david faversham

TDSS infection?


My machine shut itself down and rebooted. On restart there was a dialog box telling me I had a virus and to download an anti-virus programme.

Without letting the download commence I isolated the computer from both my home network and the internet and tried to run system restore, but got shut down before it could complete, both in normal Windows and in safe mode.

I tried running Windows Defender and AVG 7.5 anti-malware but neither would run.

Using a clean computer I discovered that my AVG should have been updated to 8.0, so I downloaded both the updated programme and updates and installed them from CD.

The updated AVG 8.0 ran OK in safe mode but has to restart itself in normal sessions; no report log is produced to send to AVG of the attempted shutdowns. While AVG did remove a number of suspect files, the computer is still obviously infected.

I found you guys on a google of one of the files AVG removed.

I downloaded Spy Bot; it won't run.

I tried the Panda scan and it stops on the update; restarts all finish at the same point.

ESET can't be found by the infected computer when connected to the internet. I have just tried updating AVG directly from the internet but as soon as the download starts it breaks the connection. I can't even get to the Windows Update site. I have also just discovered that it blocks downloads directly from AVG site but I can update via memory stick.

Hijack runs OK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:51:11, on 14/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\ASUS\Probe\AsusProb.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

G:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

N:\Anti virus\HiJackThis.exe

N:\Anti virus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\NEWMIC~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\NEWMIC~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\NEWMIC~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\NEWMIC~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf.dll

[2008/11/07 23:09:46 | 00,000,000 | ---D | C] -- C:\Program Files\Broderbund

[2008/10/24 00:54:58 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll

========== Files - Modified Within 30 Days ==========

[38 C:\*.tmp files]

[1 C:\WINDOWS\System32\*.tmp files]

[5 C:\WINDOWS\*.tmp files]

[1 e:\Documents and Settings\David\My Documents\*.tmp files]

[2008/11/14 22:09:10 | 30,105,790 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2008/11/14 20:25:09 | 00,002,472 | ---- | M] () -- C:\Documents and Settings\David\Desktop\rootkit scan.csv

[2008/11/14 20:21:54 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2008/11/14 20:19:05 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/11/14 20:18:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/11/14 20:18:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/11/14 20:18:41 | 21,467,50464 | -HS- | M] () -- C:\hiberfil.sys

[2008/11/13 15:56:36 | 00,418,304 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTListIt.exe

[2008/11/12 21:06:58 | 00,000,069 | ---- | M] () -- C:\WINDOWS\brmx2001.ini

[2008/11/12 15:57:43 | 00,000,988 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/11/12 15:57:43 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2008/11/12 15:57:43 | 00,000,211 | RHS- | M] () -- C:\boot.ini

[2008/11/11 10:49:42 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 8.0.lnk

[2008/11/11 10:49:41 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll

[2008/11/11 10:49:39 | 00,012,936 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys

[2008/11/11 10:49:38 | 00,090,632 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys

[2008/11/11 10:49:35 | 00,098,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys

[2008/11/11 10:49:35 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys

[2008/11/11 10:49:30 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg

[2008/11/11 10:49:30 | 00,334,743 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg

[2008/11/10 22:18:01 | 01,640,330 | -H-- | M] () -- C:\Documents and Settings\David\Local Settings\Application Data\IconCache.db

[2008/11/10 22:03:47 | 00,000,114 | ---- | M] () -- C:\WINDOWS\System32\delself.bat

[2008/11/10 07:18:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2008/11/07 23:24:44 | 00,000,851 | ---- | M] () -- C:\tempbmm.iss

[2008/11/07 21:13:09 | 00,408,766 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008/11/07 21:13:08 | 00,479,352 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008/11/07 21:13:08 | 00,062,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008/11/06 22:25:50 | 00,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT

[2008/11/06 22:25:50 | 00,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT

[2008/11/06 22:04:35 | 00,037,376 | ---- | M] () -- C:\Documents and Settings\David\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/10/16 14:13:40 | 01,809,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll

[2008/10/16 14:13:40 | 01,809,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll

[2008/10/16 14:13:40 | 00,202,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuweb.dll

[2008/10/16 14:13:40 | 00,202,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll

[2008/10/16 14:12:22 | 00,323,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll

[2008/10/16 14:12:22 | 00,323,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wucltui.dll

[2008/10/16 14:12:20 | 00,561,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll

[2008/10/16 14:12:20 | 00,561,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuapi.dll

[2008/10/16 14:12:20 | 00,213,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl

[2008/10/16 14:12:20 | 00,213,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaucpl.cpl

[2008/10/16 14:09:44 | 00,092,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdm.dll

[2008/10/16 14:09:44 | 00,092,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll

[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt.exe

[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe

[2008/10/16 14:09:44 | 00,043,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll

[2008/10/16 14:09:40 | 00,031,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui

[2008/10/16 14:08:58 | 00,034,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll

[2008/10/16 14:08:58 | 00,034,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wups.dll

[2008/10/16 14:07:46 | 00,023,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl.mui

[2008/10/16 14:07:44 | 00,023,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui

[2008/10/16 14:07:14 | 00,018,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll.mui

[2008/10/16 14:06:48 | 00,268,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll

[2008/10/16 14:06:48 | 00,208,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll

[2008/10/16 14:06:48 | 00,027,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui

< End of report >

EXTRAS

OTListIt Extras logfile created on: 14/11/2008 22:44:13 - Run 5

OTListIt by OldTimer - Version 1.0.12.0 Folder = C:\Documents and Settings\David\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.45% Memory free

3.26 Gb Paging File | 2.67 Gb Available in Paging File | 81.84% Paging File free

Paging file location(s): C:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 53.71 Gb Total Space | 18.73 Gb Free Space | 34.88% Space Free | Partition Type: NTFS

Drive D: | 2.00 Gb Total Space | 0.92 Gb Free Space | 45.88% Space Free | Partition Type: FAT32

Drive E: | 31.76 Gb Total Space | 3.93 Gb Free Space | 12.38% Space Free | Partition Type: NTFS

Drive F: | 13.17 Gb Total Space | 1.48 Gb Free Space | 11.20% Space Free | Partition Type: NTFS

Drive G: | 10.66 Gb Total Space | 7.80 Gb Free Space | 73.20% Space Free | Partition Type: NTFS

Drive H: | 5.19 Gb Total Space | 0.71 Gb Free Space | 13.72% Space Free | Partition Type: NTFS

Drive I: | 2.00 Gb Total Space | 0.49 Gb Free Space | 24.66% Space Free | Partition Type: FAT32

Drive J: | 2.00 Gb Total Space | 1.77 Gb Free Space | 88.93% Space Free | Partition Type: FAT32

Drive K: | 1.87 Gb Total Space | 1.53 Gb Free Space | 81.83% Space Free | Partition Type: FAT32

Drive L: | 31.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: TOWER

Current User Name: David

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger

File not found -- C:\Documents and Settings\David\Local Settings\Temp\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard

[2008/04/18 15:06:53 | 00,214,560 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer

[2004/12/19 22:19:05 | 03,862,528 | ---- | M] (Etomi Development Team) -- C:\Program Files\Etomi\Shareaza.exe:*:Enabled:Etomi Ultimate File Sharing

[2008/04/14 00:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer

[2005/02/15 10:36:40 | 00,565,248 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client

[1998/07/13 16:13:30 | 00,613,376 | ---- | M] (Cendant Software, Inc.) -- C:\Program Files\Sierra On-Line\SIGSPat.exe:*:Disabled:SIGSPat

File not found -- L:\Autorun.exe:*:Enabled:Installer

File not found -- C:\Program Files\NETGEAR\SC101 Manager Utility\Client\SCM.exe:*:Enabled:NETGEAR Storage Central Manager

[2006/09/23 12:16:49 | 00,013,312 | ---- | M] (Apache Software Foundation) -- C:\Program Files\HP Web Jetadmin\hpwebjetd.exe:*:Enabled:Apache HTTP Server

[2006/05/11 02:05:12 | 00,155,648 | ---- | M] (Aelitis) -- C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus

File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe

File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe

File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe

File not found -- C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe

[2005/01/11 16:33:58 | 01,183,744 | ---- | M] () -- C:\Program Files\Video Server S\Video Server S.exe:*:Enabled:Video Server S

[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour

[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\New Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook

[2007/08/28 23:23:36 | 00,340,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\New Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove

[2008/05/21 04:54:40 | 01,022,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\New Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote

[2008/10/01 17:57:04 | 14,258,472 | ---- | M] (Apple Inc.) -- G:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery

"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1

"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0C3FCE48-6984-11D5-90F8-00E029591716}" = Brother MFC Software Suite

"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP810" = Canon MP810

"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{1B399A41-C1D0-40A2-9E4F-095868EFAF01}" = InterVideo WinDVD 5

"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3

"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config

"{26346FB6-4F69-453D-95CE-B6BA3A5382F8}" = Broderbund Media Manager

"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload

"{2EBA5473-558B-462C-AEE4-FE50FA799F2A}" = Mouse Driver

"{2F3D179F-BF30-4FC0-A244-009683B0E40F}" = Oracle 8.1.7 ODBC Driver for BMW Applications

"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2

"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp

"{31A57C3E-30DD-421F-B5C7-974DACB0D05F}" = Canon Camera WIA Driver

"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9

"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices

"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1

"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION

"{3F695596-85E6-4224-BC70-538F9036797A}" = MovieShop

"{40589552-3892-409E-B92C-9F5032A4B2F0}" = Safari

"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer

"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp

"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder

"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade

"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap

"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg

"{59C9A627-5F4A-47c4-94FD-9A886F5AC971}" = PS330

"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1

"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition

"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch

"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6A5FE305-1147-400D-9795-8B80E693476A}" = Serif WebPlus SE

"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic

"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{6FC503A3-7DE2-40F3-B156-C8A14118AF60}" = iLike Sidebar

"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05

"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06

"{7148F0A8-6813-11D6-A77B-00B0D0142150}" = Java 2 Runtime Environment, SE v1.4.2_15

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{74344F10-34CA-480E-BD02-B3F4FA692BFA}" = File Viewer Utility 1.3.1

"{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web

"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin

"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08

"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{85B1BEF2-2357-4C27-ABBE-15A1AE3AF78D}" = HP Deskjet 5700

"{86BB059D-1231-457B-B88F-F9B315A18F90}" = Windows Vista Upgrade Advisor

"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver

"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime

"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007

"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{95398D6D-E2A6-45BC-A9B2-C8C1D9D00E6E}" = DECAdry Express Business Cards 4

"{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}" = InterVideo DVDCopy 2 for AsusTek

"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support

"{9DE006A5-B384-4EDE-A760-0F217136B9EA}" = Microsoft IntelliType Pro 2.2

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers

"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom

"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour

"{A5F68DC8-0278-4AD8-B413-861509B5F25B}" = ArcSoft Panorama Maker 3

"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet

"{A833A505-4D7A-41F5-9362-A2F8DFFE6E9B}" = Camera Window

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}" = PaperPort 8.0 SE

"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone

"{B754C893-6177-4061-9B2F-88F58C1C5166}" = CIG

"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2

"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm

"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster

"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center

"{D6FD2A0F-E1FD-4795-A774-D42261F92FF1}" = NETGEAR Storage Central Manager Utility

"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5

"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes

"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant

"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter

"{EF91B23E-3819-43A1-AE47-043E1900EB2B}" = RemoteCapture 2.7.4

"{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}" = InterVideo Disc Master 2

"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status

"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio

"{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}" = The Print Shop

"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard

"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject

"ACDSee" = ACDSee

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player Plugin

"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0

"Advanced Drawing 1.10" = Advanced Drawing

"All ATI Software" = ATI - Software Uninstall Utility

"ASUS Probe V2.21.05" = ASUS Probe V2.21.05

"ASUS Probe V2.23.03" = ASUS Probe V2.23.03

"ATI Display Driver" = ATI Display Driver

"Audacity_is1" = Audacity 1.2.6

"AVG8Uninstall" = AVG 8.0

"Azureus" = Azureus

"Caesar 3" = Caesar 3

"ClickArt 250,000 Premier Image Pack 1.0" = ClickArt 250,000 Premier Image Pack

"ClickArt Gallery 1.0" = ClickArt


Be careful using a memory stick as the card and data on it can easily become infected as well.

Start HJT and do a Scan Only, then place a check mark on the following items:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} hxxp://v4.windowsupdate.microsoft.com/CAB/...8108.4677777778 (Reg Error: Key does not exist or could not be opened.)

Select all of the O16 entries for Sun Java

Then click Fix Selected...

Not sure what's in this file; it could be bad or good. You can edit it with NOTEPAD and post back what it says.

C:\WINDOWS\System32\delself.bat

This is part of a Peer2Peer software downloader which is often how computers get infected.

C:\Program Files\Etomi\Plugins\RazaWebHook.dll

You need to uninstall all Peer2Peer software in order for us to be able to assist you since they can potentially reinfect you as we're working on the cleanup.

You also have Azureus running on your system which is another P2P application.

Delete this file: C:\tempbmm.iss

You need to uninstall all your old versions of Java such as these

Java 2 Runtime Environment, SE v1.4.2_05

Java 2 Runtime Environment, SE v1.4.2_06

Java 2 Runtime Environment, SE v1.4.2_15

J2SE Runtime Environment 5.0 Update 2

J2SE Runtime Environment 5.0 Update 4

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 10

Java

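The helper's checklist above comes down to reading the uninstall list for two things: a pile of superseded Java runtimes (every one but the newest is an exposure) and P2P clients such as Azureus. The following script is an added example, not part of this thread, that parses lines in the same `"key" = Product Name` format as the log above and reports both; the GUID keys in the sample are constructed placeholders, and the Java names and the Azureus entry are taken from the thread.

```python
import re

# One uninstall-list line: "{GUID}" = Product Name  (or "Name" = Product Name)
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.+?)\s*$')
# The two Java naming styles that appear in this thread's uninstall list
J2SE_14_RE = re.compile(r'Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)_(\d+)')
J2SE_5_RE = re.compile(r'J2SE Runtime Environment (\d+)\.(\d+) Update (\d+)')
# P2P clients the helper named in the thread (lower-cased for matching)
P2P_NAMES = {"azureus"}

# Constructed sample in the log's format; GUID keys are placeholders
SAMPLE_LOG = """\
"{00000001-0000-0000-0000-000000000001}" = Java 2 Runtime Environment, SE v1.4.2_05
"{00000002-0000-0000-0000-000000000002}" = J2SE Runtime Environment 5.0 Update 2
"{00000003-0000-0000-0000-000000000003}" = J2SE Runtime Environment 5.0 Update 10
"{00000004-0000-0000-0000-000000000004}" = J2SE Runtime Environment 5.0 Update 10
"Azureus" = Azureus
"AVG8Uninstall" = AVG 8.0
"""

def parse_uninstall_list(text):
    """Return (key, name) pairs for every well-formed entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name")))
    return entries

def java_version(name):
    """Map a Java entry name to a comparable tuple, or None if it is not Java."""
    m = J2SE_14_RE.search(name)
    if m:                       # e.g. 1.4.2_05 -> (1, 4, 2, 5)
        return tuple(int(x) for x in m.groups())
    m = J2SE_5_RE.search(name)
    if m:                       # e.g. 5.0 Update 10 -> (5, 0, 0, 10)
        major, minor, upd = (int(x) for x in m.groups())
        return (major, minor, 0, upd)
    return None

def stale_java(entries):
    """Names of every Java runtime except one copy of the newest version."""
    javas = [(java_version(n), n) for _, n in entries if java_version(n)]
    if not javas:
        return []
    newest = max(v for v, _ in javas)
    kept_newest = False
    stale = []
    for ver, name in javas:
        if ver == newest and not kept_newest:
            kept_newest = True   # keep exactly one copy; duplicates are stale too
            continue
        stale.append(name)
    return stale

def p2p_entries(entries):
    """Installed products whose name matches a known P2P client."""
    return [n for _, n in entries if n.lower() in P2P_NAMES]
```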

It seems you are indeed infected with a RootKit.TDSS variant.

If you can, please visit here and follow the instructions.

http://www.gmer.net/faq.php

Just in case you can't access it via website url, here's the IP http://204.152.184.145/faq.php

Replace rootkit.rustok with tdss; the instructions are the same regardless of the particular variant we're dealing with. :blink:

When done, run MBAM, go to the UPDATE tab and update the program, then do a Quick Scan, fix anything found and RESTART your computer.

Then after the restart run another HJT scan, save the log and post back all the logs please.


Thanks for your help AdvancedSetup.

By chance I had done most of what you suggested in your last post before you posted it. I will follow your final instructions.

For those that have similar problems this is how I worked around the problem.

The virus stopped me from following your instructions by replacing deleted files on reboot. I couldn't even uninstall all the Java update files.

Out of desperation I looked at the GMER faqs which gave me an idea.

I deleted the first entry which you pointed out using Hijack. I closed Hijack, then re-scanned and saw the file hadn't re-appeared. I purchased a couple of cheap memory chips. Using a clean system I downloaded and unzipped GMER. I then renamed the file test.exe. The infected system not only allowed me to copy the file to the desktop, it also, after a couple of mis-starts, loaded the programme.

The scan highlighted a system file. I deleted the file and did the same exercise of renaming Malwarebytes. Malwarebytes now opened but couldn't update, so I ran it in its downloaded state.

I chose to run a scan of my C drive; after five minutes or so AVG which already had the latest updates began to flag viruses including TDSS files while in its standby mode. Spy Bot also ran when selected picking up a number of files it didn't like which I deleted.

I rebooted and found that uninstall now worked, so I removed most of the programmes you pointed out. Not only that, I could now get onto the internet and update Malwarebytes.

I am currently running a full Malwarebytes scan and will set AVG to do the same overnight.

I am not likely to get back to cleaning up the system until Monday, when I will get back to following your instructions and posting the reports.

I know I am not yet out of the woods, but I can't believe the improvement in the speed of the system following, albeit not in order, some of your instructions.

THANKS GUYS


No problem, thanks for the follow-up. On Monday please once again start MBAM and do another update and Quick Scan, fix anything found and restart the PC.

Then please run this routine so that we can check to see what else might be left over.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program, OTListIt.exe, to your desktop.

  • Close all applications and windows so that you have nothing open and are at your Desktop.

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the "Scan All Users" checkbox (leave 'Use Whitelist' checked and the 'File Age:' at 30 days).

  • Click the Run Scan button.

  • NOTE: Please be patient and let the scan run without using the computer.

  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop).

  • In Notepad, click Edit, Select all, then Edit, Copy.

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log (or right-click, Paste).

  • Submit your reply and close the Notepad window with OTList.txt.

  • Also, OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window.

  • In Notepad, click Edit, Select all, then Edit, Copy.

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log (or right-click, Paste).

  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.


Since there has been no reply for 5 days, I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-Hijackthis instructions found here before posting: Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org
