Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security Free Antivirus Forum - Learn about antivirus, firewalls and personal security
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Unknown Virus on Laptop
   
BullGuard Antivirus Forum > Virus Removal > Removal Tools > Unknown Virus on Laptop  
Forum Quick Jump
 
New Topic Post reply to : Unknown Virus on Laptop Printable version of : Unknown Virus on Laptop
[ << Previous Thread | Next Thread >> ]

Plight
New Member


Date Joined Nov 2008
Total Posts : 5
  		   Posted 11-26-2008 9:35 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Hello

I'm not completely sure how but I have a virus on my Dell laptop that hijacks all google or yahoo (others probably) searches. If I cut and paste the websites instead of clicking on the hyperlink then it's usually okay. Also, I cannot create a system restore point. I'm told to toggle the capability and reboot but have already done so. I'm not sure what else since it's not been that long. I have run numerous anti-virus checks and have deleted some things. I've also deleted cookies and files and the like. CCClean also. But, something is still hijacking my web searches and preventing the restore points.

I've attached my Hijackthis.log file. Thank you for any help you can give me. Cheers!

Plight

File Attachment :
hijackthis.log   13KB (application/octet-stream)
This file has been downloaded 64 time(s).
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
  		   Posted 11-26-2008 9:50 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Hello smile
 
 
Download malwarebyte
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968
 
Or here:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file,
When it gets to the final step of the installation it will seem like it froze....it hasn't but it will take anywhere from 15mins to an hour to get through that step so just let it do its thing.
Go into the Malware folder in through Program Files
Rename the mbam.exe or what not file to mab.exe update and run it.
Do a full computer scan
Check all and remove/fix/delete them.

Restart your computer and post the log
 

Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.

Back to Top
 

Plight
New Member


Date Joined Nov 2008
Total Posts : 5
  		   Posted 11-26-2008 10:07 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Thanks for your quick reply. Awesome!

I'm running the scan now. However, it didn't go quite according to what you said. It never froze like you said it would. It went straight through with no delay. It's already covered about 25000 objects and has found 2 of them infected so far.

I did want to add something that I just remembered. My AVG file also says that control file is missing. I am pretty sure it's related to this virus or spyware infection.

I might be going to bed pretty soon. I wanted to thank you - wish you a Happy Thanksgiving - and let you know I'll be back to follow through tomorrow, if I do decide to duck out. Cheers!

Plight
Back to Top
 

Plight
New Member


Date Joined Nov 2008
Total Posts : 5
  		   Posted 11-26-2008 6:59 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Hello Touch

I believe it has fixed my problems. I do have a few questions if you don't mind. I have a "need" to know these things. First, my log file:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/26/2008 9:21:40 AM
mbam-log-2008-11-26 (09-21-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172269
Time elapsed: 1 hour(s), 1 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Delete on reboot.

Files Infected:
C:\Program Files\RegistrySmart\DataBase.ref (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log\2008 Nov 25 - 03_30_02 AM_046.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Application Data\RegistrySmart\Log\2008 Nov 25 - 12_40_44 PM_968.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.dwy (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSotub.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSovba.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSqomd.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSStnyq.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSurkv.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxnpb.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSrfct.sys (Rootkit.Agent) -> Delete on reboot.

Now, to start with, I don't believe any of the RegistrySmart items are viruses or spyware. I believe I downloaded it as a tool to get better and the Malware application thought they were a problem. Is that correct?

Also, on the line that has a heuristics.reserved.word.exploit issue with svchost.dwy, I wanted to see if I created a problem. I suspected this file and could not delete it so renamed it from an executable (svchost.exe). Did I screw things up? I have a feeling it was deleted and maybe that will come back to bite me.

Lastly, what kind of Trojan Agent did I have? A TDSS? What's that?

Thanks so much for all of your help. I'd been messing with it by myself way too long. If I'm not mistaken I did try to run this but it would not launch. Last question: is that why you had me rename the application to mab from mbam? Thanks again.

Plight
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
  		   Posted 11-27-2008 5:49 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
TDSS is a rootkit, I´ll therefore suggest you post a combofix log.
"is that why you had me rename the application to mab from mbam"  -> Yes smile


Please download Combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
 
And save to the desktop.

Close all other browser windows.
 
 
 
 
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".
 
 
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

 When finished, it will produce a logfile located at C:\combofix.txt.
 

Post the contents of that log in your next reply


Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.

Back to Top
 

Plight
New Member


Date Joined Nov 2008
Total Posts : 5
  		   Posted 11-27-2008 7:18 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Hello Touch

Thanks for your help and follow through on this problem. It's much appreciated. Here is the log file from ComboFix.

