
Please help TDSS Trojans & Hijackthis Log


  • This topic is locked
17 replies to this topic

#1 4me2know

4me2know

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 25 October 2008 - 07:44 AM

My computer began acting very strangely (even for Vista Home Premium) earlier. In addition to its sluggish performance, Google searches in Internet Explorer turned up unsolicited advertising sites and phony virus scans. Plus notepad.exe hung up when you tried to save a .TXT file. AVG Anti-Rootkit found and removed about six hidden TDSS rootkits, including TDSS.crrx.dll.
However, Malwarebytes Anti-Malware still found them and removed them. A second test with Malwarebytes Anti-Malware no longer detected them.
I ran 2 online AV/Trojan scanners but they shut down before giving me a report.

I also ran:
CCleaner, NOD32 AV, Ad-Aware SE Plus, AVG Anti-Spyware, Stinger and Spybot.

After running Spybot, I got an error message that Config.NT was missing from system32/commandcom. I replaced Config.NT from a Windows XP OS and ran SFC /Scannow, which hopefully fixed that.

Please let me know if there is still any malware and if any processes that are running could be removed to improve performance.

Thanks for your help. :thumbsup:

Here are some logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:02 AM, on 10/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\werfault.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Les\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [c:\Windows\System32\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient] c:\Windows\System32\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~2\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~2\BELKIN~3.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

End of file - 6333 bytes

---------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1316
Windows 6.0.6001 Service Pack 1

10/25/2008 4:28:52 AM
mbam-log-2008-10-25 (04-28-43).txt

Scan type: Quick Scan
Objects scanned: 45133
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\av.dat (Trojan.FakeAlert) -> No action taken.
C:\Users\Les\AppData\Local\Temp\TDSS5769.tmp (Trojan.Agent) -> No action taken.
C:\Users\Les\AppData\Local\Temp\TDSS5778.tmp (Trojan.Agent) -> No action taken.
----------------------------------------------------------------------------------------------------

Edited by 4me2know, 25 October 2008 - 07:54 AM.
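As an added example (not a BleepingComputer tool and not code from this thread), the Python below parses HijackThis v2 entries like the ones in the log above into (section code, body) pairs and applies the triage rules a helper applies by eye: a non-empty O20 AppInit_DLLs entry, an entry whose file is missing, an O4 autorun that goes through rundll32, a service with no owner string, a hosts line that is not loopback, R0/R1 URLs that are not Microsoft's fwlink defaults, and any name starting with TDSS. The sample input is constructed: it copies a handful of lines from the posted log and adds one hypothetical O23 line for a TDSSserv service (ComboFix later removed a TDSSserv.sys service, but no such HijackThis line appears in the thread). Flagged entries are items to review, not verdicts; guard32.dll, for instance, belongs to the COMODO firewall that is also listed in the log.

```python
"""Triage HijackThis v2 log entries. Added example; not a BleepingComputer
tool and not code from this thread."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the log posted above, plus ONE
# hypothetical O23 line at the end showing what a TDSSserv service entry would
# look like (no such line exists in the thread; it exercises the TDSS rule).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll (file missing)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TDSSserv (TDSSserv) - Unknown owner - C:\Windows\system32\TDSSserv.sys
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
MS_DEFAULT = "go.microsoft.com/fwlink"
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Entry:
    code: str   # section, e.g. "O20"
    body: str   # everything after " - "


def parse_hjt(text: str) -> list:
    """Return the R/O entries of a HijackThis log in file order; header and
    'Running processes' lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"].strip()))
    return entries


def triage(entries) -> list:
    """Return (code, reason, body) tuples for entries a helper should look at.
    These are review prompts, not verdicts: a flagged AppInit_DLLs entry can be
    a legitimate security product just as easily as a rootkit loader."""
    findings = []
    for e in entries:
        reasons = []
        if re.search(r"\bTDSS", e.body, re.I):
            reasons.append("name matches the TDSS family the scanners reported")
        if e.code in ("R0", "R1") and "=" in e.body:
            value = e.body.split("=", 1)[1].strip().lower()
            if value.startswith("http") and MS_DEFAULT not in value:
                reasons.append("IE start/search URL is not the Microsoft default")
        if e.code == "O1":
            host_ip = e.body.split(":", 1)[1].split()[0]   # "Hosts: <ip> <name>"
            if host_ip not in LOOPBACK:
                reasons.append("hosts entry points a name at a non-loopback address")
        if e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            if e.body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs injects this DLL into every user-mode process; confirm the vendor")
        if "(file missing)" in e.body:
            reasons.append("orphaned entry: the referenced file is gone")
        if e.code == "O4" and re.search(r"rundll32(\.exe)?\s", e.body, re.I):
            reasons.append("rundll32 autorun: verify the DLL path and the export it calls")
        if e.code == "O23" and "Unknown owner" in e.body:
            reasons.append("service with no owner string; check the binary's signature")
        findings.extend((e.code, r, e.body) for r in reasons)
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:4} {reason}\n     {body}")
```

Run against the sample, the two R-lines and the hosts line pass clean, while the orphaned Acer toolbar, the NVIDIA rundll32 autorun, the AppInit_DLLs entry and the hypothetical TDSSserv service come back for review; the NOD32 service is not flagged because it names its vendor.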


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:54 PM

Posted 25 October 2008 - 06:40 PM

Hello, 4me2know.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will no longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general-purpose malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 25 October 2008 - 06:41 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 4me2know

4me2know
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 26 October 2008 - 02:28 PM

Thanks Billy. I will post ComboFix.txt ASAP. I hope it does not screw up my computer's boot as the only way I can recover is to bring my computer to factory without all my programs.

Edited by 4me2know, 26 October 2008 - 02:28 PM.


#4 4me2know

4me2know
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 26 October 2008 - 04:48 PM

I am in deep trouble after running ComboFix as instructed!!! I really appreciate your help. Apparently, I am the 1 in 100 and my computer will not boot.
It gives me a message such as "A recent hardware change damaged your computer. 1. Insert Windows installation disk and restart your computer. 2. Choose your language. 3. Repair computer. File: \Windows\system32\config\system. Status: 0xC000014C. Registry file missing or corrupt."

I do not have a windows vista home premium system disk as it came preinstalled with my month old Acer computer.

I did replace the 250 GB hard disk with a 1 TB, which fortunately was cloned. However I have installed a lot of new programs after the clone.

So I temporarily removed my data/programs install disk 500MB and reinstalled from the original Acer drive. I can access the 1TB drive, which will not boot.

I need to find out how to restore the 1TB drive to the restore point that ComboFix set. Log follows.

I did do a Malwarebytes Anti-Malware scan on the Acer drive and unfortunately it too was infected. I had all removed. Log follows.

Combofix.Txt:
ComboFix 08-10-25.01 - Les 2008-10-26 15:32:26.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1670 [GMT -4:00]
Running from: C:\Users\Les\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

----------------------------------------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1324
Windows 6.0.6001 Service Pack 1

10/26/2008 5:16:07 PM
mbam-log-2008-10-26 (17-16-07).txt

Scan type: Quick Scan
Objects scanned: 43744
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\ssdpsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Thanks for your help!!!!!

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:54 PM

Posted 26 October 2008 - 06:35 PM

Alrighty.. please give me some time to talk with my colleagues on this one. We may be able to restore the original installation to working order :thumbsup:

But I'd like to get some others' opinions on how to move forward before I proceed :)

Thanks!

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 4me2know

4me2know
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 26 October 2008 - 07:04 PM

I fixed the boot, thank G-D!!! I hope there are no additional problems caused by ComboFix.

I found a Windows Vista recovery disk ISO torrent on the Internet, seeded it, downloaded it and burnt it to disk. When I ran Repair it fixed the boot and ComboFix completed. Acer could have supplied that disk. What would it have cost them? 50 cents? MS provides it free.

Here is the ComboFix log:

ComboFix 08-10-25.01 - Les 2008-10-26 15:32:26.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1670 [GMT -4:00]
Running from: C:\Users\Les\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\systeminfo.dll
F:\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS)
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-26 19:42 . 2008-10-26 19:43 655,498,238 --a------ C:\Windows\MEMORY.DMP
2008-10-26 09:35 . 2008-10-26 09:35 <DIR> d-------- C:\Users\All Users\NtiDvdCopy
2008-10-26 09:35 . 2008-10-26 09:35 <DIR> d-------- C:\ProgramData\NtiDvdCopy
2008-10-26 09:28 . 2008-10-26 09:28 <DIR> d-------- C:\Users\Les\Option
2008-10-26 09:16 . 2008-10-26 09:16 <DIR> d-------- C:\Users\All Users\BlazeVideo
2008-10-26 09:16 . 2008-10-26 09:16 <DIR> d-------- C:\ProgramData\BlazeVideo
2008-10-26 09:11 . 2008-10-26 09:11 <DIR> d-------- C:\Program Files\NTI
2008-10-26 09:06 . 2008-10-26 09:09 <DIR> d-------- C:\Program Files\NewTech Infosystems
2008-10-26 09:06 . 2008-10-26 09:06 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-10-26 08:30 . 2008-10-26 08:30 0 --a------ C:\Windows\Jcmkr32.INI
2008-10-26 08:12 . 2008-10-26 08:12 <DIR> d-------- C:\Users\All Users\LightScribe
2008-10-26 08:12 . 2008-10-26 08:12 <DIR> d-------- C:\ProgramData\LightScribe
2008-10-26 05:34 . 2008-10-26 05:34 17 --a------ C:\stinger- use!!!.opt
2008-10-26 03:35 . 2008-10-26 03:35 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-10-26 03:35 . 2008-10-26 03:35 1,024 --------- C:\Windows\System32\NTIBUN4.dll
2008-10-26 03:33 . 2008-10-26 08:34 <DIR> d-------- C:\Windows\Downloaded Installations
2008-10-25 07:52 . 2005-04-14 16:27 2,577 --------- C:\Windows\System32\CONFIG.NT
2008-10-25 07:08 . 2008-10-25 07:08 366 --a------ C:\Windows\wininit.ini
2008-10-25 07:02 . 2008-10-25 05:18 2,482,695 --a------ C:\stinger- USE!!!.exe
2008-10-25 07:00 . 2008-10-25 07:00 <DIR> d-------- C:\Users\Les\Pavark
2008-10-25 06:37 . 2008-10-25 06:37 2,335,270 --------- C:\Windows\System32\acc87F6.mht
2008-10-25 05:29 . 2008-10-25 05:52 <DIR> d-------- C:\Windows\BDOSCAN8
2008-10-25 05:22 . 2008-10-25 05:34 <DIR> d-------- C:\Users\Les\.housecall6.6
2008-10-25 05:22 . 2008-10-25 05:22 102,664 --------- C:\Windows\System32\drivers\tmcomm.sys
2008-10-25 05:21 . 2008-10-25 05:21 <DIR> d-------- C:\Windows\Sun
2008-10-25 05:09 . 2008-10-25 05:13 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-10-25 05:09 . 2008-10-25 05:13 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-10-25 05:09 . 2008-10-25 06:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-25 05:07 . 2008-10-25 05:07 15,083,520 --a------ C:\spybotsd160.exe
2008-10-25 02:12 . 2008-10-25 02:12 <DIR> d-------- C:\Program Files\Easy Video Splitter
2008-10-25 01:47 . 2008-10-25 01:47 <DIR> d-------- C:\Users\Les\AppData\Roaming\NCH Software
2008-10-24 22:53 . 2008-10-24 22:53 4,117 --------- C:\Windows\System32\TDSSpone.lo_
2008-10-24 22:51 . 2008-10-25 04:01 1,520,387 --------- C:\Windows\System32\TDSSnyfn.lo_
2008-10-24 22:48 . 2008-10-25 03:34 2,760 --------- C:\Windows\System32\TDSSfopt.dl_
2008-10-24 22:47 . 2008-10-24 22:47 164 --------- C:\Windows\System32\TDSSwqsc.da_
2008-10-24 06:25 . 2008-10-24 06:25 <DIR> d-------- C:\Users\All Users\Yahoo! Companion
2008-10-24 06:25 . 2008-10-24 06:25 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-10-24 06:18 . 2008-10-24 06:18 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-23 03:05 . 2008-10-23 19:05 <DIR> d-------- C:\4dfac4ba0e3a94b4e07590118b43
2008-10-22 03:00 . 2008-10-22 19:00 <DIR> d-------- C:\4a7ca470e02a9f3e2108b4
2008-10-17 03:10 . 2008-10-17 03:46 <DIR> d-------- C:\Windows\SQLTools9_KB948109_ENU
2008-10-17 03:03 . 2008-10-17 03:43 <DIR> d-------- C:\Windows\SQL9_KB948109_ENU
2008-10-16 07:32 . 2008-10-17 03:13 422 --------- C:\Windows\System32\mapisvc.inf
2008-10-16 07:28 . 2008-10-16 07:33 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-10-16 07:27 . 2008-10-16 07:27 5,200 --------- C:\Windows\System32\PerfStringBackup.TMP
2008-10-16 07:23 . 2008-10-17 03:46 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-10-16 07:17 . 2008-10-16 07:17 <DIR> d-------- C:\Program Files\Microsoft Works
2008-10-16 07:15 . 2008-10-16 07:15 <DIR> d-------- C:\Windows\PCHEALTH
2008-10-16 07:15 . 2008-10-16 07:25 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-10-16 07:13 . 2008-10-16 07:13 <DIR> dr-h----- C:\MSOCache
2008-10-16 03:16 . 2008-10-16 03:16 <DIR> d-------- C:\Users\All Users\Applications
2008-10-16 03:16 . 2008-10-16 03:16 <DIR> d-------- C:\ProgramData\Applications
2008-10-16 01:02 . 2008-08-05 05:49 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-10-16 01:02 . 2008-08-05 05:49 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-10-16 01:02 . 2008-08-05 05:48 217,088 --a------ C:\Windows\System32\psisrndr.ax
2008-10-16 01:02 . 2008-08-05 05:48 177,664 --a------ C:\Windows\System32\mpg2splt.ax
2008-10-16 01:02 . 2008-08-05 05:48 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-10-16 00:33 . 2008-09-17 22:16 2,032,640 --a------ C:\Windows\System32\win32k.sys
2008-10-16 00:33 . 2008-08-26 21:06 288,768 --a------ C:\Windows\System32\drivers\srv.sys
2008-10-16 00:32 . 2008-09-18 01:09 3,601,464 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-10-16 00:32 . 2008-09-18 01:09 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-10-16 00:31 . 2008-10-01 21:32 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-10-16 00:31 . 2008-10-01 23:49 827,392 --a------ C:\Windows\System32\wininet.dll
2008-10-16 00:21 . 2008-10-16 00:23 <DIR> d-------- C:\Program Files\Microsoft Office 2007old
2008-10-14 22:51 . 2008-10-14 22:51 <DIR> d-------- C:\Users\All Users\NCH Software
2008-10-14 22:51 . 2008-10-14 22:51 <DIR> d-------- C:\ProgramData\NCH Software
2008-10-14 22:50 . 2008-10-25 01:48 <DIR> d-------- C:\Program Files\NCH Software
2008-10-11 12:46 . 2008-10-11 12:48 <DIR> d-------- C:\Users\Les\AppData\Roaming\vlc
2008-10-11 12:45 . 2008-10-11 12:45 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-11 12:10 . 2008-10-11 12:10 <DIR> d-------- C:\Users\All Users\GRETECH
2008-10-11 12:10 . 2008-10-11 12:10 <DIR> d-------- C:\ProgramData\GRETECH
2008-10-11 12:08 . 2008-10-11 12:08 <DIR> d-------- C:\Users\Les\AppData\Roaming\GRETECH
2008-10-11 12:08 . 2008-10-11 12:08 <DIR> d-------- C:\Program Files\GRETECH
2008-10-10 13:46 . 2008-10-10 13:46 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-10-10 13:40 . 2008-10-10 13:40 <DIR> d-------- C:\Users\All Users\VistaCodecs
2008-10-10 13:40 . 2008-10-10 13:40 <DIR> d-------- C:\ProgramData\VistaCodecs
2008-10-10 02:30 . 2008-10-10 02:30 <DIR> d-------- C:\Users\Les\AppData\Roaming\Move Networks
2008-10-09 16:27 . 2008-10-09 16:27 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-10-09 16:27 . 2008-10-09 16:27 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-10-09 03:38 . 2008-07-30 21:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-10-09 03:38 . 2008-03-08 00:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-10-09 03:38 . 2008-07-30 23:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-10-09 03:35 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-10-09 03:20 . 2008-10-09 03:20 <DIR> d-------- C:\NVIDIA
2008-10-09 03:19 . 2008-10-09 03:19 <DIR> d-------- C:\Users\Les\AppData\Roaming\Media Player Classic
2008-10-08 00:54 . 2008-10-08 00:54 <DIR> d-------- C:\Program Files\Teorex
2008-10-06 03:58 . 2008-10-06 03:58 <DIR> d-------- C:\Windows\Profiles
2008-10-01 12:03 . 2008-10-01 12:03 <DIR> d-------- C:\Program Files\FLV Player
2008-09-28 20:59 . 2008-10-24 02:15 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-28 02:44 . 2008-10-24 04:24 <DIR> d-------- C:\Program Files\Agent
2008-09-28 00:07 . 2008-10-06 03:57 <DIR> d-------- C:\Users\Les\AppData\Roaming\Orbit
2008-09-28 00:07 . 2008-09-28 00:07 <DIR> d-------- C:\Users\Les\AppData\Roaming\GrabPro
2008-09-28 00:07 . 2008-10-05 13:24 <DIR> d-------- C:\downloads
2008-09-27 14:18 . 2008-09-27 14:18 0 --------- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 15:18 --------- d-----w C:\Program Files\Belkin Automatic Power Management Software
2008-10-26 13:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-26 12:59 --------- d-----w C:\Program Files\Common Files\NewTech Infosystems
2008-10-25 11:08 --------- d-----w C:\Program Files\NoAdware5.0
2008-10-25 08:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-10-25 03:26 --------- d-----w C:\Program Files\Incomplete
2008-10-25 02:37 --------- d-----w C:\Users\Les\AppData\Roaming\LimeWire
2008-10-23 07:04 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-22 20:10 38,496 ------w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-10-22 20:10 15,504 ------w C:\Windows\system32\drivers\mbam.sys
2008-10-16 05:33 --------- d-----w C:\Program Files\Windows Mail
2008-10-16 02:23 --------- d-----w C:\ProgramData\NVIDIA
2008-10-15 15:49 --------- d-----w C:\Program Files\Movie Converter V3
2008-10-11 04:49 --------- d-----w C:\Program Files\7-Zip
2008-10-10 17:45 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-10-04 10:15 --------- d-----w C:\ProgramData\Google Updater
2008-09-25 03:13 --------- d-----w C:\Program Files\Movie Joiner
2008-09-25 03:11 --------- d---a-w C:\ProgramData\TEMP
2008-09-25 02:09 --------- d-----w C:\Program Files\Easy Video Joiner
2008-09-24 06:19 174 --sha-w C:\Program Files\desktop.ini
2008-09-24 06:11 0 ------w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-24 05:52 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-24 05:52 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-09-24 05:52 --------- d-----w C:\Program Files\Windows Journal
2008-09-24 05:52 --------- d-----w C:\Program Files\Windows Collaboration
2008-09-24 05:52 --------- d-----w C:\Program Files\Windows Calendar
2008-09-24 05:51 --------- d-----w C:\Program Files\Windows Defender
2008-09-22 01:41 --------- d-----w C:\Program Files\AxMan
2008-09-21 02:58 --------- d-----w C:\Program Files\ESET
2008-09-21 02:08 --------- d-----w C:\Program Files\G-Spot Codec Checker
2008-09-21 01:58 --------- d-----w C:\Program Files\WCMD
2008-09-20 23:02 --------- d-----w C:\Users\Les\AppData\Roaming\U3
2008-09-19 09:25 --------- d-----w C:\Program Files\Microtek
2008-09-19 05:23 --------- d-----w C:\Users\Les\AppData\Roaming\Malwarebytes
2008-09-19 05:22 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-19 05:09 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-19 05:08 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-09-19 05:07 --------- d-----w C:\Users\Les\AppData\Roaming\SUPERAntiSpyware.com
2008-09-19 05:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-19 04:52 --------- d-----w C:\Users\Les\AppData\Roaming\Grisoft
2008-09-19 04:51 --------- d-----w C:\ProgramData\Grisoft
2008-09-19 04:14 --------- d-----w C:\Users\Les\AppData\Roaming\Lavasoft
2008-09-19 04:13 --------- d-----w C:\Program Files\Lavasoft
2008-09-18 01:27 --------- d--h--w C:\Program Files\Zero G Registry
2008-09-18 01:24 --------- d-----w C:\Program Files\Belkin Bulldog Plus
2008-09-18 00:54 53,448 ----a-w C:\Windows\System32\wuauclt.exe
2008-09-18 00:54 45,768 ----a-w C:\Windows\System32\wups2.dll
2008-09-18 00:54 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
2008-09-18 00:54 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
2008-09-18 00:53 83,456 ----a-w C:\Windows\System32\wudriver.dll
2008-09-18 00:53 563,912 ----a-w C:\Windows\System32\wuapi.dll
2008-09-18 00:53 36,552 ----a-w C:\Windows\System32\wups.dll
2008-09-18 00:53 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-09-18 00:53 163,904 ----a-w C:\Windows\System32\wuwebv.dll
2008-09-16 12:25 441,760 ------w C:\Windows\system32\drivers\timntr.sys
2008-09-16 12:25 44,384 ------w C:\Windows\system32\drivers\tifsfilt.sys
2008-09-16 12:25 368,480 ------w C:\Windows\system32\drivers\tdrpman.sys
2008-09-16 12:25 132,224 ------w C:\Windows\system32\drivers\snapman.sys
2008-09-16 12:25 --------- d-----w C:\ProgramData\Seagate
2008-09-16 12:25 --------- d-----w C:\Program Files\Seagate
2008-09-16 12:25 --------- d-----w C:\Program Files\Common Files\Seagate
2008-09-16 08:14 --------- d-----w C:\Program Files\LimeWire
2008-09-16 07:01 --------- d-----w C:\Program Files\QuickTime
2008-09-16 07:00 --------- d-----w C:\ProgramData\Apple Computer
2008-09-16 07:00 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-16 06:56 --------- d-----w C:\ProgramData\Apple
2008-09-16 06:56 --------- d-----w C:\Program Files\Apple Software Update
2008-09-16 06:21 --------- d-----w C:\Program Files\Java
2008-09-16 06:19 --------- d-----w C:\Program Files\Common Files\Java
2008-09-15 23:25 --------- d-----w C:\Program Files\DFX
2008-09-15 07:02 269,312 ----a-w C:\Windows\System32\es.dll
2008-09-15 03:57 --------- d-----w C:\Users\Les\AppData\Roaming\CyberLink
2008-09-15 03:57 --------- d-----w C:\ProgramData\CyberLink
2008-09-14 13:53 9,728 ----a-w C:\Windows\System32\ftlx041e.dll
2008-09-14 13:53 9,216 ----a-w C:\Windows\System32\ftlx0411.dll
2008-09-14 13:53 296,960 ----a-w C:\Windows\winhlp32.exe
2008-09-14 13:53 194,560 ----a-w C:\Windows\System32\ftsrch.dll
2008-09-14 13:37 --------- d-----w C:\Program Files\RegCleaner
2008-09-14 12:09 --------- d-----w C:\Program Files\Google
2008-09-14 10:24 --------- d-----w C:\Program Files\MediaMonkey
2008-09-14 10:20 83,136 ----a-w C:\Windows\UIActFax.exe
2008-09-14 10:20 69,632 ----a-w C:\Windows\UIActFax.dll
2008-09-14 10:20 435,392 ------w C:\Windows\System32\ActMonNT.dll
2008-09-14 10:20 --------- d-----w C:\Program Files\ActiveFax
2008-09-14 10:17 --------- d-----w C:\Program Files\CCleaner
2008-09-14 09:58 --------- d-----w C:\Program Files\Hugmot
2008-09-13 15:29 --------- d-----w C:\ProgramData\NOS
2008-09-13 15:29 --------- d-----w C:\Program Files\NOS
2008-09-13 14:54 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-09-13 14:54 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-09-13 14:54 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-09-13 14:54 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-09-13 14:48 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-09-13 14:47 303,616 ----a-w C:\Windows\System32\wmpeffects.dll
2008-09-13 14:45 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-13 14:40 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-09-13 14:36 988,216 ----a-w C:\Windows\System32\winload.exe
2008-09-13 14:36 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-09-13 14:36 615,992 ----a-w C:\Windows\System32\ci.dll
2008-09-13 14:36 6,656 ----a-w C:\Windows\System32\kbd106n.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-09-13 950664]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-09-13 1655552]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-06 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-06 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microtek ScanWizard 5 for Windows\Microtek Scanner Finder.lnk
backup=C:\Windows\pss\Microtek Scanner Finder.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
--a------ 2007-02-02 14:05 1261568 C:\Program Files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
--a------ 2007-01-24 13:27 319488 C:\Acer\Empowering Technology\SysMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
--a------ 2007-02-02 15:24 3383296 C:\Program Files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
--a------ 2007-02-15 21:39 151552 C:\Acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActiveFax Terminal Server]
--a------ 2008-09-14 06:20 410816 C:\Program Files\ActiveFax\Terminal\TSClientB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BelkinAPM]
--a------ 2008-09-17 21:27 114688 C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2008-06-24 19:52 1325848 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
--a------ 2007-02-07 03:04 464168 C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2007-04-06 02:21 8429568 C:\Windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2007-04-06 02:21 81920 C:\Windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
--a------ 2008-06-24 19:56 136472 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-10-09 07:43 729088 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-14 08:08 39408 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 03:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D076A7A1-08FA-481F-852B-D8A1F7DBE501}"= UDP:C:\Program Files\Acer Zone\Acer Zone Main Page\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DAE6A1BF-7D4F-4C94-8252-C11FAC5D69D5}"= TCP:C:\Program Files\Acer Zone\Acer Zone Main Page\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{9721F8A4-1E52-4DBF-A093-17BD36DA4F57}"= C:\Program Files\Acer Zone\Acer Picture Slide DVD\component\CLSLDVD.exe:Cyberlink Picture Slide DVD workprocess
"{402A78BD-B833-4746-ADA8-DA8DABEDE9EC}"= C:\Program Files\Acer Zone\Acer Plug and Record\component\ARAWP.exe:Cyberlink Plug and Record ARA workprocess
"{6939BB91-82E4-4F94-B5FC-260713182C88}"= C:\Program Files\Acer Zone\Acer Plug and Record\component\DVAX2Process.exe:Cyberlink Plug and Record AVAX workprocess
"{656DF53D-C75D-4367-9FFA-807DEDEA38D8}"= UDP:C:\Users\Les\AppData\Local\Temp\WZSE2.TMP\SymNRT.exe:Norton Removal Tool
"{785FB935-7BC2-46D9-B225-FAE76D48A0D9}"= TCP:C:\Users\Les\AppData\Local\Temp\WZSE2.TMP\SymNRT.exe:Norton Removal Tool
"{B19E179B-A890-4A0C-908D-EE9BFAF6750E}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{9FA8E316-EA32-418C-9461-4D7233A936EB}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{33CAA565-0005-452B-8A36-7F8D563AE876}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Pnp680;SiI 680 ATA Controller;C:\Windows\system32\DRIVERS\pnp680.sys [2006-06-20 59776]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\Windows\system32\DRIVERS\tdrpman.sys [2008-09-16 368480]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys [2008-09-13 85008]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys [2008-09-13 25104]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 BelkinAPMmonitor;BelkinAPMmonitor;C:\PROGRA~1\BELKIN~2\BELKIN~4.EXE [2008-09-17 114688]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-03-21 53248]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-03-07 131072]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 BelkinAPMRMI;BelkinAPMRMI;C:\PROGRA~1\BELKIN~2\BELKIN~3.EXE [2008-09-17 114688]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496]
S4 ActiveFaxServiceNT;ActiveFax-Server-Service;C:\Program Files\ActiveFax\Server\ActSrvNT.exe [2008-09-14 1479872]
S4 SgtSch2Svc;Seagate Scheduler2 Service;C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [2008-06-24 431384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = \blank.htm
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
R0 -: HKLM-Main,Local Page = f:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 19:44:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-26 19:47:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 23:47:35

Pre-Run: 382,570,573,824 bytes free
Post-Run: 381,567,414,272 bytes free

421 --- E O F --- 2008-10-25 07:01:14

#7 Billy O'Neal

Malware Response Team

Posted 26 October 2008 - 07:09 PM

Hello :thumbsup:

Can you please zip the following folders up?

C:\Windows\System32\Config\
C:\WINDOWS\ERDNT
C:\ComboFix
C:\qoobox


Once you've zipped those up, can you upload them here?
http://bleepingcomputer.com/submit-malware.php?channel=54

Thanks!!

Billy3

#8 4me2know

Posted 26 October 2008 - 07:10 PM

ComboFix Quarantine Txt:

2008-10-26 09:11:48 A------- 14 C:\Qoobox\Quarantine\C\Windows\System32\systeminfo.dll.vir
2008-10-26 15:31:00 A------- 58 C:\Qoobox\Quarantine\catchme.log
2008-10-26 15:39:03 A------- 3,748 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-26 15:39:15 A------- 1,094 C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.SYS).reg.dat
2008-10-26 15:39:16 A------- 2,704 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSserv.sys).reg.dat
2008-10-26 19:46:03 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-26 19:46:03 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-26 19:46:03 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-10-26 19:46:13 A------- 96 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Acer Tour.reg.dat (*)
2008-10-26 19:46:13 A------- 103 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-eRecoveryService.reg.dat (*)

(*) I think these are legitimate. What do I do to get them back?

Edited by 4me2know, 26 October 2008 - 07:14 PM.


#9 4me2know

Posted 26 October 2008 - 07:57 PM

Files sent. However, malware upload submissions failed for ERDNT.zip (15.7MB) and Config.zip (37.9MB). They could not be uploaded due to:
"Unknown error.
Error number."

C:/ComboFix could not be found on my computer. ComboFix.exe and ComboFix.txt were present.

Thank you.

Edited by 4me2know, 26 October 2008 - 07:58 PM.


#10 Billy O'Neal

Malware Response Team

Posted 26 October 2008 - 08:07 PM

Those are legitimate yes, but the files they were pointing to were already gone. Therefore they should be removed.

The files couldn't go up because they were too large. That's okay.. I think we'll be fine without them.

When was the last time (Other than combofix) that you completely rebooted the machine? Keep in mind the "power button" on vista machines is NOT a full reboot, only going to sleep.

Billy3

#11 4me2know

Posted 26 October 2008 - 10:08 PM

I reboot about 2-3 times a week - often for updates.

The computer is running much slower than before the crash and was freezing before the last reboot moments ago. I then disabled some startups and processes and am running sfc /scannow to check/repair damaged system files.

Any ideas?

Thanks for your help.

Edited by 4me2know, 26 October 2008 - 10:08 PM.


#12 4me2know

Posted 27 October 2008 - 06:36 PM

So has anyone analyzed the files? What do I need to do now? Thanks.

#13 Billy O'Neal

Malware Response Team

Posted 28 October 2008 - 03:09 PM

Hello, 4me2know.
I'm sorry that took so long.. ran into several issues last night :thumbsup:

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A new HijackThis log

Billy3

#14 4me2know

Posted 28 October 2008 - 03:38 PM

Will do. Thank you. Good luck with your college-application process!

#15 4me2know

Posted 29 October 2008 - 06:45 PM

ESET found nothing. Perhaps that's because I use their NOD32 AV. Thank you.

Here is my latest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:19 PM, on 10/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Ares\Ares.exe
N:\Downloads\AV-Trojan-Firewall-Cleaners\HiJackThis v2.02.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = f:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [c:\Windows\System32\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient] c:\Windows\System32\rundll32.exe C:\Windows\system32\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~2\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~2\BELKIN~3.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5220 bytes
