settings\GT\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\50e5543.msi
c:\windows\Installer\8a58be0.msi
c:\windows\Installer\b56279b.msi
c:\windows\system32\UACfpmkowbevp.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACuxqvlmeufy.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_ONESTEP_SEARCH_SERVICE
-------\Legacy_UACd.sys
-------\Service_MyWebSearchService
-------\Service_OneStep Search Service
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 14:03 . 2009-09-07 14:03 -------- d-----w- c:\documents and settings\GT\Application Data\Office Genuine Advantage
2009-09-04 12:29 . 2009-09-04 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-03 22:41 . 2009-09-03 22:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-03 22:21 . 2009-09-03 22:21 -------- d-----w- C:\Sun
2009-08-13 04:04 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-12 21:50 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-12 21:48 . 2009-08-12 21:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 21:48 . 2009-08-12 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-12 21:48 . 2009-08-12 21:48 -------- d-----w- c:\program files\Lavasoft
2009-08-12 18:51 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 19:03 . 2009-09-07 18:47 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-11 18:40 . 2009-08-11 18:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-11 18:40 . 2009-08-11 18:40 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-11 18:39 . 2009-08-11 18:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-11 18:39 . 2009-08-11 18:39 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-11 18:39 . 2009-08-11 18:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 18:39 . 2009-09-07 16:36 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-11 18:39 . 2009-08-11 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-11 18:39 . 2009-08-11 18:39 -------- d-----w- c:\program files\AVG
2009-08-11 18:39 . 2009-08-11 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-11 18:08 . 2009-08-11 18:08 -------- d-----w- c:\documents and settings\GT\Application Data\Sammsoft
2009-08-11 18:08 . 2009-08-11 18:08 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-08-09 22:38 . 2009-08-09 22:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-07 23:33 . 2008-05-24 16:19 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-07 23:33 . 2008-05-24 16:19 446798 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-03 22:46 . 2008-04-19 18:10 -------- d-----w- c:\program files\Java
2009-08-13 15:34 . 2009-07-12 02:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 15:34 . 2009-07-12 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 20:10 . 2008-08-11 21:47 -------- d-----w- c:\program files\Coupons
2009-08-08 05:05 . 2009-01-24 05:33 -------- d-----w- c:\documents and settings\GT\Application Data\FrostWire
2009-08-07 21:12 . 2009-08-07 21:12 70656 ----a-w- c:\windows\system32\drivers\fpxdsiwwkidbkxtp.sys
2009-08-06 19:32 . 2007-10-23 21:01 -------- d-----w- c:\program files\Full Tilt Poker
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2007-09-23 20:55 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 20:14 . 2008-01-22 18:51 -------- d-----w- c:\program files\Nanny Mania
2009-07-08 19:30 . 2009-04-27 00:11 256 ----a-w- c:\windows\system32\pool.bin
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2001-08-23 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2007-09-23 19:59 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2001-08-23 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-03-30 14:39 . 2008-03-30 14:39 0 -c--a-w- c:\program files\temp01
2008-05-24 16:33 . 2008-05-24 15:54 30720 --sha-w- c:\windows\rnapxs\Rnapxs.dat
.

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 12:01 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-29 68856]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-03 149280]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-21 181488]
"dvHighMem"="c:\windows\cfgmng32.exe" [2007-09-03 11333632]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-09 234736]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-09-09 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-09-09 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-09-09 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-05-24 14088]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-20 68592]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-07-23 1377720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 18:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\pfs\\callatl\\rteng9.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\palmOne\\Hotsync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/11/2009 2:40 PM 12552]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/12/2009 5:50 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2009 2:39 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2009 2:39 PM 108552]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/11/2009 2:39 PM 297752]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [1/21/2008 1:54 PM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [1/21/2008 1:54 PM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [5/24/2008 11:54 AM 823296]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [5/24/2008 11:54 AM 185584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-06 c:\windows\Tasks\CAAntiSpywareScan_Daily as GT at 12 55 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\caantispyware.exe [2008-05-24 05:37]

2009-09-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-SearchAndDestroyMFC - c:\program files\Search And Destroy\Search And Destroy.exe
HKLM-Run-Cmaudio - cmicnfg.cpl

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 12:02 am

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - ?p=ZJxdm027YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\winsflt.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - [You must be registered and logged in to see this link.]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1160)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1384)
c:\windows\system32\winsflt.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\windows\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\mdmcls32.exe
c:\windows\system32\mdmcls32.exe
.
**************************************************************************
.
Completion time: 2009-09-07 19:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 23:53

Pre-Run: 14,054,387,712 bytes free
Post-Run: 14,941,134,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

279 --- E O F --- 2009-09-04 12:32

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 8th September 2009, 1:26 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 12:34 pm

========== FILES ==========
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864} moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_083337


and here is the log as well....
========== FILES ==========
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864} moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_083337

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 8th September 2009, 2:28 pm

Hello.
Now finally, post a new Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 4:27 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:00 PM, on 9/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\cfgmng32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\GT\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [dvHighMem] C:\WINDOWS\cfgmng32.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJxdm027YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13411 bytes

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 4:30 pm

now i did get a message about some other trojan from my AVG antivirus software....is there more to do for that or does what we have done take care of all the issues....if not then let me know what you need me to do next...thank you all again you have all been a real help....

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 8th September 2009, 7:45 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O8 - Extra context menu item: &Search - ?p=ZJxdm027YYUS


  • Press "Fix Checked"
  • Close Hijack This.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 8:13 pm

well i ran my AD Ware scan like before and the only things that came up this time was tracking cookies....and that Trojan is not showig up in my scan....now the Trojan horse Generic14.FFS did come up in my scheduled AVG scan and it got moved to the virus vault....should i still be ok with that?? i really do appreciate the assistance and believe me i will be talking to everyone that i know about your people's abillities and send more people your way....thank you again and keep up the great work....

George

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 8th September 2009, 8:15 pm

Hello.
Where did AVG find that trojan? I'll take a likely bet and say "system volume information"?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 8:26 pm

"C:\System Volume Information\_restore{AE0762F6-CDA4-449C-BF08-537B56165EF1}\RP665\A0050269.dll";"Trojan horse Generic14.FFS";"Moved to Virus Vault"

thats the results from todays scan...like 4 1/2 hours ago...so am i safe to do my banking again or is there anything else i need to do??

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by Belahzur on 8th September 2009, 8:42 pm

Heh. System Volume Information is just system restore, they should get flushed when you run Combofix /u.

This should be fine now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Win32TrojanTDSS....please help

Post by georgeegg on 8th September 2009, 8:53 pm

Thank you i did the combofix u like i was told....it will run a scheduled scan tomorrow(AVG) and if something comes up i will let you know otherwise thak you tons and you guys are awesome......

George

georgeegg
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-08-17
Gender Gender : Male
OS OS : XP
Points Points : 26756
# Likes # Likes : 0

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum