Jump to content

Vundo (and other problems)


Recommended Posts

Hi,

First, great work with this forum! I have a stubborn Vundo infection that pops up every time I run mbam. Other problems that might be worth mentioning:

* Yesterday mbam spotted 'Rootkit.ADS'. I think it's been removed though.

* I seem to have some remnants of 'AntiVirus XP 2008' as well. There are icons in my Start menu, although there are only placeholder graphics instead of proper icons, if you know what I mean. I don't think it's a real problem though.

I'd really appreciate any help that comes my way. I've run mbam and HJT (as requested in the sticky thread), so here goes...

Thanks,

Sean

__________________________________________________________________________

***HJT***

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:41:24, on 19/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [nogewajufu] Rundll32.exe "C:\WINDOWS\system32\hapejulu.dll",s

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [nogewajufu] Rundll32.exe "C:\WINDOWS\system32\lutazipu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O20 - AppInit_DLLs: c:\windows\system32\kefuzego.dll , c:\windows\system32\rapepute.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 10119 bytes

__________________________________________________________________________

***MBAM***

Malwarebytes' Anti-Malware 1.33

Database version: 1666

Windows 5.1.2600 Service Pack 3

19/01/2009 21:35:24

mbam-log-2009-01-19 (21-35-24).txt

Scan type: Quick Scan

Objects scanned: 54687

Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nogewajufu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi. ;)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

---------------------------

Open HijackThis and put a check next to these:

O4 - HKLM\..\Run: [nogewajufu] Rundll32.exe "C:\WINDOWS\system32\hapejulu.dll",s

O4 - HKUS\S-1-5-19\..\Run: [nogewajufu] Rundll32.exe "C:\WINDOWS\system32\lutazipu.dll",s (User 'LOCAL SERVICE')

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O20 - AppInit_DLLs: c:\windows\system32\kefuzego.dll , c:\windows\system32\rapepute.dll

Click Fix Checked and close HJT.

---------------------------

download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessry).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Link to post
Share on other sites

Paste this into the fix box (where it says paste fix here):

[Kill Explorer][Registry - Safe List]< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListYN -> "C:\WINDOWS\system32\drivers\svchost.exe" -> C:\WINDOWS\system32\drivers\svchost.exe [C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost][Files/Folders - Created Within 30 Days]NY -> dds.scr -> %UserProfile%\Desktop\dds.scrNY -> dds.com -> %UserProfile%\Desktop\dds.com[Files/Folders - Modified Within 30 Days]NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmpNY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmpNY -> 13 C:\Documents and Settings\Seanie\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Seanie\Local Settings\Temp\*.tmpNY -> SSUPDATE.EXE -> %UserProfile%\Local Settings\Temp\SSUPDATE.EXENY -> vqmzrt.exe -> %UserProfile%\Local Settings\Temp\vqmzrt.exeNY -> txdlrf.exe -> %UserProfile%\Local Settings\Temp\txdlrf.exe[Alternate Data Streams]NY -> @Alternate Data Stream - 18944 bytes -> %SystemRoot%\explorer.exe:mian.nest.9.10NY -> @Alternate Data Stream - 288 bytes -> %SystemRoot%\explorer.exe:host.opts.dbNY -> @Alternate Data Stream - 7812 bytes -> %SystemRoot%\explorer.exe:log.dumpNY -> @Alternate Data Stream - 8 bytes -> %SystemRoot%\explorer.exe:extractor6.trgNY -> @Alternate Data Stream - 896 bytes -> %SystemRoot%\explorer.exe:httpcomm.set[Purity][Empty Temp Folders][start Explorer]

Then run the fix. It will produce a log, please post it here.

Also:

Download Lop S&D < here

Double-click Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt)

Link to post
Share on other sites

***OTScanIt2***

Process Explorer.EXE killed successfully!

[Registry - Safe List]

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\drivers\svchost.exe deleted successfully.

[Files/Folders - Created Within 30 Days]

C:\Documents and Settings\Seanie\Desktop\dds.scr moved successfully.

C:\Documents and Settings\Seanie\Desktop\dds.com moved successfully.

[Files/Folders - Modified Within 30 Days]

C:\Documents and Settings\Seanie\Local Settings\Temp\WMC0000.tmp folder deleted successfully.

C:\Documents and Settings\Seanie\Local Settings\Temp\~nsu.tmp folder deleted successfully.

C:\Documents and Settings\Seanie\Local Settings\Temp\SSUPDATE.EXE moved successfully.

C:\Documents and Settings\Seanie\Local Settings\Temp\vqmzrt.exe moved successfully.

C:\Documents and Settings\Seanie\Local Settings\Temp\txdlrf.exe moved successfully.

[Alternate Data Streams]

ADS C:\WINDOWS\explorer.exe:mian.nest.9.10 deleted successfully.

ADS C:\WINDOWS\explorer.exe:host.opts.db deleted successfully.

ADS C:\WINDOWS\explorer.exe:log.dump deleted successfully.

ADS C:\WINDOWS\explorer.exe:extractor6.trg deleted successfully.

ADS C:\WINDOWS\explorer.exe:httpcomm.set deleted successfully.

[Purity]

Purity scan complete.

[Empty Temp Folders]

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

FireFox cache emptied.

RecycleBin -> emptied.

Explorer started successfully

< End of fix log >

OTScanIt2 by OldTimer - Version 1.0.6.2 fix logfile created on 01202009_222033

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

________________________________________________________________________

***Lop S&D***

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Genuine Intel® CPU T2050 @ 1.60GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A08

USER : Seanie ( Administrator )

BOOT : Normal boot

Antivirus : (Not Activated)

Firewall : (Not Activated)

C:\ (Local Disk) - NTFS - Total:70 Go (Free:3 Go)

D:\ (CD or DVD) - UDF - Total:6 Go (Free:0 Go)

F:\ (Local Disk) - FAT - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( 20/01/2009|22:25 )

--------------------\\ Listing folders in APPLIC~1

[23/09/2006|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL

[05/12/2008|22:17] C:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7

[14/09/2006|14:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel

[14/09/2006|14:30] C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek

[10/08/2004|12:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities

[14/09/2006|14:19] C:\DOCUME~1\ADMINI~1\APPLIC~1\Intel

[02/09/2008|21:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia

[09/09/2008|20:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes

[03/09/2008|21:00] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft

[14/09/2006|14:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver

[23/12/2008|22:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[11/11/2006|23:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe

[11/11/2006|23:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems

[23/09/2006|11:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL

[23/12/2008|22:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

[23/12/2008|22:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

[21/02/2007|20:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7

[19/11/2006|19:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink

[02/01/2007|19:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google

[24/09/2006|19:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft

[14/09/2006|14:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek

[14/09/2006|14:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield

[14/09/2006|14:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intel

[05/09/2008|20:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes

[14/09/2006|14:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee

[14/09/2006|14:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com

[24/09/2006|19:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com Personal Firewall

[15/10/2006|19:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft

[29/10/2006|11:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime

[10/08/2004|12:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SBSI

[14/09/2006|14:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic

[29/03/2007|20:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson

[05/12/2008|21:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

[05/12/2008|22:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

[29/03/2007|20:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca

[02/01/2007|19:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage

[23/09/2006|11:42] C:\DOCUME~1\Cora\APPLIC~1\AOL

[17/10/2006|21:12] C:\DOCUME~1\Cora\APPLIC~1\AVG7

[14/09/2006|14:24] C:\DOCUME~1\Cora\APPLIC~1\Corel

[14/09/2006|14:30] C:\DOCUME~1\Cora\APPLIC~1\Gtek

[10/08/2004|12:08] C:\DOCUME~1\Cora\APPLIC~1\Identities

[14/09/2006|14:19] C:\DOCUME~1\Cora\APPLIC~1\Intel

[17/10/2006|21:14] C:\DOCUME~1\Cora\APPLIC~1\Macromedia

[03/09/2008|21:45] C:\DOCUME~1\Cora\APPLIC~1\Microsoft

[14/09/2006|14:25] C:\DOCUME~1\Cora\APPLIC~1\You've Got Pictures Screensaver

[23/09/2006|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\AOL

[14/09/2006|14:24] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Corel

[14/09/2006|14:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek

[10/08/2004|12:08] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Identities

[14/09/2006|14:19] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Intel

[14/09/2006|14:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[14/09/2006|14:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver

[27/12/2008|08:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\AVG7

[23/09/2006|11:50] C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall

[10/08/2004|11:57] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[24/09/2006|19:12] C:\DOCUME~1\NETWOR~1\APPLIC~1\Intel

