Help with Trojan? Infected PC

Question

don19582m 0 Newbie Poster

15 Years Ago

I need help with something that’s infected my computer and I can't remove.

I first noticed something was wrong when any internet search engine links are re-directed to other suspicious sites. Additionally, my browser was unable to contact any anti-virus sites, responding with an unable to connect message. My anti-virus software was also being blocked from downloading updates.

I followed the instructions in the "read me before posting a request for assistance" thread by PhilliePhan. Here are the results:

I’m using the Trend-Micro Internet Security protection suite on Windows XP Pro SP3.
Hidden file viewing is enabled.
Downloaded ATF-Cleaner.
Checked add/remove programs. Don't think I saw anything suspicious.
Downloaded MS Malicious Software Removal Tool,
Updated Windows.
Re-booted.
Ran MS Malicious Software Removal Tool. No malicious software was detected.
A Trend-Micro auto update completed right after the MS Mal Software Tool finished.
Re-booted.
Ran ATF-Cleaner. Empty all, no problem.
Updated Malwarebytes Anit-Malware, full scan.
Ran ESET. No threats found.
Re-boot.
Ran HiJackThis. Collected uninstall list and saved log.
Trend-Micro scan. Found threats, removed some, quarantined others.

Trend-micro identifies infected files but is unable to remove them permanently. The last Trend-Micro scan shows the problem still exists. It has quarantined dll files prefixed with TDSS in the windows\system32 directory and some in windows\temp. Trend-Micro is unable to delete any of these files, they are locked or I lack sufficient privileges message (I am running as administrator). I cannot see any of these files in explorer and each time I run the scan it finds more dll files.

After doing the above, I note that the browser re-direction has stopped and my anti-virus is able to update. The re-appearance of the TDSS files when I do the Trend-Micro scans concerns me.

Any help you can offer is greatly appreciated.

Here are the Malwarebytes log, ESET log, uninstall list and HiJack log:

Malwarebytes' Anti-Malware 1.30
Database version: 1348
Windows 5.1.2600 Service Pack 3

10/31/2008 8:20:30 PM
mbam-log-2008-10-31 (20-20-30).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 138335
Time elapsed: 43 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dsly (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dsly (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dsly (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ebgf (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ebgf (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ebgf (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1080\A0071004.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1080\A0071005.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1080\A0071006.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1080\A0071007.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1081\A0071008.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1081\A0071009.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1081\A0071010.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1083\A0073010.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP1083\A0074010.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\nesfj.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ryprfti.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ (Trojan.Agent) -> Delete on reboot.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3575 (20081031)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e7712c49142ac9458b7a8bd595a85c96
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-01 02:26:22
# local_time=2008-10-31 09:26:22 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=296309
# found=0
# scan_time=2923

Adobe Acrobat 5.0
Adobe Flash Player ActiveX
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AnswerWorks Runtime
AutoCAD 2002
AutoCAD 2006 - English
Autodesk DWF Viewer
BCM V.92 56K Modem
Brother 1440
Brownie
Canon PhotoRecord
Canon PowerShot A40 WIA Driver
Canon Utilities PhotoStitch 3.1
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.2
Canon Utilities ZoomBrowser EX
Classic PhoneTools
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellSupport
Digital Line Detect
Documents To Go
Easy CD Creator 5 Basic
eDrawings 2004
ESET Online Scanner
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
InterActual Player
iPod Updater 2004-08-06
ItsDeductible Express
iTunes
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Data Access Components KB870669
Microsoft Digital Image Pro 9
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft XML Parser and SDK
Microtek FineReader OCR Engine
Modem Helper
MPIO Manager 2
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH Jukebox
Nikon Message Center
NVIDIA Display Driver
NVIDIA Drivers
Olympus Digital Wave Player
Paint Shop Pro 7
palmOne
PictureProject
PictureProject In Touch Downloader 1.0
PowerDVD
Quicken 2008
Quicken WillMaker Plus 2008
QuickTime
RealPlayer
ResumeMaker Professional
Resumes Quick & Easy
Rhapsody Player Engine
SafeCast Shared Components
ScanWizard 5
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SnagIt 7
SolidWorks 2004 SP0
Trend Micro Internet Security
Trend Micro Internet Security
TurboTax Deluxe 2002
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Verizon High Speed Internet
Verizon Online Help and Support
Verizon Servicepoint 1.5.12
Viewpoint Media Player (Remove Only)
Visio 2000
WexTech AnswerWorks
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:37 AM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HandSpring\Hotsync.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Donald Dixon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\Internet Security\tsc.exe" /HD
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.3.16&build=Symantec&a=00000082.00000004.0000000a&b=00000082.0000001e.0000004a&c=00000082.00000020.0000004c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7260 bytes

windows-virus

3 Contributors
22 Replies
469 Views
2 Weeks Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

15 Years Ago

Hi and welcome to the Daniweb forums :).

