trojan Win32/TrojanDownloader.FakeAlert.PL.Gen.

cadtc
Newbie
7. November 2008 @ 22:03
Hi guys
Every time I go to a site, any site, my antivirus program NOD32 alerts me of this trojan fake alert. I delete it every time but it keeps coming back. Some sites won't even load, whether I'm using IE7 or Firefox, still the same. I don't get the message if I don't have any antivirus program running, and surfing the net is no problem then. Can someone please look at the HJT log for me and see how I can rid myself of this trojan? Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:22 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\ACER\PSM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ac1840ca-f154-4226-96f1-5a732c9a5766} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Std plugin - {FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21} - sac32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1179445501859
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...029/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 9707 bytes
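A HijackThis log like the one above is normally triaged by eye. As an added example (not code from the thread, from HijackThis or from any poster), the Python script below parses a few constructed lines in the same v2 format, modelled on the log, and flags the items a reviewer checks first: O2/O3 entries whose DLL is "(no file)" or "(file missing)" (in the log above, the two unnamed BHOs and the "Std plugin" pointing at sac32.dll), O4 Run entries that name a bare executable with no path, and O16 DPF ActiveX controls together with the host they came from. The regexes and the flagging rules are my own assumptions about the format, not HijackThis's rules.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 format, modelled on a few lines of the log
# posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Std plugin - {FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21} - sac32.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
"""

# Line shapes as they appear in the log above (assumed, not an official grammar).
RE_BHO = re.compile(r'^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$')
RE_RUN = re.compile(r'^(?P<sec>O4) - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RE_DPF = re.compile(r'^(?P<sec>O16) - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
MISSING_MARKERS = ('(no file)', '(file missing)')


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path if quoted,
    otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ''


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_BHO.match(line):
            if any(mark in m['target'] for mark in MISSING_MARKERS):
                # The registration survives but its DLL does not: either an orphan
                # left by a removal, or a file hidden from the scanner.
                findings.append(Finding(m['sec'], m['name'],
                                        'registered component whose file is absent (orphaned or hidden); remove the registration'))
            elif m['name'] == '(no name)':
                findings.append(Finding(m['sec'], m['name'],
                                        f'unnamed component {m["clsid"]}; identify it before keeping it'))
        elif m := RE_RUN.match(line):
            exe = _first_token(m['cmd'])
            if '\\' not in exe:
                # A bare name is resolved through the search path, so which file
                # actually runs depends on the directory order.
                findings.append(Finding(m['sec'], m['name'],
                                        f'bare executable name {exe!r}: confirm which file on the search path runs'))
        elif m := RE_DPF.match(line):
            url = m['url']
            if url.lower().startswith('file:'):
                findings.append(Finding(m['sec'], m['name'], 'ActiveX control installed from a local path'))
            else:
                findings.append(Finding(m['sec'], m['name'],
                                        f'ActiveX control downloaded from {urlparse(url).netloc}; confirm the publisher'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:4} {f.name:30} {f.reason}')
```

Entries that parse cleanly and point at an existing, fully qualified file produce no finding; the script narrows the list, it does not decide what is malicious.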

Senior Member
8. November 2008 @ 03:55
Hi cadtc
Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.
• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComboFix window, as it may cause it to stall.
Best Regards :D
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.


ddp
Moderator
8. November 2008 @ 14:12
Moved to correct forum as not a Windows issue.

cadtc
Newbie
8. November 2008 @ 20:19
Hi cdavfrew,
I was unable to download ComboFix because I can't even bring up the site page. I asked a friend to download it for me on his computer. He was able to get to the site, no problems, but was unable to rename it before downloading. The only option available was Save As, which downloaded it straight to his desktop. I tried renaming it after but no good. It tells me to use alphanumerical characters.

Senior Member
9. November 2008 @ 02:17
Hey cadtc
Please then reboot your computer into Safe Mode With Networking by doing the following:
• Restart your computer.
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the option to run Windows in Safe Mode With Networking, then press Enter.
• Choose the administrator's account.
After that, download ComboFix with the instructions I gave you, but do not rename it. Run it.
Best Regards :D

cadtc
Newbie
9. November 2008 @ 04:29
Hi cdavfrew,
Thanks for that. I downloaded ComboFix OK. Here's the log.
Thank You.
ComboFix 08-11-07.01 - Pat 2008-11-09 17:45:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.148 [GMT -8:00]
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Pat\Application Data\inst.exe
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\101.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\102.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\103.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\104.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\105.gif
c:\documents and settings\Pat\Local Settings\Temporary Internet Files\106.gif
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system\oeminfo.ini
c:\windows\system32\ADVAPI32.dll 5.1.2600.5512 (xpsp.080413-2113) Advanced Windows 32 Base API
c:\windows\system32\Apphelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
c:\windows\system32\av.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cs.dat
c:\windows\system32\csm.txt
c:\windows\system32\drivers\TDSSpxfe.sys
c:\windows\system32\GDI32.dll 5.1.2600.5512 (xpsp.080413-2105) GDI Client DLL
c:\windows\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
c:\windows\system32\kernel32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows NT BASE API Client DLL
c:\windows\system32\LPK.DLL 5.1.2600.5512 (xpsp.080413-2105) Language Pack
c:\windows\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
c:\windows\system32\ntdll.dll 5.1.2600.5512 (xpsp.080413-2111) NT Layer DLL
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\RPCRT4.dll 5.1.2600.5512 (xpsp.080413-2108) Remote Procedure Call Runtime
c:\windows\system32\Secur32.dll 5.1.2600.5512 (xpsp.080413-2113) Security Support Provider Interface
c:\windows\system32\TDSSehys.dll
c:\windows\system32\TDSSixgp.dll
c:\windows\system32\TDSSkrxx.dll
c:\windows\system32\TDSSlpas.log
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSwkod.log
c:\windows\system32\TDSSyaqu.dll
c:\windows\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
c:\windows\system32\USP10.dll 1.0420.2600.5512 (xpsp.080413-2105) Uniscribe Unicode script processor
c:\windows\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
c:\windows\system32\windows_update.exe
J:\Autorun.inf
K:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 17:29 . 2005-03-11 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-09 17:29 . 2008-11-09 17:29 <DIR> d-------- c:\documents and settings\Administrator
2008-11-08 23:15 . 2008-11-08 23:15 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-11-08 23:15 . 2008-11-08 23:15 298,104 --a------ c:\windows\system32\imon.dll
2008-11-08 23:15 . 2008-11-08 23:15 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-11-07 15:46 . 2008-11-08 22:56 56,832 --a------ c:\windows\system32\sac32.dll
2008-11-05 13:46 . 2008-11-05 13:46 0 --a------ c:\windows\nsreg.dat
2008-10-30 20:34 . 2008-10-30 20:34 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-30 16:55 . 2008-10-30 16:58 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-30 16:55 . 2008-10-30 16:58 1,409 --a------ c:\windows\QTFont.for
2008-10-30 14:24 . 2008-08-14 03:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 14:24 . 2008-08-14 03:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:24 . 2008-09-15 05:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-30 14:24 . 2008-09-08 03:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-30 14:22 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\scripting
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\en
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\bits
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\l2schemas
2008-10-30 14:07 . 2008-10-30 14:07 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-14 17:07 . 2008-04-13 17:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-10-14 17:06 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2008-10-10 16:04 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-10-10 16:03 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-10-10 16:03 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 14:42 --------- d-----w c:\program files\DivoCodec
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-29 04:08 --------- d-----w c:\program files\Trend Micro
2008-09-27 19:06 --------- d-----w c:\documents and settings\Nick\Application Data\LG Electronics
2008-09-27 18:57 --------- d-----w c:\program files\Jigsaw Puzzle Platinum
2008-09-27 06:41 --------- d-----w c:\program files\Elf Bowling - Hawaiian Vacation
2008-09-27 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-09-27 03:28 --------- d-----w c:\program files\minigolfgold_at
2008-09-20 23:36 --------- d-----w c:\program files\Western Digital
2008-09-20 18:36 --------- d-----w c:\program files\Picasa2
2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:13 --------- d-----w c:\program files\Hasbro Interactive
2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 09:38 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 09:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 06:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 06:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 11:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 11:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 10:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-29 02:06 47,360 ----a-w c:\documents and settings\Pat\Application Data\pcouffin.sys
2007-07-10 17:54 23 --sha-w c:\windows\system32\bafadbfb_r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-06-08 2128832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"eRecoveryService"="c:\windows\System32\Check.exe" [2004-11-24 245760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"MPS"="c:\acer\PSM.EXE" [2004-03-04 372736]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-08 949376]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-04 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-04 c:\windows\ALCWZRD.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
backup=c:\windows\pss\Photo Express Calendar Checker SE.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--------- 1998-07-03 12:51 25088 c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2004-12-15 76544]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
R2 ScFBPNT2;CanoScan FBP2 Port Driver;c:\windows\system32\drivers\ScFBPNT2.SYS [1999-05-21 15488]
R3 int15.sys;int15.sys;c:\program files\acer\eRecovery\int15.sys [2005-01-13 69632]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wdsync.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af9332f5-c94f-11dc-a1a2-000feade1056}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
BHO-{ac1840ca-f154-4226-96f1-5a732c9a5766} - (no file)
HKCU-Run-eRecoveryService - (no file)
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-RegistryMechanic - (no file)
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.iprimus.com.au/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
c:\windows\Downloaded Program Files\armhelper.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 17:48:45
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-09 17:49:19
ComboFix-quarantined-files.txt 2008-11-10 01:49:18
Pre-Run: 15,132,295,168 bytes free
Post-Run: 18,899,894,272 bytes free
230 --- E O F --- 2008-11-03 11:03:20
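The ComboFix report above records what was removed and, under "Reg Loading Points", a few settings that matter for recovery: AntiVirusOverride=1 in Security Center, EnableFirewall=0 for the standard profile, and Autorun.inf files deleted from the J: and K: volumes. As an added example (not ComboFix's code and not any poster's), the Python script below splits a constructed report in the same layout into its banner sections, groups deleted files by shared basename prefix (which surfaces the TDSS* set), lists Autorun.inf deletions on non-system drives, and reports the weakened protections. The section and value parsing are assumptions about the layout as it appears above; the prefix grouping is a heuristic, not a detection signature.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in ComboFix's report layout, modelled on a subset of the
# lines in the log posted above (not the full log).
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Pat\Application Data\inst.exe
c:\windows\system32\av.dat
c:\windows\system32\drivers\TDSSpxfe.sys
c:\windows\system32\kernel32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows NT BASE API Client DLL
c:\windows\system32\TDSSehys.dll
c:\windows\system32\TDSSixgp.dll
c:\windows\system32\TDSSlpas.log
c:\windows\system32\windows_update.exe
J:\Autorun.inf
K:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wdsync.exe
"""

# Assumed line shapes, taken from how the report above is laid out.
SECTION_RE = re.compile(r'^\(+\s*(?P<name>[^()]+?)\s*\)+$')
DELETION_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4})(?:\s+(?P<ver>\d+(?:\.\d+){3})\s+(?P<desc>.*))?$')
AUTORUN_RE = re.compile(r'^[A-Za-z]:\\autorun\.inf$', re.IGNORECASE)
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')
AUTORUN_CMD_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group report lines under the '((( name )))' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line or line == '.':          # ComboFix uses a lone '.' as a spacer
            continue
        if m := SECTION_RE.match(line):
            current = m['name']
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deleted_paths(sections: Dict[str, List[str]]) -> List[str]:
    """Paths from 'Other Deletions', dropping the version/description suffix
    ComboFix prints after system binaries."""
    return [m['path'] for line in sections.get('Other Deletions', [])
            if (m := DELETION_RE.match(line))]


def file_families(paths: List[str], prefix_len: int = 4, min_count: int = 3) -> Dict[str, int]:
    """Heuristic: several deleted files sharing a basename prefix usually belong
    to one component. Returns {prefix: count} for prefixes seen min_count+ times."""
    names = [p.rsplit('\\', 1)[-1] for p in paths]
    counts = Counter(n[:prefix_len] for n in names if len(n) > prefix_len)
    return {pfx: c for pfx, c in counts.items() if c >= min_count}


def removable_autoruns(paths: List[str]) -> List[str]:
    """Autorun.inf files removed from drives other than C:, i.e. the spreading
    vector on USB sticks and external disks."""
    return [p for p in paths if AUTORUN_RE.match(p) and not p.upper().startswith('C:')]


def _as_int(val: str) -> Optional[int]:
    """Accept both value spellings seen above: 'dword:00000001' and '0 (0x0)'."""
    token = val.strip().split()[0]
    if token.lower().startswith('dword:'):
        return int(token[6:], 16)
    try:
        return int(token, 0)
    except ValueError:
        return None


def weakened_protections(reg_lines: List[str]) -> List[str]:
    """Scan 'Reg Loading Points' for settings that leave the host less defended."""
    findings: List[str] = []
    key = ''
    for line in reg_lines:
        if m := KEY_RE.match(line):
            key = m['key'].lower()
            continue
        if m := AUTORUN_CMD_RE.match(line):
            if 'mountpoints2' in key:
                findings.append(f'AutoRun handler registered for a mounted volume: {m["cmd"]}')
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, val = m['name'], m['val']
        if name == 'AntiVirusOverride' and 'security center' in key and _as_int(val) == 1:
            findings.append('Security Center antivirus monitoring overridden (AntiVirusOverride=1)')
        elif name == 'EnableFirewall' and 'firewallpolicy' in key and _as_int(val) == 0:
            findings.append('Windows Firewall disabled for the standard profile (EnableFirewall=0)')
    return findings


if __name__ == '__main__':
    secs = split_sections(SAMPLE_REPORT)
    paths = deleted_paths(secs)
    print('file families:', file_families(paths))
    print('removable-drive autoruns:', removable_autoruns(paths))
    for f in weakened_protections(secs.get('Reg Loading Points', [])):
        print('weakened:', f)
```

The AutoRun handler finding is a review item, not a verdict: the J:\wdsync.exe entry in the log above is the kind of thing a vendor's sync tool registers, but it is also exactly where a removable-media worm would sit, so it is worth confirming alongside the two deleted Autorun.inf files.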

Senior Member
9. November 2008 @ 22:12
Hey cadtc
You are still quite infected, with malware from a year ago.
Please download Superantispyware Free and install it. Follow the prompts and reboot if required.
Launch Superantispyware Free either by running C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...
Configuring SuperAntispyware
• Click on Preferences.
• In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.
• Navigate to the tab Scanning Control.
• Make sure only these boxes are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining
Scan Alternate Data Streams
Use Kernel Direct File Access (recommended)
Use Kernel Direct Registry Access (recommended)
Use Direct Disk Access (recommended)
• Click on Close.
Updating SuperAntispyware
• At the main window, click on Check for Updates....
• Wait for SuperAntispyware to be fully updated.
Scanning Time
• Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
• Launch SuperAntispyware.
• At the main window, click on Scan your Computer....
• Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
• Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
• Reboot your computer.
Post A Log
• Launch SuperAntispyware.
• Click on Preferences.
• Navigate to the tab Statistics/Logs.
• Choose the latest scan log, and then click on View Log....
• Copy and paste the contents of the log here in your next post.
Best Regards :D

cadtc
Newbie
10. November 2008 @ 01:22
Hi cdavfrew,
I was able to boot in safe mode and run SuperAntiSpyware.
Here's the log from that scan.
Thank You.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/10/2008 at 02:43 PM
Application Version : 4.21.1004
Core Rules Database Version : 3629
Trace Rules Database Version: 1613
Scan type : Complete Scan
Total Scan Time : 00:37:28
Memory items scanned : 181
Memory threats detected : 0
Registry items scanned : 5516
Registry threats detected : 0
File items scanned : 83960
File threats detected : 42
Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@mediaplex[2].txt
C:\Documents and Settings\Pat\Cookies\pat@adbrite[2].txt
C:\Documents and Settings\Pat\Cookies\pat@ads.adbrite[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[3].txt
C:\Documents and Settings\Pat\Cookies\pat@myroitracking[1].txt
C:\Documents and Settings\Pat\Cookies\pat@serv.clicksor[1].txt
C:\Documents and Settings\Pat\Cookies\pat@bs.serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@ad.yieldmanager[2].txt
C:\Documents and Settings\Pat\Cookies\pat@atdmt[2].txt
C:\Documents and Settings\Pat\Cookies\pat@questionmarket[2].txt
C:\Documents and Settings\Pat\Cookies\pat@ehg-starcomworldwide.hitbox[1].txt
C:\Documents and Settings\Pat\Cookies\pat@serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[1].txt
C:\Documents and Settings\Pat\Cookies\pat@apmebf[1].txt
C:\Documents and Settings\Pat\Cookies\pat@hitbox[2].txt
C:\Documents and Settings\Pat\Cookies\pat@adopt.euroclick[2].txt
C:\Documents and Settings\Nick\Cookies\nick@overture[1].txt
C:\Documents and Settings\Nick\Cookies\nick@msnportal.112.2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@imrworldwide[2].txt
C:\Documents and Settings\Nick\Cookies\nick@apmebf[1].txt
C:\Documents and Settings\Nick\Cookies\nick@atdmt[2].txt
C:\Documents and Settings\Nick\Cookies\nick@mediaplex[2].txt
C:\Documents and Settings\Nick\Cookies\nick@paypal.112.2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@stats.paypal[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.bridgetrack[1].txt
C:\Documents and Settings\Nick\Cookies\nick@3mobile.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@msnportal.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@imrworldwide[2].txt
C:\Documents and Settings\Carmen\Cookies\carmen@serving-sys[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@atdmt[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@ingdirect.112.2o7[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@bridge2.admarketplace[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@admarketplace[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@3038.86797.clickshield[1].txt
C:\Documents and Settings\Carmen\Cookies\carmen@overture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
Rootkit.TDSServ/Fake
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDSSPXFE.SYS.VIR
Unclassified.Unknown Origin
D:\DADS STUFF\MP3CDMAKERKEY2\KEYGEN.NFO
Senior Member
10. November 2008 @ 05:44
Hey cadtc
Please zip the folder C:\Qoobox into a zip file and upload it here:
http://www.uploadmalware.com/
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading, select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
After that, upload this file C:\windows\system32\bafadbfb_r.dll to http://www.virustotal.com/ and post the results here.
Best Regards :D
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.
cadtc
Newbie
10. November 2008 @ 22:04
Hi cdavfrew,
Here are the results you asked for from VirusTotal. Thank you.
File bafadbfb_r.dll received on 11.11.2008 03:49:55 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/36 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.11.0 2008.11.10 -
AntiVir 7.9.0.29 2008.11.10 -
Authentium 5.1.0.4 2008.11.10 -
Avast 4.8.1248.0 2008.11.10 -
AVG 8.0.0.161 2008.11.11 -
BitDefender 7.2 2008.11.11 -
CAT-QuickHeal 9.50 2008.11.10 -
ClamAV 0.94.1 2008.11.11 -
DrWeb 4.44.0.09170 2008.11.10 -
eSafe 7.0.17.0 2008.11.10 -
eTrust-Vet 31.6.6203 2008.11.11 -
Ewido 4.0 2008.11.10 -
F-Prot 4.4.4.56 2008.11.10 -
F-Secure 8.0.14332.0 2008.11.11 -
Fortinet 3.117.0.0 2008.11.11 -
GData 19 2008.11.11 -
Ikarus T3.1.1.45.0 2008.11.11 -
K7AntiVirus 7.10.521 2008.11.10 -
Kaspersky 7.0.0.125 2008.11.11 -
McAfee 5430 2008.11.10 -
Microsoft 1.4104 2008.11.11 -
NOD32 3601 2008.11.11 -
Norman 5.80.02 2008.11.10 -
Panda 9.0.0.4 2008.11.10 -
PCTools 4.4.2.0 2008.11.10 -
Prevx1 V2 2008.11.11 -
Rising 21.03.02.00 2008.11.10 -
SecureWeb-Gateway 6.7.6 2008.11.10 -
Sophos 4.35.0 2008.11.11 -
Sunbelt 3.1.1785.2 2008.11.11 -
Symantec 10 2008.11.11 -
TheHacker 6.3.1.1.147 2008.11.10 -
TrendMicro 8.700.0.1004 2008.11.10 -
VBA32 3.12.8.9 2008.11.10 -
ViRobot 2008.11.10.1459 2008.11.10 -
VirusBuster 4.5.11.0 2008.11.10 -
Additional information
File size: 23 bytes
MD5...: 6bd616e55d90268a994d9577f22e474b
SHA1..: e4ba94170af856258a8d47e4b42a735fccd29e81
SHA256: fe30ecd1c52ec4a0c2178af2e7fad74e09621e2c827b193ba17a5344c2fae94b
SHA512: f33874e629e41c9330dd9aafcb49e279d9da19d0c8ca6b1f857623e7c67873c0
16732071a9b908ca859670a43ed1f8932b39760a20a0a198972f3283d1f2fec7
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
Senior Member
11. November 2008 @ 04:10
cadtc
Newbie
11. November 2008 @ 06:22
Hi cdavfrew,
I posted that file also. Thanks heaps for your help. I will be spreading the word to my friends about afterdawn.com. If I could ask you one more thing: people tell me to use Firefox instead of IE7. In your expert opinion, which is better, or is it just a case of user preference? Again, thank you very much for your help.
Senior Member
11. November 2008 @ 07:12
In my humble opinion, it is just a case of user preference.
Contrary to popular belief, IE is not the crumbling wall of defense. It is actually quite secure, and IE7 was definitely more secure than Firefox 2. Firefox 3 should not be compared with IE7, but rather with IE8, which should be coming out soon.
Yes, I know that IE can be exploited in many different ways to allow malware, but with the right defenses, IE has the potential to become a great graphical and secure browser. If you have an antivirus, antispyware, and firewall, then you probably should get this software as well:
SpywareBlaster
Spybot
Advanced Windowscare Personal
All of these have immunization functions which serve to secure Internet Explorer, and as to their effectiveness, I've been using IE forever and never got infected.
Of course, safe surfing is a critical part. Do not visit shady sites, etc.
Glad I could help you! It was my pleasure.
Best Regards :D
cadtc
Newbie
13. November 2008 @ 01:13
Hi cdavfrew,
Thanks for your view on IE7 and Firefox.
I decided to download the software you recommended to use with my antivirus software. As I was installing them, my antivirus program detected that I was infected with a trojan, not another one but exactly the same one, and also this trojan: Win32/Agent.ODG. I couldn't believe it. I don't know if it was the right thing to do, but I decided to go through the whole process again to get rid of it.
I have posted the HijackThis log, the ComboFix log in safe mode as before, and the SUPERAntiSpyware log for you to analyse. I just thought it would save time, since I assumed it was the exact same trojan. Thank you cdavfrew for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:51 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\ACER\PSM.EXE
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MPS] C:\ACER\PSM.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [eRecoveryService] (User 'Nick')
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Nick')
O4 - HKUS\S-1-5-21-1322420240-282186101-3338049652-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Nick')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1179445501859
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...029/mcfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8351 bytes
----------------------------------------
ComboFix 08-11-07.01 - Administrator 2008-11-12 19:14:10.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.305 [GMT -8:00]
Running from: d:\combofix\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.
2008-11-12 18:15 . 2008-11-12 18:15 <DIR> d-------- c:\windows\LastGood
2008-11-12 14:03 . 2008-11-12 14:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-12 14:03 . 2008-11-12 14:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 13:51 . 2008-11-12 13:51 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-11 19:30 . 2008-11-11 19:30 185 --a------ c:\windows\system32\bafadbfb_r.zip
2008-11-11 10:45 . 2008-11-11 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 10:06 . 2008-11-11 10:53 530,678 --a------ C:\Qoobox.zip
2008-11-10 13:54 . 2008-11-10 13:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-09 17:29 . 2005-03-11 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-09 17:29 . 2008-11-09 17:29 <DIR> d-------- c:\documents and settings\Administrator
2008-11-08 23:15 . 2008-11-08 23:15 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-11-08 23:15 . 2008-11-08 23:15 298,104 --a------ c:\windows\system32\imon.dll
2008-11-08 23:15 . 2008-11-08 23:15 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-11-05 13:46 . 2008-11-05 13:46 0 --a------ c:\windows\nsreg.dat
2008-10-30 20:34 . 2008-10-30 20:34 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-30 16:55 . 2008-10-30 16:58 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-30 16:55 . 2008-10-30 16:58 1,409 --a------ c:\windows\QTFont.for
2008-10-30 14:24 . 2008-08-14 03:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-30 14:24 . 2008-08-14 03:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-30 14:24 . 2008-08-14 02:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:24 . 2008-09-15 05:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-30 14:24 . 2008-09-08 03:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-30 14:22 . 2008-10-15 09:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\scripting
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\en
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\system32\bits
2008-10-30 14:08 . 2008-10-30 14:08 <DIR> d-------- c:\windows\l2schemas
2008-10-30 14:07 . 2008-10-30 14:07 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-14 17:07 . 2008-04-13 17:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2008-10-14 17:06 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 14:42 --------- d-----w c:\program files\DivoCodec
2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-29 04:08 --------- d-----w c:\program files\Trend Micro
2008-09-27 19:06 --------- d-----w c:\documents and settings\Nick\Application Data\LG Electronics
2008-09-27 18:57 --------- d-----w c:\program files\Jigsaw Puzzle Platinum
2008-09-27 06:41 --------- d-----w c:\program files\Elf Bowling - Hawaiian Vacation
2008-09-27 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-09-27 03:28 --------- d-----w c:\program files\minigolfgold_at
2008-09-20 23:36 --------- d-----w c:\program files\Western Digital
2008-09-20 18:36 --------- d-----w c:\program files\Picasa2
2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-14 04:13 --------- d-----w c:\program files\Hasbro Interactive
2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 09:38 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-25 09:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-23 06:56 635,848 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 06:54 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 11:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 11:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 10:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-29 02:06 47,360 ----a-w c:\documents and settings\Pat\Application Data\pcouffin.sys
2007-07-10 17:54 23 --sha-w c:\windows\system32\bafadbfb_r.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-09_17.48.59.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-11 18:46:08 632,320 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F66110.exe
+ 2008-11-11 18:46:08 29,184 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}\IconCD95F6617.exe
+ 2008-11-10 21:55:12 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-11-10 21:55:14 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"eRecoveryService"="c:\windows\System32\Check.exe" [2004-11-24 245760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"MPS"="c:\acer\PSM.EXE" [2004-03-04 372736]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-08 949376]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-04 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-04 c:\windows\ALCWZRD.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
backup=c:\windows\pss\Photo Express Calendar Checker SE.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--------- 1998-07-03 12:51 25088 c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2004-12-15 76544]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S2 ScFBPNT2;CanoScan FBP2 Port Driver;c:\windows\system32\drivers\ScFBPNT2.SYS [1999-05-21 15488]
S3 int15.sys;int15.sys;c:\program files\acer\eRecovery\int15.sys [2005-01-13 69632]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wdsync.exe
*Newly Created Service* - DCFS2K
.
- - - - ORPHANS REMOVED - - - -
HKCU-RunOnce-NeroHomeFirstStart - c:\program files\Common Files\Nero\Lib\NMFirstStart.exe
.
------- Supplementary Scan -------
.
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
c:\windows\Downloaded Program Files\armhelper.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 19:15:44
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\tsd32.dll
.
Completion time: 2008-11-12 19:16:10
ComboFix-quarantined-files.txt 2008-11-13 03:16:10
ComboFix2.txt 2008-11-10 01:49:22
Pre-Run: 18,949,734,400 bytes free
Post-Run: 19,081,691,136 bytes free
178 --- E O F --- 2008-11-03 11:03:20
----------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/13/2008 at 11:31 AM
Application Version : 4.21.1004
Core Rules Database Version : 3629
Trace Rules Database Version: 1613
Scan type : Complete Scan
Total Scan Time : 00:38:12
Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 5536
Registry threats detected : 0
File items scanned : 85507
File threats detected : 20
Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@mediaplex[2].txt
C:\Documents and Settings\Pat\Cookies\pat@overture[1].txt
C:\Documents and Settings\Pat\Cookies\pat@te.kontera[2].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[3].txt
C:\Documents and Settings\Pat\Cookies\pat@bs.serving-sys[2].txt
C:\Documents and Settings\Pat\Cookies\pat@atdmt[2].txt
C:\Documents and Settings\Pat\Cookies\pat@serving-sys[1].txt
C:\Documents and Settings\Pat\Cookies\pat@kontera[1].txt
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[2].txt
C:\Documents and Settings\Pat\Cookies\pat@apmebf[1].txt
C:\Documents and Settings\Pat\Cookies\pat@adopt.euroclick[2].txt
C:\Documents and Settings\Nick\Cookies\nick@serving-sys[2].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[2].txt
C:\Documents and Settings\Nick\Cookies\nick@msnportal.112.2o7[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.bridgetrack[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ad.yieldmanager[1].txt
C:\Documents and Settings\Nick\Cookies\nick@adopt.euroclick[1].txt
C:\Documents and Settings\Nick\Cookies\nick@bs.serving-sys[2].txt
Rootkit.TDSServ/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7444174A-1CD8-47F9-AAFE-AC9AC025B3AB}\RP1\A0000018.SYS
Unclassified.Unknown Origin
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7444174A-1CD8-47F9-AAFE-AC9AC025B3AB}\RP3\A0000100.NFO
Senior Member
13. November 2008 @ 20:36
Hey cadtc
I have a suspicion you aren't actually infected, but it's something else.
Where does Nod32 detect this trojan?
Delete C:\Qoobox, and turn off your system restore, then turn it back on.
Best Regards :D
cadtc
Newbie
14. November 2008 @ 02:21
Hi cdavfrew,
Nod32 detected at
C:\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSnpur.dll.vir - Win32/Agent.ODG trojan
C:\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSoitu.dll.vir - Win32/Agent.ODG trojan
I did what you said and then ran NOD32, and it came up all clear. Silly me, it should have clicked when it showed up in quarantine.
Thanks heaps cdavfrew for all your help. Much appreciated.
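The resolution above, and the SUPERAntiSpyware log posted earlier in the thread, both turn on one triage question: where was the detected file found? A hit inside the ComboFix quarantine folder (C:\Qoobox, or a zip of it) or inside a System Restore point is a stored copy of malware that was already removed, not evidence of a fresh infection, while a tracking cookie is a privacy nuisance rather than malware. The following script is an added example, not code from this thread or from either poster, and it is not part of NOD32, SUPERAntiSpyware or ComboFix. It parses the two log formats quoted in the thread (the SUPERAntiSpyware "threat name, then paths" layout and the NOD32 "path - threat" line) and sorts each detection by location, so that only live paths remain as action items. The sample log lines and the all-zero restore-point GUID are constructed for the example.

```python
"""Triage anti-malware detections by where the hit was found.

Added example, not from the thread: classifies detected paths into
quarantine, restore_point, tracking_cookie or live, so that a scanner
flagging a quarantine archive is not mistaken for reinfection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Location rules. Both "\" and "/" are accepted because NOD32 reports
# archive members as "container »ZIP »member" with forward slashes.
QUARANTINE_RE = re.compile(r"(^|[\\/])qoobox(\.zip)?(?=[\\/\s]|$)", re.IGNORECASE)
RESTORE_RE = re.compile(r"[\\/]system volume information[\\/]_restore\{", re.IGNORECASE)
COOKIE_RE = re.compile(r"[\\/]cookies[\\/][^\\/]+\.txt$", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")
NOD32_RE = re.compile(r"^(?P<path>.+?)\s+-\s+(?P<threat>\S.*)$")


@dataclass
class Detection:
    threat: str
    path: str
    location: str  # quarantine | restore_point | tracking_cookie | live


def classify_path(path: str) -> str:
    """Return the location class of a detected path."""
    flat = path.replace("»", "/")  # flatten NOD32 archive notation
    if QUARANTINE_RE.search(flat):
        return "quarantine"
    if RESTORE_RE.search(flat):
        return "restore_point"
    if COOKIE_RE.search(flat):
        return "tracking_cookie"
    return "live"


def parse_sas_log(text: str) -> List[Detection]:
    """Parse the SUPERAntiSpyware findings section: a threat-name line
    followed by one or more full paths where it was found."""
    found: List[Detection] = []
    threat = "(unknown)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DRIVE_PATH_RE.match(line):
            found.append(Detection(threat, line, classify_path(line)))
        else:
            threat = line  # a non-path line names the threat that follows
    return found


def parse_nod32_line(line: str) -> Optional[Detection]:
    """Parse a NOD32 detection of the form '<path> - <threat name>'."""
    m = NOD32_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["threat"], m["path"], classify_path(m["path"]))


def triage(detections: List[Detection]) -> Tuple[dict, List[Detection]]:
    """Count detections per location and return the ones still needing action."""
    counts = {"live": 0, "quarantine": 0, "restore_point": 0, "tracking_cookie": 0}
    live = [d for d in detections if d.location == "live"]
    for d in detections:
        counts[d.location] += 1
    return counts, live


# Constructed sample input modelled on the log formats in the thread.
SAMPLE_SAS_LOG = r"""Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@mediaplex[2].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[2].txt
Rootkit.TDSServ/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP1\A0000018.SYS
Unclassified.Unknown Origin
D:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP3\A0000100.NFO
Trojan.Constructed
C:\WINDOWS\system32\example_dropper.dll
"""

SAMPLE_NOD32_LINES = [
    r"C:\Qoobox.zip »ZIP »Qoobox/Quarantine/C/WINDOWS/system32/TDSSnpur.dll.vir - Win32/Agent.ODG trojan",
    r"C:\WINDOWS\system32\example_dropper.dll - Win32/Agent.Constructed trojan",
]

if __name__ == "__main__":
    hits = parse_sas_log(SAMPLE_SAS_LOG)
    hits += [d for d in map(parse_nod32_line, SAMPLE_NOD32_LINES) if d]
    counts, live = triage(hits)
    print("by location:", counts)
    for d in live:
        print("ACTION:", d.threat, "at", d.path)
```

Run on the constructed sample it reports two tracking cookies, two restore-point entries, one quarantine entry and one live path, and lists only the live path as an action item. The rules are path-based on purpose: they do not depend on the scanner that produced the line, so the same classifier works on the NOD32 quarantine hits that closed this thread and on the SUPERAntiSpyware restore-point hits posted before them.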
Senior Member
14. November 2008 @ 04:42
Hey cadtc
You're welcome, and I'm glad you're clean now!
Best Wishes :D