[10/08/2004|11:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

[27/10/2007|18:14] C:\DOCUME~1\Seanie\APPLIC~1\Adobe

[02/10/2006|19:12] C:\DOCUME~1\Seanie\APPLIC~1\AdobeUM

[23/09/2006|11:42] C:\DOCUME~1\Seanie\APPLIC~1\AOL

[17/11/2006|00:19] C:\DOCUME~1\Seanie\APPLIC~1\Apple Computer

[27/10/2008|08:47] C:\DOCUME~1\Seanie\APPLIC~1\Aventail

[17/01/2009|10:58] C:\DOCUME~1\Seanie\APPLIC~1\AVG7

[02/05/2007|22:05] C:\DOCUME~1\Seanie\APPLIC~1\Corel

[06/10/2006|21:53] C:\DOCUME~1\Seanie\APPLIC~1\CyberLink

[01/06/2008|19:40] C:\DOCUME~1\Seanie\APPLIC~1\dvdcss

[17/02/2007|12:36] C:\DOCUME~1\Seanie\APPLIC~1\Google

[14/09/2006|14:30] C:\DOCUME~1\Seanie\APPLIC~1\Gtek

[11/11/2006|11:36] C:\DOCUME~1\Seanie\APPLIC~1\Help

[10/08/2004|12:08] C:\DOCUME~1\Seanie\APPLIC~1\Identities

[14/09/2006|14:19] C:\DOCUME~1\Seanie\APPLIC~1\Intel

[30/09/2006|20:40] C:\DOCUME~1\Seanie\APPLIC~1\Leadertech

[24/09/2006|20:14] C:\DOCUME~1\Seanie\APPLIC~1\Macromedia

[09/09/2008|21:13] C:\DOCUME~1\Seanie\APPLIC~1\Malwarebytes

[23/09/2006|11:26] C:\DOCUME~1\Seanie\APPLIC~1\McAfee.com Personal Firewall

[27/10/2008|08:47] C:\DOCUME~1\Seanie\APPLIC~1\Microsoft

[16/12/2008|22:01] C:\DOCUME~1\Seanie\APPLIC~1\Mozilla

[02/01/2007|19:41] C:\DOCUME~1\Seanie\APPLIC~1\Real

[30/09/2006|20:40] C:\DOCUME~1\Seanie\APPLIC~1\Sonic

[16/10/2006|18:00] C:\DOCUME~1\Seanie\APPLIC~1\Sun

[05/12/2008|22:23] C:\DOCUME~1\Seanie\APPLIC~1\SUPERAntiSpyware.com

[29/03/2007|20:19] C:\DOCUME~1\Seanie\APPLIC~1\Teleca

[31/12/2006|13:47] C:\DOCUME~1\Seanie\APPLIC~1\Template

[10/11/2007|22:40] C:\DOCUME~1\Seanie\APPLIC~1\uTorrent

[29/10/2006|11:46] C:\DOCUME~1\Seanie\APPLIC~1\vlc

[03/02/2008|20:42] C:\DOCUME~1\Seanie\APPLIC~1\Vso

[14/09/2006|14:25] C:\DOCUME~1\Seanie\APPLIC~1\You've Got Pictures Screensaver

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[05/01/2009 23:54][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[20/01/2009 22:22][--ah-----] C:\WINDOWS\tasks\SA.DAT

[04/08/2004 04:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/11/2006|23:01] C:\Program Files\Adobe

[31/12/2006|18:06] C:\Program Files\Ahead

[23/12/2008|22:50] C:\Program Files\Apple Software Update

[23/12/2008|22:52] C:\Program Files\Bonjour

[14/09/2006|14:18] C:\Program Files\Broadcom

[05/12/2008|21:39] C:\Program Files\CCleaner

[23/12/2008|22:50] C:\Program Files\Common Files

[14/09/2006|14:16] C:\Program Files\CONEXANT

[02/05/2007|22:04] C:\Program Files\Corel

[14/09/2006|14:19] C:\Program Files\CyberLink

[23/09/2006|11:44] C:\Program Files\Dell

[14/09/2006|14:30] C:\Program Files\Dell Support

[14/09/2006|14:18] C:\Program Files\Digital Line Detect

[02/01/2007|20:46] C:\Program Files\DivX

[03/02/2008|21:17] C:\Program Files\DVDFab Platinum 3

[15/02/2008|19:13] C:\Program Files\Google

[24/09/2006|19:55] C:\Program Files\Grisoft

[17/02/2007|12:35] C:\Program Files\InstallShield Installation Information

[14/09/2006|14:19] C:\Program Files\Intel

[13/12/2008|17:51] C:\Program Files\Internet Explorer

[23/12/2008|22:52] C:\Program Files\iPod

[23/12/2008|22:53] C:\Program Files\iTunes

[04/04/2007|20:23] C:\Program Files\Java

[02/05/2007|21:51] C:\Program Files\MagicISO

[18/01/2009|22:43] C:\Program Files\Malwarebytes' Anti-Malware

[14/09/2006|14:28] C:\Program Files\McAfee

[15/08/2008|23:33] C:\Program Files\Messenger

[17/02/2007|10:54] C:\Program Files\microsoft frontpage

[17/02/2007|10:55] C:\Program Files\Microsoft Office

[14/09/2006|14:29] C:\Program Files\Microsoft Works

[29/10/2008|12:10] C:\Program Files\Modem Helper

[27/07/2008|21:25] C:\Program Files\Movie Maker

[20/01/2009|22:23] C:\Program Files\Mozilla Firefox

[01/09/2007|23:45] C:\Program Files\MSN

[10/08/2004|12:01] C:\Program Files\MSN Gaming Zone

[17/11/2006|00:51] C:\Program Files\MSXML 4.0

[27/07/2008|21:21] C:\Program Files\NetMeeting

[14/09/2006|14:18] C:\Program Files\NetWaiting

[10/08/2004|12:01] C:\Program Files\Online Services

[27/07/2008|21:21] C:\Program Files\Outlook Express

[20/10/2007|22:14] C:\Program Files\PartyGaming

[23/12/2008|22:52] C:\Program Files\QuickTime

[27/12/2006|18:54] C:\Program Files\Real

[02/09/2008|21:36] C:\Program Files\RogueRemover FREE

[14/09/2006|14:16] C:\Program Files\Sigmatel

[14/09/2006|14:21] C:\Program Files\Sonic

[04/05/2007|22:41] C:\Program Files\Sony Ericsson

[18/01/2009|22:26] C:\Program Files\Sophos

[04/12/2008|22:22] C:\Program Files\Spybot - Search & Destroy

[10/12/2008|22:07] C:\Program Files\SUPERAntiSpyware

[14/09/2006|14:17] C:\Program Files\Synaptics

[14/09/2006|14:21] C:\Program Files\Tiscali

[19/01/2009|21:41] C:\Program Files\Trend Micro

[02/01/2007|19:44] C:\Program Files\Uninstall Information

[15/10/2006|01:18] C:\Program Files\uTorrent

[29/10/2006|11:39] C:\Program Files\VideoLAN

[02/01/2007|20:54] C:\Program Files\Windows Media Connect 2

[27/07/2008|21:21] C:\Program Files\Windows Media Player

[27/07/2008|21:21] C:\Program Files\Windows NT

[24/09/2006|19:38] C:\Program Files\WindowsUpdate

[18/10/2006|20:10] C:\Program Files\WinRAR

[10/08/2004|12:04] C:\Program Files\xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11/11/2006|23:01] C:\Program Files\Common Files\Adobe

