
Google redirect virus and others [RESOLVED]


  • This topic is locked

#1
Onderdole

Onderdole

    Member

  • Member
  • 20 posts
Hi guys,

I'm having real problems with the Google redirect virus.

For years I have used Avast and Spybot S&D and updated them regularly, but last week I got hit with a virus that made my computer reboot, and when it came back up it was trashed. Everything I try to surf to is redirected or can't be found, all the update connections for the anti-malware software I'm running fail, I can't access my email via Outlook, and the machine and internet are barely crawling along. It's so bad, in fact, that I had to use a work machine just to connect to geekstogo.com; the virus keeps redirecting me away.

Now I'm here I'm asking for help in removing the beast and cleaning up my machine. I've read the pinned topics through and some old ones on this virus, so can you guys help?

Much appreciated, Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:26:36, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] E:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: DSLMON.lnk = E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 2744 bytes

Here's the HJT log.
  • 0



#2
Egwene

Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hello Onderdole,

Welcome to the site! :) My name's Egwene and I'll be helping clean up your computer. :)

Let's try this to begin, and if you can't run this tool, don't worry and just come back here to tell me that.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).


N.B.: Please check that you have posted me all the content of the log. If not, please post what is missing in another reply :)


Regards,
Egwene.

Edited by Egwene, 22 October 2008 - 06:41 AM.

  • 0

#3
Onderdole

Onderdole

    Member

  • Topic Starter
  • Member
  • 20 posts
Egwene,

Thank you for helping me. I was slow in getting back to you because this virus has crippled my normal internet use: it stopped me using my normal machine to access any anti-malware sites, and my work machine wouldn't accept the RSIT site. However, I installed an old hard drive, installed Win 98 on it along with my internet connection, and I can now at least get the tools needed to continue with your help (phew, a bit of an afternoon there). In order to communicate with you I have to reboot into the BIOS, change the boot-up drive, talk to you and download tools, then reboot into the BIOS, change to my infected drive, run the analysis, reboot into the BIOS again using this Windows 98 drive, log on here and pass on the results.

Don't worry, all tools will actually be run on the infected drive; the Windows 98 drive is just so I can download them.

I seriously hate what this virus has done to my machine, and the work it is making me do.

Anyway, back to business.

Firstly, yes, that initial posting was the complete HJT log. It's short as I used Black Viper's guidance to strip down the processes running and keep the machine as slick as possible.

Here are the two files from RSIT:



Logfile of random's system information tool 1.04 (written by random/random)
Run by Dave Murphy at 2008-10-22 21:18:50
Microsoft Windows XP Professional Service Pack 2
System drive E: has 45 GB (59%) free of 76 GB
Total RAM: 1022 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:55, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\setup\avast.setup
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Dave Murphy\Desktop\RSIT.exe
E:\Program Files\Trend Micro\HijackThis\Dave Murphy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ashMaiSv] E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] E:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: DSLMON.lnk = E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 2897 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2004-06-13 98352]
"KernelFaultCheck"=E:\WINDOWS\system32\dumprep 0 -k []
"ashMaiSv"=E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe [2004-06-13 200752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"HijackThis startup scan"=E:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2008-10-19 396288]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
DSLMON.lnk - E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\WINDOWS\system32\sessmgr.exe"="E:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cfb80e1-29b9-11d9-b9e9-806d6172696f}]
shell\AutoRun\command - D:\Setup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d428d6cf-8aed-11d9-a15f-806d6172696f}]
shell\AutoRun\command - D:\dsetup.exe


======List of files/folders created in the last 3 months======

2008-10-22 21:18:50 ----D---- E:\rsit
2008-10-22 14:19:20 ----A---- E:\WINDOWS\IE4 Error Log.txt
2008-10-21 20:46:44 ----HDC---- E:\WINDOWS\$NtUninstallKB925902$
2008-10-21 20:46:41 ----A---- E:\WINDOWS\imsins.BAK
2008-10-21 20:46:34 ----HDC---- E:\WINDOWS\$NtUninstallKB926436$
2008-10-20 16:41:59 ----ASH---- E:\desktop.ini
2008-10-19 11:30:01 ----D---- E:\Program Files\AVG
2008-10-19 00:29:01 ----D---- E:\!KillBox
2008-10-19 00:16:16 ----D---- E:\Program Files\Trend Micro
2008-10-19 00:15:49 ----D---- E:\Program Files\Hijackthis
2008-10-19 00:02:00 ----D---- E:\Program Files\Enigma Software Group
2008-10-18 21:56:21 ----A---- E:\WINDOWS\system32\delself.bat
2008-09-16 07:33:57 ----D---- E:\Program Files\McDonaldsDragons
2008-09-13 15:48:10 ----D---- E:\Program Files\McDonaldsFairies
2008-09-13 15:47:40 ----SHD---- E:\WINDOWS\ftpcache
2008-08-07 02:46:29 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\rhcg1bj0ea58
2008-07-29 22:06:31 ----D---- E:\Documents and Settings\All Users\Application Data\Avg8

======List of files/folders modified in the last 3 months======

2008-10-22 21:14:37 ----D---- E:\Program Files\Mozilla Firefox
2008-10-22 21:14:21 ----AD---- E:\WINDOWS\Temp
2008-10-22 20:53:48 ----A---- E:\WINDOWS\SchedLgU.Txt
2008-10-22 20:27:34 ----D---- E:\WINDOWS\Prefetch
2008-10-22 20:22:32 ----A---- E:\WINDOWS\ODBC.INI
2008-10-22 20:18:34 ----D---- E:\WINDOWS\system32\drivers
2008-10-22 20:18:27 ----D---- E:\WINDOWS\system32
2008-10-22 19:48:25 ----D---- E:\WINDOWS\system32\CatRoot2
2008-10-22 14:19:20 ----D---- E:\WINDOWS
2008-10-22 11:26:33 ----D---- E:\Program Files\Paint Shop Pro 6
2008-10-22 09:14:20 ----SD---- E:\Documents and Settings\Dave Murphy\Application Data\Microsoft
2008-10-21 23:02:31 ----HD---- E:\WINDOWS\inf
2008-10-21 23:00:19 ----HD---- E:\WINDOWS\$hf_mig$
2008-10-21 22:47:28 ----A---- E:\WINDOWS\NeroDigital.ini
2008-10-21 20:47:17 ----D---- E:\WINDOWS\system32\CatRoot
2008-10-21 20:46:47 ----RSHDC---- E:\WINDOWS\system32\dllcache
2008-10-19 17:02:21 ----D---- E:\WINDOWS\Minidump
2008-10-19 15:38:14 ----D---- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-19 13:16:21 ----SHD---- E:\System Volume Information
2008-10-19 13:16:21 ----D---- E:\WINDOWS\system32\Restore
2008-10-19 11:30:01 ----SHD---- E:\WINDOWS\Installer
2008-10-19 11:30:01 ----SHD---- E:\Config.Msi
2008-10-19 11:30:01 ----RD---- E:\Program Files
2008-10-19 11:30:00 ----D---- E:\WINDOWS\WinSxS
2008-10-19 11:30:00 ----D---- E:\Program Files\Common Files\Microsoft Shared
2008-10-19 10:48:26 ----D---- E:\WINDOWS\system32\Macromed
2008-10-19 01:39:58 ----SD---- E:\WINDOWS\Downloaded Program Files
2008-10-19 00:51:28 ----D---- E:\WINDOWS\Help
2008-10-19 00:51:28 ----D---- E:\Program Files\Web Publish
2008-10-19 00:51:28 ----D---- E:\Program Files\CCleaner
2008-10-19 00:51:13 ----D---- E:\Program Files\QuickTime
2008-10-19 00:50:17 ----HD---- E:\Program Files\InstallShield Installation Information
2008-10-19 00:48:56 ----D---- E:\Program Files\GameSpy Arcade
2008-10-19 00:48:27 ----D---- E:\Program Files\DivX
2008-10-19 00:45:57 ----D---- E:\Program Files\Common Files\Adobe
2008-10-19 00:44:08 ----D---- E:\WINDOWS\Debug
2008-10-18 22:31:52 ----D---- E:\WINDOWS\security
2008-10-02 14:44:18 ----D---- E:\Program Files\Spybot - Search & Destroy
2008-09-07 14:12:15 ----D---- E:\Program Files\Common Files
2008-09-07 14:10:25 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\Real
2008-09-04 10:30:28 ----A---- E:\WINDOWS\system32\dcdbda9_z.dll
2008-09-02 21:44:42 ----D---- E:\Program Files\Lavasoft
2008-08-21 12:39:31 ----D---- E:\Documents and Settings\Dave Murphy\Application Data\Adobe
2008-08-03 15:21:24 ----D---- E:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 15:07:33 ----D---- E:\Documents and Settings\All Users\Application Data\Lavasoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; E:\WINDOWS\system32\drivers\Aavmker4.sys [2004-06-13 13248]
R1 aswSP;avast! Self Protection; E:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; E:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 InCDPass;InCDPass; E:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-07-16 28672]
R1 prodrv06;StarForce Protection Environment Driver v6; E:\WINDOWS\System32\drivers\prodrv06.sys [2004-08-09 53920]
R2 aswFsBlk;aswFsBlk; E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; E:\WINDOWS\system32\drivers\aswMon2.sys [2004-06-13 56960]
R3 adiusbaw;USB ADSL WAN Adapter; E:\WINDOWS\System32\DRIVERS\adiusbaw.sys [2003-03-27 127145]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); E:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-03-08 4027840]
R3 nv;nv; E:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-07-20 3198368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; E:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; E:\WINDOWS\system32\drivers\WmBEnum.sys [2003-05-14 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; E:\WINDOWS\system32\drivers\WmXlCore.sys [2003-05-14 44288]
R4 InCDfs;InCD File System; E:\WINDOWS\system32\drivers\InCDfs.sys [2004-07-16 92672]
S1 kbdhid;Keyboard HID Driver; E:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 P3;Intel PentiumIII Processor Driver; E:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-03 42496]
S2 ADILOADER;General Purpose USB Driver (adildr.sys); E:\WINDOWS\System32\Drivers\adildr.sys [2003-07-17 46167]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\E:\WINDOWS\system32\drivers\NSDriver.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; E:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-24 400384]
S3 aswRdr;aswRdr; \??\E:\WINDOWS\system32\drivers\aswRdr.sys []
S3 CCDECODE;Closed Caption Decoder; E:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 ENTECH;ENTECH; \??\E:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 ess;ESS Audio Driver (WDM); E:\WINDOWS\system32\drivers\ess.sys [2001-08-17 63360]
S3 gwiopm;gwiopm; \??\E:\Program Files\Unknown Device Identifier\gwiopm.sys []
S3 hidusb;Microsoft HID Class Driver; E:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
S3 jatmlano;jatmlano; \??\E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\jatmlano.sys []
S3 mouhid;Mouse HID Driver; E:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; E:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; E:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; E:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NUVision;Studio OnLine; E:\WINDOWS\system32\DRIVERS\NUVision.sys [2000-07-16 136352]
S3 SANDRA;SANDRA; \??\E:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\Sandra.sys []
S3 SLIP;BDA Slip De-Framer; E:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; E:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TVICHW32;TVICHW32; \??\E:\WINDOWS\System32\DRIVERS\TVICHW32.SYS []
S3 ULI5261;ULi Based Ethernet NT Driver; E:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-07-26 29696]
S3 ULI5261XP;ULi M526X Ethernet NT Driver; E:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 usbscan;USB Scanner Driver; E:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WinDMI;WinDMI; \??\E:\Program Files\AOpen\WinDMI\windmidrv.SYS []
S3 WmFilter;Logitech WingMan HID Filter Driver; E:\WINDOWS\system32\drivers\WmFilter.sys [2003-05-14 21216]
S3 WmVirHid;Logitech Virtual Hid Device Driver; E:\WINDOWS\system32\drivers\WmVirHid.sys [2003-05-14 5728]
S3 WSTCODEC;World Standard Teletext Codec; E:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2004-06-13 53248]
R2 avast! Antivirus;avast! Antivirus; E:\Program Files\Alwil Software\Avast4\ashServ.exe [2004-06-13 77872]
R2 InCDsrv;InCD Helper; E:\Program Files\Ahead\InCD\InCDsrv.exe [2004-07-16 1163378]
S2 spupdsvc;Windows Service Pack Installer update service; E:\WINDOWS\system32\spupdsvc.exe [2005-06-28 22752]
S3 avast! Mail Scanner;avast! Mail Scanner; E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2004-06-13 200752]
S3 avast! Web Scanner;avast! Web Scanner; E:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 IDriverT;InstallDriver Table Manager; E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; E:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\system32\nvsvc32.exe [2005-07-20 127043]

-----------------EOF-----------------


---------- NEXT THE INFO FILE ----------

info.txt logfile of random's system information tool 1.04 2008-10-22 21:18:57

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
3DMark05-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}\Setup.exe" -l0x9
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 ActiveX-->E:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->E:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ALi mini IDE driver-->E:\WINDOWS\System32\ALi5minst.exe E:\WINDOWS\inf\mshdc.inf PCI\VEN_10B9&DEV_5229 1
AOpen Multimedia Utilities-->E:\WINDOWS\IsUninst.exe -f"C:\Program Files\AOpen\Multimedia Utilities\AOMUinst.isu"
avast! Antivirus-->rundll32 E:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
B17 - The Mighty Eighth-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{63B263C2-1B61-11D4-8B6D-00C0F01F6881}\setup.exe" SetupCheck
BJC-1000-->E:\WINDOWS\system32\CNMCP1W.EXE -@E:\WINDOWS\IsUninst.exe -f"E:\BJPrinter\CNMWINDOWS\Canon BJC-1000 Installer\Inst\DeIsL1.isu" -pCanon BJC-1000-c"E:\BJPrinter\CNMWINDOWS\Canon BJC-1000 Installer\Inst\bjinst.dll
Canon Camera Support Core Library-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5662C158-CA24-4228-BF6C-596FADA08682} /l1033
Canon Camera Window DS for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7B847C9D-6758-45E6-B598-3BD8F43EAE9E}
Canon Camera Window DVC for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A70D14C6-FF2C-4B8E-A643-7E74EC607614}
Canon Camera Window for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E73534D5-CC93-4C63-9072-5A9734255C74}
Canon Internet Library for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{954BF446-BBC9-42CC-87A6-EBF0D55CA19A}
Canon MovieEdit Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DEB416DB-4FA9-42B6-84D3-1E0081300C9E}
Canon PhotoRecord-->MsiExec.exe /X{862983D7-FA08-493E-A9ED-6B7859E069D3}
Canon RAW Image Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A0F34E4E-25F0-4B68-AE8F-EF0C15CB1FED}
Canon RemoteCapture Task for ZoomBrowser EX-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only)-->"E:\Program Files\CCleaner\uninst.exe"
Encarta World Atlas 99-->"E:\Program Files\Microsoft Reference\Encarta World Atlas 99\evgunnst.exe" /uninstall
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"E:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IL-2 Sturmovik: Forgotten Battles-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8DF712DA-D325-4FD0-8DE8-E2D78FC3CDC3} /l1033
InCD-->E:\WINDOWS\NuNInst.exe /UNINSTALL
Kubex Software 3D Home Designer-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{5D536ABE-4396-11D5-8578-00105ADDC431}\Setup.exe" -l0x9
Logitech Gaming Software-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{93EC14D5-7AAA-4EAD-BB75-013817A96598}\Setup.Exe" -l0x9
Macromedia Shockwave Player-->E:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE E:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Madden NFL 2004-->E:\Program Files\EA SPORTS\Madden NFL 2004\EAUninstall.exe
MapInfo Professional 7.0-->MsiExec.exe /I{0660BFE2-CD47-400F-A19D-8EC89C91CA8B}
MapInfo Professional Data-->E:\PROGRA~1\MapInfo\PROGRA~1\MapInfo\Data\UNWISE.EXE E:\PROGRA~1\MapInfo\PROGRA~1\MapInfo\Data\INSTALL.LOG
McDonald's Dragons-->E:\Program Files\McDonaldsDragons\uninstall.exe
McDonald's Fairies-->E:\Program Files\McDonaldsFairies\uninstall.exe
Microsoft MapPoint Europe 2004-->MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790240}
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 6.0 Enterprise Edition-->"E:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Mozilla Firefox (3.0.3)-->E:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero OEM-->E:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers-->E:\WINDOWS\System32\nvudisp.exe UninstallGUI
Outlook Express Backup Wizard version 1.1-->"E:\Program Files\Outlook Express Backup Wizard\unins000.exe"
Paint Shop Pro 6.0 (CD-ROM)-->E:\PROGRA~1\PAINTS~1\Unwise.exe E:\PROGRA~1\PAINTS~1\INSTALL.LOG
Populous: The Beginning-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\Bullfrog\Populous\Uninst.isu" -c"E:\Program Files\Bullfrog\Populous\uninst.dll"
POW-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CD277B3E-8043-496E-B83B-D53186A072AB} /l1033
PowerDVD-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio-->Alcrmv.exe -r -m
Rome - Total War™-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4089999C-6CB7-4F9D-A2F6-DB158DBF91FB} /l1033 /x
SAGEM F@st 800-840-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
Security Update for Windows XP (KB925902)-->"E:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"E:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"E:\Program Files\Spybot - Search & Destroy\unins001.exe"
Studio Online-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\Pinnacle\Studio Online\ISTUDIO.ISU" -cE:\WINDOWS\ISTUDIO.dll
TalonSoft's West Front Combat Pack-->E:\WINDOWS\IsUninst.exe -f"E:\Program Files\TalonSoft\West Front\Uninst.isu"
Truprint Viewer-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{07802C2B-0ABD-439A-9510-1A89FD4FD5AB}\Setup.exe"
ubi.com-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}\Setup.exe" -l0x9 UNINSTALL-L0x9 -uninst
ULi AGP Driver 2.20-->E:\WINDOWS\system32\UnAGP.EXE RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{0DD0650C-5113-4FEE-BDDA-AC0B76FD0BD1}\Setup.exe" -uninst
ULi LAN Driver-->E:\WINDOWS\system32\UnLAN.EXE RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{143BE018-D8F8-4014-8CB6-AF63F5799D21}\Setup.exe" -uninst
VIA Platform Device Manager-->E:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Windows Blaster Worm Removal Tool (KB833330)-->E:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows XP Hotfix - KB873333-->E:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->E:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Service Pack 2-->E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe

=====HijackThis Backups=====

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1215262989953
R3 - Default URLSearchHook is missing
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonu...geUploader4.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: avast! antivirus 4.1.1229 [VPS 0424-3] (outdated)

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"devmgr_show_nonpresent_devices"=1
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 31 Stepping 0, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=1f00
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;

-----------------EOF-----------------

Thanks again, the help you're giving is an honourable venture, unlike those creating this malware.
You have my respect.
Dave

#4 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello Onderdole,

Indeed, you're right, you have a nasty infection, but don't worry, we will remove it. :)

First, please do this:

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Reboot into normal mode.

Regards,
Egwene.

#5 Onderdole (Topic Starter, Member, 20 posts)
Egwene

I followed the instructions properly, but my machine will not boot up in Safe Mode.

It tries to, and a list of what looks like drivers scrolls upwards on the screen, but then it gets to this one:

multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\gagp30kx

It's the last line displayed, and then the machine turns off and tries to boot up again from the beginning.

I also tried:

Safe Mode with Networking, but that had the same outcome.

Safe Mode with Command Prompt did work (I didn't try SDFix.exe here though, I just exited).

Boot-up in Debugging Mode also worked.

What to do now?

#6 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello Onderdole,

Could you boot into normal mode?

:)

#7 Onderdole (Topic Starter, Member, 20 posts)
Egwene,

Yes, I can boot up in normal mode and every mode option except Safe Mode and Safe Mode with Networking.

I can boot up in Safe Mode with Command Line; can we use that?

I could post a camera image of the point where the Safe Mode boot-up freezes then crashes if you want, but as I mentioned, all it is is a list of paths to drivers scrolling up the screen.

#8 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello Onderdole,

"I could post a camera image of the point where the Safe Mode boot-up freezes then crashes if you want, but as I mentioned, all it is is a list of paths to drivers scrolling up the screen."

No need, don't worry.

I would like to check something, please do this:

Disable resident protections (antivirus, etc.); you'll re-enable them after the scan.

Download Lop S&D here.

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log that is created (%SystemDrive%\lopR.txt)

Regards,
Egwene.

#9 Onderdole (Topic Starter, Member, 20 posts)
Egwene,

I'm at work now so don't have access to the machine. I'll be home tonight and will do what you ask and post results about midnight (long hours today).

#10 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
No problem :)

Just a note: I'm French, and at home it's the beginning of the afternoon :)

Edited by Egwene, 24 October 2008 - 06:07 AM.


#11 Onderdole (Topic Starter, Member, 20 posts)
Bonjour, ça va, Egwene?

I'm Irish but work and live in the UK at the moment.

As it goes, I have a house near Pons, Charente-Maritime, that we hope to retire to in about 15 years.

We'd move there now, only my wife wants the children to remain in school in the UK. Don't know why; the local school to us in France seems way better.

I like France and have to admire how you do many things there, but I must admit I think Sarkozy is an arsehole, especially the things he said about Ireland when we said "NON" to the EU treaty.

Also, I like it when we beat you at rugby, not often enough I'm afraid :)

#12 Onderdole (Topic Starter, Member, 20 posts)
Egwene,

Here is the LopR log:


--------------------\\ Lop S&D 4.2.4-7 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Athlon™ 64 Processor 3000+ )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Dave Murphy ( Administrator )
BOOT : Normal boot
Antivirus : avast! antivirus 4.1.1229 [VPS 0424-3] 4.1.1229 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - FAT32 - Total : 3 Go Free : 2 Go
D:\ (CD or DVD) - CDFS - Total : 0 Go Free : 0 Go
E:\ (Local Disk) - NTFS - Total : 74 Go Free : 43 Go

"E:\Lop SD" ( MAJ : 23-10-2008|23:15 )
Option : [1] ( 24/10/2008|22:19 )

--------------------\\ Listing folders in APPLIC~1

[14/09/2007|11:56] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[27/07/2007|21:30] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[22/10/2008|09:14] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg8
[15/08/2005|19:54] E:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[03/08/2008|15:07] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
[07/02/2005|20:07] E:\DOCUME~1\ALLUSE~1\APPLIC~1\MapInfo
[24/10/2008|00:45] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[28/05/2005|10:06] E:\DOCUME~1\ALLUSE~1\APPLIC~1\NFS Underground Demo
[10/03/2005|19:52] E:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[21/10/2005|23:11] E:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
[21/10/2005|20:57] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
[19/10/2008|15:38] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
[25/11/2005|00:28] E:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage

[21/08/2008|12:39] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Adobe
[28/02/2006|23:27] E:\DOCUME~1\DAVEMU~1\APPLIC~1\AdobeUM
[05/12/2005|21:19] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Apple Computer
[01/10/2005|19:52] E:\DOCUME~1\DAVEMU~1\APPLIC~1\CyberLink
[06/12/2005|23:50] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Google
[09/12/2007|23:11] E:\DOCUME~1\DAVEMU~1\APPLIC~1\gtk-2.0
[29/10/2004|23:50] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Help
[29/10/2004|15:43] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Identities
[31/07/2007|16:26] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Lavasoft
[04/12/2004|11:16] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Macromedia
[07/02/2005|20:11] E:\DOCUME~1\DAVEMU~1\APPLIC~1\MapInfo
[22/10/2008|09:14] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Microsoft
[28/07/2007|20:57] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Mozilla
[07/09/2008|14:10] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Real
[07/08/2008|02:46] E:\DOCUME~1\DAVEMU~1\APPLIC~1\rhcg1bj0ea58
[22/11/2004|21:29] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Skype
[21/05/2007|23:54] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Snapfish
[27/04/2008|20:27] E:\DOCUME~1\DAVEMU~1\APPLIC~1\Uniblue

[29/10/2004|15:34] E:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[22/08/2008|12:59] E:\DOCUME~1\EMMABU~1\APPLIC~1\Adobe
[14/09/2007|11:57] E:\DOCUME~1\EMMABU~1\APPLIC~1\AdobeUM
[20/10/2008|16:42] E:\DOCUME~1\EMMABU~1\APPLIC~1\AVGTOOLBAR
[18/02/2007|10:40] E:\DOCUME~1\EMMABU~1\APPLIC~1\Google
[13/11/2004|19:35] E:\DOCUME~1\EMMABU~1\APPLIC~1\Help
[31/10/2004|13:09] E:\DOCUME~1\EMMABU~1\APPLIC~1\Identities
[20/04/2005|20:15] E:\DOCUME~1\EMMABU~1\APPLIC~1\Macromedia
[19/10/2008|11:27] E:\DOCUME~1\EMMABU~1\APPLIC~1\Microsoft
[29/07/2007|13:29] E:\DOCUME~1\EMMABU~1\APPLIC~1\Mozilla
[03/12/2004|16:46] E:\DOCUME~1\EMMABU~1\APPLIC~1\Real

[09/11/2004|09:49] E:\DOCUME~1\LOCALS~1\APPLIC~1\Help
[22/10/2008|09:14] E:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[20/03/2005|12:12] E:\DOCUME~1\NETWOR~1\APPLIC~1\Help
[22/10/2008|09:14] E:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft


--------------------\\ Scheduled Tasks located in E:\WINDOWS\Tasks

[24/10/2008 22:07][--ah-----] E:\WINDOWS\tasks\SA.DAT
[23/08/2001 13:00][-r-h-----] E:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in E:\Program Files

[09/11/2004|21:22] E:\Program Files\3D Home Designer
[06/10/2005|18:54] E:\Program Files\Activision
[14/09/2007|11:55] E:\Program Files\Adobe
[15/08/2005|19:52] E:\Program Files\Ahead
[02/03/2005|10:04] E:\Program Files\ALi
[29/10/2004|20:29] E:\Program Files\Alwil Software
[29/10/2004|21:15] E:\Program Files\audiograbber
[19/10/2008|11:30] E:\Program Files\AVG
[27/04/2008|22:42] E:\Program Files\AvRack
[09/12/2007|19:51] E:\Program Files\Bullfrog
[20/06/2006|22:27] E:\Program Files\Canon
[19/10/2008|00:51] E:\Program Files\CCleaner
[16/11/2004|16:26] E:\Program Files\Championship Manager Player Wizard 3
[29/01/2005|12:43] E:\Program Files\Codemasters
[07/09/2008|14:12] E:\Program Files\Common Files
[11/05/2008|19:38] E:\Program Files\cpu-z-127
[15/08/2005|19:54] E:\Program Files\CyberLink
[29/10/2004|21:15] E:\Program Files\CyberTweak
[19/08/2005|23:44] E:\Program Files\directx
[29/10/2004|21:15] E:\Program Files\DirectX Buster
[29/10/2004|21:15] E:\Program Files\directx doctor
[26/01/2005|00:37] E:\Program Files\DirectX Eradicator for XP
[19/10/2008|00:48] E:\Program Files\DivX
[29/10/2004|21:15] E:\Program Files\Drive Rescue
[17/04/2006|13:38] E:\Program Files\EA SPORTS
[15/11/2004|13:26] E:\Program Files\Eidos Interactive
[19/10/2008|00:03] E:\Program Files\Enigma Software Group
[06/03/2005|17:37] E:\Program Files\Futuremark
[19/10/2008|00:48] E:\Program Files\GameSpy Arcade
[22/06/2008|18:15] E:\Program Files\GetRight
[28/12/2007|18:57] E:\Program Files\Google
[19/10/2008|01:08] E:\Program Files\Hijackthis
[29/10/2004|21:18] E:\Program Files\HPS Simulations
[19/10/2008|00:50] E:\Program Files\InstallShield Installation Information
[01/05/2008|13:45] E:\Program Files\Internet Explorer
[02/09/2008|21:44] E:\Program Files\Lavasoft
[25/01/2005|23:17] E:\Program Files\Logitech
[07/02/2005|20:15] E:\Program Files\MapInfo
[01/10/2008|16:02] E:\Program Files\McDonaldsDragons
[24/09/2008|16:47] E:\Program Files\McDonaldsFairies
[14/11/2005|20:46] E:\Program Files\Microprose
[11/11/2004|18:22] E:\Program Files\Microsoft ActiveSync
[29/10/2004|15:36] E:\Program Files\microsoft frontpage
[18/04/2005|22:15] E:\Program Files\Microsoft MapPoint Europe
[11/11/2004|18:20] E:\Program Files\Microsoft Office
[24/10/2005|23:16] E:\Program Files\Microsoft Reference
[11/11/2004|20:02] E:\Program Files\Microsoft Visual Studio
[01/05/2008|13:45] E:\Program Files\Movie Maker
[24/10/2008|01:34] E:\Program Files\Mozilla Firefox
[29/10/2004|15:30] E:\Program Files\MSN Gaming Zone
[01/05/2008|13:45] E:\Program Files\NetMeeting
[29/10/2004|21:11] E:\Program Files\NVIDIA
[29/10/2004|21:23] E:\Program Files\OMFmod
[27/04/2008|13:21] E:\Program Files\Online Services
[01/05/2008|13:44] E:\Program Files\Outlook Express
[03/07/2008|08:35] E:\Program Files\Outlook Express Backup Wizard
[22/10/2008|11:26] E:\Program Files\Paint Shop Pro 6
[09/12/2007|23:24] E:\Program Files\Pinnacle
[19/06/2008|14:42] E:\Program Files\ProRat_v1.9
[19/10/2008|00:51] E:\Program Files\QuickTime
[28/05/2005|22:32] E:\Program Files\Real
[27/04/2008|22:42] E:\Program Files\Realtek AC97
[27/04/2008|22:42] E:\Program Files\Realtek Sound Manager
[29/10/2004|16:33] E:\Program Files\SAGEM
[07/02/2005|20:08] E:\Program Files\Seagate Software
[01/05/2008|20:11] E:\Program Files\SIERRA
[09/09/2007|21:02] E:\Program Files\SMSTFR
[02/10/2008|14:44] E:\Program Files\Spybot - Search & Destroy
[08/09/2007|21:53] E:\Program Files\TalonSoft
[06/03/2005|08:59] E:\Program Files\temp
[29/10/2004|21:23] E:\Program Files\TextPad 4
[11/05/2008|17:32] E:\Program Files\THQ
[11/11/2006|11:10] E:\Program Files\Tiscali Broadband
[14/01/2005|20:38] E:\Program Files\Total War
[19/10/2008|00:16] E:\Program Files\Trend Micro
[16/08/2005|10:11] E:\Program Files\Truprint
[26/01/2006|19:52] E:\Program Files\Ubi Soft
[29/10/2004|21:09] E:\Program Files\ubi.com
[29/10/2004|15:43] E:\Program Files\Uninstall Information
[27/04/2008|22:12] E:\Program Files\VIA
[19/10/2008|00:51] E:\Program Files\Web Publish
[09/12/2007|23:16] E:\Program Files\WinAVI Video Capture
[01/05/2008|13:44] E:\Program Files\Windows Media Player
[02/07/2008|17:59] E:\Program Files\Windows NT
[05/07/2008|14:04] E:\Program Files\WindowsUpdate
[26/03/2007|22:55] E:\Program Files\WinRAR
[29/10/2004|21:15] E:\Program Files\Winternals
[29/10/2004|15:36] E:\Program Files\xerox
[27/07/2007|21:19] E:\Program Files\Yahoo!

--------------------\\ Listing Folders in E:\Program Files\Common Files

[19/10/2008|00:45] E:\Program Files\Common Files\Adobe
[15/08/2005|19:51] E:\Program Files\Common Files\Ahead
[11/11/2004|19:49] E:\Program Files\Common Files\Designer
[28/05/2005|10:05] E:\Program Files\Common Files\DirectX
[01/02/2005|19:22] E:\Program Files\Common Files\InstallShield
[25/01/2005|23:17] E:\Program Files\Common Files\Logitech
[19/01/2005|00:11] E:\Program Files\Common Files\Mathsoft
[19/10/2008|11:30] E:\Program Files\Common Files\Microsoft Shared
[29/10/2004|15:32] E:\Program Files\Common Files\MSSoap
[29/10/2004|16:21] E:\Program Files\Common Files\ODBC
[29/10/2004|21:09] E:\Program Files\Common Files\PocketSoft
[29/10/2004|15:32] E:\Program Files\Common Files\Services
[29/10/2004|16:21] E:\Program Files\Common Files\SpeechEngines
[01/05/2008|13:44] E:\Program Files\Common Files\System
[03/08/2008|15:21] E:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 20 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\nsb8B.tmp
E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\nsuC.exe
E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\nsw8C.tmp

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 22:21:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: E:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV]



[F:49][D:8]-> E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp
[F:2][D:0]-> E:\DOCUME~1\DAVEMU~1\Cookies
[F:2][D:1]-> E:\DOCUME~1\DAVEMU~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "E:\Lop SD\LopR_1.txt" - 24/10/2008|22:22 - Option : [1]

--------------------\\ Scan completed at 22:22:11

#13 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello Onderdole,

I found what I was looking for :)

Let's go on.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Regards,
Egwene.

#14 Onderdole (Topic Starter, Member, 20 posts)
Egwene,

I'm glad we can proceed.

I have to travel to France today and will not be back until Tuesday evening.

So please keep the thread open until then.

Tuesday evening I will do the tests and post the logs.

Regards,

Dave

#15 Onderdole (Topic Starter, Member, 20 posts)
Egwene

I'm back; here is the ComboFix log:

ComboFix 08-10-28.01 - Dave Murphy 2008-10-28 21:38:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.744 [GMT 0:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\Dave Murphy\Application Data\rhcg1bj0ea58
E:\WINDOWS\Fonts\acrsecB.fon
E:\WINDOWS\Fonts\acrsecI.fon
E:\WINDOWS\IE4 Error Log.txt
E:\WINDOWS\system32\dao350.dll
E:\WINDOWS\system32\dcdbda9_z.dll
E:\WINDOWS\system32\DelSelf.bat
E:\WINDOWS\system32\drivers\TDSSpqxt.sys
E:\WINDOWS\system32\mdm.exe
E:\WINDOWS\system32\MSINET.oca
E:\WINDOWS\system32\setup.ini
E:\WINDOWS\system32\TDSSbubx.log
E:\WINDOWS\system32\TDSSciou.dll
E:\WINDOWS\system32\TDSSfpmp.dll
E:\WINDOWS\system32\TDSSliqp.dll
E:\WINDOWS\system32\TDSSnmxh.log
E:\WINDOWS\system32\TDSSnrse.dll
E:\WINDOWS\system32\TDSSoeqh.dll
E:\WINDOWS\system32\TDSSosvn.dat
E:\WINDOWS\system32\TDSSsbhc.dll
E:\WINDOWS\system32\TDSSthym.dll
E:\WINDOWS\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv
-------\Legacy_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-24 21:19 . 2008-10-24 21:22 <DIR> d-------- E:\Lop SD
2008-10-23 23:33 . 2008-10-22 01:19 <DIR> d-------- E:\SDFix
2008-10-22 20:18 . 2008-10-22 20:18 <DIR> d-------- E:\rsit
2008-10-21 19:46 . 2008-10-23 23:45 1,943 --a------ E:\WINDOWS\imsins.BAK
2008-10-21 19:45 . 2007-03-08 13:47 1,843,584 -----c--- E:\WINDOWS\system32\dllcache\win32k.sys
2008-10-21 19:45 . 2007-03-08 15:36 577,536 -----c--- E:\WINDOWS\system32\dllcache\user32.dll
2008-10-21 19:45 . 2007-03-08 15:36 281,600 -----c--- E:\WINDOWS\system32\dllcache\gdi32.dll
2008-10-21 19:45 . 2007-03-08 15:36 40,960 -----c--- E:\WINDOWS\system32\dllcache\mf3216.dll
2008-10-20 15:41 . 2008-04-27 12:23 1,603 --a------ E:\Remote Assistance.lnk
2008-10-20 15:41 . 2008-04-27 12:23 796 --a------ E:\Windows Media Player.lnk
2008-10-20 15:41 . 2008-04-27 12:23 206 --ahs---- E:\desktop.ini
2008-10-19 10:30 . 2008-10-19 10:30 <DIR> d-------- E:\Program Files\AVG
2008-10-18 23:51 . 2008-10-18 23:51 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-10-18 23:51 . 2008-10-18 23:51 1,409 --a------ E:\WINDOWS\QTFont.for
2008-10-18 23:29 . 2008-10-18 23:29 <DIR> d-------- E:\!KillBox
2008-10-18 23:16 . 2008-10-18 23:16 <DIR> d-------- E:\Program Files\Trend Micro
2008-10-18 23:02 . 2008-10-18 23:03 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-10-18 21:15 . 2001-08-23 12:00 4,224 --a------ E:\WINDOWS\system32\drivers\beep.sys
2008-10-18 21:15 . 2001-08-23 12:00 4,224 --a--c--- E:\WINDOWS\system32\dllcache\beep.sys
2008-10-18 20:26 . 2008-10-19 16:02 1,048,576,000 --a------ E:\WINDOWS\MEMORY.DMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 10:26 --------- d-----w E:\Program Files\Paint Shop Pro 6
2008-10-22 08:14 --------- d-----w E:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg8
2008-10-19 14:38 --------- d-----w E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-10-18 23:51 --------- d-----w E:\Program Files\Web Publish
2008-10-18 23:51 --------- d-----w E:\Program Files\QuickTime
2008-10-18 23:51 --------- d-----w E:\Program Files\CCleaner
2008-10-18 23:50 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-10-18 23:48 --------- d-----w E:\Program Files\GameSpy Arcade
2008-10-18 23:48 --------- d-----w E:\Program Files\DivX
2008-10-18 23:45 --------- d-----w E:\Program Files\Common Files\Adobe
2008-10-02 13:44 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-10-01 15:02 --------- d-----w E:\Program Files\McDonaldsDragons
2008-09-24 15:47 --------- d-----w E:\Program Files\McDonaldsFairies
2008-09-02 20:50 15,648 ----a-w E:\WINDOWS\system32\drivers\NSDriver.sys
2008-09-02 20:50 15,648 ----a-w E:\WINDOWS\system32\drivers\AWRTRD.sys
2008-09-02 20:50 12,960 ----a-w E:\WINDOWS\system32\drivers\AWRTPD.sys
2008-09-02 20:44 --------- d-----w E:\Program Files\Lavasoft
2008-07-19 08:23 36,936 ----a-w E:\Documents and Settings\Dave Murphy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 00:50 7,168 --sha-w E:\Program Files\Thumbs.db
2005-03-08 18:50 22,264 ----a-w E:\Program Files\keys.dat
2004-07-08 23:15 1,078 ------w E:\Program Files\gamespy.ico
2004-11-09 20:26 8,192 --sha-w E:\WINDOWS\o2cLicStore.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"HijackThis startup scan"="E:\Program Files\Trend Micro\HijackThis\HijackThis.exe" [2008-10-18 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2004-06-13 98352]
"ashMaiSv"="E:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [2004-06-13 200752]

E:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DSLMON.lnk - E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2004-10-29 962663]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIXL"= pclepixl.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.NTN1"= Nuvision.ax
"MSVIDEO"= pctvcap.dll
"vidc.vixl"= miroxl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 aliidex;aliidex;E:\WINDOWS\system32\drivers\aliidex.sys [2003-03-06 7040]
R0 aliperf;aliperf;E:\WINDOWS\system32\drivers\aliperf.sys [2003-01-16 7168]
R0 uliagpkx;ULi AGP Bus Filter Driver;E:\WINDOWS\system32\DRIVERS\agpkx.sys [2004-07-08 44928]
R0 videX32;videX32;E:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 9216]
R0 xfilt;VIA SATA IDE Hot-plug Driver;E:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17920]
R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 ess;ESS Audio Driver (WDM);E:\WINDOWS\system32\drivers\ess.sys [2001-08-17 63360]
S3 gwiopm;gwiopm;E:\Program Files\Unknown Device Identifier\gwiopm.sys [ ]
S3 jatmlano;jatmlano;E:\DOCUME~1\DAVEMU~1\LOCALS~1\Temp\jatmlano.sys [ ]
S3 NUVision;Studio OnLine;E:\WINDOWS\system32\DRIVERS\NUVision.sys [2000-07-16 136352]
S3 ULI5261;ULi Based Ethernet NT Driver;E:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-07-26 29696]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;E:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]
S3 WinDMI;WinDMI;E:\Program Files\AOpen\WinDMI\windmidrv.SYS [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cfb80e1-29b9-11d9-b9e9-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67b3ddcf-1459-11dd-85c0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d428d6cf-8aed-11d9-a15f-806d6172696f}]
\Shell\AutoRun\command - D:\dsetup.exe

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-TDSSpqxt.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\DOCUME~1\DAVEMU~1\APPLIC~1\Mozilla\Firefox\Profiles\jhl0qwei.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ukclimbing.com/forums/
FF -: plugin - E:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 21:40:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
Completion time: 2008-10-28 21:42:40
ComboFix-quarantined-files.txt 2008-10-28 21:42:37

Pre-Run: 47,853,907,968 bytes free
Post-Run: 47,841,632,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
E:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

164 --- E O F --- 2008-10-21 19:47:18
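The two logs in this thread show the same rootkit from three angles: Lop S&D found LEGACY_TDSSSERV under Enum\Root in ControlSet002, ControlSet005 and CurrentControlSet; ComboFix deleted the TDSSserv service (image TDSSpqxt.sys), removed a "SafeBoot-TDSSpqxt.sys" orphan, and listed Security Center with AntiVirusDisableNotify and UpdatesDisableNotify set to 1. As an added example (not part of this thread, and not Lop S&D's or ComboFix's own code), the script below reads a registry export in .reg text form and reports those four kinds of indicator. The sample registry text, the "TDSS" prefix used as the indicator, and the function names are my own assumptions; the sample is constructed to mirror the keys named in the logs, not copied from a real export.

```python
"""Triage a Windows .reg export for the TDSS ("Tibs") indicators seen in this
thread.  Added example; the sample registry text below is constructed to mirror
the keys named in the Lop S&D and ComboFix logs, not taken from a real export."""
import re

# Indicator from the thread: service, driver and DLL names all start with "TDSS"
# followed by four random letters (TDSSserv, TDSSpqxt.sys, TDSSciou.dll, ...).
IOC_PREFIX = "TDSS"

# Constructed sample, modelled on the logs above.  Real exports escape "\" as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"ImagePath"="\\systemroot\\system32\\drivers\\TDSSpqxt.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSpqxt.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (strings unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3).strip()
            if data.startswith('"') and data.endswith('"'):      # REG_SZ
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def _dword(data):
    """dword:00000001 -> 1; anything that is not a dword -> None."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def triage(keys, prefix=IOC_PREFIX):
    """Collect rootkit indicators; every list is empty for a clean export."""
    pfx = prefix.lower()
    f = {"legacy_enum": [], "services": [], "safeboot": [], "security_center": []}
    for path, values in keys.items():
        parts = path.split("\\")
        low = [p.lower() for p in parts]
        # 1. Enum\Root\LEGACY_<service>: Windows keeps one per control set, so a
        #    cleanup of CurrentControlSet alone leaves the others (cf. the Lop log).
        if len(parts) >= 6 and low[-3:-1] == ["enum", "root"] \
                and low[-1].startswith("legacy_" + pfx):
            f["legacy_enum"].append((parts[2], parts[-1]))
        # 2. Services\<name> whose name or driver file name carries the prefix.
        if len(parts) >= 5 and low[-2] == "services":
            image = values.get("ImagePath", "")
            base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if low[-1].startswith(pfx) or base.startswith(pfx):
                f["services"].append((parts[2], parts[-1], image))
        # 3. SafeBoot\Minimal|Network\<driver>: anything listed here is loaded in
        #    Safe Mode too, so "boot safe and clean" does not avoid it.
        if "safeboot" in low and low[-1].startswith(pfx):
            f["safeboot"].append((parts[-2], parts[-1]))
        # 4. Security Center *DisableNotify = 1 silences the AV/update warnings.
        if low[-1] == "security center":
            for name, data in values.items():
                if name.lower().endswith("disablenotify") and _dword(data) == 1:
                    f["security_center"].append(name)
    return f


def report(findings):
    """Human-readable summary, one line per finding."""
    lines = []
    for cs, key in findings["legacy_enum"]:
        lines.append(f"LEGACY enum key {key} in {cs}")
    for cs, svc, image in findings["services"]:
        lines.append(f"service {svc} in {cs} -> {image}")
    for profile, drv in findings["safeboot"]:
        lines.append(f"SafeBoot\\{profile} loads {drv}")
    for name in findings["security_center"]:
        lines.append(f"Security Center {name} = 1")
    return lines or ["no indicators found"]


if __name__ == "__main__":
    print("\n".join(report(triage(parse_reg(SAMPLE_REG)))))
```

On a real machine you would feed it the output of `reg export HKLM\SYSTEM` and `reg export "HKLM\SOFTWARE\Microsoft\Security Center"` saved as text. Two practical points follow from the logs above: the LEGACY_ enum keys are duplicated per control set, so a fix that only edits CurrentControlSet leaves copies behind (Lop S&D listed three), and a driver registered under SafeBoot\Minimal is part of the Safe Mode boot, which is why a SafeBoot entry for a rootkit driver is worth reporting on its own.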