==========

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

crunchie 990 Most Valuable Poster

15 Years Ago

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\drivers\TDSSmqlt.sys

crunchie 990 Most Valuable Poster

15 Years Ago

A. Please RUN HijackThis Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad Click Start , then Run
Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
C:\WINDOWS\system32\drivers\TDSSmqlt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), pleasere-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:Combofix.txt
A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

crunchie 990 Most Valuable Poster

15 Years Ago

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys

====

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.Once the files are downloaded click on Next
Click on Scan Settings and configure as follows: Scan using the following Anti-Virus database:Extended

Scan Options:Scan Archives
Scan Mail Bases

Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on:Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

crunchie 990 Most Valuable Poster

15 Years Ago

Try these instead;

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/en/start_corp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner

TrojanScan

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

don19582m 0 Newbie Poster · Answer 1 · 2008-11-03T21:23:46+00:00

Hello Crunchie,

Thanks for the welcome and trying to help.

I ran ComboFix. The first thing it did was issue a message about detecting the presence of root kit activity and rebooted the PC. After booting, ran through stages, rebooted again. After the second reboot, my anti-virus must have restarted. ComboFix flashed a message I didn't catch and then the antivirus messaged permission to allow ComboFix to continue. I granted permission and ComboFix finished running. I hope that didn't screw anything up with ComboFix. Below are the two logs you requested -- ComboFix's and HiJackthis.

ComboFix 08-10-26.01 - 2008-11-02 23:57:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.275 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-10-31 20:33 . 2008-10-31 20:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-10-27 20:13 . 2008-10-27 20:13 <DIR> d-------- C:\Documents and Settings\Donald Dixon\Application Data\Malwarebytes
2008-10-27 20:12 . 2008-10-27 20:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 20:12 . 2008-10-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 20:12 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-27 20:12 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-25 22:40 . 2002-06-25 13:59 4,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys
2008-10-25 22:40 . 2002-06-25 13:59 4,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
2008-10-24 03:25 . 2008-10-15 11:34 337,408 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-16 01:27 . 2008-08-14 05:11 2,189,184 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-16 01:27 . 2008-08-14 05:09 2,145,280 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-16 01:27 . 2008-08-14 04:33 2,066,048 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-16 01:27 . 2008-08-14 04:33 2,023,936 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 12:40 . 2008-09-08 05:41 333,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 12:36 . 2008-09-15 07:12 1,846,400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 02:49 --------- d-----w C:\Documents and Settings\Donald Dixon\Application Data\U3
2008-10-20 02:15 --------- d-----w C:\Program Files\Quicken
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-04-22 21:14 115,592 ----a-w C:\Documents and Settings\Donald Dixon\Application Data\GDIPFONTCACHEV1.DAT
2006-04-08 15:47 115,592 ----a-w C:\Documents and Settings\Eric Dixon\Application Data\GDIPFONTCACHEV1.DAT
2004-08-27 02:53 19,480 ----a-w C:\Program Files\SolidWorksswxJRNL.BAK
.

((((((((((((((((((((((((((((( snapshot_2008-10-28_21.15.04.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-29 02:05:17 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-11-03 05:51:31 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-10-29 02:05:17 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-11-03 05:51:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-10-29 02:05:17 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-11-03 05:51:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2007-03-15 23:16:42 236,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaLogon.dll
+ 2008-09-06 04:30:42 241,704 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wgaLogon.dll
- 2007-03-15 23:17:08 336,768 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaTray.exe
+ 2008-09-06 04:29:58 917,032 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\WgaTray.exe
- 2008-07-19 00:08:32 36,368 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
+ 2008-08-16 08:00:46 36,368 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
- 2008-07-19 00:08:38 205,328 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tmxpflt.sys
+ 2008-08-16 08:00:52 205,328 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tmxpflt.sys
- 2008-07-18 23:51:32 1,195,448 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\vsapint.sys
+ 2008-08-16 07:53:50 1,195,448 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\vsapint.sys
- 2007-03-15 23:19:28 1,476,992 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
+ 2008-09-06 04:30:06 1,480,232 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
+ 2007-07-27 19:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
- 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-10-07 17:19:42 16,721,856 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-02-11 14:39:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18 237,568 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46 110,592 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
- 2007-03-15 23:16:42 236,928 ----a-w C:\WINDOWS\SYSTEM32\WgaLogon.dll
+ 2008-09-06 04:30:42 241,704 ----a-w C:\WINDOWS\SYSTEM32\WgaLogon.dll
- 2007-03-15 23:17:08 336,768 ------w C:\WINDOWS\SYSTEM32\WgaTray.exe
+ 2008-09-06 04:29:58 917,032 ------w C:\WINDOWS\SYSTEM32\WgaTray.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="C:\Program Files\Internet Explorer\iexplore.exe" [2008-08-23 635848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-02 98304]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 185896]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 C:\WINDOWS\BCMSMMSG.exe]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-27 82026]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-09-29 28672]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-07-13 118784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-11-12 45056]
HotSync Manager.lnk - C:\Program Files\HandSpring\Hotsync.exe [2004-06-09 471040]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2004-12-12 303104]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-04-18 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 axkc;axkc;C:\WINDOWS\system32\drivers\oitjqw.sys [ ]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2004-11-21 16384]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 38496]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]