[11/11/2006|23:03] C:\Program Files\Common Files\Adobe Systems Shared

[23/09/2006|11:44] C:\Program Files\Common Files\AOL

[23/12/2008|22:52] C:\Program Files\Common Files\Apple

[02/05/2007|22:05] C:\Program Files\Common Files\Corel

[17/02/2007|10:55] C:\Program Files\Common Files\Designer

[14/09/2006|14:20] C:\Program Files\Common Files\InstallShield

[14/09/2006|14:11] C:\Program Files\Common Files\Java

[17/02/2007|10:55] C:\Program Files\Common Files\Microsoft Shared

[10/08/2004|12:02] C:\Program Files\Common Files\MSSoap

[14/09/2006|14:25] C:\Program Files\Common Files\Nullsoft

[02/01/2007|19:42] C:\Program Files\Common Files\Real

[28/10/2008|22:30] C:\Program Files\Common Files\Roxio Shared

[10/08/2004|12:02] C:\Program Files\Common Files\Services

[28/10/2008|22:30] C:\Program Files\Common Files\Sonic Shared

[10/08/2004|11:57] C:\Program Files\Common Files\SpeechEngines

[27/07/2008|21:21] C:\Program Files\Common Files\System

[29/03/2007|20:18] C:\Program Files\Common Files\Teleca Shared

[14/09/2006|14:20] C:\Program Files\Common Files\TiVo Shared

[23/01/2008|21:40] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 58 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 22:26:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv]

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Seanie\Desktop\cracking

C:\DOCUME~1\Seanie\Desktop\cracking\01 Cardiac Arrest.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\01 Panther Dash.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\01 Tell Me Why.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\02 All You Good Good People.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\04 Cut Your Hair.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\05 Come Back to What You Know.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\05 Till the Morning Comes.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\06 Junior Kickstart.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\06 Supersonic.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\07 Eight Miles High.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\08 - Mr. Grieves.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\09 Texarkana.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\9 - Aphex Twin - Avril 14th.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\AlbumArtSmall.jpg

C:\DOCUME~1\Seanie\Desktop\cracking\AlbumArt_{0064FE52-9192-44A2-8B79-21C2D331ECFF}_Large.jpg

C:\DOCUME~1\Seanie\Desktop\cracking\AlbumArt_{0064FE52-9192-44A2-8B79-21C2D331ECFF}_Small.jpg

C:\DOCUME~1\Seanie\Desktop\cracking\clare

C:\DOCUME~1\Seanie\Desktop\cracking\dec

C:\DOCUME~1\Seanie\Desktop\cracking\desktop.ini

C:\DOCUME~1\Seanie\Desktop\cracking\Folder.jpg

C:\DOCUME~1\Seanie\Desktop\cracking\for andreas

C:\DOCUME~1\Seanie\Desktop\cracking\Mamma Mia (2008) - Soundtrack

C:\DOCUME~1\Seanie\Desktop\cracking\next version

C:\DOCUME~1\Seanie\Desktop\cracking\old

C:\DOCUME~1\Seanie\Desktop\cracking\xmas

C:\DOCUME~1\Seanie\Desktop\cracking\clare\01 Bladhm.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\01 Headache.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\01 Meicsiceo.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\01-glasvegas-flowers_and_football_tops.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\02 Can't Take My Eyes off You.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\02 Don't Take Your Gun to Town.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\02 Shut Up.mp3

C:\DOCUME~1\Seanie\Desktop\cracking\clare\03 Cail

Link to post
Share on other sites

Hi Tigger - what do you mean by 'cracks'? (I'm not the brightest!) That 'cracking' folder is a music folder for a CD compilation I was making for the car. The folder used to be called 'Cracking tunes' (as in 'very good tunes'). Not sure whether you use that expression, but it's common in Ireland and Britain.

Link to post
Share on other sites

  • Root Admin

We're sorry but since you have evidence of cracked or pirated software you're using on the system we have to close this thread now.

If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.
Link to post
Share on other sites

  • Root Admin

Per discussion in PM I've re-opened the post. If there are ANY signs of illegal software in use the post will be closed again permanently.

Please run the following.

Restart the computer and close ALL applications and run this tool.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.
  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. As soon as it's done and the
    COPY
    button is available click on the
    COPY
    button.

  • DO NOT
    Click on the
    SCAN
    button.

  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.

  • Click OK and quit the GMER program.

Then run the following

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then run HJT Do a system scan and save a logfile and post back all 3 logs.

Link to post
Share on other sites

_______________________________GMER________________________________________

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-27 21:06:34

Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip odptdi.sys (OnDemand Proxy TDI Driver/Aventail Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp odptdi.sys (OnDemand Proxy TDI Driver/Aventail Corporation)

Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp odptdi.sys (OnDemand Proxy TDI Driver/Aventail Corporation)

Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp odptdi.sys (OnDemand Proxy TDI Driver/Aventail Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [sYSTEM] TDSSserv <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

_______________________________MBAM__________________________________________

Malwarebytes' Anti-Malware 1.33

Database version: 1700

Windows 5.1.2600 Service Pack 3

27/01/2009 21:11:28

mbam-log-2009-01-27 (21-11-28).txt

Scan type: Quick Scan

Objects scanned: 55113

Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

_______________________________HJT________________________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:15:36, on 27/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Seanie\Desktop\gmer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 9038 bytes

Link to post
Share on other sites

  • Root Admin

Please uninstall Adobe Acrobat Reader 7 and ALL versions of Java if installed.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Here are the download links for Adobe Reader 9.0.0 but do not install it yet. Wait until we're done.

You're also running an out of date version of AVG Anti-Virus 7 they're now at version 8 DO NOT remove or update it right now but when we're close to being done we'll look at updating it.

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
  • O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  • O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1
  • O17 - HKLM\System\CS1\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1
  • O17 - HKLM\System\CS2\Services\Tcpip\..\{046D27A9-134B-4AE0-9CEF-1CCD7FF3B79A}: NameServer = 192.168.1.1
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

When the above is done then run the following in this exact order. IF you have any copy of Combofix delete it now and get a new copy.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member
seven stars only

. If you are a lurker, do NOT try this on your system!

If you are not
seven stars
and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

    Download and install
    CCleaner
  • CCleaner

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close
    ALL PROGRAMS

  • Start the
    CCleaner
    program.

  • Click on
    Registry
    and
    Uncheck
    Registry Integrity so that it does not run

  • Click on
    Options
    -
    Advanced
    and
    Uncheck
    "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to
    Cleaner
    and under SYSTEM uncheck the Memory Dumps and Windows Log Files

  • Click on
    Run Cleaner
    button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware

applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To
disable the Resident Shield
, please:

open AVG User Interface

double-click on the Resident Shield

un-tick the option Resident Shield active

save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download
    FixPolicies.exe
    by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on
    Fix_policies.cmd
    to run it. Command Prompt will open and close quickly this is normal.

  • Reboot your computer after it runs

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder
VArestorepolicies
and
Right-click
the file inside,
VArestorepolicies.INF
and choose
Install

STEP07

icon_arrow.gif

If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware
    applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO .

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF

you should see a message like this:

Rookit_found.gif

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the
C:\ComboFix.txt
in your next reply.

-------------------------------------------------------

A caution -
Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

STEP08

IF

and only
IF
the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.

Only if Combofix has a good finish:

I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download
The Avenger
by Swandog46 from
here
.
  • Unzip/extract it to a folder on your desktop.
  • Double click on
    avenger.exe
    to run
    The Avenger
    .

  • Click
    OK
    .

  • Make sure that the box next to
    Scan for rootkits
    has a tick in it and that the box next to
    Automatically disable any rootkits found
    does
    not
    have a tick in it.

  • Copy
    all
    of the text in the below textbox to the clibpboard by highlighting it and then pressing
    Ctrl+C
    .

    Files to delete:

    C:\WINDOWS\system32\brsvc01a.exe

    C:\WINDOWS\system32\brss01a.exe

    C:\WINDOWS\SYSTEM32\TDSSixgp.dll

    C:\WINDOWS\SYSTEM32\TDSSproc.log

    C:\WINDOWS\SYSTEM32\TDSSwkod.log

    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp

    c:\windows\system32\drivers\msqpdxserv.sys

    C:\resycled

    D:\resycled

    e:\resycled

    f:\resycled

    g:\resycled

    c:\windows\system32\TDSSweat.dat

    C:\WINDOWS\system32\drivers\TDSSmqlt.sys

    C:\windows\system32\drivers\tdssserv.sys

    C:\WINDOWS\system32\drivers\TDSSmact.sys

    C:\WINDOWS\system32\TDSSfpmp.dll

    C:\WINDOWS\system32\TDSSwpyd.dat

    C:\WINDOWS\system32\TDSStkdv.log

    C:\WINDOWS\system32\TDSSotxb.dll

    C:\WINDOWS\system32\TDSScrrn.dll

    C:\WINDOWS\system32\TDSSbvqh.dll

    C:\WINDOWS\system32\TDSSjnmx.dll

    c:\windows\system32\TDSShrxr.dll

    c:\windows\system32\TDSSkkbi.log

    c:\windows\system32\TDSSlrvd.dat

    c:\windows\system32\TDSSlxwp.dll

    c:\windows\system32\TDSSnmxh.log

    c:\windows\system32\TDSSoiqt.dll

    c:\windows\system32\TDSSrhyp.log

    c:\windows\system32\TDSSrtqp.dll

    c:\windows\system32\TDSSsihc.dll

    c:\windows\system32\TDSSxfum.dll

    c:\windows\system32\TDSSmtve.dat

    c:\windows\system32\TDSSnirj.dat


    Drivers to delete:

    tdss

    tdssserv

    TDSSserv.SYS

    Service_TDSSSERV.SYS

    Legacy_TDSSSERV.SYS

    msqpdxserv.sys

    msqpdxserv


    Registry keys to delete:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

    HKEY_LOCAL_MACHINE\SOFTWARE\tdss

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the avenger window, click the
    Paste Script from Clipboard
    icon,
    pastets4.png
    button.

  • :!:
    Make sure that what appears in Avenger
    matches exactly
    what you were asked to Copy/Paste from the Code box above.

  • Click the
    Execute
    button.

  • You will be asked
    Are you sure you want to execute the current script?
    .

  • Click
    Yes
    .

  • You will now be asked
    First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
    .

  • Click
    Yes
    .

  • Your PC will now be rebooted.

  • Note:
    If the above script contains Drivers to delete: or Drivers to disable:, then
    The Avenger
    will require two reboots to complete its operation.

