Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Brastke/antivirus 2009?


  • This topic is locked This topic is locked
18 replies to this topic

#1 Rjackson36

Rjackson36

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 24 November 2008 - 10:02 AM

Hello, I have tried for 2 days now to remove an incredibly pesky virus and to no avail. I'll try to remember all that I have done. What it is doing: will not let me run a variety of scanner software. Redirects all tech search links to other various sites or post a 404 message, your site for example redirects me to localhost. Will not let me update windows,or any antivirus/spyware software. Will not let system restore work. I have tried all programs in and out of "safe mode". Programs that did work: Adaware,PCcyllin,HJT (After re-naming) CCleaner,Stinger,RSIT. Programs that will not work. Upon clicking give me an hourglass that soon disappears but shows up as an active process in the Windows Task Manager: MBAM.exe, Spybot search and destroy,Windows system restore, OTscanit and gmer.

I hit the fix button on HJT upon finding: brastke.exe and karna.dat and manually removed the brastke.exe folder from windows/system32. This did stop the infection notices I was getting from the red circle with the white x on my taskbar. I never did download the program that it wanted me too.

Attached is the RSIT files. I hope I have explained it thoroughly enough. Please advise and thank you in advance!

Attached Files

  • Attached File  info.txt   21.26KB   9 downloads
  • Attached File  log.txt   28.62KB   24 downloads


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 AM

Posted 24 November 2008 - 05:00 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


Also post a new log from RSIT.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 24 November 2008 - 06:28 PM

Hello Sam , Thanks for your quick reply. I did as you instructed but unfortunately this program acted as some of the ones in my first post did. The hourglass shows up and then disappears and the program never loads. It does show up as an active process in task manager but does not start.
Please advise.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 AM

Posted 24 November 2008 - 06:53 PM

Ok, plan B.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.
    If Combofix does not run, rename it to cf.exe

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 24 November 2008 - 11:12 PM

Hey Sam, Good news and bad. Bad news: combofix would not load. Good news: I am back on my computer because I was able to load SDFix and run.
I'm sure there is more remants left over but here is my logs. This is a teriffic service your providing!!!!!!!
:thumbsup:




SDFix: Version 1.240
Run by Rick on Mon 11/24/2008 at 09:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\MSUPDTE.EXE - Deleted
C:\Documents and Settings\Rick\Favorites\Online Security Test.url - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\msupdte.exe - Deleted
C:\WINDOWS\system32\TDSSdxgp.dll - Deleted
C:\WINDOWS\system32\TDSSmtpe.dat - Deleted
C:\WINDOWS\system32\TDSSakao.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSotuu.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrxx.dll
Could Not Remove C:\WINDOWS\system32\TDSSyoqu.dll
Could Not Remove C:\WINDOWS\system32\TDSSnpur.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 21:43:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Rick\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe:*:Disabled:TiVo Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\TDSSotuu.dll Found
C:\WINDOWS\system32\TDSSnrxx.dll Found
C:\WINDOWS\system32\TDSSyoqu.dll Found
C:\WINDOWS\system32\TDSSnpur.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 4 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 17 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 17 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv1key.bak"
Fri 17 Mar 2006 20 A..H. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv2key.bak"
Tue 29 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 20 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 20 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!

