It appears that I have been infected with this bug. I have reviewed the already existing thread that is related to ISPYNOW, however, whenever I try to access a link that has anything to do with malware or spyware I get redirected or my browser will not allow the website with the links to come up. If I had another computer I would access the links from there and download the programs to disk and load but unfortunately I do not have access to another computer.

Is there any way someone could email me the programs necessary to fix these problems?

Thank you,

Sickofit

Moved to the spyware and nasties board. Will get more attention there.

Without another sys to load programs from, I can only suggest that you search Docs & Settings for files with these names :

nah_jpde.exe
runhh6110411.exe
learn32.dll
mscscc.dll
rehh
vigrs
Ina
comm3
fsh1

..and delete them. Once [if] you find some then note the file modification time [there is a column in Explorer that shows it] and work your way through each folder in D & S, ordering them by File Mod time to locate others with the same time as those you found. Tedious, I know. Restart, and see if they have stayed deleted.
Please post back with a list of those you found and deleted.
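The timestamp search described in the post above can be scripted. This is an added example, not part of the original thread: it walks a profile tree, finds the listed names, and reports every other file or folder modified within a short window of one of them. The 60-second window, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Names listed in the post above, lower-cased for case-insensitive matching.
KNOWN_NAMES = frozenset({
    "nah_jpde.exe", "runhh6110411.exe", "learn32.dll", "mscscc.dll",
    "rehh", "vigrs", "ina", "comm3", "fsh1",
})


def scan_tree(root):
    """Return ([(path, mtime)], [unreadable paths]) for all files and folders under root."""
    entries, unreadable = [], []

    def on_error(err):
        # os.walk reports folders it cannot list (for example, access denied).
        unreadable.append(err.filename or "?")

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        for name in dirnames + filenames:  # some listed names have no extension
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mtime))
            except OSError:
                unreadable.append(path)
    return entries, unreadable


def time_neighbours(root, known_names=KNOWN_NAMES, window_seconds=60):
    """Find known names (seeds) and anything modified within the window of a seed."""
    entries, unreadable = scan_tree(root)
    seeds = [(p, t) for p, t in entries if os.path.basename(p).lower() in known_names]
    seed_paths = {p for p, _ in seeds}
    neighbours = []
    for path, mtime in entries:
        if not seeds or path in seed_paths:
            continue
        delta, seed = min((abs(mtime - t), p) for p, t in seeds)
        if delta <= window_seconds:
            neighbours.append((path, seed, delta))
    neighbours.sort(key=lambda n: (n[2], n[0]))  # closest in time first
    # Modification times can be changed by software, so an empty neighbour
    # list is not proof of a clean tree; unreadable folders need a manual look.
    return {"seeds": sorted(seeds), "neighbours": neighbours,
            "unreadable": sorted(unreadable)}


def demo():
    """Run the search on a constructed profile tree (all values are made up)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # relative path -> modification time
            "Daddy/Application Data/Google/runhh6110411.exe": 1228000000,
            "Daddy/Local Settings/Temp/unlisted.dll": 1228000030,
            "Daddy/My Documents/letter.doc": 1228000000 - 86400,
        }
        for rel_path, ts in layout.items():
            path = os.path.join(root, *rel_path.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w"):
                pass
            os.utime(path, (ts, ts))
        result = time_neighbours(root)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {
            "seeds": [rel(p) for p, _ in result["seeds"]],
            "neighbours": [(rel(p), rel(s), round(d))
                           for p, s, d in result["neighbours"]],
            "unreadable": result["unreadable"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
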

Gerbil,

Thanks for the response. I was able to access a friend's computer this morning and have downloaded malwarebytes and hijack this. I am assuming that this will make this process easier to deal with. I am just hopeful that the virus will allow me to install them on my computer. Let me know exactly what I need to do with these programs and I will post whatever is needed from there.

Again, thanks for your help,

sickofit

Run MBAM. Do the quick scan THEN do a full scan. Fix any detected infections in both cases (leave the full scan overnight). Reboot, then run hijackthis. DO NOT remove anything using HijackThis, just post the log here and we will comb through it

OK it will not let me run MBAM but I am able to get a Hijack this log. Here it is. Hopefully I can get started with this and maybe we can do something to get the MBAM to work.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:18 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150775665671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150806934562
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 6927 bytes

Okay, this is pretty much Crunchie's domain. He is kind of a master of HJT logs and usually hangs out on this board. Give it a day or two and see if he checks in.

sorry... didn't mean to post here:-O

Hello, Sickofit, your hijackthis log is clean. Regarding ISpyNow, did you track down any of those files I listed?
Your problem is more than ISpyNow if the MBAM installer is blocked. If you have not already done so, please stop mbam-setup.exe from running. Download a fresh copy of the installer, rename it to mybam-setup.exe and see if it will run - it should.
Just so you do not have to chase about for instructions on MBAM:
=Dclick that file, mybam-setup.exe, to install the application,
-uncheck the Update and Start options, then click Finish.
Start MBAM via the icon, immediately Update it.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
[Darn thread hijackers... :)]

gerbil,

Yes, I found 3 files that you had mentioned:
runhh6110411.exe
learn32.dll (x2)
Ina

I deleted these as you requested but I am having trouble finding anything else in D & S.

I am locked out of one of my DOCUMENT folders, IE redirects any searches for spyware, i.e. malwarebytes.org. Getting fake Micro update notices that direct me to www.defender-review, although I have not seen that one in a while. Will not allow avgfree to update - no connection available. avg does not find anything on scan.

I will have to download another copy of malwarebytes to disc and rename it on the download. I copied the existing copy to the computer and now I cannot open it nor can I remove it, access denied.

I will try to download a new copy as soon as I can. In the meantime if there is anything else I can do, please let me know.

Thanks for your help,

sickofit

Sickofit,
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
If by some chance Combofix will not run try renaming the combofix.exe to mycomfx.exe, and dclicking it.

Try renaming MBAM and run it again.

Gerbil

When I try to click on the link, my Internet Explorer will not let me get to the link. Says the page is unavailable. This is the problem I was telling you about; apparently whatever this virus is, it has the ability to see if I am trying to access a page that has any type of spyware removal tools on it and it gives me the unavailable page.

Crunchie,

I've tried to rename it, with no luck. Seems to me that when I transferred the file from cd to the computer the virus locked it up. It will not let me run it and it will not let me remove it.

I've tried renaming on the cd and moving it over again but that is not working either.

Sickofit, can you try to access a Combofix dl site from Safe Mode with Networking? If successful, run Combofix from Safe mode.
You could try these scans, one should do, again from safe mode:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

Ok, I can get to panda in safe mode. No luck on Kaspersky or on the Combo. Same problem.

I registered with panda, downloaded 2.0, enabled active x control, however, when it sets to update the active scan 2.0 I get an error and can't get any further.

sickofit

Do a system search for files named TDSSserv.*** and delete any that are found.
If you do find and delete them, try running MBAM again and also Gerbil's advice.

Ok. How annoying. You have a version of ISpyNow which is protected by a rootkit, it is very likely TDSS. So a few things we can try before you have to go walking with a flashdrive in your hot lil hand, to find a friendly type who will let you dl Combofix. We need it. Make sure to load the dl addy into the flashdrive... But first:
There is always another online scan: http://www.f-secure.com/security_center/
If it won't run, then:
==Download [currently it will not dl correctly with Opera; use IE] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.

Else if we assume that it is TDSS, go into C:\WINDOWS\system32 and rename every file commencing with the letters TDSS to XXXTDSS. Here is a typical selection.. you may have some or none or similar others :

c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSScshc.dll
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSojtp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSurev.dll
c:\windows\system32\TDSSwhke.log
c:\windows\system32\TDSSxnyq.dll
You may find some in c:\windows\system32\drivers\...
eg: c:\windows\system32\drivers\TDSSrfpc.sys

Try to run MBAM now [rename mbam.exe to mybm.exe first]. And then try to dl Combofix...
As crunchie said, you could delete any TDSS... files in system32 if you so wished. TDSS is a play on TSDDD, which is a valid display driver.

If you get to the stage where you can download combofix, rename it BEFORE you actually save it to your desktop.

Ok, can't get to either of the f-secure sites. Searched for the TDSSserv files and came up with 2 and deleted. Mbam still won't run. I am going to download some of these to disc from another computer and rename them. Hopefully "something" will work from there.

Check your HOSTS file to see if there's any redirections set up in there.
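One way to carry out the HOSTS check suggested above, as an added example that is not part of the original thread. It parses hosts-file text and flags entries that override the removal-tool sites named in this thread; the watched-domain list, the verdict labels and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Sites the infected machine could not reach, as named in this thread.
WATCHED_DOMAINS = (
    "malwarebytes.org", "bleepingcomputer.com", "geekstogo.com",
    "pandasecurity.com", "kaspersky.com", "f-secure.com",
)
BENIGN_NAMES = {"localhost"}  # the only name a default XP hosts file maps


def parse_hosts(text):
    """Return ([(lineno, ip, hostname)], [(lineno, raw line)]) from hosts-file text."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:  # one line may map several names
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries, malformed


def classify(ip, name):
    """Return None for a default entry, otherwise a verdict string."""
    if name in BENIGN_NAMES and ip.is_loopback:
        return None
    watched = any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)
    if watched:
        # Loopback or 0.0.0.0 makes the site unreachable; any other address
        # sends the browser to a different server.
        return "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
    return "review"  # not a known target, but still a manual override


def audit_hosts(text):
    """Return (findings, malformed); findings are (lineno, verdict, name, ip)."""
    entries, malformed = parse_hosts(text)
    findings = []
    for lineno, ip, name in entries:
        verdict = classify(ip, name)
        if verdict:
            findings.append((lineno, verdict, name, str(ip)))
    return findings, malformed


# Constructed sample; on Windows XP the real file is
# %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample for the added example
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org
0.0.0.0         download.bleepingcomputer.com   # trailing comment
192.0.2.10      www.kaspersky.com
10.0.0.5        printer
not-an-ip       www.f-secure.com
"""

if __name__ == "__main__":
    findings, malformed = audit_hosts(SAMPLE_HOSTS)
    for item in findings:
        print("finding:", item)
    for item in malformed:
        print("malformed:", item)
```

A hosts file with no findings does not rule out redirection by other means, so a clean result here only eliminates one cause.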

Ok gentlemen, finally a bit of success. Combo fix has been run and the log follows. Waiting on a reply before trying Malwarebytes.

Log:

ComboFix 08-12-01.03 - Administrator 2008-12-02 17:22:50.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.816 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\Drivers\TDSSrvdc.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoaha.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSoxum.dll
c:\windows\system32\TDSSqrde.log
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSSurxb.dll
c:\windows\system32\TDSSweat.dat
c:\windows\system32\TDSSxehr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 17:17 . 2008-12-02 17:17 <DIR> d-------- C:\CMBFIX
2008-12-02 16:48 . 2008-12-02 17:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 16:48 . 2008-12-02 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 16:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 16:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 23:22 . 2008-12-01 23:22 <DIR> d-------- c:\windows\LastGood.Tmp
2008-12-01 23:22 . 2008-12-01 23:22 <DIR> d-------- c:\program files\Panda Security
2008-12-01 23:22 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-01 23:21 . 2008-12-02 17:04 <DIR> d-------- c:\documents and settings\Administrator.HAL\Application Data\AVG7
2008-12-01 23:18 . 2006-06-19 17:04 <DIR> d-------- c:\documents and settings\Administrator.HAL\Application Data\Gtek
2008-12-01 23:18 . 2008-12-01 23:18 <DIR> d-------- c:\documents and settings\Administrator.HAL
2008-11-30 20:25 . 2008-11-30 20:25 <DIR> d-------- c:\documents and settings\Administrator
2008-11-30 16:48 . 2008-11-30 16:48 <DIR> d-------- c:\windows\system32\scripting
2008-11-30 16:48 . 2008-11-30 16:48 <DIR> d-------- c:\windows\system32\en
2008-11-30 16:48 . 2008-11-30 16:48 <DIR> d-------- c:\windows\system32\bits
2008-11-30 16:48 . 2008-11-30 16:48 <DIR> d-------- c:\windows\l2schemas
2008-11-30 16:47 . 2008-11-30 16:47 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-30 16:43 . 2008-11-30 16:43 <DIR> d-------- c:\windows\EHome
2008-11-11 16:55 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 01:30 . 2008-11-09 10:31 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-22 15:35 --------- d-----w c:\program files\Dl_cats
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 00:39 --------- d-----w c:\program files\Sportsbook Poker
2008-04-13 22:15 5,910,715 ----a-w c:\program files\Audit_Support_Center.exe
2006-06-20 03:45 17,344,752 ----a-w c:\program files\avg71free_394a763.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-17 590848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 08:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2004-11-10 13:36 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-15 00:21 169472 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 21:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-10-14 19:46 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-10-14 19:50 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-10-14 19:49 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 18:20 8192 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 18:05 1117184 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-06-15 00:13 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-04-23 11:43 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-14 15:58 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 22:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-01 28544]
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-01 c:\windows\Tasks\MalwareBot Scheduled Scan.job
- c:\program files\MalwareBot\MalwareBot.exe []

2008-12-01 c:\windows\Tasks\MalwareBot Scheduled Scan.job
- c:\program files\MalwareBot []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HPseti - c:\documents and settings\Daddy\Application Data\Google\runhh6110411.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 17:31:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 17:33:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 23:33:07

Pre-Run: 35,133,931,520 bytes free
Post-Run: 35,299,864,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

183 --- E O F --- 2008-12-01 01:03:21

Looks good, sickofit.
Try MBAM now. Remember to update it first, and run the Quick Scan.

Well I managed to forget to update first so I will post (2) quick scans. First one prior to update, second post update.

I have performed one full scan prior to update which I will post last, I have to run another full scan post update, when it is done I will post it

Quick Scan prior to update:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/2/2008 6:27:29 PM
mbam-log-2008-12-02 (18-27-29).txt

Scan type: Quick Scan
Objects scanned: 65590
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Daddy\Application Data\MalwareBot (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Log (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Settings (Rogue.MalwareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Daddy\Application Data\MalwareBot\rs.dat (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Log\2008 Dec 01 - 02_25_58 PM_406.log (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Application Data\MalwareBot\Settings\ScanResults.pie (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS5e4d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS5f76.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSS6c86.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSSb071.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daddy\Local Settings\Temp\TDSSb0ee.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Quick Scan post update:

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 7:51:33 PM
mbam-log-2008-12-02 (19-51-33).txt

Scan type: Quick Scan
Objects scanned: 69654
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Daddy\nah_sgjj.exe (Trojan.Agent) -> Quarantined and deleted successfully.

In the prior to update full scan, there were items that I removed and I am not sure it is reflected here but here is the Full Scan prior to update:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/2/2008 7:14:08 PM
mbam-log-2008-12-02 (19-14-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126109
Time elapsed: 45 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

All right, here is the "updated" full scan. There were 10 files, all TDSS. I looked for these and never found them but apparently they were there.

Is there a next step?

Full Scan post update:

Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 8:49:23 PM
mbam-log-2008-12-02 (20-49-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130290
Time elapsed: 43 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSkfkl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoaha.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoxum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurxb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSrvdc.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

Mmm... they were all quarantined by Combofix... and MBAM found them in there. I think you are clear to go, what is your opinion?
Go Start, run:
combofix /u
This will uninstall combofix and its files and quarantine folder.

Gerbil,

Thanks so much for your help, you guys are fantastic.

I have uninstalled Combofix.

I think that we are good to go.

I've had some of these types of issues before but this one was pretty irritating. Looks like I am not the only one out there dealing with this nasty.

Thanks again,

Sickofit