  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of
    c:\avenger.txt
    into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

STEP09

Download DDS and save it to your desktop from one of these 3 locations

1
http://www.techsupportforum.com/sectools/sUBs/dds

2
http://download.bleepingcomputer.com/sUBs/dds.scr

3
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click
dds.scr
to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]
    Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Please then reply with a copy of
C:\Combofix.txt
,
C:\Avenger.txt
, and a new
HijackThis

RE-Enable your AntiVirus and AntiSpyware

applications.
Link to post
Share on other sites

I renamed combofix and ran it in safe mode. Before I ran it, it said that AVG was still running, even though I'd done all I could to disable it. I didn't want to take any chances, so I uninstalled AVG altogether before running combofix (it's an out of date version anyway and you said I'd be better to get more up-to-date a/v software when we're done).

Here are the logs:

DDS, Attach (this reply)

Combofix, Avenger, HJT (next reply)

cheers,

Sean

_____________________DDS.TXT_________________________

DDS (Ver_09-01-19.01) - NTFSx86

Run by Seanie at 21:32:52.35 on 2009-01-29

Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/

uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: NoExplorer - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\seanie\applic~1\mozilla\firefox\profiles\mj2nxr7s.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-01-29 07:23 <DIR> a-dshr-- C:\cmdcons

2009-01-29 06:56 286,720 a------- c:\windows\SWREG.exe

2009-01-29 06:56 98,816 a------- c:\windows\sed.exe

2009-01-28 20:27 <DIR> --d----- c:\program files\Yahoo!

2009-01-27 21:05 250 a------- c:\windows\gmer.ini

2009-01-22 22:05 <DIR> --d----- C:\as_xyz

2009-01-20 22:24 <DIR> --d----- C:\Lop SD

2009-01-20 22:20 <DIR> --d----- C:\_OTScanIt

2009-01-19 21:41 <DIR> --d----- c:\program files\Trend Micro

2009-01-18 22:26 <DIR> --d----- c:\program files\Sophos

2009-01-05 10:14 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS

2009-01-05 10:14 7,552 a------- c:\windows\system32\dllcache\sonypvu1.sys

==================== Find3M ====================

2009-01-18 22:10 1,033,728 a------- c:\windows\system32\dllcache\explorer.exe

2009-01-18 22:10 1,033,728 a------- c:\windows\explorer.exe

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

2008-12-05 21:55 1,312,755 a------- C:\MGtools.exe

2007-11-17 14:13 81,920 a------- c:\docume~1\seanie\applic~1\ezpinst.exe

2007-11-17 14:13 47,360 a------- c:\docume~1\seanie\applic~1\pcouffin.sys

2006-12-31 13:48 88 ac------ c:\docume~1\seanie\applic~1\wklnhst.dat

2007-05-02 22:00 56 -c-shr-- c:\windows\system32\A96C0B895C.sys

2007-10-18 19:29 3,766 ac-sh--- c:\windows\system32\KGyGaAvL.sys

2008-09-09 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080908\index.dat

2008-09-09 21:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 21:33:20.35 ===============

_____________________ATTACH.TXT_________________________

==== Installed Programs ======================

Adobe Flash Player 10 Plugin

Adobe Flash Player 9 ActiveX

Adobe SVG Viewer 3.0

Apple Mobile Device Support

Apple Software Update

Aventail Access Manager

Aventail OnDemand Proxy Agent

Aventail Web Proxy Agent

Aventail Webifiers

Bonjour

Broadcom Management Programs

CCleaner (remove only)

CinepPlayer 30 Update

Conexant HDA D110 MDC V.92 Modem

Dell Support 3.2

Dell System Restore

Digital Line Detect

DVDFab Platinum 3.0.4.5 Beta Ghosthunter relase

Google Earth

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless Software

iTunes

Magic ISO Maker v5.4 (build 0239)

Malwarebytes' Anti-Malware

Malwarebytes' RogueRemover

mCore

MCU

mDrWiFi

mHlpDell

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Professional

Microsoft Office Web Components

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Works

mIWA

mLogView

mMHouse

Modem Helper

Mozilla Firefox (3.0.5)

mPfMgr

mPfWiz

mProSafe

MSN

mSSO

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

mWlsSafe

mWMI

mXML

mZConfig

NetWaiting

PowerDVD 5.7

QuickSet

QuickTime

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Sonic Activation Module

Sonic DLA

Sonic MyDVD LE

Sonic RecordNow Audio

Sonic RecordNow Copy

Sonic RecordNow Data

Sonic Update Manager

Sony Ericsson PC Suite 1.20.173

Sophos Anti-Rootkit 1.3.1

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

Synaptics Pointing Device Driver

Tiscali Internet

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update Service

VideoLAN VLC media player 0.8.5

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

Yahoo! Toolbar

==== End Of File ===========================

Link to post
Share on other sites

_____________________C:\COMBOFIX.TXT_________________________

ComboFix 09-01-24.01 - Administrator 2009-01-29 7:24:33.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.820 [GMT 0:00]

Running from: c:\documents and settings\Administrator\Desktop\seanfix.exe

AV: *On-access scanning disabled* (Outdated)

FW: *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Readme.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PACKET

-------\Legacy_TDSSSERV

-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))

.

2009-01-28 20:27 . 2009-01-28 20:27 <DIR> d-------- c:\program files\Yahoo!

2009-01-28 20:27 . 2009-01-28 20:27 <DIR> d-------- c:\documents and settings\Seanie\Application Data\Yahoo!