ComboFix 08-11-26.05 - Philip 2008-11-26 21:08:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.449 [GMT -8:00]
Running from: c:\documents and settings\Philip\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\TDSSbeat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-26 00:58 . 2008-11-26 00:58 <DIR> d-------- C:\Malaware
2008-11-26 00:09 . 2008-11-26 00:11 <DIR> d-------- C:\Hijack
2008-11-24 22:56 . 2007-06-11 23:04 2,267,368 --a------ c:\windows\system32\Flash.ocx
2008-11-24 22:56 . 2003-11-19 14:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2008-11-24 22:56 . 2004-05-11 10:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2008-11-24 22:56 . 2004-02-05 21:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2008-11-24 22:56 . 2004-03-09 00:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2008-11-24 22:56 . 2000-07-15 06:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-11-24 22:56 . 2001-03-28 23:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2008-11-24 22:56 . 1999-01-26 20:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2008-11-23 23:21 . 2008-11-23 23:21 <DIR> d-------- c:\program files\AskSBar
2008-11-23 23:21 . 2008-11-23 23:21 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-11-23 23:20 . 2008-11-26 21:17 <DIR> d-------- c:\program files\COMODO
2008-11-23 23:20 . 2008-11-26 21:17 <DIR> d-------- c:\documents and settings\Philip\Application Data\Comodo
2008-11-23 00:06 . 2008-11-23 00:06 <DIR> d-------- c:\program files\Lavasoft
2008-11-23 00:06 . 2008-11-26 15:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 23:59 . 2008-11-22 23:59 <DIR> dr-h----- c:\documents and settings\Admin!!\Application Data\yahoo!
2008-11-21 11:22 . 2008-11-21 11:22 <DIR> d-------- c:\program files\XML Notepad 2007
2008-11-18 18:37 . 2008-11-26 09:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 18:37 . 2008-11-26 09:53 <DIR> d-------- c:\documents and settings\Philip\Application Data\Malwarebytes
2008-11-18 18:37 . 2008-11-18 18:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 18:37 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 18:37 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 13:00 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:59 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-10-28 21:44 . 2008-10-28 21:44 262,144 --a------ C:\ntuser.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 05:55 --------- d-----w c:\program files\BOINC
2008-11-27 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-27 00:18 --------- d-----w c:\program files\Lx_cats
2008-11-23 11:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-01 16:26 --------- d--h--r c:\documents and settings\Philip\Application Data\yahoo!
2008-10-29 17:26 60,744 ----a-w c:\documents and settings\Philip\g2mdlhlpx.exe
2008-10-29 05:44 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:42 --------- d-----w c:\documents and settings\Philip\Application Data\FileZilla
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-12-08 3096576]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-20 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-01 29744]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185896]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-03 1032192]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Philip\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2007-03-01 3604480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2006-11-03 1941579]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-24 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 07:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 12:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 02:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-08-01 16:00 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-12-13 06:41 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 06:45 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 06:44 98304 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-09 23:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 16:05 1117184 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 12:32 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-10-07 07:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-12 19:10 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 15:48 761947 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\Remote Debugger\\x86\\msvsmon.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4500:UDP"= 4500:UDP:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:IPsec (IKE)
"135:TCP"= 135:TCP:RPC Endpoint Mapper and DCOM infrastructure
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"1433:TCP"= 1433:TCP:ISP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-04 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-06 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-06 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS [2006-08-27 92952]
R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2008-08-05 16912]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-24 29744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-01 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4dd5cde-7117-11db-b653-0015c56e4d80}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a57d96da-267f-11dd-b759-0015c56e4d80}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a57d96dc-267f-11dd-b759-0015c56e4d80}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-26 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe []

2008-11-26 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart []

2008-11-17 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-02-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-Bezeq - c:\program files\wow250\WOW.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McRegWiz - c:\progra~1\mcafee.com\agent\mcregwiz.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RegistrySmart - c:\program files\RegistrySmart\RegistrySmart.exe
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
MSConfigStartUp-Uniblue SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\doltw0kr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 21:53:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\3cfb88b6-1eba-485d-a7ed-1f2a9560c47b.tmp 46390 bytes executable
c:\windows\TEMP\6406db5b-50c2-408c-b100-4b773faef887.tmp 357657 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\BOINC\boinc.exe
c:\windows\system32\dwwin.exe
c:\program files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.00_windows_intelx86.exe
c:\program files\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
.
**************************************************************************
.
Completion time: 2008-11-26 22:00:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-27 06:00:31

Pre-Run: 39,519,498,240 bytes free
Post-Run: 39,388,225,536 bytes free

259 --- E O F --- 2008-11-19 11:02:30


Also, do I need a svchost.exe file at: C:\WINDOWS\system32\drivers\svchost.exe. I deleted it.
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
  		   Posted 11-27-2008 7:26 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Clean log. combofix got rid of the remnants from TDSSSERV infection.
 
No, you don´t need C:\WINDOWS\system32\drivers\svchost.exe.
 
The legal Windows file are located here:
C:\WINDOWS\system32\svchost.exe.

Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.

Post Edited (Touch) : 27-11-2008 06:47:01 GMT

Back to Top
 

Plight
New Member


Date Joined Nov 2008
Total Posts : 5
  		   Posted 11-27-2008 7:28 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
Thanks again. I am amazed.

Plight
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
  		   Posted 11-28-2008 4:50 (GMT +1)    Quote: Unknown Virus on LaptopAlert an admin about: Unknown Virus on Laptop
My pleasure smile
 
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And resets System Restore again.
 
Also, please read this article by Tony Klein: How I got Infected in the First Place

Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.

Back to Top
 
New Topic Post reply to : Unknown Virus on Laptop Printable version of : Unknown Virus on Laptop
 
Forum Information
Currently it is Friday, January 09, 2009 2:37 AM (GMT +1)
There are a total of 65.961 posts in 16.185 threads.
In the last 3 days there were 24 new threads and 93 reply posts. View Active Threads
Who's Online
This forum has 27794 registered members. Please welcome our newest member, schneevogel.
42 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Vbs malware gen in phone memory card.. please help (1)09-01-2009 01:20:25 (bindujagarla)
Random pop-ups (0)09-01-2009 00:10:41 (yogendra)
Some nasty trojan (4)08-01-2009 23:58:06 (buioch)
Anybody can help me remove Downloader Conhook Trojan? (2)08-01-2009 23:20:29 (menkixede)
Help with slow computer and file removal (3)08-01-2009 23:12:07 (papy1)


Need Support? Write to: | Forum Help Manual

Download free trial version of Bullguard