Hi guys,

Every time I go to a site, any site, my antivirus program NOD32 alerts me of this trojan fake alert. I delete it every time but it keeps coming back. Some sites won't even load, whether I'm using IE7 or Firefox, still the same. I don't get the message if I don't have any antivirus program running, and surfing the net is no problem then. Can someone please look at the HJT log for me and see how I can rid myself of this trojan. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:22 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\ACER\PSM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ac1840ca-f154-4226-96f1-5a732c9a5766} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Std plugin - {FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21} - sac32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179445501859
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5029/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9707 bytes
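The HijackThis log above is read by eye in the thread. As an added example (not code from the thread, from HijackThis or from afterdawn), the following Python script parses HJT entry lines and flags the three things a helper checks first in a fake-alert case: O2/O3 components whose file is missing, O16 ActiveX controls registered from a local file:// URL, and O4 autostarts given as a bare file name. The sample lines are copied from the log posted above; a flag marks an entry for review, not as malicious.

```python
"""Triage helper for HijackThis (HJT) 2.0 log entries.

Added example; not part of the thread above and not code from HijackThis.
It parses the "R0/R1/Oxx - ..." entry lines and attaches review flags for:
  * O2/O3 browser helper objects or toolbars whose DLL is gone
    ("(no file)" / "(file missing)"), i.e. orphaned or hidden components;
  * O16 ActiveX controls registered from a local file:// URL rather than
    a vendor download site;
  * O4 autostart entries whose target is a bare file name with no path,
    which must be located on disk before they can be judged.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Std plugin - {FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21} - sac32.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str                                   # e.g. "O2", "O4", "O16"
    body: str                                      # everything after "Oxx - "
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per 'Xn - ...' line; headers and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def o4_target(body: str) -> str:
    """Extract the executable from 'HKLM\\..\\Run: [Name] target args'."""
    if "] " not in body:
        return ""                           # e.g. Global Startup .lnk lines
    target = body.split("] ", 1)[1].strip()
    if target.startswith('"'):              # quoted path, possibly followed by switches
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]          # unquoted: first token is the file


def triage(entries: list) -> list:
    """Attach review flags; return only the entries that received one."""
    for e in entries:
        if e.section in ("O2", "O3") and ("(no file)" in e.body or "(file missing)" in e.body):
            e.flags.append("component-file-missing")
        elif e.section == "O16" and "file:///" in e.body.lower():
            e.flags.append("activex-from-local-file")
        elif e.section == "O4":
            t = o4_target(e.body)
            if t and not DRIVE_PATH_RE.match(t):
                e.flags.append("autostart-bare-filename")
    return [e for e in entries if e.flags]


def triage_log(text: str) -> dict:
    """Map each flagged entry body to its flags, for quick review."""
    return {e.body: e.flags for e in triage(parse_hjt(text))}


if __name__ == "__main__":
    for body, flags in triage_log(SAMPLE_LOG).items():
        print(f"{', '.join(flags):26} {body}")
```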
Hi cadtc

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
Hi cdavfrew,

I was unable to download ComboFix because I can't even bring up the site page. I asked a friend to download it for me on his computer. He was able to get to the site with no problems but was unable to rename it before downloading. The only option available was Save As, which downloaded it straight to his desktop. I tried renaming it afterwards but no good. It tells me to use alphanumerical characters.
Hey cadtc

Please then reboot your computer into Safe Mode With Networking by doing the following:

• Restart your computer.
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the option to run Windows in Safe Mode With Networking, then press Enter.
• Choose the administrator's account.

After that, download ComboFix with the instructions I gave you, but do not rename it. Run it.

Best Regards
Hi cdavfrew,

Thanks for that. I downloaded ComboFix OK. Here's the log. Thank you.

ComboFix 08-11-07.01 - Pat 2008-11-09 17:45:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.148 [GMT -8:00]
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pat\Application Data\inst.exe
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\101.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\102.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\103.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\104.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\105.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\106.gif
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system\oeminfo.ini
c:\windows\system32\ADVAPI32.dll 5.1.2600.5512 (xpsp.080413-2113) Advanced Windows 32 Base API
c:\windows\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
c:\windows\system32\av.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cs.dat
c:\windows\system32\csm.txt
c:\windows\system32\drivers\TDSSpxfe.sys
c:\windows\system32\GDI32.dll 5.1.2600.5512 (xpsp.080413-2105) GDI Client DLL
c:\windows\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
c:\windows\system32\kernel32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows NT BASE API Client DLL
c:\windows\system32\LPK.DLL 5.1.2600.5512 (xpsp.080413-2105) Language Pack
c:\windows\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
c:\windows\system32\ntdll.dll 5.1.2600.5512 (xpsp.080413-2111) NT Layer DLL
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\RPCRT4.dll 5.1.2600.5512 (xpsp.080413-2108) Remote Procedure Call Runtime
c:\windows\system32\Secur32.dll 5.1.2600.5512 (xpsp.080413-2113) Security Support Provider Interface
c:\windows\system32\TDSSehys.dll
c:\windows\system32\TDSSixgp.dll
c:\windows\system32\TDSSkrxx.dll
c:\windows\system32\TDSSlpas.log
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSwkod.log
c:\windows\system32\TDSSyaqu.dll
c:\windows\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
c:\windows\system32\USP10.dll 1.0420.2600.5512 (xpsp.080413-2105) Uniscribe Unicode script processor
c:\windows\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
c:\windows\system32\windows_update.exe
J:\Autorun.inf
K:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-09 17:29 . 2005-03-11 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-09 17:29 . 2008-11-09 17:29 <DIR> d-------- c:\documents and settings\Administrator
2008-11-08 23:15 . 2008-11-08 23:15 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-11-08 23:15 . 2008-11-08 23:15 298,104 --a------ c:\windows\system32\imon.dll
2008-11-08 23:15 . 2008-11-08 23:15 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-11-07 15:46 . 2008-11-08 22:56 56,832 --a------ c:\windows\system32\sac32.dll
2008-11-05 13:46 . 2008-11-05 13:46 0 --a------ c:\windows\nsreg.dat
2008-10-30 20:34 . 2008-10-30 20:34 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-30 16:55 . 2008-10-30 16:58 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-30 16:55 . 2008-10-30 16:58 1,409 --a------ c:\windows\QTFont.for
2008-10-30 14:24 . 2008-08-14 03:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 14:24 . 2008-08-14 03:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:24 . 2008-09-15 05:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-30 14:24 . 2008-09-08 03:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-30 14:22 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\scripting
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\en
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\bits
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\l2schemas
2008-10-30 14:07 . 2008-10-30 14:07 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-14 17:07 . 2008-04-13 17:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-10-14 17:06 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2008-10-10 16:04 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-10-10 16:03 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 14:42 --------- d-----w c:\program files\DivoCodec
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-29 04:08 --------- d-----w c:\program files\Trend Micro
2008-09-27 19:06 --------- d-----w c:\documents and settings\Nick\Application Data\LG Electronics
2008-09-27 18:57 --------- d-----w c:\program files\Jigsaw Puzzle Platinum
2008-09-27 06:41 --------- d-----w c:\program files\Elf Bowling - Hawaiian Vacation
2008-09-27 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-09-27 03:28 --------- d-----w c:\program files\minigolfgold_at
2008-09-20 23:36 --------- d-----w c:\program files\Western Digital
2008-09-20 18:36 --------- d-----w c:\program files\Picasa2
2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:13 --------- d-----w c:\program files\Hasbro Interactive
2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 09:38 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 09:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 06:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 06:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 11:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 11:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 10:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-29 02:06 47,360 ----a-w c:\documents and settings\Pat\Application Data\pcouffin.sys
2007-07-10 17:54 23 --sha-w c:\windows\system32\bafadbfb_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-06-08 2128832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"eRecoveryService"="c:\windows\System32\Check.exe" [2004-11-24 245760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"MPS"="c:\acer\PSM.EXE" [2004-03-04 372736]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-08 949376]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-04 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-04 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
backup=c:\windows\pss\Photo Express Calendar Checker SE.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--------- 1998-07-03 12:51 25088 c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2004-12-15 76544]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
R2 ScFBPNT2;CanoScan FBP2 Port Driver;c:\windows\system32\drivers\ScFBPNT2.SYS [1999-05-21 15488]
R3 int15.sys;int15.sys;c:\program files\acer\eRecovery\int15.sys [2005-01-13 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wdsync.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af9332f5-c94f-11dc-a1a2-000feade1056}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

BHO-{ac1840ca-f154-4226-96f1-5a732c9a5766} - (no file)
HKCU-Run-eRecoveryService - (no file)
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-RegistryMechanic - (no file)
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.iprimus.com.au/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
c:\windows\Downloaded Program Files\armhelper.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 17:48:45
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 17:49:19
ComboFix-quarantined-files.txt 2008-11-10 01:49:18

Pre-Run: 15,132,295,168 bytes free
Post-Run: 18,899,894,272 bytes free

230 --- E O F --- 2008-11-03 11:03:20
Hey cadtc

You are still quite infected, with malware from a year ago.

Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

Launch Superantispyware Free either by running C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

Configuring SuperAntispyware
• Click on Preferences.
• In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.
• Navigate to the tab Scanning Control.
• Make sure only these boxes are checked:
  Close browsers before scanning
  Scan for tracking cookies
  Terminate memory threats before quarantining
  Scan Alternate Data Streams
  Use Kernel Direct File Access (recommended)
  Use Kernel Direct Registry Access (recommended)
  Use Direct Disk Access (recommended)
• Click on Close.

Updating SuperAntispyware
• At the main window, click on Check for Updates....
• Wait for SuperAntispyware to be fully updated.

Scanning Time
• Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
• Launch SuperAntispyware.
• At the main window, click on Scan your Computer....
• Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
• Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
• Reboot your computer.

Post A Log
• Launch SuperAntispyware.
• Click on Preferences.
• Navigate to the tab Statistics/Logs.
• Choose the latest scan log, and then click on View Log....
• Copy and paste the contents of the log here in your next post.

Best Regards
Hi cdavfrew,

I was able to boot in safe mode and run SuperAntispyware. Here's the log from that scan. Thank you.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/10/2008 at 02:43 PM

Application Version : 4.21.1004

Core Rules Database Version : 3629
Trace Rules Database Version: 1613

Scan type : Complete Scan
Total Scan Time : 00:37:28

Memory items scanned : 181
Memory threats detected : 0
Registry items scanned : 5516
Registry threats detected : 0
File items scanned : 83960
File threats detected : 42

Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@mediaplex[2].txt
C:\Documents and Settings\Pat\Cookies\pat@adbrite[2].txt
C:\Documents and Settings\Pat\Cookies\pat@ads.adbrite[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[3].txt
C:\Documents and Settings\Pat\Cookies\pat@myroitracking[1].txt
C:\Documents and Settings\Pat\Cookies\pat@serv.clicksor[1].txt
C:\Documents and Settings\Pat\Cookies\pat@bs.serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@ad.yieldmanager[2].txt
C:\Documents and Settings\Pat\Cookies\pat@atdmt[2].txt
C:\Documents and Settings\Pat\Cookies\pat@questionmarket[2].txt
C:\Documents and Settings\Pat\Cookies\pat@ehg-starcomworldwide.hitbox[1].txt
C:\Documents and Settings\Pat\Cookies\pat@serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[1].txt
C:\Documents and Settings\Pat\Cookies\pat@apmebf[1].txt
C:\Documents and Settings\Pat\Cookies\pat@hitbox[2].txt
C:\Documents and Settings\Pat\Cookies\pat@adopt.euroclick[2].txt
C:\Documents and Settings\Nick\Cookies\nick@overture[1].txt
C:\Documents and Settings\Nick\Cookies\nick@msnportal.112.2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@imrworldwide[2].txt
C:\Documents and Settings\Nick\Cookies\nick@apmebf[1].txt
C:\Documents and Settings\Nick\Cookies\nick@atdmt[2].txt
C:\Documents and Settings\Nick\Cookies\nick@mediaplex[2].txt
C:\Documents and Settings\Nick\Cookies\nick@paypal.112.2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@stats.paypal[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.bridgetrack[1].txt
C:\Documents and Settings\Nick\Cookies\nick@3mobile.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@msnportal.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@imrworldwide[2].txt
C:\Documents and Settings\Carmen\Cookies\carmen@serving-sys[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@atdmt[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@ingdirect.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@bridge2.admarketplace[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@admarketplace[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@3038.86797.clickshield[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@overture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt

Rootkit.TDSServ/Fake
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDSSPXFE.SYS.VIR

Unclassified.Unknown Origin
D:\DADS STUFF\MP3CDMAKERKEY2\KEYGEN.NFO
Hey cadtc

Please zip the folder C:\Qoobox into a zip file and upload it here: http://www.uploadmalware.com/

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

After that, upload this file C:\windows\system32\bafadbfb_r.dll to http://www.virustotal.com/ and post the results here.

Best Regards
Hi cdavfrew, here are the results you asked for from VirusTotal. Thank you.

File bafadbfb_r.dll received on 11.11.2008 03:49:55 (CET)
Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.11.0 2008.11.10 -
AntiVir 7.9.0.29 2008.11.10 -
Authentium 5.1.0.4 2008.11.10 -
Avast 4.8.1248.0 2008.11.10 -
AVG 8.0.0.161 2008.11.11 -
BitDefender 7.2 2008.11.11 -
CAT-QuickHeal 9.50 2008.11.10 -
ClamAV 0.94.1 2008.11.11 -
DrWeb 4.44.0.09170 2008.11.10 -
eSafe 7.0.17.0 2008.11.10 -
eTrust-Vet 31.6.6203 2008.11.11 -
Ewido 4.0 2008.11.10 -
F-Prot 4.4.4.56 2008.11.10 -
F-Secure 8.0.14332.0 2008.11.11 -
Fortinet 3.117.0.0 2008.11.11 -
GData 19 2008.11.11 -
Ikarus T3.1.1.45.0 2008.11.11 -
K7AntiVirus 7.10.521 2008.11.10 -
Kaspersky 7.0.0.125 2008.11.11 -
McAfee 5430 2008.11.10 -
Microsoft 1.4104 2008.11.11 -
NOD32 3601 2008.11.11 -
Norman 5.80.02 2008.11.10 -
Panda 9.0.0.4 2008.11.10 -
PCTools 4.4.2.0 2008.11.10 -
Prevx1 V2 2008.11.11 -
Rising 21.03.02.00 2008.11.10 -
SecureWeb-Gateway 6.7.6 2008.11.10 -
Sophos 4.35.0 2008.11.11 -
Sunbelt 3.1.1785.2 2008.11.11 -
Symantec 10 2008.11.11 -
TheHacker 6.3.1.1.147 2008.11.10 -
TrendMicro 8.700.0.1004 2008.11.10 -
VBA32 3.12.8.9 2008.11.10 -
ViRobot 2008.11.10.1459 2008.11.10 -
VirusBuster 4.5.11.0 2008.11.10 -

Additional information
File size: 23 bytes
MD5...: 6bd616e55d90268a994d9577f22e474b
SHA1..: e4ba94170af856258a8d47e4b42a735fccd29e81
SHA256: fe30ecd1c52ec4a0c2178af2e7fad74e09621e2c827b193ba17a5344c2fae94b
SHA512: f33874e629e41c9330dd9aafcb49e279d9da19d0c8ca6b1f857623e7c67873c016732071a9b908ca859670a43ed1f8932b39760a20a0a198972f3283d1f2fec7
PEiD..: -
TrID..: File type identification Unknown!
PEInfo: -
Hey cadtc

Please upload that file to http://www.uploadmalware.com/ as well.

You look clean now! Enjoy!

Best Regards
Hi cdavfrew, I posted that file also. Thanks heaps for your help. I will be spreading the word to my friends about afterdawn.com. If I could ask you one more thing: people tell me to use Firefox instead of IE7. In your expert opinion, which is better, or is it just a case of user preference? Again, thank you very much for your help.
In my humble opinion, it is just a case of user preference. Contrary to popular belief, IE is not the crumbling wall of defense. It is actually quite secure, and IE7 was definitely more secure than Firefox 2. Firefox 3 should not be compared with IE7, but rather with IE8, which should be coming out soon. Yes, I know that IE can be exploited many different ways to allow malware, but with the right defenses, IE has the potential to become a great graphic and secure browser.

If you have an antivirus, antispyware, and firewall, then you probably should get these programs as well:

SpywareBlaster
Spybot
Advanced Windowscare Personal

All of these have immunization functions which serve to secure Internet Explorer, and as to their effectiveness, I've been using IE forever and never got infected. Of course, safe surfing is a critical part. Do not visit shady sites, etc.

Glad I could help you! It was my pleasure.

Best Regards
Hi cdavfrew, thanks for your view on IE7 and Firefox. I decided to download the software you recommended to use with my antivirus software. As I was installing them, my antivirus program detected that I was infected with a trojan, and not a different one but exactly the same one, and also this trojan, Win32/Agent.ODG. I couldn't believe it. I don't know if it was the right thing to do, but I decided to go through the whole process again to get rid of it. I have posted the HijackThis log, the ComboFix log (in safe mode as before) and the SUPERAntiSpyware log for you to analyse. I just thought it would save time, since I assumed it was the exact same trojan. Thank you cdavfrew for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:51 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\ACER\PSM.EXE
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [eRecoveryService] (User 'Nick')
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Nick')
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Nick')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179445501859
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5029/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8351 bytes

----------------------------------------

ComboFix 08-11-07.01 - Administrator 2008-11-12 19:14:10.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.305 [GMT -8:00]
Running from: d:\combofix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 18:15 . 2008-11-12 18:15 <DIR> d-------- c:\windows\LastGood
2008-11-12 14:03 . 2008-11-12 14:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-12 14:03 . 2008-11-12 14:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 13:51 . 2008-11-12 13:51 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-11 19:30 . 2008-11-11 19:30 185 --a------ c:\windows\system32\bafadbfb_r.zip
2008-11-11 10:45 . 2008-11-11 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 10:06 . 2008-11-11 10:53 530,678 --a------ C:\Qoobox.zip
2008-11-10 13:54 . 2008-11-10 13:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-09 17:29 . 2005-03-11 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-09 17:29 . 2008-11-09 17:29 <DIR> d-------- c:\documents and settings\Administrator
2008-11-08 23:15 . 2008-11-08 23:15 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-11-08 23:15 . 2008-11-08 23:15 298,104 --a------ c:\windows\system32\imon.dll
2008-11-08 23:15 . 2008-11-08 23:15 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-11-05 13:46 . 2008-11-05 13:46 0 --a------ c:\windows\nsreg.dat
2008-10-30 20:34 . 2008-10-30 20:34 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-30 16:55 . 2008-10-30 16:58 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-30 16:55 . 2008-10-30 16:58 1,409 --a------ c:\windows\QTFont.for
2008-10-30 14:24 . 2008-08-14 03:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 14:24 . 2008-08-14 03:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:24 . 2008-09-15 05:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-30 14:24 . 2008-09-08 03:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-30 14:22 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\scripting
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\en
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\bits
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\l2schemas
2008-10-30 14:07 . 2008-10-30 14:07 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-14 17:07 . 2008-04-13 17:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-10-14 17:06 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 14:42 --------- d-----w c:\program files\DivoCodec
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-29 04:08 --------- d-----w c:\program files\Trend Micro
2008-09-27 19:06 --------- d-----w c:\documents and settings\Nick\Application Data\LG Electronics
2008-09-27 18:57 --------- d-----w c:\program files\Jigsaw Puzzle Platinum
2008-09-27 06:41 --------- d-----w c:\program files\Elf Bowling - Hawaiian Vacation
2008-09-27 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-09-27 03:28 --------- d-----w c:\program files\minigolfgold_at
2008-09-20 23:36 --------- d-----w c:\program files\Western Digital
2008-09-20 18:36 --------- d-----w c:\program files\Picasa2
2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:13 --------- d-----w c:\program files\Hasbro Interactive
2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 09:38 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 09:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 06:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 06:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 11:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 11:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 10:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-29 02:06 47,360 ----a-w c:\documents and settings\Pat\Application Data\pcouffin.sys
2007-07-10 17:54 23 --sha-w c:\windows\system32\bafadbfb_r.dll

.
((((((((((((((((((((((((((((( snapshot@2008-11-09_17.48.59.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-11 18:46:08 632,320 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F66110.exe
+ 2008-11-11 18:46:08 29,184 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F6617.exe
+ 2008-11-10 21:55:12 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-11-10 21:55:14 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"eRecoveryService"="c:\windows\System32\Check.exe" [2004-11-24 245760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"MPS"="c:\acer\PSM.EXE" [2004-03-04 372736]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-08 949376]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-04 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-04 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
backup=c:\windows\pss\Photo Express Calendar Checker SE.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--------- 1998-07-03 12:51 25088 c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2004-12-15 76544]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S2 ScFBPNT2;CanoScan FBP2 Port Driver;c:\windows\system32\drivers\ScFBPNT2.SYS [1999-05-21 15488]
S3 int15.sys;int15.sys;c:\program files\acer\eRecovery\int15.sys [2005-01-13 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wdsync.exe

*Newly Created Service* - DCFS2K
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-NeroHomeFirstStart - c:\program files\Common Files\Nero\Lib\NMFirstStart.exe

.
------- Supplementary Scan -------
.
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
c:\windows\Downloaded Program Files\armhelper.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 19:15:44
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\tsd32.dll
.
Completion time: 2008-11-12 19:16:10
ComboFix-quarantined-files.txt 2008-11-13 03:16:10
ComboFix2.txt 2008-11-10 01:49:22

Pre-Run: 18,949,734,400 bytes free
Post-Run: 19,081,691,136 bytes free

178 --- E O F --- 2008-11-03 11:03:20

----------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/13/2008 at 11:31 AM

Application Version : 4.21.1004

Core Rules Database Version : 3629
Trace Rules Database Version: 1613

Scan type : Complete Scan
Total Scan Time : 00:38:12

Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 5536
Registry threats detected : 0
File items scanned : 85507
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@mediaplex[2].txt
C:\Documents and Settings\Pat\Cookies\pat@overture[1].txt
C:\Documents and Settings\Pat\Cookies\pat@te.kontera[2].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[3].txt
C:\Documents and Settings\Pat\Cookies\pat@bs.serving-sys[2].txt
C:\Documents and Settings\Pat\Cookies\pat@atdmt[2].txt
C:\Documents and Settings\Pat\Cookies\pat@serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@kontera[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[2].txt
C:\Documents and Settings\Pat\Cookies\pat@apmebf[1].txt
C:\Documents and Settings\Pat\Cookies\pat@adopt.euroclick[2].txt
C:\Documents and Settings\Nick\Cookies\nick@serving-sys[2].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[2].txt
C:\Documents and Settings\Nick\Cookies\nick@msnportal.112.2o7[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.bridgetrack[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ad.yieldmanager[1].txt
C:\Documents and Settings\Nick\Cookies\nick@adopt.euroclick[1].txt
C:\Documents and Settings\Nick\Cookies\nick@bs.serving-sys[2].txt

Rootkit.TDSServ/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7444174A-1CD8-47F9-AAFE-AC9AC025B3AB}\RP1\A0000018.SYS

Unclassified.Unknown Origin
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7444174A-1CD8-47F9-AAFE-AC9AC025B3AB}\RP3\A0000100.NFO
Hey cadtc

I have a suspicion you aren't actually infected, but it's something else. Where does Nod32 detect this trojan?

Delete C:\Qoobox, and turn off your system restore, then turn it back on.

Best Regards
Hi cdavfrew, Nod32 detected it at:

C:\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSnpur.dll.vir - Win32/Agent.ODG trojan
C:\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSoitu.dll.vir - Win32/Agent.ODG trojan

I did what you said and then ran Nod32, and it came up all clear. Silly me, it should have clicked when it showed up in quarantine. Thanks heaps cdavfrew for all your help. Much appreciated.
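The point cdavfrew is making above, and the one the thread's logs illustrate three times over, is that a detection whose path sits inside a removal tool's quarantine (C:\Qoobox, a .vir member of a zip of it) or inside a System Restore point (System Volume Information\_RESTORE{...}) is an inert copy of something already removed, not a live infection. The helper below makes that triage explicit. It is an added example by the editor, not code from this thread or from any of the tools named in it; the function names are the example's own, the sample records are copied from the NOD32 and SUPERAntiSpyware lines quoted in the thread, and the final "live" record is a constructed, hypothetical path included only for contrast.

```python
"""Triage AV detection paths: live file vs. quarantine / restore-point copy."""
from collections import Counter

# Sample (path, detection name) records. The first six are copied from the
# NOD32 and SUPERAntiSpyware lines quoted in this thread; the last one is a
# constructed, hypothetical live hit added for contrast.
SAMPLE_DETECTIONS = [
    ("C:\\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSnpur.dll.vir",
     "Win32/Agent.ODG trojan"),
    ("C:\\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSoitu.dll.vir",
     "Win32/Agent.ODG trojan"),
    ("C:\\QOOBOX\\QUARANTINE\\C\\WINDOWS\\SYSTEM32\\DRIVERS\\TDSSPXFE.SYS.VIR",
     "Rootkit.TDSServ/Fake"),
    ("C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{7444174A-1CD8-47F9-AAFE-AC9AC025B3AB}\\RP1\\A0000018.SYS",
     "Rootkit.TDSServ/Fake"),
    ("D:\\DADS STUFF\\MP3CDMAKERKEY2\\KEYGEN.NFO", "Unclassified.Unknown Origin"),
    ("C:\\Documents and Settings\\Pat\\Cookies\\pat@atdmt[2].txt", "Adware.Tracking Cookie"),
    ("C:\\WINDOWS\\system32\\drivers\\example_live.sys", "Rootkit.TDSServ"),  # hypothetical
]


def innermost_member(path: str) -> str:
    """NOD32 writes hits inside archives as 'outer.zip »ZIP »inner/member'.
    Return the innermost member; a plain path is returned unchanged."""
    return path.split("»")[-1].strip()


def classify(path: str) -> str:
    """Classify one detection path.

    Returns one of:
      'quarantine'    - a copy held by ComboFix (Qoobox\\Quarantine, *.vir)
      'restore_point' - a System Restore copy (System Volume Information\\_RESTORE{...})
      'cookie'        - a browser tracking cookie text file
      'live'          - anything else: a file that could actually execute
    """
    norm = innermost_member(path).replace("/", "\\").lower()
    if "qoobox\\quarantine\\" in norm or norm.endswith(".vir"):
        return "quarantine"
    if "\\system volume information\\_restore{" in norm:
        return "restore_point"
    if "\\cookies\\" in norm and norm.endswith(".txt"):
        return "cookie"
    return "live"


def triage(detections):
    """Bucket (path, name) records; return (counts, live_hits).

    counts is a Counter keyed by classify() category. live_hits lists the
    records that deserve a second look because they are not inert copies."""
    counts = Counter()
    live_hits = []
    for path, name in detections:
        category = classify(path)
        counts[category] += 1
        if category == "live":
            live_hits.append((path, name))
    return counts, live_hits


def advice(counts) -> str:
    """One-line recommendation mirroring the thread's outcome: inert copies
    go away by deleting C:\\Qoobox and cycling System Restore; only live
    hits justify another removal pass."""
    if counts["live"]:
        return "live detections present: investigate before cleaning up quarantine"
    steps = []
    if counts["quarantine"]:
        steps.append("delete C:\\Qoobox (and any zip of it)")
    if counts["restore_point"]:
        steps.append("turn System Restore off, then back on, to purge old restore points")
    if counts["cookie"]:
        steps.append("clear tracking cookies")
    if not steps:
        return "nothing to do"
    return "no live detections; " + "; ".join(steps)


if __name__ == "__main__":
    counts, live = triage(SAMPLE_DETECTIONS)
    print(dict(counts))
    for path, name in live:
        print("LIVE:", name, "->", path)
    print(advice(counts))
```

Run it as-is and the hypothetical driver path plus the KEYGEN.NFO on D: are the only records reported as live; drop the last sample record and the keygen NFO still surfaces, which is the right answer, because a file outside quarantine that a scanner flags is the one thing in these logs that a second scanner run cannot explain away.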