---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of random's system information tool 1.04 (written by random/random)
Run by Rick at 2008-11-24 22:00:23
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (23%) free of 38 GB
Total RAM: 894 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:30 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\apache2triad\bin\apache.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\apache2triad\ftp\SlimFTPd.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\apache2triad\mail\bin\XMail.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Rick\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Rick.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bleepingcomputer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SlimFTPd - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 8526 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AntispywareBot Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-01-31 2554944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 479232]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-08 29744]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-13 68856]
"TivoTransfer"=C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe [2007-09-25 1195008]
"TivoNotify"=C:\Program Files\TiVo\Desktop\TiVoNotify.exe [2007-09-25 384000]
"TivoServer"=C:\Program Files\TiVo\Desktop\TiVoServer.exe [2007-09-25 1495040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-07-13 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\FlashGet.exe /min []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier]
C:\Documents and Settings\Rick\Local Settings\Application Data\VTShared\GCNotifier.exe [2008-01-25 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-08 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe [2004-10-14 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-11-30 1945600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
C:\Program Files\RssReader\RssReader.exe [2004-04-04 1077248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sect store]
C:\DOCUME~1\Rick\APPLIC~1\USERON~1\Intra Mp3.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-13 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-05-14 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2008-07-29 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoraTiVoConverter]
C:\Program Files\VideoraTiVoConverter\VideoraTiVoConverter.exe -t []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2004-11-04 237568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-07-14 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll [2008-10-03 6066176]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\TiVo\Desktop\TiVoServer.exe"="C:\Program Files\TiVo\Desktop\TiVoServer.exe:*:Disabled:TiVo Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-11-24 21:42:04 ----D---- C:\Documents and Settings\Rick\Application Data\WinRAR
2008-11-24 20:58:48 ----D---- C:\WINDOWS\ERUNT
2008-11-24 20:52:47 ----D---- C:\SDFix
2008-11-24 08:28:38 ----D---- C:\rsit
2008-11-24 08:03:15 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-23 18:02:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-23 17:22:16 ----A---- C:\WINDOWS\system32\stus.exe
2008-11-23 11:23:23 ----D---- C:\Documents and Settings\Rick\Application Data\Macromedia
2008-11-23 04:37:05 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-23 04:37:05 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 16:53:33 ----D---- C:\Documents and Settings\Rick\Application Data\AntispywareBot
2008-11-22 04:58:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-21 18:10:40 ----D---- C:\Program Files\CCleaner
2008-11-17 13:40:30 ----D---- C:\WINDOWS\LastGood(2)
2008-11-11 19:18:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-11 19:18:01 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-11 19:17:43 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-01 19:18:38 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-11-01 19:15:09 ----A---- C:\WINDOWS\system32\muweb.dll
2008-11-01 19:15:09 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-11-01 19:15:09 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-11-01 03:41:20 ----D---- C:\Program Files\Windows Live Toolbar
2008-11-01 03:39:58 ----SHDC---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-01 03:39:24 ----D---- C:\Documents and Settings\All Users\Application Data\WLInstaller

