
Author Topic: Malware Post  (Read 5052 times)


06Honda

Malware Post
« on: November 10, 2008, 05:21:02 PM »
Windows XP Home Edition SP2

Issue summary: Cannot update any programs at all. Cannot do a Windows update. All links selected within your site give me an IE error page. Whenever I do a search in Google it takes me to a page to buy some software every time. All of my favorites saved before this started allow me to go to those sites.

IE 6.0 SP2

Step 1: Did not have Spybot but downloaded it and got a connection error when attempting to install.

Step 2: Antivirus programs tried: AVG, ZoneAlarm and Avast. Was able to install them but could not update any of them. Currently have Avast. All three tried will let me scan but cannot update to get newest definitions.

Step 3: Add/remove programs followed, nothing found.

Step 3: House cleaning done with CCleaner 2.0; tried to download CCleaner Slim, would not install.

Step 4: SUPERAntiSpyware was already installed, unable to update to get latest definitions. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/07/2008 at 10:18 PM

Application Version : 4.21.1004

Core Rules Database Version : 3625
Trace Rules Database Version: 1609

Scan type       : Complete Scan
Total Scan Time : 00:22:41

Memory items scanned      : 330
Memory threats detected   : 0
Registry items scanned    : 4245
Registry threats detected : 0
File items scanned        : 32618
File threats detected     : 1

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt

Step 5: Malwarebytes' Anti-Malware (MBAM) downloaded and scanned okay but cannot update live or manually. See log:
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/12/2008 7:59:20 PM
mbam-log-2008-11-12 (19-59-20).txt

Scan type: Quick Scan
Objects scanned: 43268
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbubx.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfgb.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoeqh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSthym.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Rootkit.Agent) -> Delete on reboot.

Step 6: Update Your Java (JRE) indicates I have the most up-to-date version, which is Ver 6 Update 6.

Step 7: HijackThis, cannot access directly or by link due to IE error "page cannot be displayed". Was able to finally download this via ZDNet, see log. I did not check any boxes in the program results to fix etc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:19 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [trueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196566958671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506489312
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 5357 bytes

Just finished downloading and installing Ad-Aware 2008. Tried to update and got this:
"Getting updates...
Server connection failed
Installation finished
Failed to retrieve update data"

This is my first attempt at posting by following the instructions. Please let me know if there is anything else needed and I will do my best to comply so this can get sorted out. Thanks again for the awesome help.

Update as of 8:16 EST 12 Nov 08:

I can now update all my software and everything is back to normal. Following the steps works, awesome post and awesome site. Malwarebytes' Anti-Malware (MBAM) seemed to be the one that sorted my pc out completely.
« Last Edit: November 12, 2008, 06:23:30 PM by 06Honda »

06Honda

Re: Malware Post
« Reply #1 on: November 13, 2008, 04:03:08 PM »
Here are some logs done after work today. Appears there are still some issues. Each time I run Malwarebytes, I follow the instructions but it keeps finding one every time after I restart and scan?
Malwarebytes' Anti-Malware 1.30
Database version: 1391
Windows 5.1.2600 Service Pack 2

11/13/2008 5:26:14 PM
mbam-log-2008-11-13 (17-26-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72108
Time elapsed: 19 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000001.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TDSS9909.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.30
Database version: 1391
Windows 5.1.2600 Service Pack 2

11/13/2008 5:53:46 PM
mbam-log-2008-11-13 (17-53-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72082
Time elapsed: 19 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000032.sys (Trojan.Downloader) -> No action taken.

Windows 5.1.2600 Service Pack 2

11/13/2008 7:08:12 PM
mbam-log-2008-11-13 (19-08-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72358
Time elapsed: 19 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000042.sys (Trojan.Downloader) -> No action taken.

Here is a recent SuperAntiSpyware log from after the Mal log which didn't detect anything:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/13/2008 at 07:45 PM

Application Version : 4.21.1004

Core Rules Database Version : 3635
Trace Rules Database Version: 1618

Scan type       : Complete Scan
Total Scan Time : 00:34:13

Memory items scanned      : 361
Memory threats detected   : 0
Registry items scanned    : 4267
Registry threats detected : 0
File items scanned        : 33989
File threats detected     : 0

Any comments welcome, new at this Trojan removal stuff. Thanks.
« Last Edit: November 13, 2008, 05:45:41 PM by 06Honda »
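As an added example (not code from this thread, from Malwarebytes, or from the forum helpers), the script below parses detection lines in the MBAM log format posted above and triages them: items still marked "Delete on reboot", items left with "No action taken", and items under a System Restore point (the `_restore{...}` paths seen in the logs). The sample log is constructed from line shapes in this thread; the detection-line pattern is an assumption based on those lines.

```python
import re
from collections import Counter

# Constructed sample, modelled on the MBAM 1.30 detection lines posted in this thread.
SAMPLE_LOG = "\n".join([
    r"Files Infected:",
    r"C:\WINDOWS\system32\TDSScfgb.dll (Rootkit.Agent) -> Delete on reboot.",
    r"C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000032.sys (Trojan.Downloader) -> No action taken.",
    r"(No malicious items detected)",
])

# Assumed line shape: "<item> (<family>) -> <action>."  (item may be a file path or a registry key)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Restore-point copies live under System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_mbam_detections(text):
    """Return one dict (item, family, action) per detection line; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def triage(detections):
    """Group detections by what a follow-up needs: reboot, manual removal, or restore-point cleanup."""
    report = {"reboot_pending": [], "not_removed": [], "restore_point": [], "families": Counter()}
    for d in detections:
        report["families"][d["family"]] += 1
        if d["action"].startswith("Delete on reboot"):
            report["reboot_pending"].append(d["item"])   # rootkit files locked until restart
        if d["action"].startswith("No action taken"):
            report["not_removed"].append(d["item"])      # user did not select removal
        if RESTORE_RE.search(d["item"]):
            report["restore_point"].append(d["item"])    # inert copy; reappears with each new restore point
    return report


if __name__ == "__main__":
    for key, items in triage(parse_mbam_detections(SAMPLE_LOG)).items():
        print(key, items)
```

Restore-point copies are not active code; they only matter if that restore point is used, which is why purging old restore points is the usual final step once the live infection is gone.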

06Honda

Re: Malware Post
« Reply #2 on: November 14, 2008, 07:24:37 PM »
Latest log, looks pretty good:
Malwarebytes' Anti-Malware 1.30
Database version: 1399
Windows 5.1.2600 Service Pack 2

11/14/2008 9:21:29 PM
mbam-log-2008-11-14 (21-21-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 71954
Time elapsed: 22 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


CBMatt

Re: Malware Post
« Reply #3 on: November 19, 2008, 06:23:41 AM »
Sorry for the long wait.  Things are very busy right now and we're a bit short-staffed, which is causing us to get more behind than usual.  Some recent server issues also contributed to this somewhat.  But we are doing our best to pick up the slack and help everyone out.  Are you still experiencing problems with malware?  If so, please follow these steps again:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

I know you've already gone through the process and posted the logs, but malware changes and evolves, so we need to see if the state of your computer has changed at all.  It's difficult to instruct our users if we don't have the most up-to-date information.  Thank you for your understanding, and if you still need help, we'll be here to do what we can.
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey