Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

Old 25th October 2008   #1
smithno13 (Senior Member)

[InActive] Google redirect, Desktop frozen, Lots of AdWare

I'm getting the same Google redirect virus. It is also affecting Windows Live Search. The virus also uninstalled IE7Pro. I do not know what logs to post; I know I have seen lots of people posting logs in their first post, but I am not sure what programs to use. Thanks in advance for the help.

-Nick

Old 25th October 2008   #2
sniper9228 (Geek Member)

http://www.windowsbbs.com/malware-vi...uncements.html
Old 25th October 2008   #3
smithno13 (Senior Member)

Yes, I read that; the virus blocks the DL link for RSIT.
Old 25th October 2008   #4
sniper9228 (Geek Member)

The malware experts can take over.

I have ideas, but I will not suggest anything, as I do not want to be banned.

Old 25th October 2008   #5
Geri (Staff)

Hi smithno13
Welcome to WindowsBBS

Please do this.

Click here and select Open (or Run) to run a tool that will check your computer for a specific rootkit infection.
When the tool completes a log will open.
Please post the contents of that log.

Thanks
Geri

Old 25th October 2008   #6
smithno13 (Senior Member)

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv
NextInstance REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000
Service REG_SZ TDSSserv
Legacy REG_DWORD 1 (0x1)
ConfigFlags REG_DWORD 0 (0x0)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
DeviceDesc REG_SZ TDSSserv
Capabilities REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\LogConf

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_tdssserv\0000\Control
ActiveService REG_SZ TDSSserv

TDSS infection active!
That's not good, is it? >.>

Old 25th October 2008   #7
Geri (Staff)

Hi
OK, do you have access to an uninfected computer where you can download a tool and transfer it to the infected one?

Old 26th October 2008   #8
smithno13 (Senior Member)

Yes I do. What do I need to download?
Old 26th October 2008   #9
Geri (Staff)

Hi
OK, Good.
Please download ComboFix, then transfer it to the infected computer and run it as instructed.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

Please post the log.

Thanks
Geri

Old 26th October 2008   #10
smithno13 (Senior Member)

ComboFix 08-10-24.02 - Compaq_Owner 2008-10-25 22:45:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.796 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\Compaq_Owner\Application Data\FunWebProducts
C:\Documents and Settings\Compaq_Owner\Application Data\rhcctlj0eg85
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\mssadv.log
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\atkqvwqp.dll
C:\WINDOWS\system32\byXoOIXr.dll
C:\WINDOWS\system32\culoyqof.ini
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\Drivers\TDSSmxwe.sys
C:\WINDOWS\system32\epgnka.dll
C:\WINDOWS\system32\foqyoluc.dll
C:\WINDOWS\system32\glqwuwnd.dll
C:\WINDOWS\system32\grckpjtu.dll
C:\WINDOWS\system32\hptbivvj.ini
C:\WINDOWS\system32\ifrggjln.dll
C:\WINDOWS\system32\iiffFvUk.dll
C:\WINDOWS\system32\itwvriaq.dll
C:\WINDOWS\system32\jgvjew.dll
C:\WINDOWS\system32\khfCvULf.dll
C:\WINDOWS\system32\kihaatmr.exe
C:\WINDOWS\system32\nnfbay.dll
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oiiojkaq.dll
C:\WINDOWS\system32\phc9tlj0eg85.bmp
C:\WINDOWS\system32\pmnkHXqR.dll
C:\WINDOWS\system32\pqwvqkta.ini
C:\WINDOWS\system32\qairvwti.ini
C:\WINDOWS\system32\qdpvugyj.dll
C:\WINDOWS\system32\rcwhluwc.exe
C:\WINDOWS\system32\RqXHknmp.ini
C:\WINDOWS\system32\RqXHknmp.ini2
C:\WINDOWS\system32\rwoiojad.exe
C:\WINDOWS\system32\TDSSarxx.dll
C:\WINDOWS\system32\TDSSmtpe.dat
C:\WINDOWS\system32\TDSSnpur.dll
C:\WINDOWS\system32\TDSSoitu.dll
C:\WINDOWS\system32\TDSSshyf.dll
C:\WINDOWS\system32\TDSSyoqm.dll
C:\WINDOWS\system32\urqqqPjh.dll
C:\WINDOWS\system32\wndsptch.exe
C:\WINDOWS\system32\xjmivugl.ini
C:\WINDOWS\system32\ybohgd.dll
C:\WINDOWS\system32\yfmqqu.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-25 13:26 . 2008-10-25 13:26 <DIR> d-------- C:\Program Files\Ogg Converter
2008-10-22 20:14 . 2008-10-24 18:05 719 --a------ C:\WINDOWS\Sysvxd.exe
2008-10-18 21:57 . 2008-10-18 21:57 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SPORE
2008-10-17 21:29 . 2008-10-25 13:39 3,896 --a------ C:\WINDOWS\system32\TDSSdxgp.dll
2008-10-13 23:29 . 2008-10-13 23:29 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\$CUERoot$
2008-10-11 23:23 . 2008-10-11 23:32 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Clonk Rage
2008-10-11 23:22 . 2008-10-11 23:32 <DIR> d-------- C:\Program Files\Clonk Rage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 03:37 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Xfire
2008-10-26 03:19 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Skype
2008-10-25 17:43 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-10-25 17:31 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\skypePM
2008-10-23 23:00 --------- d-----w C:\Program Files\Sprint music manager
2008-10-23 12:47 --------- d-----w C:\Program Files\RegCure
2008-10-23 02:06 --------- d-----w C:\Program Files\Bonjour
2008-10-23 01:48 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hamachi
2008-10-22 02:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-19 21:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-19 02:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-10-19 02:22 --------- d-----w C:\Program Files\Electronic Arts
2008-10-18 04:26 --------- d-----w C:\Program Files\Flatout2
2008-10-17 03:23 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-10-16 13:49 8,896 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-10-10 16:54 139,664 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-10 16:53 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-09 14:14 --------- d-----w C:\Program Files\Xfire
2008-10-08 12:55 --------- d-----w C:\Program Files\Cortex Command No mods
2008-10-03 17:41 6,066,176 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-26 00:54 --------- d-----w C:\Program Files\Samsung
2008-09-23 00:58 --------- d-----w C:\Program Files\Unlocker
2008-09-23 00:39 --------- d-----w C:\Program Files\FileASSASSIN
2008-09-20 00:50 --------- d-----w C:\Program Files\ManyCam 2.3
2008-09-19 02:16 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Tidy Start Menu
2008-09-19 02:15 --------- d-----w C:\Program Files\Tidy Start Menu
2008-09-19 02:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2008-09-19 01:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-19 01:36 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-19 01:33 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-09-18 00:41 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-09-09 05:52 --------- d-----w C:\Program Files\Cortex Command 2
2008-09-09 04:31 --------- d-----w C:\Program Files\Wonderland Online
2008-09-09 04:24 614,283,883 ----a-w C:\Program Files\wl_setup_2.0.3.exe
2008-09-06 01:02 --------- d-----w C:\Program Files\IEPro
2008-09-05 04:48 --------- d-----w C:\Program Files\DivX
2008-09-05 04:47 --------- d-----w C:\Program Files\Netscape
2008-09-03 04:22 --------- d-----w C:\Program Files\xchat
2008-09-03 04:22 --------- d-----w C:\Program Files\mIRC
2008-09-01 17:04 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2008-09-01 15:45 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\MiniDm
2008-09-01 00:07 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\IEPro
2008-08-31 21:27 --------- d-----w C:\Program Files\HP
2008-08-31 04:56 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-29 23:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\X-Chat 2
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-07-28 02:00 6,144 ----a-w C:\WINDOWS\~DF9BB5.tmp
2008-07-26 09:17 368 ----a-w C:\WINDOWS\Fonts\incubus.txt
2008-07-19 19:17 0 ----a-w C:\Documents and Settings\Compaq_Owner\jagex_runescape_preferences.dat
2008-06-20 21:19 124,821 ----a-w C:\Program Files\Crates.rar
2008-05-08 21:32 390 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2007-10-30 23:48 68,096 -c--a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\upqrsbut.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,528 2008-01-03 16:15:06 C:\Program Files\AIM6\aim6.exe

----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 49,152 2005-02-17 13:11:42 C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe

----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

-c--a-w 458,752 2005-06-08 23:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

----a-w 217,088 2005-06-08 23:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

----a-w 196,608 2005-06-08 22:44:14 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

----a-w 385,024 2008-01-27 07:32:20 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 5,724,184 2007-10-18 17:34:02 C:\Program Files\Windows Live\Messenger\bak\MsnMsgr.Exe
----a-w 5,724,184 2008-07-14 03:01:26 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

----a-w 663,552 2004-12-14 09:23:44 C:\WINDOWS\CREATOR\bak\Remind_XP.exe

----a-w 237,568 2005-07-23 05:14:00 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 221,184 2005-07-20 01:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-07-13 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 7311360]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-01 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2006-01-07 659456]
"0878296a"="C:\WINDOWS\system32\foqyoluc.dll" [N/A]
"PCDrProfiler"="" [N/A]
"ftutil2"="ftutil2.dll" [2004-06-07 C:\WINDOWS\system32\ftutil2.dll]
"nwiz"="nwiz.exe" [2006-05-09 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-08-01 27136]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Media Player.lnk - C:\Program Files\Adobe Media Player\Adobe Media Player.exe [2008-08-23 260096]
MEMonitor.lnk.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2008-09-25 929792]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat epgnka.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\PacSteamT\\SteamApps\\smithno123\\garrysmod\\hl2.exe"=
"C:\\PacSteamT\\SteamApps\\smithno123\\half-life\\hl.exe"=
"C:\\PacSteamT\\SteamApps\\smithno123\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\PacSteamT\\SteamApps\\smithno13\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Deluxe Edition\\BF2142.exe"=
"C:\\Program Files\\Toblo\\Toblo 1.2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\TortoiseSVN\\bin\\TortoiseMerge.exe"=
"C:\\Program Files\\TortoiseSVN\\bin\\TortoiseIDiff.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-07-14 65536]
R2 SentinelKeysServer;Sentinel Keys Server;C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2007-04-27 316992]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-07-14 1527887]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 Revolution1;Revolution1;C:\Documents and Settings\Compaq_Owner\My Documents\Program Files\SHAK3.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aff3217b-7482-11dd-b24b-0018f3282fa5}]
\Shell\AutoRun\command - G:\.\Program\PSMenu\psmenu.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{4816822F-6BB2-4314-A4DA-D5909E06D766} - C:\WINDOWS\system32\urqqqPjh.dll
BHO-{b47b9cc3-8047-4a09-92d1-fda27e4033f6} - C:\WINDOWS\system32\epgnka.dll
BHO-{E2B18D40-DF63-4334-B4A9-DA0A6F9752F6} - C:\WINDOWS\system32\pmnkHXqR.dll
ShellExecuteHooks-{4816822F-6BB2-4314-A4DA-D5909E06D766} - C:\WINDOWS\system32\urqqqPjh.dll
SafeBoot-TDSSmxwe.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\COMPAQ~1\APPLIC~1\Mozilla\Firefox\Profiles\ob6msbu7.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.21115.0.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npdivx32.dll
FF -: plugin - C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-25 23:11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-10-25 23:34:45 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-10-26 04:34:40

Pre-Run: 9,119,113,216 bytes free
Post-Run: 9,208,737,792 bytes free

350 --- E O F --- 2008-10-22 00:16:14

Also, it seems to have fixed EVERYTHING. Thank you. If anything comes up, I will let you know.

Old 26th October 2008   #11
Geri (Staff)

Hi
OK we are not quite done here.
You still have some bad files and some that need to be replaced. You need to keep with me until I tell you that you are clean.

Please do the following in the order given.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\upqrsbut.dll
  • Click on the submit button
  • Please post the results in your next reply.


Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:
File::
C:\WINDOWS\Sysvxd.exe
C:\WINDOWS\system32\TDSSdxgp.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Please post the Jotti results and the ComboFix log.

Thanks
Geri

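An added example, not code from the thread, from ComboFix or from WindowsBBS: a small Python triage script that applies the reading Geri just did to the ComboFix log posted above. It parses the "Files Created" and "Reg Loading Points" sections and flags the same kinds of entries (the TDSS-named DLL, the tiny Sysvxd.exe sitting in the Windows directory, the populated AppInit_DLLs value, Run entries ComboFix could not size, and the Security Center and firewall settings the infection switched off); the size threshold and the random-name pattern are this example's own heuristics, not ComboFix rules.

```python
"""Triage helper for ComboFix logs (added example; not ComboFix's own code).

Walks the 'Files Created' and 'Reg Loading Points' sections and flags the kinds
of entries picked out in this thread. The size cut-off and the random-name
pattern are heuristics chosen for this example, not rules from ComboFix."""
import re

# Constructed excerpt: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
2008-10-25 13:26 . 2008-10-25 13:26 <DIR> d-------- C:\Program Files\Ogg Converter
2008-10-22 20:14 . 2008-10-24 18:05 719 --a------ C:\WINDOWS\Sysvxd.exe
2008-10-17 21:29 . 2008-10-25 13:39 3,896 --a------ C:\WINDOWS\system32\TDSSdxgp.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"0878296a"="C:\WINDOWS\system32\foqyoluc.dll" [N/A]
"PCDrProfiler"="" [N/A]
"nwiz"="nwiz.exe" [2006-05-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat epgnka.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One 'Files Created' line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S+ (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<data>.*)$')
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}$")   # Vundo-style value names such as 0878296a
TINY_EXE_BYTES = 4096                        # heuristic cut-off chosen for this example
WINDIR = "c:\\windows\\"


def check_file(size, path, findings):
    """Flag TDSS-named files and tiny .exe files sitting directly in %windir%."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name.startswith("tdss"):
        findings.append(("tdss-named file", path))
        return
    in_windir_root = path.lower().startswith(WINDIR) and "\\" not in path[len(WINDIR):]
    if size != "<DIR>" and in_windir_root and name.endswith(".exe"):
        if int(size.replace(",", "")) < TINY_EXE_BYTES:
            findings.append(("tiny executable in Windows directory", path))


def check_value(key, name, data, findings):
    """Flag a registry value according to the key it lives under."""
    lname = name.lower()
    if key.endswith("\\run"):
        if data.endswith("[N/A]"):           # ComboFix could not stat the target file
            findings.append(("Run entry with no file info", f"{name}={data}"))
        if RANDOM_NAME.match(name):
            findings.append(("Run entry with random-looking name", f"{name}={data}"))
    elif key.endswith("\\currentversion\\windows") and lname == "appinit_dlls":
        if data.strip().strip('"'):          # anything but "" is injected into every GUI process
            findings.append(("AppInit_DLLs injection", data))
    elif key.endswith("\\security center") and lname.endswith("disablenotify"):
        if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
            findings.append(("Security Center notification disabled", name))
    elif key.endswith("\\standardprofile") and lname == "enablefirewall":
        if data.lstrip().startswith("0"):
            findings.append(("Windows Firewall disabled", name))


def triage(log_text):
    """Return a list of (finding, detail) tuples for a ComboFix log."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            check_file(m.group("size"), m.group("path"), findings)
        elif m := KEY_LINE.match(line):
            current_key = m.group("key").lower()
        elif m := VALUE_LINE.match(line):
            check_value(current_key, m.group("name"), m.group("data"), findings)
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:45} {detail}")
```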
Old 26th October 2008   #12
smithno13 (Senior Member)

A-Squared Found Trojan.Win32.Obfuscated!IK
AntiVir Found TR/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Lop
BitDefender Found Trojan.Otuboh.Gen
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Obfuscated.gx
G DATA Found Trojan.Otuboh.Gen
Ikarus Found Trojan.Win32.Obfuscated
Kaspersky Anti-Virus Found Trojan.Win32.Obfuscated.gx
NOD32 Found a variant of Win32/Adware.UltimateDefender application
Norman Virus Control Found Zlob.gen94
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing



Well ****, still not good. Will get other logs ASAP, but I need to go.
