Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 11-17-2008, 03:33 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


brastk and tdssserv + can't use .exe

Hi,
I had brastk infection a couple of weeks ago and sorted it with Smitfraudfix and Malwarebytes Anti Malware. Well, I obviously didn't sort it completely as it's back, with a vengeance! I've tried various things and removed part of it, but can't get exe files to run - so can't use Malwarebytes. Managed to run Smitfraudfix by going to the .cmd file and running it from there. Tried uninstalling MBAM but then couldn't reinstall - because it needs to run an exe! Tried to introduce XoftSpySE which installed, but can't run the exe.

I think I've removed tdssserv (tidserv) but who knows....

I also had karna.dat at the same time, which I think I've removed.

By the way I have disconnected the infected PC from the internet - the logs probably show this.

The current visible symptoms are the google search results redirecting to go.google.com. Dunno what's going on under the covers tho'.

Below is the DDS result and attached is the attach.txt. Can't run GMER as it's an exe, so sorry no results from it.

Please see what you can do to help me!

Thanks

DDS (Version 1.0) - NTFSx86
Run by Roger at 21:18:41.09 on 17/11/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.196 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\E_S40RP7.EXE
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Roger\Desktop\gmer.exe
F:\dds.scr

============== Psuedo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 192.168.2.1:80
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\program files\microsoft money\system\mnyside.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_1.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_S88.tmp" /EF "HKCU"
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SpeedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &Windows Live Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\drivers\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\drivers\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\drivers\ss_mdm.sys
S4 PCFService;PCFService2;c:\program files\gigasoft denmark\pc finder net\pcfservice.exe

=============== Created Last 30 ================

2008-11-16 21:42 <DIR> --d----- c:\program files\XoftSpySE
2008-11-16 21:22 28,672 a------- c:\windows\system32\Partizan.exe
2008-11-16 21:17 2 a--shrot c:\windows\winstart.bat
2008-11-16 19:17 99,367 a------- C:\Undo WATFORD-UMG8D90 20081116 191706.Reg
2008-11-16 18:23 <DIR> --d----- c:\program files\Exterminate It!
2008-11-15 00:10 23,040 ac------ c:\windows\system32\dllcache\beep.sys
2008-11-15 00:10 114 a------- c:\windows\system32\delself.bat
2008-11-12 09:50 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:50 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-10-30 21:00 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-10-30 21:00 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-10-30 21:00 <DIR> --d----- c:\windows\system32\IOSUBSYS
2008-10-26 17:54 <DIR> --d----- c:\program files\RogueRemover FREE
2008-10-26 17:20 <DIR> --d----- c:\docume~1\roger\applic~1\Malwarebytes
2008-10-26 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-26 08:48 100,202 a------- C:\Undo WATFORD-UMG8D90 20081026 084841.Reg
2008-10-26 01:02 2,846 a------- c:\windows\system32\tmp.reg
2008-10-26 00:56 <DIR> --d----- c:\windows\pss
2008-10-26 00:11 100,202 a------- C:\Undo WATFORD-UMG8D90 20081026 011120.Reg
2008-10-24 09:46 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-24 00:18 2,302,017 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2008-11-17 21:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-11-16 23:21 <DIR> --d----- c:\program files\Norton Security Scan
2008-11-14 18:00 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-10 08:58 82,944 a------- c:\windows\system32\o4Patch.exe
2008-10-10 08:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-10-01 15:51 87,552 a------- c:\windows\system32\VACFix.exe
2008-10-01 15:17 <DIR> --d----- c:\program files\LucasArts
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-08 23:38 88,576 a------- c:\windows\system32\AntiXPVSTFix.exe
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-02 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-08-26 07:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-24 17:23 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-08 18:48 <DIR> --d----- c:\docume~1\roger\applic~1\AdobeAUM
2008-07-11 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-05-17 17:46 <DIR> --d----- c:\docume~1\roger\applic~1\TransRender
2008-05-17 17:44 <DIR> --d----- c:\docume~1\roger\applic~1\Temporary
2008-04-05 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2008-04-01 13:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\UDL
2008-03-26 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-01-14 09:17 <DIR> --d----- c:\docume~1\roger\applic~1\iolo
2008-01-14 09:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2007-11-30 17:20 <DIR> --d----- c:\docume~1\roger\applic~1\ConvertTemp
2007-11-30 17:13 <DIR> --d----- c:\docume~1\roger\applic~1\Samsung
2007-09-13 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Live Toolbar
2007-07-07 15:15 <DIR> --d----- c:\docume~1\roger\applic~1\MSN6
2007-07-07 15:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2007-04-25 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative
2006-09-06 20:24 <DIR> --d----- c:\docume~1\roger\applic~1\Teleca
2005-12-28 16:16 <DIR> --d----- c:\docume~1\roger\applic~1\Nikon
2005-03-28 09:36 <DIR> --d----- c:\docume~1\roger\applic~1\SpamBayes
2004-05-27 16:53 <DIR> --d----- c:\docume~1\roger\applic~1\Serif
2004-01-30 19:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BVRP Software
2004-01-08 11:33 <DIR> --d----- c:\docume~1\roger\applic~1\InterTrust
2005-07-29 13:04 1,030 ---sh--- c:\windows\system\nodemgr.sys

============= FINISH: 21:20:13.56 ===============
Attached Files
File Type: txt Attach.txt (11.5 KB, 2 views)
mogul is offline  
Old 11-17-2008, 11:33 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: brastk and tdssserv + can't use .exe

Hi,

Please avoid fixing things on your own while I'm helping you because that will make things more complicated.

Download this file: http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
and open it. Extract the REG file to your desktop and double click it. Answer yes to the import prompt.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 11-17-2008 at 11:35 PM.
Angelfire777 is offline  
Old 11-18-2008, 03:13 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


Re: brastk and tdssserv + can't use .exe

Hi,
I downloaded and ran xp_exe_fix.reg. It seemed to complete successfully.

However, having downloaded ComboFix it wouldn't run. This goes back to my 'exe files don't run' problem.

All that happens with exe's is that the egg timer turns for a few seconds then disappears. Nothing further happens. In Task Manager the job is present as a process with no CPU usage, but with Memory usage (2024k in the case of ComboFix.exe).

Any ideas what I can check to get exe's running again?

I really appreciate your assistance with this challenge.

Many thanks
mogul is offline  
Old 11-18-2008, 06:42 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: brastk and tdssserv + can't use .exe

Hi,
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Tick the box next to "hide extensions for known file types"
  • Click Yes to confirm.
  • Click OK.

Please rename combofix.exe to combofix.com then follow the instructions again.
Angelfire777 is offline  
Old 11-19-2008, 02:08 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


Re: brastk and tdssserv + can't use .exe

Hi Angelfire777,
Thanks for the exe workaround. I got ComboFix to run and have attached the log.
The MS Windows Recovery Console failed to install, so ComboFix just continued. Let me know if I can/should run it again to get the Recovery Console installed.
As suggested, when it found a Rootfix it went into a reboot.
Hopefully the log should show progress is being made...

Thanks again for all your help so far.


ComboFix 08-11-18.02 - Roger 2008-11-19 20:15:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.208 [GMT 0:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\TDSSmxwe.sys
c:\windows\system32\drivers\tdssserv.sys
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxgp.dll
c:\windows\system32\TDSSmqlt.log
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSoiqh.log
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSshyf.dll
c:\windows\system32\TDSSvoqm.dll
c:\windows\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-16 21:42 . 2008-11-16 21:42 <DIR> d-------- c:\program files\XoftSpySE
2008-11-16 21:22 . 2008-11-16 21:22 28,672 --a------ c:\windows\system32\Partizan.exe
2008-11-16 21:17 . 2008-11-16 21:17 (2) -rahs-ot- c:\windows\winstart.bat
2008-11-16 19:58 . 2007-09-06 00:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-16 19:58 . 2006-04-27 17:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-16 19:58 . 2008-09-08 23:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-11-16 19:58 . 2008-10-01 15:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-16 19:58 . 2008-10-10 08:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-16 19:58 . 2008-05-18 21:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-16 19:58 . 2008-10-10 08:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-16 19:58 . 2008-08-18 12:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-16 19:58 . 2003-06-05 21:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-16 19:58 . 2004-07-31 18:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-16 19:58 . 2007-10-04 00:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-16 19:17 . 2008-11-16 19:17 99,367 --a------ C:\Undo WATFORD-UMG8D90 20081116 191706.Reg
2008-11-16 18:23 . 2008-11-16 19:34 <DIR> d-------- c:\program files\Exterminate It!
2008-11-12 09:50 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:50 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-30 21:00 . 2008-10-30 21:00 <DIR> d-------- c:\windows\system32\IOSUBSYS
2008-10-30 21:00 . 2008-04-07 23:16 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-10-30 21:00 . 2008-04-07 23:16 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-10-26 17:54 . 2008-10-26 17:54 <DIR> d-------- c:\program files\RogueRemover FREE
2008-10-26 17:20 . 2008-10-26 17:20 <DIR> d-------- c:\documents and settings\Roger\Application Data\Malwarebytes
2008-10-26 17:20 . 2008-10-26 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-26 08:48 . 2008-10-26 08:48 100,202 --a------ C:\Undo WATFORD-UMG8D90 20081026 084841.Reg
2008-10-26 01:02 . 2008-11-16 21:02 2,846 --a------ c:\windows\system32\tmp.reg
2008-10-26 00:11 . 2008-10-26 00:11 100,202 --a------ C:\Undo WATFORD-UMG8D90 20081026 011120.Reg
2008-10-24 09:46 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-24 00:18 . 2008-10-24 00:18 2,302,017 --a------ c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-16 23:21 --------- d-----w c:\program files\Norton Security Scan
2008-11-16 15:41 --------- d-----w c:\program files\Google
2008-11-15 00:15 1,400,320 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-11-15 00:05 190,842,912 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-14 18:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-13 23:55 2,213,924 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-01 15:17 --------- d-----w c:\program files\LucasArts
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 20:10 147,456 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-19 20:35 3,141,120 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-08-19 20:35 2,865,664 ----a-w c:\windows\Internet Logs\xDB23.tmp
2008-04-23 18:23 63,576 ----a-w c:\documents and settings\Roger\Application Data\GDIPFONTCACHEV1.DAT
2005-05-25 09:54 266 --sh--w c:\program files\desktop.ini
2005-05-25 09:54 11,079 ---h--w c:\program files\folder.htt
2005-07-29 13:04 1,030 --sh--w c:\windows\system\nodemgr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"EPSON Stylus DX4400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE" [2007-03-01 180736]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 861184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-18 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 231704]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\DRIVERS\alcan5ln.sys [2007-06-30 36048]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\DRIVERS\ss_bus.sys [2007-01-03 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\DRIVERS\ss_mdfl.sys [2007-01-03 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\DRIVERS\ss_mdm.sys [2007-01-03 94000]
S4 PCFService;PCFService2;c:\program files\gigasoft denmark\pc finder net\pcfservice.exe []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2004-03-02 c:\windows\Tasks\BUP1.job
- c:\windows\system32\ntbackup.exe [2008-04-14 00:12]

2008-11-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-04-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2008-11-14 c:\windows\Tasks\Norton Security Scan for Roger.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 192.168.2.1:80
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\System32\shlwapi.dll - c:\windows\System32\mshtml.tlb
c:\program files\Gigasoft Denmark\PC Finder NET\HDSNLIB.DLL
c:\windows\System32\Wbem\wbemdisp.tlb
c:\program files\Common Files\System\msadc\msdfmap.dll
c:\windows\System32\mscomctl.ocx
c:\windows\System32\msvbvm60.dll
c:\windows\System32\oleaut32.dll
c:\windows\System32\olepro32.dll
c:\windows\System32\asycfilt.dll
c:\windows\System32\stdole2.tlb
c:\windows\System32\COMCAT.DLL
c:\windows\Downloaded Program Files\PC_Scanner.ocx
O16 -: {1ED6685D-DFC1-4981-81EE-77C56849101D}
hxxp://www.gigasoft.dk/pcscaneng/PC_Scanner.CAB
c:\windows\Downloaded Program Files\PC_Scanner.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 20:24:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxwe.sys"
.
Completion time: 2008-11-19 20:31:28
ComboFix-quarantined-files.txt 2008-11-19 20:30:21

Pre-Run: 43,711,090,688 bytes free
Post-Run: 44,544,196,608 bytes free

202 --- E O F --- 2008-11-13 0752
Attached Files
File Type: txt ComboFixlog.txt (12.2 KB, 3 views)

Last edited by Angelfire777; 11-19-2008 at 06:58 PM.
mogul is offline  
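An added example, not code from this thread or from DDS or ComboFix: a small Python triage helper that parses the two autorun formats posted above (DDS `uRun`/`mRun`/`dRun` lines and ComboFix's REGEDIT4 "Reg Loading Points" dump) and flags entries like the `brastk` and `TDSSserv` items the logs show. The sample input is constructed from the thread's paths (the date/size on the brastk value is made up), and the flagging rules are my own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the two formats seen in this thread: DDS
# "Psuedo HJT Report" autorun lines (u/m/dRun = HKCU/HKLM/HKU\.DEFAULT) and
# ComboFix's REGEDIT4 "Reg Loading Points" dump. The date/size on the brastk
# value is made up; the paths mirror the logs posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [brastk] c:\windows\system32\brastk.exe
"""
SAMPLE_COMBOFIX = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"brastk"="c:\windows\system32\brastk.exe" [2008-11-16 20480]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxwe.sys"
"""

DDS_RUN = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s+(.*)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"="(.*?)"(?:\s+\[.*\])?\s*$')
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
KEY_PREFIXES = [("HKEY_CURRENT_USER", "HKCU"), ("HKEY_LOCAL_MACHINE", "HKLM"),
                ("HKEY_USERS\\.DEFAULT", "HKU\\.DEFAULT")]
# Names this thread identified as malicious; extend the list for other cases.
INDICATOR = re.compile(r"^(brastk|tdss)", re.IGNORECASE)

@dataclass
class Entry:
    hive: str   # HKCU / HKLM / HKU\.DEFAULT (or the raw key for other hives)
    name: str   # value name, e.g. "brastk" or "imagepath"
    path: str   # executable/driver the value points at

def hive_of_key(key):
    for prefix, hive in KEY_PREFIXES:
        if key.upper().startswith(prefix):
            return hive
    return key

def image_path(command):
    """Executable part of a Run value: the quoted path, else the first token."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split()[0] if c else ""

def basename(path):
    parts = [p for p in re.split(r"[\\/]", path) if p]
    return parts[-1] if parts else ""

def parse_dds(text):
    """DDS lines: '<u|m|d>Run: [name] command'."""
    out = []
    for line in text.splitlines():
        m = DDS_RUN.match(line.strip())
        if m:
            out.append(Entry(HIVES[m.group(1)], m.group(2), image_path(m.group(3))))
    return out

def parse_combofix_reg(text):
    """ComboFix REGEDIT4 dump: '[key]' headers followed by "name"="value" [date size]."""
    out, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VAL.match(line)
        if vm and key:
            out.append(Entry(hive_of_key(key), vm.group(1), image_path(vm.group(2))))
    return out

def triage(entries):
    """Return (entry, reasons) pairs. Heuristics are mine, not DDS/ComboFix logic:
    indicator names, and non-ctfmon autoruns in the default-user hive (logon screen)."""
    findings = []
    for e in entries:
        base, reasons = basename(e.path), []
        if INDICATOR.match(e.name) or INDICATOR.match(base):
            reasons.append("name matches an indicator from this thread (brastk / TDSS*)")
        if e.hive == "HKU\\.DEFAULT" and base.lower() != "ctfmon.exe":
            reasons.append("autorun in HKU\\.DEFAULT other than ctfmon.exe")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(parse_dds(SAMPLE_DDS) + parse_combofix_reg(SAMPLE_COMBOFIX)):
        print(f"{entry.hive} [{entry.name}] {entry.path}")
        for r in reasons:
            print("    -", r)
```

Run against the thread's own logs it flags the `dRun: [brastk]` line from DDS and the `TDSSserv.sys` imagepath from ComboFix while leaving the `CTFMON.EXE` default-user entry alone.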
Old 11-19-2008, 07:04 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: brastk and tdssserv + can't use .exe

Do exes work okay now? If yes,

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No' and do not run another combofix scan.


  • When the tool is finished, it will produce a report for you.
Please post the contents of the log that it created.
Angelfire777 is offline  
Old 11-20-2008, 03:45 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


Re: brastk and tdssserv + can't use .exe

Hi Angelfire777,

Yes thanks, the exe files work fine now.

I downloaded and ran the MS Setup boot. As you stated, I didn't run ComboFix again.

Here's the log...

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


Assuming this log is ok, the questions now are "am I clean?" and "how can I protect against it happening again?".

As ever, I'm really grateful for your assistance.
Old 11-20-2008, 06:50 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: brastk and tdssserv + can't use .exe

Hi,

You seem to have downloaded the wrong package for the Recovery Console. Nevertheless, it should work in case we need it.

Quote:
Assuming this log is ok, the questions now are "am I clean?" and "how can I protect against it happening again?".
Not yet. I will give you protection advice after we clean your computer.


Configure your machine to view hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the "Hidden files and folders" heading, select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files option.
  • Click Yes to confirm.
  • Click OK.

*Using Windows Explorer, find and delete these files:

c:\windows\winstart.bat
c:\program files\folder.htt


*Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.

On your next reply, please include a
  • Fresh dds log
  • eset scan log
Old 11-21-2008, 04:35 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


Re: brastk and tdssserv + can't use .exe

Hi Angelfire777,
Please see logs below as requested. I'm not experiencing any further problems at the moment.
Many thanks...

DDS Log
======

DDS (Version 1.0) - NTFSx86
Run by Roger at 23:29:38.98 on 21/11/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.102 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\E_S40RP7.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
F:\dds.scr

============== Psuedo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 192.168.2.1:80
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\program files\microsoft money\system\mnyside.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_1.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_S88.tmp" /EF "HKCU"
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SpeedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &Windows Live Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\drivers\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\drivers\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\drivers\ss_mdm.sys
S4 PCFService;PCFService2;c:\program files\gigasoft denmark\pc finder net\pcfservice.exe

=============== Created Last 30 ================

2008-11-21 22:08 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-11-20 22:23 <DIR> a-dshr-- C:\cmdcons
2008-11-20 22:21 <DIR> --d----- C:\ComboFix.com
2008-11-19 20:06 161,792 a------- c:\windows\SWREG.exe
2008-11-19 20:06 98,816 a------- c:\windows\sed.exe
2008-11-16 21:42 <DIR> --d----- c:\program files\XoftSpySE
2008-11-16 21:22 28,672 a------- c:\windows\system32\Partizan.exe
2008-11-16 19:58 289,144 a------- c:\windows\system32\VCCLSID.exe
2008-11-16 19:58 88,576 a------- c:\windows\system32\AntiXPVSTFix.exe
2008-11-16 19:58 87,552 a------- c:\windows\system32\VACFix.exe
2008-11-16 19:58 82,944 a------- c:\windows\system32\o4Patch.exe
2008-11-16 19:58 82,944 a------- c:\windows\system32\IEDFix.exe
2008-11-16 19:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-16 19:58 82,432 a------- c:\windows\system32\404Fix.exe
2008-11-16 19:58 51,200 a------- c:\windows\system32\dumphive.exe
2008-11-16 19:58 25,600 a------- c:\windows\system32\WS2Fix.exe
2008-11-16 19:58 288,417 a------- c:\windows\system32\SrchSTS.exe
2008-11-16 19:58 53,248 a------- c:\windows\system32\Process.exe
2008-11-16 19:17 99,367 a------- C:\Undo WATFORD-UMG8D90 20081116 191706.Reg
2008-11-16 18:23 <DIR> --d----- c:\program files\Exterminate It!
2008-11-12 09:50 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:50 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-10-30 21:00 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-10-30 21:00 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-10-30 21:00 <DIR> --d----- c:\windows\system32\IOSUBSYS
2008-10-26 17:54 <DIR> --d----- c:\program files\RogueRemover FREE
2008-10-26 17:20 <DIR> --d----- c:\docume~1\roger\applic~1\Malwarebytes
2008-10-26 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-26 08:48 100,202 a------- C:\Undo WATFORD-UMG8D90 20081026 084841.Reg
2008-10-26 01:02 2,846 a------- c:\windows\system32\tmp.reg
2008-10-26 00:56 <DIR> --d----- c:\windows\pss
2008-10-26 00:11 100,202 a------- C:\Undo WATFORD-UMG8D90 20081026 011120.Reg
2008-10-24 09:46 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-24 00:18 2,302,017 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2008-11-21 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-11-21 18:00 <DIR> --d----- c:\program files\Norton Security Scan
2008-11-14 18:00 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-01 15:17 <DIR> --d----- c:\program files\LucasArts
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-02 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-08-26 07:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-24 17:23 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-08 18:48 <DIR> --d----- c:\docume~1\roger\applic~1\AdobeAUM
2008-07-11 17:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-05-17 17:46 <DIR> --d----- c:\docume~1\roger\applic~1\TransRender
2008-05-17 17:44 <DIR> --d----- c:\docume~1\roger\applic~1\Temporary
2008-04-05 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2008-04-01 13:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\UDL
2008-03-26 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-01-14 09:17 <DIR> --d----- c:\docume~1\roger\applic~1\iolo
2008-01-14 09:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2007-11-30 17:20 <DIR> --d----- c:\docume~1\roger\applic~1\ConvertTemp
2007-11-30 17:13 <DIR> --d----- c:\docume~1\roger\applic~1\Samsung
2007-09-13 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Live Toolbar
2007-07-07 15:15 <DIR> --d----- c:\docume~1\roger\applic~1\MSN6
2007-07-07 15:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2007-04-25 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative
2006-09-06 20:24 <DIR> --d----- c:\docume~1\roger\applic~1\Teleca
2005-12-28 16:16 <DIR> --d----- c:\docume~1\roger\applic~1\Nikon
2005-03-28 09:36 <DIR> --d----- c:\docume~1\roger\applic~1\SpamBayes
2004-05-27 16:53 <DIR> --d----- c:\docume~1\roger\applic~1\Serif
2004-01-30 19:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BVRP Software
2004-01-08 11:33 <DIR> --d----- c:\docume~1\roger\applic~1\InterTrust
2005-07-29 13:04 1,030 ---sh--- c:\windows\system\nodemgr.sys

============= FINISH: 23:30:40.65 ===============


ESET Log
=======
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3632 (20081121)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=80b5843d4154b04894499547b2ac6b59
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-21 11:27:18
# local_time=2008-11-21 11:27:18 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=213446
# found=0
# scan_time=4561
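A reader's aid added here, not part of the thread: the "Created Last 30" section of the DDS log above is what the analyst reads first, because a freshly created executable under c:\windows is a common sign of a dropped component. This script parses that section and lists new binaries for review. The sample log, the 7-day window and the watched directory are constructed assumptions, and SmitfraudFix-style cleanup tools also leave helper executables in system32, so a hit is a review item, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the DDS "Created Last 30" layout (entries mirror the
# shape of the log posted above; treat the values as illustrative).
SAMPLE_DDS = """\
=============== Created Last 30 ================

2008-11-21 22:08 <DIR> --d----- c:\\program files\\EsetOnlineScanner
2008-11-19 20:06 161,792 a------- c:\\windows\\SWREG.exe
2008-11-16 21:22 28,672 a------- c:\\windows\\system32\\Partizan.exe
2008-11-16 19:58 53,248 a------- c:\\windows\\system32\\Process.exe
2008-11-12 09:50 455,296 -c------ c:\\windows\\system32\\dllcache\\mrxsmb.sys
2008-10-24 00:18 2,302,017 a------- c:\\windows\\system32\\GPhotos.scr

==================== Find3M ====================
"""

ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.*)$")
# Extensions that run as code on XP and deserve a look when newly created.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd")
# A fresh, unexplained binary under this root is a classic persistence sign.
WATCH_DIRS = ("c:\\windows\\",)

def parse_created_last_30(text):
    """Return (timestamp, size or None for <DIR>, attrs, lowercased path)."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("=") and "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):     # next section header
            break
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        entries.append((ts, size, m.group(3), m.group(4).lower()))
    return entries

def flag_new_binaries(text, scan_time, window_days=7):
    """Paths of executables created under WATCH_DIRS within window_days before
    scan_time ('YYYY-MM-DD HH:MM'), skipping dllcache (Windows File Protection
    copies). A hit means 'review this', not 'malware'."""
    cutoff = datetime.strptime(scan_time, "%Y-%m-%d %H:%M") - timedelta(days=window_days)
    hits = []
    for ts, size, _attrs, path in parse_created_last_30(text):
        if size is None or ts < cutoff or "\\dllcache\\" in path:
            continue
        if path.endswith(EXEC_EXT) and path.startswith(WATCH_DIRS):
            hits.append(path)
    return hits
```

Run `flag_new_binaries(SAMPLE_DDS, "2008-11-21 23:29")` against the sample to get the three system binaries created in the week before the scan; widen `window_days` to pull in older entries.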
Old 11-21-2008, 04:40 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: brastk and tdssserv + can't use .exe

Congratulations! Your log looks clean!

Click Start > Run > copy and paste:

combofix /u

That will hide your system files, clear your System Restore cache and uninstall ComboFix.


Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I can mark it as resolved.
Old 11-22-2008, 02:33 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 6
OS: XP


Re: brastk and tdssserv + can't use .exe

Hi Angelfire777,

Thank you so much for sorting out my problems.

I had tried but failed and was desperate. Then you stepped in to help and rescued me.

Certainly, in future I won't hesitate to come to techsupportforum. But hopefully I won't need to!

Thanks, cheers and best regards...
Copyright 2001 - 2009, Tech Support Forum