======List of files/folders modified in the last 1 months======

2008-11-24 21:56:26 ----SD---- C:\WINDOWS\Tasks
2008-11-24 21:55:32 ----D---- C:\WINDOWS\Temp
2008-11-24 21:53:33 ----D---- C:\WINDOWS\system32
2008-11-24 21:49:49 ----D---- C:\WINDOWS\Prefetch
2008-11-24 21:35:34 ----D---- C:\WINDOWS\system32\drivers
2008-11-24 21:33:47 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-24 21:10:56 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-11-24 20:58:48 ----D---- C:\WINDOWS
2008-11-24 20:53:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-24 07:07:41 ----D---- C:\Config.Msi
2008-11-24 05:37:13 ----D---- C:\Program Files\Google
2008-11-24 05:31:31 ----SHD---- C:\WINDOWS\Installer
2008-11-24 05:30:41 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-24 05:30:41 ----AD---- C:\Program Files
2008-11-23 17:24:57 ----D---- C:\Program Files\Mozilla Firefox
2008-11-23 13:20:48 ----SHD---- C:\RECYCLER
2008-11-23 09:16:29 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-11-22 16:43:22 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-22 16:43:22 ----D---- C:\WINDOWS\system32\FlashAX
2008-11-22 04:29:51 ----D---- C:\Program Files\Trend Micro
2008-11-21 18:11:50 ----D---- C:\WINDOWS\Debug
2008-11-21 18:11:48 ----D---- C:\WINDOWS\Minidump
2008-11-21 16:58:08 ----D---- C:\Program Files\AviSynth 2.5
2008-11-21 00:16:47 ----D---- C:\Program Files\Replay AV 8
2008-11-20 23:56:57 ----D---- C:\Program Files\HiDownload
2008-11-19 16:36:50 ----HD---- C:\WINDOWS\inf
2008-11-19 16:36:42 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-18 14:25:51 ----D---- C:\WINDOWS\system32\config
2008-11-18 14:25:15 ----D---- C:\WINDOWS\system32\wbem
2008-11-18 14:25:14 ----D---- C:\WINDOWS\Registration
2008-11-17 13:40:38 ----D---- C:\WINDOWS\Help
2008-11-11 19:18:12 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-11 19:16:58 ----D---- C:\WINDOWS\WinSxS
2008-11-11 07:23:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-10 07:27:08 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-06 04:29:56 ----D---- C:\Documents and Settings\Rick\Application Data\FileZilla
2008-11-03 18:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-01 18:30:32 ----SD---- C:\Documents and Settings\Rick\Application Data\Microsoft
2008-11-01 03:39:58 ----D---- C:\Program Files\Common Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2008-02-15 65936]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-08-16 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-08-16 1195448]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-07-14 1269760]
R3 BCM43XX;Wireless-G Notebook Adapter with SpeedBooster Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-12 371712]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-02-18 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-02-18 349696]
R3 catchme;catchme; \??\C:\DOCUME~1\Rick\LOCALS~1\Temp\catchme.sys []
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 odysseyIM4;Odyssey Network Agent Miniport; C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-05-18 173056]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2008-02-15 333328]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 pciinfo;HP Pci Information; \??\C:\DOCUME~1\Rick\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\APLMp50.sys [2006-11-28 28224]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2005-01-18 55320]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\CBTNDIS5.SYS []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-04-05 11512]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-04-05 173208]
S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-04-05 36984]
S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-04-05 47192]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-03-16 159488]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WscNetDr;WSC Filter Miniport; C:\WINDOWS\system32\DRIVERS\WscNetDr.sys []
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-06 611664]
R2 Apache2;Apache2Triad Apache2 Service; C:\apache2triad\bin\apache.exe [2007-03-09 20541]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-07-14 380928]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-02-22 38912]
R2 MySql;Apache2Triad MySql Service; C:\apache2triad\mysql\bin\mysqld.exe [2007-03-09 3502080]
R2 NICSer_WPC54G;NICSer_WPC54G; C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 455680]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2008-07-29 698888]
R2 SlimFTPd;SlimFTPd; C:\apache2triad\ftp\SlimFTPd.exe [2008-01-07 54272]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-13 33280]
R2 TivoBeacon2;TiVo Beacon; C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-09-25 867328]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2007-12-24 333064]
R2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe [2008-02-15 488768]
R2 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2008-02-15 648456]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 XMail;Apache2Triad Xmail Service; C:\apache2triad\mail\bin\XMail.exe [2007-03-09 339968]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL; C:\apache2triad\bin\apache.exe [2007-03-09 20541]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-08 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-01 168432]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2005-03-04 98304]
S3 PgSql;Apache2Triad PostgreSQL Service; C:\apache2triad\pgsql\bin\pg_ctl.exe [2007-03-09 66347]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-13 8704]

-----------------EOF-----------------

#6 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 25 November 2008 - 08:33 AM

Sam, Well I got happy a little too soon. I ran TM PCcyllin last night and today it wanted me to re-boot. Never has it asked me to do that. It took three attempts to get it to finish booting and when it finally did? the virus was back. I am going to run SDfix again while I'm waiting on Plan C.

Thanks!

#7 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 25 November 2008 - 09:28 AM

Sam, I finished sdfix again and we're back up. I'm not going to do anything else until I here from you. It did give me a note: Protective host files should be reapplied such as MVPS/HP hosts or Spybots immunizer feature after using SDfix. Thanks!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 AM

Posted 25 November 2008 - 01:56 PM

We're on the right track, but this a nasty one that's been known to be very difficult.

Please post the latest log from your last run of SDFix.
Also try renaming combofix.exe to cf.exe and then running the program.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 25 November 2008 - 04:08 PM

Hello Sam, Ok, I started combofix and everything was going fine until it said it detected a rootkit and needed to re-boot. After doing so it continued its scan and completed step 50. Then it began deleting what it had found. It deleted a few files and then My antivirus program chimed in and said it was blocking regt.cfexe because it was changing windows security. And I can't stop it from being blocked. I did have pccyllin turn off when it started, but it must have turned itself back on when it rebooted. It's just sitting there.. What to do? I almost ready to re-format and loose everything..

#10 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 25 November 2008 - 04:09 PM

Heres the latest SDFix log.

