NEED HELP with Malware TDSS


Post by tobiasschaap on Fri Dec 12, 2008 12:54 pm

Hi,

I have malware (I think TDSS) on my machine running Windows XP SP3. I have used programmes like Malwarebytes and Hitman Pro (containing other anti-spyware programmes) but nothing helped. Besides this my PC crashes and restarts when I search for TDSS files and when Malwarebytes is searching for malware.

I read the post of girikumar_s, who has the same problem as I do, and I already removed c:\windows\system32\tdssosvd.dat, but the other file that causes my PC to crash I couldn't find: c:\windows\system32\drivers\tdss****.sys. There were some other tdss-named files which I also removed, but my PC keeps crashing!

Then I downloaded and ran ComboFix. My PC crashed when running ComboFix for the first time, which led to the fact that I don't have "explorer" (in Windows), not Internet Explorer, so I don't see the Start button at the left of my screen.

But I managed to run ComboFix successfully in safe mode as administrator. I will post the log in my next post.

Please help me to solve this problem, thank you in advance

Tobias


Re: NEED HELP with Malware TDSS

Post by tobiasschaap on Fri Dec 12, 2008 12:55 pm

ComboFix 08-12-11.05 - Administrator 2008-12-12 13:29:12.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.821 [GMT 1:00]
Gestart vanuit: c:\program files\Combofix\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Gerarda Wieten\Gerarda Wieten.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\windows\csrss.exe
c:\windows\system32\.exe
c:\windows\system32\Drivers\Wintd40.sys
c:\windows\system32\ftpupd.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\wertyu.dll
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_WINTD40
-------\Service_TDSSserv.sys
-------\Service_Wintd40


(((((((((((((((((((( Bestanden Gemaakt van 2008-11-12 to 2008-12-12 ))))))))))))))))))))))))))))))
.

2008-12-12 13:26 . 2006-11-11 22:11 d--h----- c:\documents and settings\Administrator\Sjablonen
2008-12-12 13:26 . 2006-11-11 22:59 d--h----- c:\documents and settings\Administrator\Onlangs geopend
2008-12-12 13:26 . 2006-11-11 22:59 d--h----- c:\documents and settings\Administrator\Netwerkprinteromgeving
2008-12-12 13:26 . 2006-11-11 22:59 d-------- c:\documents and settings\Administrator\Mijn documenten
2008-12-12 13:26 . 2006-11-11 22:59 dr------- c:\documents and settings\Administrator\Menu Start
2008-12-12 13:26 . 2006-11-11 22:59 d-------- c:\documents and settings\Administrator\Favorieten
2008-12-12 13:26 . 2008-12-11 13:35 d-------- c:\documents and settings\Administrator\Bureaublad
2008-12-12 13:26 . 2008-12-12 13:26 d-------- c:\documents and settings\Administrator
2008-12-12 12:27 . 2008-12-12 12:27 d-------- c:\program files\Combofix
2008-12-12 12:12 . 2008-12-12 12:12 d-------- c:\program files\Hijack This
2008-12-12 12:07 . 2008-12-12 12:10 d-------- c:\program files\Superantispyware
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\documents and settings\Gerarda Wieten\Application Data\Malwarebytes
2008-12-12 01:04 . 2008-12-12 01:04 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 01:04 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 01:04 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 20:57 . 2008-12-11 20:57 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-11 20:57 . 2008-12-11 20:57 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-11 20:57 . 2008-12-11 20:57 164 --a------ C:\install.dat
2008-12-11 20:54 . 2008-12-12 11:51 d-------- c:\program files\Spybot - Search & Destroy
2008-12-11 15:34 . 2008-12-12 12:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-11 15:33 . 2008-12-11 15:34 d-------- c:\program files\Adware
2008-12-11 14:57 . 2008-12-11 14:57 dr-h----- c:\documents and settings\Gerarda Wieten\Onlangs geopend
2008-12-08 19:16 . 2008-12-08 19:16 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-08 19:16 . 2008-12-08 19:16 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-08 13:47 . 2008-12-08 13:47 d----c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-12-08 13:42 . 2008-12-08 13:47 d-------- C:\b90c1343c42bcb5bdb2d
2008-12-08 13:42 . 2008-12-08 13:42 dr-h----- C:\AHCache
2008-12-08 13:41 . 2008-12-08 13:41 d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-08 11:27 . 2008-12-08 11:27 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 11:27 . 2008-12-08 11:27 1,409 --a------ c:\windows\QTFont.for
2008-12-08 11:12 . 2008-12-08 11:12 d-------- c:\program files\Microsoft Silverlight
2008-12-05 00:55 . 2008-12-05 00:55 d-------- c:\program files\Google Virus Verwijderaar
2008-11-28 18:31 . 2008-11-28 18:38 d-------- c:\windows\SxsCaPendDel
2008-11-27 23:06 . 2008-12-12 11:49 d-------- c:\program files\CCleaner
2008-11-27 17:22 . 2008-11-27 17:22 14,848 --a------ c:\windows\system32\getwn32.dll
2008-11-12 08:24 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 08:23 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 11:58 --------- d-----w c:\program files\Spamfilter
2008-12-12 10:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 10:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-11 14:25 --------- d-----w c:\program files\Deamon Tools(spelletjes)
2008-12-11 14:17 6,656 ----a-w c:\windows\system32\drivers\aeaudio.sys
2008-12-11 12:54 --------- d-----w c:\program files\Torrentz
2008-12-11 12:36 --------- d-----w c:\program files\ESET
2008-12-11 12:31 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\Lavasoft
2008-12-11 11:57 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\uTorrent
2008-12-08 10:29 --------- d-----w c:\program files\QuickTime
2008-12-05 02:18 31,104 ----a-w c:\windows\system32\drivers\Winec07.sys
2008-12-05 00:11 31,104 ----a-w c:\windows\system32\drivers\Wintw81.sys
2008-12-03 22:18 98,304 ----a-w c:\windows\DUMP5709.tmp
2008-11-28 17:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 17:29 --------- d-----w c:\program files\Philips
2008-11-28 08:04 --------- d-----w c:\program files\WinZix
2008-11-27 22:31 --------- d-----w c:\program files\Hitman Pro
2008-11-27 19:21 --------- d-----w c:\program files\Google
2008-11-11 10:45 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\Canon
2008-11-09 15:09 --------- d-----w c:\documents and settings\Gerarda Wieten\Application Data\SPAMfighter
2008-11-09 15:08 --------- d-----w c:\program files\Common Files\Application
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:43 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 21:10 23,752 ----a-w c:\documents and settings\Gerarda Wieten\Application Data\GDIPFONTCACHEV1.DAT
2008-10-03 10:05 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:28 1,846,528 ----a-w c:\windows\system32\win32k.sys
2006-11-20 08:42 61 --sh--w c:\windows\cnerolf.dat
2008-09-01 20:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\Norton Antivirus\vptray.exe" [2001-09-24 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SPAMfighter Agent"="c:\program files\Spamfilter\SFAgent.exe" [2008-10-22 325768]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-08 413696]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"iTunesHelper"="c:\program files\iPod\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 57344]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iPod\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Torrentz\\utorrent.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Ontspan\\PES 6\\PES6.exe"=
"c:\\Program Files\\Msn Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Msn Messenger\\livecall.exe"=

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-03-01 53760]
S0 Winec07;Winec07;c:\windows\system32\Drivers\Winec07.sys [2006-11-11 31104]
S0 Wintw81;Wintw81;c:\windows\system32\Drivers\Wintw81.sys [2006-11-11 31104]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys [2004-08-04 30592]
S2 SPAMfighter Update Service;SPAMfighter Update Service;"c:\program files\Spamfilter\sfus.exe" [2008-10-22 184968]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-12 38496]
.
Inhoud van de 'Gedeelde Taken' map

2008-12-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\Google Virus Verwijderaar\XoftSpy.exe [2008-12-03 19:05]

2008-12-11 c:\windows\Tasks\XoftSpySE.job
- c:\program files\Google Virus Verwijderaar\XoftSpy.exe [2008-12-03 19:05]
.
- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
HKLM-Run-Hitman Pro Expiration Helper - c:\program files\Hitman Pro\Hitman Pro\xphelper.exe


.
------- Bijkomende Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\MaxisGolfTeleX.ocx
O16 -: {08EE4BCE-527E-4760-B11A-B829415E9103}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\MaxisGolfTeleX.inf

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\JordanApplet.dll
O16 -: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\jordanapplet.inf

c:\windows\Downloaded Program Files\PlaNetSysInfo.dll - O16 -: {3E90FFF5-1347-45B9-91F6-DA47926E9697}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\PlaNetSysInfo.osd

c:\windows\Downloaded Program Files\instwact.dll - O16 -: {91F52A42-C10D-49A7-B941-882C657C604F}
[You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-12 13:31:16
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\System32\NavLogon.dll
.
Voltooingstijd: 2008-12-12 13:32:01
ComboFix-quarantined-files.txt 2008-12-12 12:31:54

Pre-Run: 36.411.445.248 bytes beschikbaar
Post-Run: 36,401,352,704 bytes beschikbaar

207 --- E O F --- 2008-12-09 23:29:44


Re: NEED HELP with Malware TDSS

Post by tobiasschaap on Fri Dec 12, 2008 12:58 pm

This is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:51, on 12-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton Antivirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\Spamfilter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.nl/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {08EE4BCE-527E-4760-B11A-B829415E9103} (MaxisGolfTeleX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {3E90FFF5-1347-45B9-91F6-DA47926E9697} (PlaNet SysInfo Agent) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Norton Antivirus\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton Antivirus\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\Spamfilter\sfus.exe

--
End of file - 7182 bytes


Re: NEED HELP with Malware TDSS

Post by Belahzur on Fri Dec 12, 2008 5:17 pm

Now open a new Notepad file.
Input this into the Notepad file:

KILLALL::

Driver::
Winec07
Wintw81
fips32cup

File::
c:\windows\system32\drivers\fips32cup.sys
c:\windows\system32\Drivers\Winec07.sys
c:\windows\system32\Drivers\Wintw81.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]

Save this as CFScript.txt; save it to your desktop as well.
Then drag and drop CFScript.txt onto ComboFix as seen below:


This will open ComboFix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.




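The two SafeBoot\Minimal keys and the S0 driver lines in the ComboFix log posted earlier are exactly what the CFScript above removes: a driver registered under SafeBoot\Minimal is loaded even in safe mode, which is why the scanners never got a clean boot. The script below is an added illustration, not part of this thread and not ComboFix's or HijackThis's own code. It reads the registry and driver/service sections of a ComboFix log and flags drivers that show that pattern. The function names, the three heuristics, and the embedded log excerpt (copied from the ComboFix log above) are my own choices; the "identical size and timestamp" rule is a triage heuristic, not a rule ComboFix applies.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix log posted earlier in this thread (the SafeBoot
# registry keys and the driver/service list), embedded so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winec07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintw81.sys]
@="Driver"

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-03-01 53760]
S0 Winec07;Winec07;c:\windows\system32\Drivers\Winec07.sys [2006-11-11 31104]
S0 Wintw81;Wintw81;c:\windows\system32\Drivers\Wintw81.sys [2006-11-11 31104]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys [2004-08-04 30592]
S2 SPAMfighter Update Service;SPAMfighter Update Service;"c:\program files\Spamfilter\sfus.exe" [2008-10-22 184968]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-12 38496]
"""

# ComboFix service lines look like "<R|S><start> name;display;path [yyyy-mm-dd size]".
# R = running, S = stopped; start 0 = boot, 1 = system, 2 = auto, 3 = manual.
SERVICE_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$"
)
# Registry keys that make a driver load in safe mode (Minimal or Network profile).
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)


def parse_services(log_text):
    """Return {service_name: info} for every service/driver line in the log."""
    services = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, _display, path, date, size = m.groups()
        services[name] = {
            "running": state == "R",
            "start": int(start),
            "path": path.strip('"'),
            "date": date,
            "size": int(size),
            "is_driver": path.rstrip('"').lower().endswith(".sys"),
        }
    return services


def parse_safeboot(log_text):
    """Return {driver name without .sys (lowercased): SafeBoot profile}."""
    entries = {}
    for line in log_text.splitlines():
        m = SAFEBOOT_RE.match(line.strip())
        if m:
            profile, key = m.groups()
            name = re.sub(r"\.sys$", "", key, flags=re.IGNORECASE)
            entries[name.lower()] = profile
    return entries


def triage(log_text):
    """Map each flagged driver name to the list of reasons it was flagged."""
    services = parse_services(log_text)
    safeboot = parse_safeboot(log_text)
    reasons = defaultdict(list)

    for name, info in services.items():
        if not info["is_driver"]:
            continue
        # Strong signal: a driver registered to load even in safe mode.
        if name.lower() in safeboot:
            reasons[name].append(f"registered under SafeBoot\\{safeboot[name.lower()]}")
        # Weaker signal on its own: loads at boot, before the scanners' drivers.
        if info["start"] == 0:
            reasons[name].append("boot-start (S0) driver")

    # Heuristic (my assumption): distinct drivers with identical size and date
    # are worth a look; a dropper often writes one payload under several names.
    by_fingerprint = defaultdict(list)
    for name, info in services.items():
        if info["is_driver"]:
            by_fingerprint[(info["size"], info["date"])].append(name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                reasons[name].append("same size/date as " + others)
    return dict(reasons)


if __name__ == "__main__":
    for name, why in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {'; '.join(why)}")
```

Run against the excerpt, the script flags Winec07 and Wintw81 on all three counts (SafeBoot\Minimal registration, boot start, identical 31,104-byte files dated 2006-11-11) and nothing else. Note what it does not flag: fips32cup, which the helper also listed in the CFScript, starts at S2 with no SafeBoot entry, so these heuristics alone would have missed it. The output is a triage list for a human to check against known-good drivers, not a removal list.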

Re: NEED HELP with Malware TDSS

Post by Doctor Inferno on Thu Jan 15, 2009 8:29 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

