11-18-2008, 07:39 PM   #3
Xagest
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: XP SP2


Re: AntiVirus Pro 2009

Much thanks. Here are the logs.

COMBOFIX LOG
-
ComboFix 08-11-18.03 - Thang 2008-11-18 19:08:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.212 [GMT -7:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\program files\Win Stream plugin
c:\program files\Win Stream plugin\basis.xml
c:\program files\Win Stream plugin\cache\815dbd2ede4878fd25d37fe37f5d968c
c:\program files\Win Stream plugin\download.html
c:\program files\Win Stream plugin\icons.bmp_16.bmp
c:\program files\Win Stream plugin\Thumbs.db
c:\program files\Win Stream plugin\version.txt
c:\program files\Win Stream plugin\win_stream_plugin.crc
c:\windows\system32\{B8FB6A08-1DB7-4A91-BFD0-9BEE3DD1536C}.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\TDSSmvpt.sys
c:\windows\system32\kernel32.exe
c:\windows\system32\TDSSbvqo.dll
c:\windows\system32\TDSSckhc.dll
c:\windows\system32\TDSScrrx.dll
c:\windows\system32\TDSSjnsm.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSofxb.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\TDSSublj.dll
c:\windows\system32\TDSSwhym.log
c:\windows\system32\TDSSwpyh.dat
c:\windows\system32\wini108019.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-15 17:52 . 2008-11-15 17:52 <DIR> d-------- c:\program files\RealVNC
2008-11-15 16:01 . 2008-11-15 16:01 <DIR> d-------- c:\program files\Lavasoft
2008-11-15 16:01 . 2008-11-15 16:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-15 15:53 . 2008-11-15 15:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-14 18:34 . 2008-11-14 18:34 <DIR> d-------- c:\documents and settings\Administrator.DADCOMP\Application Data\Share-to-Web Upload Folder
2008-11-13 21:34 . 2008-11-13 21:34 <DIR> d-------- c:\documents and settings\Administrator.DADCOMP
2008-11-13 21:14 . 2008-11-13 21:14 19,860 --a------ c:\windows\anejuzy._sy
2008-11-13 21:14 . 2008-11-13 21:14 19,580 --a------ c:\windows\usuzusa.sys
2008-11-13 21:14 . 2008-11-13 21:14 19,264 --a------ c:\windows\ropov.reg
2008-11-13 21:14 . 2008-11-13 21:14 16,387 --a------ c:\documents and settings\Thang\Application Data\ujumag.pif
2008-11-13 21:14 . 2008-11-13 21:14 15,934 --a------ c:\documents and settings\Thang\Application Data\exega.exe
2008-11-13 21:14 . 2008-11-13 21:14 15,140 --a------ c:\documents and settings\All Users\Application Data\kukofukali.com
2008-11-13 21:14 . 2008-11-13 21:14 14,506 --a------ c:\program files\Common Files\zekuwiq.exe
2008-11-13 21:14 . 2008-11-13 21:14 14,421 --a------ c:\windows\ehyleka.db
2008-11-13 21:14 . 2008-11-13 21:14 13,185 --a------ c:\documents and settings\Thang\Application Data\ozefoge.dll
2008-11-13 21:14 . 2008-11-13 21:14 10,947 --a------ c:\documents and settings\All Users\Application Data\cakyjumyb.vbs
2008-11-13 21:14 . 2008-11-13 21:14 10,697 --a------ c:\windows\system32\yfaq.pif
2008-11-13 21:14 . 2008-11-13 21:14 10,384 --a------ c:\windows\cuwe._sy
2008-11-13 21:13 . 2008-11-13 22:22 <DIR> d-------- c:\program files\AntivirusPro2009
2008-11-04 17:49 . 2008-11-04 17:49 <DIR> d-------- c:\documents and settings\Thang\Application Data\Kodak
2008-11-04 17:47 . 2008-11-04 17:47 <DIR> d-------- c:\program files\Kodak
2008-10-31 18:59 . 2008-10-31 18:59 291 --a------ c:\documents and settings\Thang\Application Data\mdbu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 17:14 --------- d-----w c:\program files\AskTBar
2008-11-15 21:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 04:14 18,040 ----a-w c:\program files\Common Files\keni.db
2008-11-09 19:10 --------- d-----w c:\program files\Symantec
2008-11-09 19:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-09 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-08 15:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-08 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2008-11-07 04:47 --------- d-----w c:\documents and settings\Thang\Application Data\ArcSoft
2008-11-06 04:27 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-01 03:10 --------- d-----w c:\program files\Greeting Card Creator 32
2008-11-01 03:07 --------- d-----w c:\program files\VideoLAN
2008-11-01 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\PictureMover
2008-11-01 03:03 --------- d-----w c:\program files\ArcSoft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 00:53 --------- d-----w c:\program files\Common Files\ArcSoft
2008-10-15 00:46 --------- d-----w c:\program files\OVT
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:33 667,648 ----a-w c:\windows\system32\wininet.dll
2008-05-28 03:34 0 --sha-w c:\documents and settings\Thang\Application Data\00483ca7064b0f0d91a71d6018ec157bc3aad48c768f757348.dat
2008-04-05 03:53 321 ---ha-w c:\documents and settings\Thang\hpothb07.dat
2007-09-09 03:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [2004-11-09 475136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-08-27 282624]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-10-17 162304]
"LTWinModem1"="ltmsg.exe" [2003-10-28 c:\windows\system32\ltmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-10-21 278528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-27 78416]
R2 ACDaemon;ArcSoft Connect Daemon;c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-10-14 109056]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-27 20560]
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\DRIVERS\WG511ICB.sys [2007-05-13 393472]
S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\c:\windows\system32\AWINDIS5.SYS [2006-10-24 16194]
S3 JL2004A;JL2004A Photo Viewer;c:\windows\system32\Drivers\pv_wdm.sys [2007-02-13 63289]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Thang\Application Data\Mozilla\Firefox\Profiles\u03grm7t.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF -: plugin - c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 19:21:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmvpt.sys"
.
Completion time: 2008-11-18 19:23:28
ComboFix-quarantined-files.txt 2008-11-19 02:23:09

Pre-Run: 19,341,369,344 bytes free
Post-Run: 25,677,709,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

179 --- E O F --- 2008-11-12 04:24:18


HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1161124745673
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 6258 bytes