SDFix: Version 1.240
Run by Rick on Tue 11/25/2008 at 07:57 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\TDSSdxgp.dll - Deleted
C:\WINDOWS\system32\TDSSmtpe.dat - Deleted
C:\WINDOWS\system32\TDSSakao.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSotuu.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrxx.dll
Could Not Remove C:\WINDOWS\system32\TDSSyoqu.dll
Could Not Remove C:\WINDOWS\system32\TDSSnpur.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 08:21:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Rick\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe:*:Disabled:TiVo Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\TDSSotuu.dll Found
C:\WINDOWS\system32\TDSSnrxx.dll Found
C:\WINDOWS\system32\TDSSyoqu.dll Found
C:\WINDOWS\system32\TDSSnpur.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 4 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 17 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 17 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv1key.bak"
Fri 17 Mar 2006 20 A..H. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Rick\My Documents\My Music\License Backup\drmv2key.bak"
Tue 29 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 20 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 20 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!

#11 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 25 November 2008 - 09:00 PM

Sam, Combofix did complete and I have a new log for you. By the way does this thing have an official name to it??

ComboFix 08-11-26.01 - Rick 2008-11-25 14:37:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.526 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rick\Application Data\AntispywareBot
c:\documents and settings\Rick\Application Data\AntispywareBot\Log\2008 Nov 22 - 04_53_33 PM_750.log
c:\documents and settings\Rick\Application Data\AntispywareBot\rs.dat
c:\documents and settings\Rick\Application Data\AntispywareBot\Settings\ScanResults.pie
c:\windows\system32\drivers\TDSSmxfe.sys
c:\windows\system32\TDSSakao.log
c:\windows\system32\TDSSdxgp.dll
c:\windows\system32\TDSSihys.log
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSnrxx.dll
c:\windows\system32\TDSSotuu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSyoqu.dll
c:\windows\Tasks.\AntiSpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 01:08 . 2008-11-25 14:23 16,384 --a------ c:\windows\DCEBoot.exe
2008-11-24 21:10 . 2008-11-24 21:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-24 20:58 . 2008-11-24 20:58 <DIR> d-------- c:\windows\ERUNT
2008-11-24 20:52 . 2008-11-25 08:21 <DIR> d-------- C:\SDFix
2008-11-24 08:28 . 2008-11-24 08:29 <DIR> d-------- C:\rsit
2008-11-23 18:02 . 2008-11-23 18:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 17:22 . 2008-04-13 18:12 26,112 --a------ c:\windows\system32\stus.exe
2008-11-23 04:37 . 2008-11-23 07:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 04:37 . 2008-11-23 04:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 04:58 . 2008-11-22 04:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 04:58 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-22 04:58 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-21 18:10 . 2008-11-21 18:10 <DIR> d-------- c:\program files\CCleaner
2008-11-21 03:33 . 2004-08-04 07:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-21 03:33 . 2004-08-04 07:00 4,224 --a------ c:\windows\system32\dllcache\beep.sys
2008-11-17 13:40 . 2008-11-18 14:24 <DIR> d-------- c:\windows\LastGood(2)
2008-11-11 18:17 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:16 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 19:18 . 2008-11-01 19:18 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-01 19:15 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-01 19:15 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-01 19:15 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-01 03:41 . 2008-11-24 05:31 <DIR> d-------- c:\program files\Windows Live Toolbar
2008-11-01 03:39 . 2008-11-01 03:41 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-01 03:39 . 2008-11-01 03:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 11:37 --------- d-----w c:\program files\Google
2008-11-23 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-11-22 10:29 --------- d-----w c:\program files\Trend Micro
2008-11-21 22:58 --------- d-----w c:\program files\AviSynth 2.5
2008-11-21 06:16 --------- d-----w c:\program files\Replay AV 8
2008-11-21 05:56 --------- d-----w c:\program files\HiDownload
2008-11-06 10:29 --------- d-----w c:\documents and settings\Rick\Application Data\FileZilla
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-13 00:36 --------- d-----w c:\documents and settings\Rick\Application Data\Azureus
2008-10-10 10:13 --------- d-----w c:\program files\iTunes
2008-10-10 10:13 --------- d-----w c:\program files\iPod
2008-10-10 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 10:11 --------- d-----w c:\program files\QuickTime
2008-10-10 10:08 --------- d-----w c:\program files\Apple Software Update
2008-10-10 10:07 --------- d-----w c:\program files\Common Files\Apple
2008-10-10 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-05 01:16 --------- d-----w c:\program files\Picasa2
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-15 23:15 3,768 ----a-w c:\documents and settings\Rick\Application Data\wklnhst.dat
2008-08-05 05:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-09-25 1195008]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2007-09-25 384000]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2007-09-25 1495040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-08 29744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-11-01 36864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-07-13 21:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 15:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 13:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 18:16 454784 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier]
--a------ 2008-01-25 13:03 176128 c:\documents and settings\Rick\Local Settings\Application Data\VTShared\gcnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-08 16:17 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-04-01 16:11 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 14:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-11-30 12:36 1945600 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
--a------ 2004-04-04 17:21 1077248 c:\program files\RssReader\RssReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 21:49 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-02-02 06:11 692316 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-02-02 06:12 102492 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-14 06:53 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-07-29 13:24 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 11:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 14:53 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=