*Newly Created Service* - TDSSSERV.SYS
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 07:11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\BRSS01A.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-11-03 7:14:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 12:14:37

Pre-Run: 54,844,297,216 bytes free
Post-Run: 54,878,736,384 bytes free

175 --- E O F --- 2008-10-25 08:02:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:52 AM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HandSpring\Hotsync.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Donald Dixon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.3.16&build=Symantec&a=00000082.00000004.0000000a&b=00000082.0000001e.0000004a&c=00000082.00000020.0000004c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\HandSpring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6868 bytes

don19582m 0 Newbie Poster · Answer 2 · 2008-11-04T09:26:17+00:00

Could not locate the file TDSSmqlt.sys file through the web sites listed nor with explorer. Checked folder settings -- hidden files and system directories still visible and ran an explorer search on C: drive for TDSS*.* but no hits. Not sure what else to do?

don19582m 0 Newbie Poster · Answer 3 · 2008-11-05T09:33:56+00:00

Hello Crunchie,

Ran HiJackThis and deleted the three items requested above via the Fix Checked button.

Ran the CFScript.txt file through ComboFix. Two messages were generated:
(1) "ComboFix has detected rootkit activity and needs to reboot the machine", and
(2) "Writing 'limitblankpassworduse' with data '1' failed". The PC booted twice with ComboFix; the first message happened before the first boot, the second message occurred after the second boot. I had the same problem with Trend Micro restarting after the second boot although I had it disabled. So I don't know if it interfered with ComboFix near the end.

Here is the ComboFix.txt file followed by the HiJackThis log I ran after everything was done:

ComboFix 08-10-26.01 - 2008-11-04 20:31:38.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.240 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Donald Dixon\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-10-31 20:33 . 2008-10-31 20:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-10-27 20:13 . 2008-10-27 20:13 <DIR> d-------- C:\Documents and Settings\Donald Dixon\Application Data\Malwarebytes
2008-10-27 20:12 . 2008-10-27 20:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-27 20:12 . 2008-10-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-27 20:12 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-27 20:12 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-25 22:40 . 2002-06-25 13:59 4,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys
2008-10-25 22:40 . 2002-06-25 13:59 4,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys
2008-10-24 03:25 . 2008-10-15 11:34 337,408 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-16 01:27 . 2008-08-14 05:11 2,189,184 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-16 01:27 . 2008-08-14 05:09 2,145,280 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-16 01:27 . 2008-08-14 04:33 2,066,048 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-16 01:27 . 2008-08-14 04:33 2,023,936 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 12:40 . 2008-09-08 05:41 333,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 12:36 . 2008-09-15 07:12 1,846,400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 02:49 --------- d-----w C:\Documents and Settings\Donald Dixon\Application Data\U3
2008-10-20 02:15 --------- d-----w C:\Program Files\Quicken
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-04-22 21:14 115,592 ----a-w C:\Documents and Settings\Donald Dixon\Application Data\GDIPFONTCACHEV1.DAT
2006-04-08 15:47 115,592 ----a-w C:\Documents and Settings\Eric Dixon\Application Data\GDIPFONTCACHEV1.DAT
2004-08-27 02:53 19,480 ----a-w C:\Program Files\SolidWorksswxJRNL.BAK
.

((((((((((((((((((((((((((((( snapshot_2008-11-03_ 7.14.05.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-03 05:51:31 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-11-05 02:23:39 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-11-03 05:51:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-11-05 02:23:39 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-11-03 05:51:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-11-05 02:23:39 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="C:\Program Files\Internet Explorer\iexplore.exe" [2008-08-23 635848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-02 98304]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 185896]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 C:\WINDOWS\BCMSMMSG.exe]
"nwiz"="nwiz.exe" [2003-10-06 C:\WINDOWS\SYSTEM32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2002-12-27 82026]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-09-29 28672]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-07-13 118784]
HotSync Manager.lnk - C:\Program Files\HandSpring\Hotsync.exe [2004-06-09 471040]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microtek Scanner Finder.lnk - C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2004-12-12 303104]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-04-18 118784]