Malwarebytes

Problems with Seneka

5 replies to this topic

#1 kueller (New Member, 3 posts)

Hey guys, I just got a lightly-used computer from a friend, and it's in pretty bad shape. Well, not that bad, really, just a lot of garbage, most of which I cleared out no problem. But it's got this seneka.dat trojan virus thing and I just cannot get rid of it. Poked around some threads here and it looked like people were saying that it required custom scripts to remove, so I figured I'd better make a post and see if anyone can help me with this.

I've run a half-dozen antivirus programs, but whenever I reboot this thing has come back. The internet browsers run slowly, which I believe is the fault of this virus. Other than that, no real effects - I don't have any passwords or serious stuff on this computer, and I definitely don't intend to use it for any of that now ;) So here's an HJT log and an MB log, and let me know what else I should post. Thanks for your help!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:21 PM, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: cvsahn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4223 bytes

Malwarebytes' Anti-Malware 1.31
Database version: 1482
Windows 5.1.2600 Service Pack 2

1/19/2009 1:07:33 PM
mbam-log-2009-01-19 (13-07-33).txt

Scan type: Quick Scan
Objects scanned: 52579
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#2 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help clean up any left-over Java.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java



You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member kueller only. If you are a lurker, do NOT try this on your system!
If you are not kueller and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

STEP01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.


STEP02
    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP03
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8:
To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option Resident Shield active
save the changes.

STEP04
Please download and run the following file to repair file and registry permissions
fixacl.exe

STEP05
  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP07
If you have a prior copy of Combofix, delete it now!

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO .

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this, then be sure to write it down fully and also copy that into your next reply here and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

STEP08
IF and only IF the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.

Only if Combofix has a good finish:
I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\SYSTEM32\TDSSixgp.dll
    C:\WINDOWS\SYSTEM32\TDSSproc.log
    C:\WINDOWS\SYSTEM32\TDSSwkod.log
    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp
    c:\windows\system32\drivers\msqpdxserv.sys
    C:\resycled
    D:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    c:\windows\system32\TDSSweat.dat
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\TDSSfpmp.dll
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\TDSSnirj.dat
    
    Drivers to delete:
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • In the avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

STEP09
Download DDS and save it to your desktop from one of these 3 locations
1 http://www.techsupportforum.com/sectools/sUBs/dds
2 http://download.bleepingcomputer.com/sUBs/dds.scr
3 http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt


Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis

RE-Enable your AntiVirus and AntiSpyware applications.
Ron Lewis
Manager, Online Support


#3 kueller (New Member, 3 posts)

Wow, you guys are great! Okay, here's the logs:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Corinthian at 20:26:22.32 on Wed 01/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1558 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Corinthian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mWinlogon: Userinit=c:\windows\explorer.exe,
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Jsofuqidef] rundll32.exe "c:\windows\Bqidafoqipo.dll",e
mRun: [Skudotucejaq] rundll32.exe "c:\windows\ilihahur.dll",e
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
AppInit_DLLs: cvsahn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\corint~1\applic~1\mozilla\firefox\profiles\x4zm6q2g.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XUL Cache: {EE557A16-F7BC-4BCE-BA87-BEFE82AC715D} - c:\documents and settings\corinthian\local settings\application data\{EE557A16-F7BC-4BCE-BA87-BEFE82AC715D}
FF - HiddenExtension: XUL Cache: {7E501673-0122-44C4-AC01-C94A7BDD0328} - c:\windows\system32\config\systemprofile\local settings\application data\{7e501673-0122-44c4-ac01-c94a7bdd0328}\

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-11-12 8576]
R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-26 24652]
S0 dklxcn;dklxcn;c:\windows\system32\drivers\mwqrp.sys --> c:\windows\system32\drivers\mwqrp.sys [?]
S0 eldos;eldos;c:\windows\system32\drivers\csqlgphd.sys --> c:\windows\system32\drivers\csqlgphd.sys [?]
S0 ltvdkd;ltvdkd;c:\windows\system32\drivers\nerlgk.sys --> c:\windows\system32\drivers\nerlgk.sys [?]
S0 qvydcfeo;qvydcfeo;c:\windows\system32\drivers\swgjinpj.sys --> c:\windows\system32\drivers\swgjinpj.sys [?]
S0 ryawu;ryawu;c:\windows\system32\drivers\gfib.sys --> c:\windows\system32\drivers\gfib.sys [?]
S0 whqu;whqu;c:\windows\system32\drivers\uadp.sys --> c:\windows\system32\drivers\uadp.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-21 19:57 <DIR> a-dshr-- C:\cmdcons
2009-01-21 19:56 161,792 a------- c:\windows\SWREG.exe
2009-01-21 19:56 98,816 a------- c:\windows\sed.exe
2009-01-21 19:56 <DIR> --d----- C:\Combo-Fix
2009-01-21 14:54 133,632 a------- c:\windows\ilihahur.dll
2009-01-21 14:42 41,984 a------- c:\windows\Bqidafoqipo.dll
2009-01-05 22:10 31,232 a------- c:\windows\system32\pcload.exe
2009-01-03 23:04 <DIR> --d----- c:\program files\CCleaner
2009-01-03 23:04 <DIR> --d----- c:\program files\ClamWinPortable
2009-01-03 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-03 22:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-03 22:40 <DIR> --d----- c:\docume~1\corint~1\applic~1\SUPERAntiSpyware.com
2009-01-03 21:52 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-01-03 21:52 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-01-03 21:42 <DIR> --d----- c:\docume~1\corint~1\applic~1\Twain
2008-12-28 21:25 <DIR> --d----- c:\program files\Ventrilo
2008-12-28 21:25 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-28 21:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-27 17:35 31,048 a------- c:\windows\system32\drivers\point32.sys
2008-12-27 17:35 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2008-12-26 23:59 7 a------- c:\windows\system32\answxt.bin

==================== Find3M ====================

2009-01-12 10:58 111,616 a------- c:\windows\system32\userinit.exe
2008-12-15 20:45 1,777 a------- c:\windows\mozver.dat
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 20:26:36.10 ===============


ComboFix 09-01-20.05 - Corinthian 2009-01-21 20:07:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1649 [GMT -8:00]
Running from: c:\documents and settings\Corinthian\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\windows\system32\chert5-998.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaqltaemqn.sys
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\senekalgwkypmy.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamlrpxtps.dll
c:\windows\system32\senekaruebdyot.dll
c:\windows\system32\senekawtjrevmk.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\yyevhonf.job
c:\windows\wiaserviv.log

c:\windows\system32\userinit.exe . . . is infected!!

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB935839$\kernel32.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-15 22:39 . 2009-01-15 22:39 <DIR> d-------- c:\documents and settings\Corinthian\Application Data\Viewpoint
2009-01-03 22:45 . 2009-01-03 22:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-03 22:45 . 2009-04-02 11:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-03 22:40 . 2009-01-03 22:40 <DIR> d-------- c:\documents and settings\Corinthian\Application Data\SUPERAntiSpyware.com
2009-01-03 21:42 . 2009-01-03 21:49 <DIR> d-------- c:\documents and settings\Corinthian\Application Data\Twain
2008-12-28 21:26 . 2008-12-28 21:28 <DIR> d-------- c:\documents and settings\Corinthian\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 18:21 --------- d-----w c:\program files\Microsoft Small Business
2009-04-10 18:19 --------- d-----w c:\program files\Microsoft.NET
2009-04-10 18:18 --------- d-----w c:\program files\Microsoft SQL Server
2009-04-02 19:59 --------- d-----w c:\program files\CyberLink
2009-04-02 19:59 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-02 19:33 15,600 ----a-w c:\windows\gdrv.sys
2009-04-02 19:31 315,392 ----a-w c:\windows\HideWin.exe
2009-04-02 19:31 --------- d-----w c:\program files\Realtek
2009-04-02 19:31 --------- d-----w c:\program files\DIFX
2009-04-02 19:28 --------- d--h--w c:\documents and settings\Corinthian\Application Data\InstallShield
2009-04-02 19:00 --------- d-----w c:\program files\microsoft frontpage
2009-01-21 22:54 133,632 ----a-w c:\windows\ilihahur.dll
2009-01-21 22:42 41,984 ----a-w c:\windows\Bqidafoqipo.dll
2009-01-21 10:35 --------- d-----w c:\documents and settings\Corinthian\Application Data\uTorrent
2009-01-21 03:52 --------- d-----w c:\program files\Media Files
2009-01-12 03:05 --------- d-----w c:\program files\Google
2009-01-08 02:57 --------- d-----w c:\program files\Steam
2009-01-04 07:04 --------- d-----w c:\program files\ClamWinPortable
2009-01-04 07:04 --------- d-----w c:\program files\CCleaner
2009-01-04 06:40 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-04 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-04 06:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 05:25 --------- d-----w c:\program files\Ventrilo
2008-12-28 01:35 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-12-13 06:32 --------- d-----w c:\program files\Trend Micro
2008-12-10 14:48 --------- d-----w c:\documents and settings\Corinthian\Application Data\Malwarebytes
2008-12-10 13:35 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-10 13:35 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 03:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-25 10:14 --------- d-----w c:\program files\Yahoo!
2008-11-25 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-28 13:16 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-28 13:16 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-28 13:16 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-28 13:16 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-28 13:16 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2009-01-12 10:58 111616 be9f5da369dddc22224c053bbb27c64e c:\windows\system32\userinit.exe
2009-01-12 10:58 111616 be9f5da369dddc22224c053bbb27c64e c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-30 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Jsofuqidef"="c:\windows\Bqidafoqipo.dll" [2009-01-21 41984]
"Skudotucejaq"="c:\windows\ilihahur.dll" [2009-01-21 133632]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-06-15 c:\windows\SkyTel.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cvsahn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 02:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35760:TCP"= 35760:TCP:Service
"35776:TCP"= 35776:TCP:Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-11-12 8576]
R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-26 24652]
S0 dklxcn;dklxcn;c:\windows\system32\drivers\mwqrp.sys --> c:\windows\system32\drivers\mwqrp.sys [?]
S0 eldos;eldos;c:\windows\system32\drivers\csqlgphd.sys --> c:\windows\system32\drivers\csqlgphd.sys [?]
S0 ltvdkd;ltvdkd;c:\windows\system32\drivers\nerlgk.sys --> c:\windows\system32\drivers\nerlgk.sys [?]
S0 qvydcfeo;qvydcfeo;c:\windows\system32\drivers\swgjinpj.sys --> c:\windows\system32\drivers\swgjinpj.sys [?]
S0 ryawu;ryawu;c:\windows\system32\drivers\gfib.sys --> c:\windows\system32\drivers\gfib.sys [?]
S0 whqu;whqu;c:\windows\system32\drivers\uadp.sys --> c:\windows\system32\drivers\uadp.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\FalloutLauncher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\zfliziza.job
- c:\windows\system32\ljJApmNF.dll []
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe
SafeBoot-gzvba.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Corinthian\Application Data\Mozilla\Firefox\Profiles\x4zm6q2g.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 20:11:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\rundll32.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-21 20:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 04:15:32

Pre-Run: 69,062,201,344 bytes free
Post-Run: 69,046,026,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\brsvc01a.exe" not found!
Deletion of file "C:\WINDOWS\system32\brsvc01a.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\brss01a.exe" not found!
Deletion of file "C:\WINDOWS\system32\brss01a.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp"
Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\resycled" not found!
Deletion of file "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "D:\resycled"
Deletion of file "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "e:\resycled"
Deletion of file "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "f:\resycled"
Deletion of file "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "g:\resycled"
Deletion of file "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:12 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Jsofuqidef] rundll32.exe "C:\WINDOWS\Bqidafoqipo.dll",e
O4 - HKLM\..\Run: [Skudotucejaq] rundll32.exe "C:\WINDOWS\ilihahur.dll",e
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: cvsahn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4227 bytes

and I've attached the attach.txt as a zipped file. Thanks so much for your help so far!

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
You're not out of the woods yet. You have multiple very nasty infections. DO NOT use this computer for any type of banking or sites that require logon credentials.


Please download Lop S&D

Double-click on Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt), typically C:\lopR.txt

----
Then please run the following tool. Don't forget you MUST be in SAFE MODE to run the cleaning process.
Choose options 2 and 3 for cleaning in Safe Mode.
You may want to print the Web page because you won't have Internet access in Safe Mode.

Please download and run this tool. Follow the instructions provided on the page
SmitFraudFix


When that is done please run this tool

Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
  • DO NOT Click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
  • Click OK and quit the GMER program.


Then run this again.

Update and Scan with Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer and AFTER the reboot run HJT: do a system scan and save a logfile.
Then post back NEW MBAM and HJT logs, in that order, please.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
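The verdict above rests on what the HijackThis and ComboFix logs in the previous post show: Userinit pointing at explorer.exe instead of userinit.exe, a non-empty AppInit_DLLs value (cvsahn.dll), two randomly named DLLs sitting directly in C:\WINDOWS and launched through rundll32 with a one-letter export, six S0 (boot-start) driver services whose files ComboFix printed as [?] rather than with a date and size, and the Security Center notification and firewall switches turned off. As an added example (my code, not a tool used in this thread), the Python script below flags those patterns in log lines of the kind posted here. The sample input is copied from the logs above; the tag names and the "DLL directly under the Windows directory" heuristic are my assumptions:

```python
"""Triage a HijackThis / ComboFix log for the persistence mechanisms seen in
this thread: hijacked Userinit, AppInit_DLLs, rundll32 loading a DLL from the
Windows root, boot-start drivers whose file is missing, disabled protections.

Added example for this page, not a tool from the thread. Tag names and the
Windows-root heuristic are assumptions.
"""
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jsofuqidef] rundll32.exe "C:\WINDOWS\Bqidafoqipo.dll",e
O4 - HKLM\..\Run: [Skudotucejaq] rundll32.exe "C:\WINDOWS\ilihahur.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: cvsahn.dll
S0 dklxcn;dklxcn;c:\windows\system32\drivers\mwqrp.sys --> c:\windows\system32\drivers\mwqrp.sys [?]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-11-12 8576]
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Windows XP ships with Userinit set to system32\userinit.exe; anything else
# means the logon chain has been altered.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Heuristic (assumption): rundll32 loading a DLL that sits directly in the
# Windows directory rather than in system32 or a program folder.
RUNDLL_WINROOT = re.compile(r'rundll32\.exe\s+"?c:\\windows\\[^\\"]+\.dll', re.I)

# Security Center "don't warn me" values and the XP firewall master switch.
PROTECTION_OFF = re.compile(
    r'"(AntiVirusDisableNotify|UpdatesDisableNotify|FirewallDisableNotify)"=dword:0*1\b'
    r'|"EnableFirewall"=\s*0\b'
)


def triage(log_text):
    """Return a list of (tag, line) findings for suspicious log lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("=", 1)[1].strip().rstrip(",")
            if value.lower() != DEFAULT_USERINIT:
                findings.append(("userinit-hijack", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Normally empty; any DLL listed here is loaded into every
            # process that maps user32.dll.
            if line.split(":", 1)[1].strip():
                findings.append(("appinit-dll", line))
        elif line.startswith("O4 - ") and RUNDLL_WINROOT.search(line):
            findings.append(("rundll32-windir-root", line))
        elif line.startswith("S0 ") and line.endswith("[?]"):
            # In the ComboFix log, found files carry "[date size]"; these
            # boot-start entries carry "[?]" instead, i.e. the driver file
            # is gone but the service registration remains.
            findings.append(("missing-boot-driver", line))
        elif PROTECTION_OFF.search(line):
            findings.append(("protection-disabled", line))
    return findings


def summarize(findings):
    """Count findings per tag so a reviewer sees the shape of the infection."""
    return dict(Counter(tag for tag, _ in findings))


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:24} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports seven findings and leaves the NvCplDaemon, ctfmon.exe and vcdrom entries alone; paste a full log into SAMPLE_LOG (or read it from a file) to triage a real posting. The checks are deliberately conservative string matches, so a clean entry they flag is worth a second look rather than automatic deletion.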

#5
kueller

    New Member

  • Members
  • 3 posts
Thanks again! Here are the logs. One problem: when I ran gmer.exe, it stayed blank, even after about 10 minutes. I clicked the copy button, but nothing copied. Not sure what that means, but let me know if I messed up and need to do something again. Here are the logs I got:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : AMD Athlon™ 64 X2 Dual Core Processor 4400+ )
BIOS : Award Modular BIOS v6.00PG
USER : Corinthian ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:298 Go (Free:64 Go)
D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
E:\ (USB)
F:\ (USB)
G:\ (USB)
H:\ (USB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Thu 01/22/2009|17:42 )

--------------------\\ Listing folders in APPLIC~1

[04/02/2009|11:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[04/02/2009|11:28] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> InstallShield
[04/02/2009|11:55] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[01/03/2009|10:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> SUPERAntiSpyware.com

[06/26/2008|07:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/26/2008|03:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[04/26/2008|03:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[04/26/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[04/26/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[04/26/2008|03:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dragon's Eye Productions
[11/13/2008|05:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Fallout3
[06/26/2008|07:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[12/10/2008|05:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[01/03/2009|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[05/19/2008|07:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help
[07/11/2008|09:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NCH Swift Sound
[04/26/2008|01:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NVIDIA
[01/03/2009|10:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[04/26/2008|03:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[11/05/2008|02:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[11/25/2008|02:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!

[04/26/2008|03:43] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> acccore
[10/18/2008|09:31] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Adobe
[06/28/2008|01:20] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Apple Computer
[04/26/2008|04:06] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> DivX
[04/02/2009|11:04] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Identities
[04/02/2009|11:28] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> InstallShield
[11/17/2008|11:00] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> IsolatedStorage
[04/26/2008|03:40] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Macromedia
[12/10/2008|06:48] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Malwarebytes
[01/19/2009|06:19] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Microsoft
[08/22/2008|09:10] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> mIRC
[04/26/2008|02:01] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Mozilla
[01/21/2009|07:31] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Sun
[01/03/2009|10:40] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[01/03/2009|09:49] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Twain
[01/21/2009|02:35] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> uTorrent
[12/28/2008|09:28] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Ventrilo
[01/15/2009|10:39] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Viewpoint
[04/26/2008|04:05] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> vlc
[05/22/2008|05:24] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> WinRAR
[11/12/2008|09:09] C:\DOCUME~1\CORINT~1\APPLIC~1\<DIR> Yahoo!

[04/02/2009|11:04] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[04/02/2009|11:28] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> InstallShield
[04/02/2009|11:55] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[04/02/2009|11:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[04/02/2009|11:00] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/21/2009 08:54 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[02/28/2006 04:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
[01/21/2009 09:00 PM][--a------] C:\WINDOWS\tasks\zfliziza.job

--------------------\\ Listing Folders in C:\Program Files

[04/27/2008|05:04] C:\Program Files\<DIR> AC3Filter
[06/26/2008|07:25] C:\Program Files\<DIR> Adobe
[04/26/2008|03:43] C:\Program Files\<DIR> AIM6
[11/05/2008|02:50] C:\Program Files\<DIR> Apple Software Update
[04/26/2008|08:41] C:\Program Files\<DIR> Audacity
[05/10/2008|09:11] C:\Program Files\<DIR> BearShare
[11/13/2008|05:25] C:\Program Files\<DIR> Bethesda Softworks
[04/26/2008|02:05] C:\Program Files\<DIR> Bonjour
[01/03/2009|11:04] C:\Program Files\<DIR> CCleaner
[01/03/2009|11:04] C:\Program Files\<DIR> ClamWinPortable
[01/21/2009|08:08] C:\Program Files\<DIR> Common Files
[04/02/2009|10:58] C:\Program Files\<DIR> ComPlus Applications
[04/02/2009|11:59] C:\Program Files\<DIR> CyberLink
[04/02/2009|11:31] C:\Program Files\<DIR> DIFX
[09/12/2008|09:48] C:\Program Files\<DIR> DivX
[09/30/2007|12:05] C:\Program Files\<DIR> Dungeon Keeper 2
[11/12/2008|07:27] C:\Program Files\<DIR> Fallout.3-RELOADED
[01/11/2009|07:05] C:\Program Files\<DIR> Google
[11/13/2008|05:25] C:\Program Files\<DIR> InstallShield Installation Information
[04/26/2008|02:05] C:\Program Files\<DIR> Internet Explorer
[04/26/2008|02:05] C:\Program Files\<DIR> iPod
[04/26/2008|02:05] C:\Program Files\<DIR> iTunes
[09/07/2008|01:03] C:\Program Files\<DIR> Linksys Wireless-G PCI Wireless Network Monitor
[11/17/2008|10:53] C:\Program Files\<DIR> LiveJournal Backup
[11/17/2008|11:00] C:\Program Files\<DIR> ljArchive
[12/10/2008|05:35] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[01/20/2009|07:52] C:\Program Files\<DIR> Media Files
[04/11/2008|08:39] C:\Program Files\<DIR> Messenger
[04/02/2009|11:00] C:\Program Files\<DIR> microsoft frontpage
[12/27/2008|05:35] C:\Program Files\<DIR> Microsoft IntelliPoint
[05/19/2008|07:55] C:\Program Files\<DIR> Microsoft Office
[07/28/2008|07:56] C:\Program Files\<DIR> Microsoft Silverlight
[04/10/2009|10:21] C:\Program Files\<DIR> Microsoft Small Business
[04/10/2009|10:18] C:\Program Files\<DIR> Microsoft SQL Server
[05/19/2008|07:55] C:\Program Files\<DIR> Microsoft Works
[04/10/2009|10:19] C:\Program Files\<DIR> Microsoft.NET
[08/22/2008|08:01] C:\Program Files\<DIR> mIRC
[11/12/2008|05:30] C:\Program Files\<DIR> mount
[04/02/2009|10:58] C:\Program Files\<DIR> Movie Maker
[01/22/2009|05:42] C:\Program Files\<DIR> Mozilla Firefox
[11/13/2008|05:24] C:\Program Files\<DIR> MSBuild
[04/02/2009|10:57] C:\Program Files\<DIR> MSN
[04/02/2009|10:57] C:\Program Files\<DIR> MSN Gaming Zone
[04/11/2008|08:47] C:\Program Files\<DIR> MSXML 6.0
[07/11/2008|09:20] C:\Program Files\<DIR> NCH Software
[07/11/2008|09:20] C:\Program Files\<DIR> NCH Swift Sound
[04/02/2009|10:58] C:\Program Files\<DIR> NetMeeting
[04/02/2009|10:57] C:\Program Files\<DIR> Online Services
[04/11/2008|08:45] C:\Program Files\<DIR> Outlook Express
[05/24/2008|04:15] C:\Program Files\<DIR> Picasa2
[11/04/2008|10:26] C:\Program Files\<DIR> Portal
[04/23/2008|04:31] C:\Program Files\<DIR> Prime95
[11/05/2008|02:53] C:\Program Files\<DIR> QuickTime
[04/02/2009|11:31] C:\Program Files\<DIR> Realtek
[11/13/2008|05:22] C:\Program Files\<DIR> Reference Assemblies
[01/07/2009|06:57] C:\Program Files\<DIR> Steam
[01/03/2009|10:40] C:\Program Files\<DIR> SUPERAntiSpyware
[12/12/2008|10:32] C:\Program Files\<DIR> Trend Micro
[04/02/2009|11:04] C:\Program Files\<DIR> Uninstall Information
[10/09/2008|11:31] C:\Program Files\<DIR> uTorrent
[12/28/2008|09:25] C:\Program Files\<DIR> Ventrilo
[04/26/2008|03:57] C:\Program Files\<DIR> VideoLAN
[04/26/2008|03:43] C:\Program Files\<DIR> Viewpoint
[11/05/2008|02:43] C:\Program Files\<DIR> Windows Media Components
[04/11/2008|08:42] C:\Program Files\<DIR> Windows Media Player
[04/02/2009|10:57] C:\Program Files\<DIR> Windows NT
[04/02/2009|10:59] C:\Program Files\<DIR> WindowsUpdate
[05/22/2008|05:24] C:\Program Files\<DIR> WinRAR
[04/02/2009|11:00] C:\Program Files\<DIR> xerox
[11/05/2008|03:03] C:\Program Files\<DIR> XP Codec Pack
[11/25/2008|02:14] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[06/26/2008|07:24] C:\Program Files\Common Files\<DIR> Adobe
[04/26/2008|03:42] C:\Program Files\Common Files\<DIR> AOL
[11/05/2008|02:52] C:\Program Files\Common Files\<DIR> Apple
[05/19/2008|07:55] C:\Program Files\Common Files\<DIR> DESIGNER
[04/02/2009|11:59] C:\Program Files\Common Files\<DIR> InstallShield
[06/26/2008|07:20] C:\Program Files\Common Files\<DIR> Macrovision Shared
[11/11/2008|06:03] C:\Program Files\Common Files\<DIR> Microsoft Shared
[04/02/2009|10:58] C:\Program Files\Common Files\<DIR> MSSoap
[04/02/2009|02:50] C:\Program Files\Common Files\<DIR> ODBC
[04/02/2009|10:58] C:\Program Files\Common Files\<DIR> Services
[04/02/2009|02:50] C:\Program Files\Common Files\<DIR> SpeechEngines
[04/11/2008|08:45] C:\Program Files\Common Files\<DIR> System
[01/03/2009|10:39] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 29 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\CORINT~1\Cookies\corinthian@advertising[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 17:43:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\CORINT~1\Application Data\uTorrent\Adobe Photoshop CS3 Extended + Crack.1.torrent
C:\DOCUME~1\CORINT~1\Application Data\uTorrent\Adobe Photoshop CS3 Extended + Crack.torrent
C:\DOCUME~1\CORINT~1\My Documents\My Music\iTunes\iTunes Music\Pixies\Doolittle\09 Crackity Jones.m4a
C:\DOCUME~1\CORINT~1\My Documents\Stuff\Backroom Facials\Back Room Facials - Jade(crack whore).asf
C:\DOCUME~1\CORINT~1\My Documents\Stuff\Beat Angel Escalayer\_Tiffany Mynx 115 Cumshot Scenes\2000's\Tales From The Crack (2004) - facial.mpg


[F:36][D:8]-> C:\DOCUME~1\CORINT~1\LOCALS~1\Temp
[F:24][D:0]-> C:\DOCUME~1\CORINT~1\Cookies
[F:197][D:4]-> C:\DOCUME~1\CORINT~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Thu 01/22/2009|17:43 - Option : [1]

--------------------\\ Scan completed at 17:43:44

SmitFraudFix v2.391

Scan done at 17:48:53.60, Thu 01/22/2009
Run from C:\Documents and Settings\Corinthian\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C9373659-83ED-4B60-AD99-D3D096A05874}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C9373659-83ED-4B60-AD99-D3D096A05874}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C9373659-83ED-4B60-AD99-D3D096A05874}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C9373659-83ED-4B60-AD99-D3D096A05874}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Malwarebytes' Anti-Malware 1.31
Database version: 1482
Windows 5.1.2600 Service Pack 2

1/22/2009 5:59:11 PM
mbam-log-2009-01-22 (17-59-11).txt

Scan type: Quick Scan
Objects scanned: 51067
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00:43, on 1/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: cvsahn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 3448 bytes

And I'm not using this computer for anything that requires a password, except this site. Thanks!

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Hi kueller,

Well, I'm sorry, but since you have evidence of cracked or pirated software you're using on the system, I have no choice but to close this thread now.
If you feel this is inaccurate information, please send any Moderator a private message explaining in detail and they will review your information in private.

HiJack This! Forum Policy

Quote:

    We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

Adobe Photoshop CS3 Extended + Crack.torrent
Adobe Photoshop CS3 Extended + Crack.1.torrent


Your system is still infected and needs to be cleaned.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.