R2 NICSer_WPC54G;NICSer_WPC54G;c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2006-11-01 455680]
R2 SlimFTPd;SlimFTPd;"c:\apache2triad\ftp\SlimFTPd.exe" -service [2008-01-09 54272]
R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2007-09-25 867328]
R2 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\XMail.exe [2007-03-09 339968]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 odysseyIM4;Odyssey Network Agent Miniport;c:\windows\system32\DRIVERS\odysseyIM4.sys [2005-05-18 173056]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Rick\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"c:\apache2triad\bin\apache.exe" -D SSL -n Apache2SSL -k runservice [2007-03-09 20541]
S3 APLMp50;APLMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp50.sys [2007-01-31 28224]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\CBTNDIS5.SYS [2005-11-26 17142]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-05-18 29744]
S3 PgSql;Apache2Triad PostgreSQL Service;"c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D c:\apache2triad\pgsql\data\ [2007-03-09 66347]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Flashget - c:\program files\FlashGet\FlashGet.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 2006\pccguide.exe
MSConfigStartUp-sect store - c:\docume~1\Rick\APPLIC~1\USERON~1\Intra Mp3.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-VideoraTiVoConverter - c:\program files\VideoraTiVoConverter\VideoraTiVoConverter.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\709ex01k.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 15:04:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxfe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1832)
c:\windows\system32\Ati2evxx.dll
c:\program files\Funk Software\Funk Client\odLogin.dll
.
Completion time: 2008-11-26 15:07:30
ComboFix-quarantined-files.txt 2008-11-26 21:07:25

Pre-Run: 9,137,041,408 bytes free
Post-Run: 9,126,756,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

245 --- E O F --- 2008-11-12 01:20:46

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 AM

Posted 26 November 2008 - 03:30 PM

I call it a pain in the @$$. :thumbsup:
It's known by many names, primarily the TDSS rootkit infection. Here's some info on it.

http://research.sunbelt-software.com/threa...threatid=414535


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\DCEBoot.exe
c:\windows\system32\stus.exe

Driver::
TDSSserv.sys
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 26 November 2008 - 06:07 PM

Hello Sam, I did as instructed and here is the new CF Log. Thanks!


