Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 06-24-2009, 06:52 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: Win XP Media Center Edition


PC severely hosed due to Trojan

Working on my son's Dell Inspiron E1705 running XP Media Edition. He said it started misbehaving about a week ago. What I have observed:

1. After booting you get ViewpointService.exe application error - exception breakpoint. This happens every time you boot. It started around the time the PC went south. It is followed soon thereafter with ViewMgr crashing.

2. Most exes don't run. The computer hangs often and has to be rebooted.

3. I cannot run the McAfee command center. However, it is constantly trying to run itself and what you end up with is a whole string of McAfee icons in the sys tray, each with a red slice through it.

4. I downloaded Kaspersky, but could not run the exe. I could run the scan from within a cmd window. It found Trojan.Win32.TDSS.aekg.

5. Because his PC won't run, I'm transferring downloads & logs via memory stick to/from my PC. Every time I insert the stick back in my PC, McAfee finds and removes "m.exe" from it, indicating that it has found "Spy-Agent.dy".

I have run the DDS.scr for this posting. It produced DDS.txt then crashed.
I tried running GMER. It shows up as a Process in Task Manager for a little while, then disappears.

DDS.Txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by CCM at 19:37:43.71 on Wed 06/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1581 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\CCM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [services] c:\windows\services.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ccm\startm~1\programs\startup\is-tkdrf.lnk - c:\documents and settings\ccm\desktop\virus removal tool\is-tkdrf\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218409801429&h=458bef75a94f28e6930e068256705fbd/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: fabbdcabbedff - c:\windows\system32\fabbdcabbedff.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ccm\applic~1\mozilla\firefox\profiles\9xw71w16.default\

============= SERVICES / DRIVERS ===============

R1 is-tkdrfdrv;is-TKDRFdrv;c:\windows\system32\drivers\79555032.sys [2009-6-23 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-27 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-27 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-27 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-27 40552]
S1 a5b099f9;a5b099f9;c:\windows\system32\drivers\a5b099f9.sys [2009-6-17 0]
S2 driver;driver;c:\windows\system32\svchost.exe -k driver [2005-8-16 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-17 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-27 34216]

=============== Created Last 30 ================

2009-06-23 21:35 7,168 a------- c:\windows\system32\drivers\utmymta5.sys
2009-06-23 21:19 148,496 a------- c:\windows\system32\drivers\79555032.sys
2009-06-23 20:26 <DIR> --dsh--- c:\documents and settings\ccm\PrivacIE
2009-06-23 19:01 194,064 a------- c:\windows\system32\kdpini.dll
2009-06-23 18:28 312,847 -------- c:\windows\system32\fc7dd8d7cd6ef63e32fdfebc8a6f5a47.TMP
2009-06-23 18:28 312,847 -------- c:\windows\system32\0ae0e91b902504078cd05c9eec4ddec1.TMP
2009-06-22 22:03 <DIR> --dsh--- c:\documents and settings\ccm\IETldCache
2009-06-22 13:13 26,112 a------- c:\windows\9129837.exe
2009-06-22 13:12 102,784 a------- c:\windows\system32\drivers\c26b7b84.sys
2009-06-18 00:47 312,847 -------- c:\windows\system32\f987bfa988b4904e5fc7a88ed6dcf2fa.TMP
2009-06-18 00:47 312,847 -------- c:\windows\system32\2e29b07310fd6a7ca510c4cebb675b2e.TMP
2009-06-17 22:37 0 a------- c:\windows\system32\drivers\a5b099f9.sys
2009-06-17 22:37 14,336 ----h--- c:\windows\ld10.exe
2009-06-17 22:36 204,100 ac------ C:\pcwr.exe
2009-06-17 22:36 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-17 22:35 2 ac------ C:\274692252
2009-06-17 22:35 10,240 ac------ C:\ddxkfhqb.exe
2009-06-17 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94128116
2009-06-17 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14118124
2009-06-17 22:01 10,752 a------- c:\windows\system32\iehelper.dll
2009-06-17 21:51 262,672 a------- c:\windows\sysguard.exe
2009-06-17 21:51 <DIR> --d----- c:\program files\driver
2009-06-17 21:51 1 ----h--- c:\windows\jmmark2.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52621.dat
2009-06-17 21:51 1 ----h--- c:\windows\bf23567.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52597.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52689.dat
2009-06-17 21:51 25,600 ----h--- c:\windows\ld09.exe
2009-06-17 01:45 <DIR> --d----- c:\program files\AIMTunes
2009-06-17 01:45 21 a------- c:\windows\atid.ini
2009-06-09 14:07 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 14:07 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 14:07 <DIR> --d----- c:\windows\ie8updates
2009-06-09 14:06 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-09 14:02 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-23 22:41 622,592 a------- c:\windows\system32\netcfgx.dll
2009-06-23 22:41 622,592 a------- c:\windows\system32\dllcache\netcfgx.dll
2009-06-23 18:28 312,847 -------- c:\windows\system32\fabbdcabbedff.dll
2009-06-22 22:03 80,885 a------- c:\windows\system32\nvModes.dat
2009-05-14 18:26 3,558 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-02 21:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat

============= FINISH: 19:40:17.21 ===============
SplinterKeys is offline  
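The DDS log above is what the analyst reads in the next post, and the entries that stand out there are a browser helper object registered with no display name, a winlogon Notify DLL and kernel drivers with hex-soup filenames, a driver reported at size 0, a service that loads svchost.exe under an unknown -k group, a copy of services.exe outside system32, and executables dropped in the roots of C:\ and C:\WINDOWS. The following Python script is an added example, not part of the thread and not part of the DDS tool: it runs a handful of defender-side triage heuristics over lines copied from that log. The rules themselves, the svchost group allowlist, and the list of system32-only binaries are this example's own assumptions; each hit is a candidate for a human to review, not a verdict.

```python
"""Heuristic triage of a DDS / HijackThis-style log (added example).

The sample lines are copied from the DDS log posted in the thread. The
rules, the svchost allowlist and the system32-only list are this example's
own assumptions, chosen to show which entries an analyst reads first.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines from the thread's DDS output.
SAMPLE_LOG = r"""
BHO: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
mRun: [services] c:\windows\services.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
Notify: fabbdcabbedff - c:\windows\system32\fabbdcabbedff.dll
R1 is-tkdrfdrv;is-TKDRFdrv;c:\windows\system32\drivers\79555032.sys [2009-6-23 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-27 214024]
S1 a5b099f9;a5b099f9;c:\windows\system32\drivers\a5b099f9.sys [2009-6-17 0]
S2 driver;driver;c:\windows\system32\svchost.exe -k driver [2005-8-16 14336]
C:\WINDOWS\System32\svchost.exe -k netsvcs
2009-06-17 22:37 14,336 ----h--- c:\windows\ld10.exe
2009-06-17 22:35 10,240 ac------ C:\ddxkfhqb.exe
2009-06-09 14:07 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
"""

# Assumption: svchost groups seen on a stock Windows XP install. Extend this
# from a known-clean reference machine rather than from the suspect one.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "dcomlaunch", "rpcss", "localservice", "networkservice",
    "imgsvc", "wudfservicegroup", "termsvcs", "httpfilter",
}
# Assumption: binaries that only ever run from %windir%\system32 on XP.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys))', re.I)
SERVICE_RE = re.compile(r'^[RS][0-4]\s+[^;]+;[^;]*;(.+)\s+\[\d{4}-\d{1,2}-\d{1,2}\s+(\d+)\]$')
BHO_RE = re.compile(r'^(?:BHO|STS):\s+(.*?):\s+\{[^}]+\}\s+-\s+(.*)$')
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,]+\s+(\S{8})\s+(.*)$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.I)


def looks_random(path: str) -> bool:
    """True when the whole file stem is eight or more hex characters (e.g. a5b099f9.sys)."""
    return re.fullmatch(r'[0-9a-f]{8,}', PureWindowsPath(path).stem.lower()) is not None


def triage_line(line: str) -> list[str]:
    """Return the names of every rule that fires on one log line."""
    hits: list[str] = []
    line = line.strip()
    if not line:
        return hits

    m = SVCHOST_RE.search(line)
    if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        hits.append("svchost group not in allowlist")

    m = BHO_RE.match(line)
    if m and m.group(1).lower() == m.group(2).lower():
        hits.append("BHO/STS registered without a display name")

    m = SERVICE_RE.match(line)
    if m and m.group(2) == "0":
        hits.append("service/driver image reported with size 0")

    m = CREATED_RE.match(line)
    if m:
        attrs, path = m.groups()
        p = PureWindowsPath(path)
        if p.suffix.lower() in {".exe", ".dll", ".sys"} and str(p.parent).lower() in {"c:\\", "c:\\windows"}:
            hits.append("executable dropped in drive or %windir% root" + (" (hidden)" if "h" in attrs else ""))

    for path in PATH_RE.findall(line):
        p = PureWindowsPath(path)
        if looks_random(path):
            hits.append(f"random-looking filename: {p.name}")
        if p.name.lower() in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
            hits.append(f"system binary outside system32: {path}")
    return hits


def triage(log_text: str) -> list[tuple[str, str]]:
    """Run every rule over every line; returns (rule, line) pairs in log order."""
    return [(rule, ln.strip()) for ln in log_text.splitlines() for rule in triage_line(ln)]


if __name__ == "__main__":
    for rule, ln in triage(SAMPLE_LOG):
        print(f"[{rule}] {ln}")
```

Run against the embedded sample it reports nine hits, all on the entries the analyst singles out, and none on the McAfee driver, the Google toolbar, iTunes or the netsvcs host. The allowlist approach is deliberate: a hex-named driver or an unknown svchost group is not malicious by definition, but on a home XP box it is exactly the entry worth checking against a clean reference machine before deciding between cleaning and the reformat route the thread ends up recommending.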
Old 06-26-2009, 08:39 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 533
OS: N/A


Re: PC severely hosed due to Trojan

Hello.

Let's see what we can find and remove. I see a few infections from the DDS log already. TDSSserv is a rootkit; we'll see whether it's active or not, but take a read below regarding rootkits and backdoors. If you wish to continue, follow the steps on running ComboFix and GMER.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you wish to continue, follow the steps below.


Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Then, please take a GMER scan for me.

We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click or on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No.

  6. Click on and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.


Take a new DDS run afterwards and post back with the logs.

With Regards,
Extremeboy
extremeboy is offline  
Old 06-26-2009, 04:26 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: Win XP Media Center Edition


Re: PC severely hosed due to Trojan

Thanks for the warning about the back-door Trojan. My son has opted for the reformat/reinstall route. Thanks for your time all the same.
SplinterKeys is offline  
Old 06-27-2009, 08:26 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 533
OS: N/A


Re: PC severely hosed due to Trojan

You're welcome.

Thanks for letting me know. :)

I'll let a moderator close this topic and move it away shortly.

With Regards,
Extremeboy
extremeboy is offline  
Old 06-27-2009, 11:41 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Re: PC severely hosed due to Trojan

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  