2009-01-28 20:27 . 2009-01-28 20:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-01-27 21:05 . 2009-01-27 21:05 250 --a------ c:\windows\gmer.ini

2009-01-22 22:05 . 2009-01-22 22:19 <DIR> d-------- C:\as_xyz

2009-01-20 22:24 . 2009-01-20 22:27 <DIR> d-------- C:\Lop SD

2009-01-20 22:20 . 2009-01-20 22:20 <DIR> d-------- C:\_OTScanIt

2009-01-19 21:41 . 2009-01-19 21:41 <DIR> d-------- c:\program files\Trend Micro

2009-01-18 22:26 . 2009-01-18 22:26 <DIR> d-------- c:\program files\Sophos

2009-01-05 10:14 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS

2009-01-05 10:14 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\dllcache\sonypvu1.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-29 07:20 --------- d-----w c:\documents and settings\Seanie\Application Data\AVG7

2009-01-29 07:20 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7

2009-01-29 07:20 --------- d-----w c:\documents and settings\All Users\Application Data\avg7

2009-01-29 07:20 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7

2009-01-28 20:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-28 20:27 --------- d-----w c:\program files\CCleaner

2009-01-26 22:24 --------- d-----w c:\program files\PartyGaming

2009-01-23 07:37 --------- d-----w c:\program files\Java

2009-01-23 07:30 --------- d-----w c:\program files\Corel

2009-01-23 07:27 --------- d-----w c:\program files\Common Files\Adobe

2009-01-18 22:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-18 22:10 1,033,728 ----a-w c:\windows\explorer.exe

2009-01-14 16:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 16:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-12-23 22:53 --------- d-----w c:\program files\iTunes

2008-12-23 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-23 22:52 --------- d-----w c:\program files\QuickTime

2008-12-23 22:52 --------- d-----w c:\program files\iPod

2008-12-23 22:52 --------- d-----w c:\program files\Common Files\Apple

2008-12-23 22:52 --------- d-----w c:\program files\Bonjour

2008-12-23 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-23 22:50 --------- d-----w c:\program files\Apple Software Update

2008-12-23 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-10 22:07 --------- d-----w c:\program files\SUPERAntiSpyware

2008-12-05 22:24 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-05 22:23 --------- d-----w c:\documents and settings\Seanie\Application Data\SUPERAntiSpyware.com

2008-12-05 21:55 1,312,755 ----a-w C:\MGtools.exe

2008-12-04 22:22 --------- d-----w c:\program files\Spybot - Search & Destroy

2007-11-17 14:13 81,920 ----a-w c:\documents and settings\Seanie\Application Data\ezpinst.exe

2007-11-17 14:13 47,360 ----a-w c:\documents and settings\Seanie\Application Data\pcouffin.sys

2006-12-31 13:48 88 -c--a-w c:\documents and settings\Seanie\Application Data\wklnhst.dat

2007-05-02 22:00 56 -csh--r c:\windows\system32\A96C0B895C.sys

2007-10-18 19:29 3,766 -csha-w c:\windows\system32\KGyGaAvL.sys

2008-09-09 21:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080908\index.dat

2008-09-09 21:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-10 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-01-14 1273488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-10 22:07 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\ma3platform.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

"c:\\WINDOWS\\stsystra.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=

"c:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23562:TCP"= 23562:TCP:uTorr_TCP

"23562:UDP"= 23562:UDP:uTorr_UDP

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [2008-10-27 46744]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\10.tmp --> c:\windows\system32\10.tmp [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe

Notify-WgaLogon - (no file)

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ie/

uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab

FF - ProfilePath - c:\documents and settings\Seanie\Application Data\Mozilla\Firefox\Profiles\mj2nxr7s.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-29 07:27:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\10.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\p*& 2*]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\program files\Digital Line Detect\DLG.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

.

**************************************************************************

.

Completion time: 2009-01-29 7:29:51 - machine was rebooted [seanie]

ComboFix-quarantined-files.txt 2009-01-29 07:29:48

Pre-Run: 5,296,717,824 bytes free

Post-Run: 4,155,936,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

200 --- E O F --- 2009-01-15 21:36:05

_____________________C:\AVENGER.TXT_________________________

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\brsvc01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brsvc01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\brss01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brss01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp"

Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!

Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\resycled" not found!

Deletion of file "C:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "D:\resycled"

Deletion of file "D:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "e:\resycled"

Deletion of file "e:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "f:\resycled"

Deletion of file "f:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "g:\resycled"

Deletion of file "g:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\TDSSweat.dat" not found!

Deletion of file "c:\windows\system32\TDSSweat.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSmtve.dat" not found!

Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnirj.dat" not found!

Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!

Deletion of driver "tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!

Deletion of driver "TDSSserv.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!

Deletion of driver "Service_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!

Deletion of driver "Legacy_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!

Deletion of driver "msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!

Deletion of driver "msqpdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

_____________________HJT_________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:34, on 2009-01-29

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7665 bytes

Link to post
Share on other sites

  • Root Admin

How is the computer running now?

Are there still any signs of an infection?

Please run another round of updates and scan.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Seems to be running fine. MBAM was clear anyway :lol:

____________________MBAM________________________

Malwarebytes' Anti-Malware 1.33

Database version: 1707

Windows 5.1.2600 Service Pack 3

2009-01-30 07:13:46

mbam-log-2009-01-30 (07-13-46).txt

Scan type: Quick Scan

Objects scanned: 54745

Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

____________________MBAM________________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:17, on 2009-01-30

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 7706 bytes

Link to post
Share on other sites

  • Root Admin

Okay, current logs look clean. Let's run one more tool again though to make sure.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.
  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the
    SCAN
    button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the
    SAVE
    button and browse to your Desktop and save the file as
    GMER.LOG

  • Zip up the
    GMER.LOG
    file and save it as
    gmerlog.zip
    and attach it to your reply post.

  • DO NOT
    directly post this log into a reply. You
    MUST
    attach it as a .ZIP file.

  • Click OK and quit the GMER program.

Then update your Anti-Virus and do another Full Scan and let me know if it finds anything or not.

Link to post
Share on other sites

  • Root Admin

When running these scanners please make sure you close down ALL other programs including chat programs and RSS readers, etc.

The logs are finding things running that shouldn't be running.

Please run the following

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then run a new MBAM update, scan again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Please also let me know how the computer is running now and if there are still any signs of an infection.

Thanks.

Link to post
Share on other sites

Hi,

I installed Avira after the last step (to replace AVG, which I uninstalled for a previous step), so I was already running a scan with it before I saw your last reply. Avira made 19 detections. Presumably I should avoid doing a system restore now?

MBAM was clear. I'll post the MBAM log, then the HJT one. I'll post the Avira one in the next reply as well...

Thanks,

Sean

_____________________MBAM_____________________

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 3

2009-01-31 10:53:46

mbam-log-2009-01-31 (10-53-46).txt

Scan type: Quick Scan

Objects scanned: 55833

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

_____________________HJT_____________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:56, on 2009-01-31

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 8252 bytes

Link to post
Share on other sites

Okay Sean,

Let me know what Avira found please.

Thanks.

Avira AntiVir Personal

Report file date: 31 January 2009 10:00

Scanning for 1302306 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: SEVENSTARS

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 09:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 08:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 13:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 08:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 12:30:36

ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 09:58:26

ANTIVIR2.VDF : 7.1.1.207 1359360 Bytes 1/30/2009 09:58:40

ANTIVIR3.VDF : 7.1.1.208 2048 Bytes 1/30/2009 09:58:40

Engineversion : 8.2.0.70

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/31/2009 09:59:05

AESCRIPT.DLL : 8.1.1.39 344443 Bytes 1/31/2009 09:59:03

AESCN.DLL : 8.1.1.6 127348 Bytes 1/31/2009 09:59:01

AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 14:58:38

AEPACK.DLL : 8.1.3.5 393588 Bytes 1/31/2009 09:59:00

AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/31/2009 09:58:56

AEHEUR.DLL : 8.1.0.89 1569143 Bytes 1/31/2009 09:58:54

AEHELP.DLL : 8.1.2.0 119159 Bytes 1/31/2009 09:58:46

AEGEN.DLL : 8.1.1.12 328053 Bytes 1/31/2009 09:58:45

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 11:05:56

AECORE.DLL : 8.1.6.3 176501 Bytes 1/31/2009 09:58:42

AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 11:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 09:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 10:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 13:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 12:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 09:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 13:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 18:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 13:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 13:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 14:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 14:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: 31 January 2009 10:00

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'epmworker.exe' - '1' Module(s) have been scanned

Scan process 'Generic.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'DLG.exe' - '1' Module(s) have been scanned

Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'netwaiting.exe' - '1' Module(s) have been scanned

Scan process 'msconfig.exe' - '1' Module(s) have been scanned

Scan process 'CapabilityManager.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'Application Launcher.exe' - '1' Module(s) have been scanned

Scan process 'issch.exe' - '1' Module(s) have been scanned

Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'quickset.exe' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'stsystra.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

52 processes with 52 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Administrator\Desktop\seanfix.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\Prep.com

[DETECTION] Is the TR/Dropper.Gen Trojan

--> 32788R22FWJFW\Tail.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

C:\Documents and Settings\Seanie\Desktop\seanfix.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\Prep.com

[DETECTION] Is the TR/Dropper.Gen Trojan

--> 32788R22FWJFW\Tail.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[WARNING] The file was ignored!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP323\A0030868.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49b42806.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP323\A0030871.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '49b4280d.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0033059.exe:extractor6.jpg

[DETECTION] Is the TR/Spy.Agent.110080 Trojan

[NOTE] The file was moved to '49b42840.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0033087.EXE

[DETECTION] Is the TR/Crypt.CFI.Gen Trojan

[NOTE] The file was moved to '49b42846.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0033121.exe:mian.nest.9.10

[DETECTION] Is the TR/Spy.Gen Trojan

[NOTE] The file was moved to '49b4284d.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034746.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b42992.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034753.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b42997.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034793.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b4299b.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034800.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b4299f.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034801.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b429a2.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034847.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b429a5.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034848.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b429ac.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034949.exe

[0] Archive type: RAR SFX (self extracting)

--> 32788R22FWJFW\Prep.com

[DETECTION] Is the TR/Dropper.Gen Trojan

--> 32788R22FWJFW\Tail.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b429b3.qua'!

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0034988.com

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '49b429b4.qua'!

End of the scan: 31 January 2009 10:45

Used time: 45:43 Minute(s)

The scan has been done completely.

6292 Scanning directories

215165 Files were scanned

19 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

14 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

215144 Files not concerned

3285 Archives were scanned

4 Warnings

14 Notes

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.