ComboFix 08-11-26.01 - Rick 2008-11-27 17:15:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.445 [GMT -6:00]
Running from: c:\documents and settings\Rick\Desktop\cf.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\DCEBoot.exe
c:\windows\system32\stus.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DCEBoot.exe
c:\windows\system32\stus.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-24 21:10 . 2008-11-24 21:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-24 20:58 . 2008-11-24 20:58 <DIR> d-------- c:\windows\ERUNT
2008-11-24 20:52 . 2008-11-25 08:21 <DIR> d-------- C:\SDFix
2008-11-24 08:28 . 2008-11-24 08:29 <DIR> d-------- C:\rsit
2008-11-23 18:02 . 2008-11-23 18:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 04:37 . 2008-11-23 07:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 04:37 . 2008-11-23 04:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 04:58 . 2008-11-22 04:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 04:58 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-22 04:58 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-21 18:10 . 2008-11-21 18:10 <DIR> d-------- c:\program files\CCleaner
2008-11-21 03:33 . 2004-08-04 07:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-21 03:33 . 2004-08-04 07:00 4,224 --a------ c:\windows\system32\dllcache\beep.sys
2008-11-17 13:40 . 2008-11-18 14:24 <DIR> d-------- c:\windows\LastGood(2)
2008-11-11 18:17 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:16 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 19:18 . 2008-11-01 19:18 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-01 19:15 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-01 19:15 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-01 19:15 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-01 03:41 . 2008-11-24 05:31 <DIR> d-------- c:\program files\Windows Live Toolbar
2008-11-01 03:39 . 2008-11-01 03:41 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-01 03:39 . 2008-11-01 03:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 11:37 --------- d-----w c:\program files\Google
2008-11-23 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-11-22 10:29 --------- d-----w c:\program files\Trend Micro
2008-11-21 22:58 --------- d-----w c:\program files\AviSynth 2.5
2008-11-21 06:16 --------- d-----w c:\program files\Replay AV 8
2008-11-21 05:56 --------- d-----w c:\program files\HiDownload
2008-11-06 10:29 --------- d-----w c:\documents and settings\Rick\Application Data\FileZilla
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-13 00:36 --------- d-----w c:\documents and settings\Rick\Application Data\Azureus
2008-10-10 10:13 --------- d-----w c:\program files\iTunes
2008-10-10 10:13 --------- d-----w c:\program files\iPod
2008-10-10 10:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 10:11 --------- d-----w c:\program files\QuickTime
2008-10-10 10:08 --------- d-----w c:\program files\Apple Software Update
2008-10-10 10:07 --------- d-----w c:\program files\Common Files\Apple
2008-10-10 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-05 01:16 --------- d-----w c:\program files\Picasa2
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-15 23:15 3,768 ----a-w c:\documents and settings\Rick\Application Data\wklnhst.dat
2008-08-05 05:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-26_15.06.32.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-27 22:30:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-09-25 1195008]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2007-09-25 384000]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2007-09-25 1495040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-08 29744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-11-01 36864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-07-13 21:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 15:01 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 13:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 18:16 454784 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcNotifier]
--a------ 2008-01-25 13:03 176128 c:\documents and settings\Rick\Local Settings\Application Data\VTShared\gcnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-02-08 16:17 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-04-01 16:11 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 14:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-11-30 12:36 1945600 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
--a------ 2004-04-04 17:21 1077248 c:\program files\RssReader\RssReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 21:49 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-02-02 06:11 692316 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-02-02 06:12 102492 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-14 06:53 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-07-29 13:24 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 11:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2005-10-24 14:53 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 17:18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1880)
c:\windows\system32\Ati2evxx.dll
c:\program files\Funk Software\Funk Client\odLogin.dll
.
Completion time: 2008-11-27 17:21:32
ComboFix-quarantined-files.txt 2008-11-27 23:20:14
ComboFix2.txt 2008-11-26 21:07:33

Pre-Run: 9,118,482,432 bytes free
Post-Run: 9,106,059,264 bytes free

195 --- E O F --- 2008-11-12 01:20:46

Edited by Rjackson36, 26 November 2008 - 06:29 PM.


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 AM

Posted 27 November 2008 - 11:27 AM

It's looking pretty good. Please open up Malwarebytes and update it.
Then run a quick scan and post the resulting log.

How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Rjackson36

Rjackson36
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:31 AM

Posted 27 November 2008 - 10:12 PM

Hey Sam, Hope your Thanksgiving went well. The thing is acting pretty normal. I did notice today that the modem was uploading/downloading solid and my hard drive light was blinking quite a bit when there should not have been anything going on. I was just looking at my website. I'm probably just paranoid. The laptop that is infected is one of 4 computers on my home network. Should I be concerned about it spreading to the others? Is it also possible that my personal data has been uploaded to someone else? Just asking because my wife is very concerned, online banking and such..

Also my adaware scanned and picked up this: win32.worm.kdcrypt and win32.backdoor.tdss and it says it deleted both.

My Trend Micro PCCyllin also poped up and said it quaranteened the following: infected file C:\...\A0041509.dll Trojen Renos.ank, BKDR_TDSS.V, TDSS.T,TDSS.AV and TDSS.AU.

Anyway I did as you asked and here is the log.

Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

11/28/2008 3:23:36 PM
mbam-log-2008-11-28 (15-23-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 262915
Time elapsed: 3 hour(s), 40 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP497\A0033336.dll (Trojan.FakeAlert) -> No action taken.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users