Old 12-06-2008, 10:06 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: Win XP


Sysvxd.exe and o/s and gmer issues

Hello,

First let me say what a brilliant service you run - it is very much appreciated.

I am having a number of issues, all or most of which may be due to an infection by sysvxd.exe. I am sure that is present on my system.

I am also having difficulty with running gmer to get gmer.txt. I get error messages, and the manage uploads function would not accept the generated text file (which anyway seems empty). I'll deal with that last.

1. Browser Issues:
- clicks on search results for all search engines (Google, Yahoo, Ask etc) launch another proprietary search page in a new window, not the link on the page
- the url for the link in the SERP does not show on the status bar
- copying and pasting the url from the search results page gives same response (i have to copy them to notepad, then type them to get where i am going)
- all antivirus vendor sites are blocked (can't update my AV)
- thetechsupportforum, bleeping computer etc are blocked

2. Operating System issues:
- firewall is turned off approx. 15 seconds after the desktop boots
- regular error messages of "instruction at 0x023773cc reference memory at 0x023773cc" for winlogon.exe, dep.exe (data execution prevention?), winlogon.exe, winauclt.exe, reader_sl.exe and others
- regular failure of applications to launch, with error message that "the application failed to initialize"
- irregular crashes to blue screen "fatal error"
- irregular "hangs" where no actions can be taken, necessitating a hard reboot

3. Installed programmes over the past month:
- Sysvxd.exe, Au_.exe
- FlashPlayerUpdate.exe, FlashPlayerUpdate01.exe, firefox.exe, updater.exe, xpicleanup.exe, MRT.exe, helper.exe, SearchWithGoogleUpdate.exe, FlashUtil10a.exe, uninstall_activeX.exe, talkback.exe

4. Gmer issues
- I have stopped all applications, and Task manager shows none are running
- error msg 1. "Warning! Loaded GMER's driver version is incompatible with the currently running GMER application. You need to stop the driver with the command "net stop gmer" or restart your computer"
- error msg 2. GMER "C:\Windows\system32\config\system: The process cannot access the file because it is being used by another program"
- I have run the "net stop gmer" in the Run dialog box. The error msg is repeated when I try to run gmer.exe
- I have restarted my computer - same error msg
- (I have screenshots of these)
- accordingly I have done as much as I can. Any advice on this?

Thank you again for your time and help.

5. DDS Copy and Paste

DDS (Version 1.0) - NTFSx86
Run by Chris at 21:05:18.37 on 30/11/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.196 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Domain Tools\ProjectWhois\ProjectWhois.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Chris\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uInternet Settings,ProxyServer = 172.16.228.253:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {CC7E636D-39AA-49b6-B511-65413DA137A1} - c:\program files\internet explorer developer toolbar\IEDevToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CC962137-2E78-4f94-975E-FC0C07DBD78F} - c:\program files\internet explorer developer toolbar\IEDevToolbar.dll
TB: {11352A67-0178-46B1-8855-D50B2F81C054} - c:\progra~1\wat_en\ACCESS~1.DLL
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {11352A67-0178-46B1-8855-D50B2F81C054} - c:\progra~1\wat_en\ACCESS~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\projec~1.lnk - c:\program files\domain tools\projectwhois\ProjectWhois.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {E74202F3-30F4-4237-B262-D4B2219718A1} = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Defrag32b;Defrag32Boot;c:\windows\system32\drivers\Defrag32b.sys [2004-10-23 54424]
R2 Defrag32;Defrag32;c:\windows\system32\drivers\Defrag32.sys [2004-10-23 54424]
R2 PDSched;PDScheduler;"c:\program files\raxco\perfectdisk\PDSched.exe" [2005-1-4 237635]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\E:\PNDIS5.SYS []
S3 StreamSurge;StreamSurge Driver;c:\windows\system32\drivers\ss.sys []

=============== Created Last 30 ================

2008-11-30 20:24 250 a------- c:\windows\gmer.ini
2008-11-28 21:12 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-28 21:10 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-11-15 09:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg7
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-19 00:13 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2007-07-15 07:27 <DIR> --d----- c:\docume~1\chris\applic~1\AVG7
2007-05-30 17:55 <DIR> --d----- c:\docume~1\chris\applic~1\OLYMPUS
2007-04-19 00:50 <DIR> --d----- c:\docume~1\chris\applic~1\Sony Corporation
2007-04-19 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Corporation
2007-04-18 20:54 <DIR> --d----- c:\docume~1\chris\applic~1\AdobeAUM
2007-04-18 17:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2006-08-07 08:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2006-07-28 12:12 <DIR> --d----- c:\docume~1\chris\applic~1\vlc
2006-06-26 14:17 <DIR> --d----- c:\docume~1\chris\applic~1\salesforce.com
2006-06-26 14:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\salesforce.com
2006-06-26 14:00 <DIR> --d----- c:\docume~1\chris\applic~1\MSN6
2006-06-24 21:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6

============= FINISH: 2127.31 ===============
Attached Files
File Type: txt Attach.txt (6.7 KB, 0 views)
Mister Greywolf is offline  
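Added example, not from the thread or any tool it mentions: a small Python triage pass over lines in the DDS pseudo-HJT format above, flagging the indicators a reviewer picks out of this log (a forced proxy in Internet Settings, a Run entry launching a system-named binary from a non-system directory such as drivers\svchost.exe, and a service whose image file is missing). The sample lines are constructed copies of entries from the posted log, and the rule set is my own, not DDS's.

```python
"""Triage a DDS / HijackThis-style pseudo report for the indicators seen in this thread.

Added example for the thread above; the rule set is hand-written and is not
DDS's, ComboFix's or any vendor's detection logic.
"""
import ntpath
import re

# Constructed sample: entries copied in shape from the posted DDS log.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = 172.16.228.253:80
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
R2 PDSched;PDScheduler;"c:\program files\raxco\perfectdisk\PDSched.exe" [2005-1-4 237635]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\E:\PNDIS5.SYS []
S3 StreamSurge;StreamSurge Driver;c:\windows\system32\drivers\ss.sys []
"""

# Directories where Windows XP itself installs these binaries. A copy of one of
# these names living anywhere else is a classic masquerade (drivers\svchost.exe here).
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\servicepackfiles\i386"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# uRun / mRun / dRun: [name] path [args]; the path may be quoted and may contain spaces.
RUN_RE = re.compile(
    r'^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd))(?:"|\s|$)',
    re.I,
)
# R0/R2/S3 ...: start;name;description;image path [date size]  -- "[]" means DDS found no file.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
PROXY_RE = re.compile(r'^[umd]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)', re.I)


def triage(report: str) -> list[dict]:
    """Return one finding dict per suspicious line, in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            # A proxy the user did not set explains redirected search clicks and
            # unreachable AV vendor sites: all browser traffic goes through that box.
            findings.append({"severity": "medium", "rule": "proxy-set",
                             "detail": m.group("proxy"), "line": line})
            continue

        m = RUN_RE.match(line)
        if m:
            path = m.group("path")
            base = ntpath.basename(path).lower()
            home = ntpath.dirname(path).lower()
            if base in SYSTEM_BINARY_HOMES and home not in SYSTEM_BINARY_HOMES[base]:
                findings.append({"severity": "high", "rule": "masquerade",
                                 "detail": f"{base} launched from {home or '<unresolved>'}",
                                 "line": line})
            continue

        m = SERVICE_RE.match(line)
        if m and not m.group("meta").strip():
            # Empty brackets: the registered driver/service image is not on disk.
            # Often a leftover, but it is also what a rootkit-hidden file looks like.
            findings.append({"severity": "medium", "rule": "service-file-missing",
                             "detail": f"{m.group('name')} -> {m.group('path')}",
                             "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:<6}] {f['rule']:<22} {f['detail']}")
```

Run against the sample it reports the proxy, the drivers\svchost.exe masquerade and the two services with no file on disk; the two missing files in this thread were harmless leftovers, so that rule is a prompt to check, not a verdict.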
Old 12-06-2008, 11:38 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,446
OS: N/A


Re: Sysvxd.exe and o/s and gmer issues

1. Download this file

2. Double click to run it

3. When finished, it shall produce a log for you. Post that log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline  
Old 12-07-2008, 07:00 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: Win XP


Re: Sysvxd.exe and o/s and gmer issues

Thanks for the contact. I have downloaded the combofix.exe. There may be a delay in posting, as I have to go to an internet cafe to contact you, rather than doing it from home.

Thanks again.
Mister Greywolf is offline  
Old 12-07-2008, 07:52 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: Win XP


Re: Sysvxd.exe and o/s and gmer issues

First, thank you very very much. Brilliant.

I cancelled my meeting and ran home to do this. I've run combofix.exe, and now I get proper search results, i.e. can click through to the shown url, and I haven't had an error message since booting up - and my firewall remains on.

I'm also a bit anxious - was there a key logger? I've accessed email, IM services, and confidential servers related to work since this infection. Do I need to change passwords?

Ok, log follows:

ComboFix 08-12-06.06 - Chris 2008-12-07 14:24:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.229 [GMT 0:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\azip32.dll
c:\windows\system32\casino1.ico
c:\windows\system32\casino2.ico
c:\windows\system32\casino3.ico
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\dzgtactx.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\TDSSadw.dll
c:\windows\system32\TDSSerrors.log
c:\windows\system32\tdssinit.dll
c:\windows\system32\tdssl.dll
c:\windows\system32\tdsslog.dll
c:\windows\system32\tdssmain.dll
c:\windows\system32\tdsspopup.dll
c:\windows\system32\tdsspopup1.url
c:\windows\system32\TDSSpopup2.url
c:\windows\system32\tdsspopup3.url
c:\windows\system32\TDSSserf.dll
c:\windows\system32\TDSSserf1.dll
c:\windows\system32\TDSSservers.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV
-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-11-30 20:24 . 2008-11-30 20:43 250 --a------ c:\windows\gmer.ini
2008-11-28 21:12 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-28 21:10 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 09:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 68856]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-27 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-04-20 579584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-30 77824]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-10 219136]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
ProjectWhois.lnk - c:\program files\Domain Tools\ProjectWhois\ProjectWhois.exe [2006-11-21 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 PDSched;PDScheduler;"c:\program files\Raxco\PerfectDisk\PDSched.exe" [2005-01-04 237635]
S3 StreamSurge;StreamSurge Driver;c:\windows\system32\DRIVERS\ss.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uInternet Settings,ProxyServer = 172.16.228.253:80
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E74202F3-30F4-4237-B262-D4B2219718A1} = 192.168.1.1

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\r8l6cvk9.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 14:31:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2008-12-07 14:33:22
ComboFix-quarantined-files.txt 2008-12-07 14:32:56

Pre-Run: 8,486,150,144 bytes free
Post-Run: 9,115,820,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

155 --- E O F --- 2008-11-29 03:07:19

***************************************************

Fantastic. I'm so grateful. I've been dealing with this for 2 months, and had decided I had to reformat before finding your service.

Thanks again.
Mister Greywolf is offline  
Old 12-07-2008, 08:32 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,446
OS: N/A


Re: Sysvxd.exe and o/s and gmer issues

It's a rootkit hidden backdoor. Would be wise to change all your passwords now.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
sUBs is offline  
Old 12-07-2008, 06:36 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: Win XP


Re: Sysvxd.exe and o/s and gmer issues

Hello sUBs,

I did the scan - took an hour 45 mins.

I notice the sysvxd.exe file is still in the c:\\windows folder, though is not named as a threat. Is it? Should I do something about that? I've got a lot of log files in there created around the same time, too. Hmm...

Anyway, I'm sure you'll advise me how to proceed.

Kaspersky copy and paste:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 20:05:59
Records in database: 1442800
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 79660
Threat name: 8
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:45:46


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Small.adgj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSserv.sys.vir Infected: Rootkit.Win32.Agent.eeq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Infected: Rootkit.Win32.Clbd.kr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssl.dll.vir Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.tcb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdsspopup.dll.vir Infected: Backdoor.Win32.UltimateDefender.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdssserf1.dll.vir Infected: Backdoor.Win32.TDSS.zj 1

The selected area was scanned.


Thanks once again for your time and effort.
Mister Greywolf is offline  
Old 12-07-2008, 09:04 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,446
OS: N/A


Re: Sysvxd.exe and o/s and gmer issues

Quote:
I notice the sysvxd.exe file is still in the c:\\windows folder, though is not named as a threat. Is it? Should I do something about that? I've got a lot of log files in there created around the same time, too. Hmm...
Logfiles named KB*****.log are created by Windows Updates. You shouldn't delete them.
Sysvxd came in with the infection but it doesn't contain malicious code. That's why Kaspersky ignored it. It's more of a support file. You may delete it.


Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-08-2008, 07:30 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: Win XP


Re: Sysvxd.exe and o/s and gmer issues

Hello sUBs,

I have uninstalled combofix, as you advised.

I am installing the software you have recommended - spywareblaster, erunt, sun java etc. and re-enabled windows update, avg update etc.

I did delete sysvxd.exe.

My system is performing well - search results as normal, no crashes or error messages, and I'm able to update my av etc. I have no system issues.

Thank you very very much. This is a wonderful service. I am so impressed - and searching your site couldn't find a way to donate or whatever. If there is anything I can do to help do please say.

Thank you again.

Mister Greywolf
Mister Greywolf is offline  
Old 12-08-2008, 10:30 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,446
OS: N/A


Re: Sysvxd.exe and o/s and gmer issues

Quote:
couldn't find a way to donate or whatever.
http://www.techsupportforum.com/secu...m-com-you.html

I thank you on behalf of the children, kind sir.
__________________

Question - what have you done for the community today?
sUBs is offline  