Tom's Guide | Tom's Hardware | Tom's Games
Hello Everyone
I was surfing in a forum today when all of a sudden my computer restarted. After that there was this red icon with a white “x” saying that my computer is infected. First thing that came to my mind was spyware, so I ran a full scan using Ad-aware and another full virus scan using Avira Personal. Thinking it's gonna solve the problems, it actually made it worse. Now while I'm using it, it just starts restarting randomly. And also when I search something on Google and the results come up, when I click on the results it goes to these pages about anti-viruses and anti-spywares. I really need help. I tried downloading Malwarebytes' Anti-Malware but somehow it won't let me open this program. I also wanted to burn a DVD in case I have to format my hard drive, but somehow Nero doesn't open either. It's like it's affecting everything in my computer. I don't want to format my hard drive because I'm a photographer and I have these pics on my computer that I don't want to get erased.

Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I tried installing Malwarebytes & HijackThis but as soon as I download them and click on them nothing happens. This virus/spyware or whatever it is, is stopping me from running these programs. I can't even run Nero. When I click on them the install page never shows up and nothing happens. I tried to restore my computer but it didn't help at all. I can't even open Nero and burn the photos on CD. I guess I should buy an external hard drive tomorrow as soon as stores open up. Any ideas what I can do now that neither Malwarebytes nor HijackThis opens?

If you got them downloaded, rename the setup file then try installing them again.
Right click the mbam-setup.exe file > click Rename > rename it Amirr.ex then try to run it. If it installed but will not run, navigate to this folder:
C:\Program Files\Malwarebytes' Anti-Malware
Rename the mbam.exe file then try to run it again; if still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
For HijackThis, rename the HijackThis.exe file to something else and try installing it again.

Tried running Malwarebytes' Anti-Malware in Safe Mode = No luck... still won't open
Tried changing the .exe names in the folder = No luck... gives me this Run Time Error: 0
Tried installing HijackThis in Safe Mode = Worked, but still won't open in Safe Mode
Tried opening HijackThis in Windows mode = No luck... the program doesn't run
To be honest I have no idea what I should do right now. And my computer keeps restarting like every 20 min. And I can't open half the programs on my computer. And when I search for something on Google these weird pages open up instead of the original webpages.

OK, finally this HijackThis thing worked... here is the log, but I got this error in the middle; I don't know if it's gonna affect the log. This is the picture of the error:
http://i37.tinypic.com/29m0ums.jpg

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:33 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
C:\Program Files\PowerISO\PWRISOVM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\Spanel.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\kk\jj.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.exe
O4 - HKLM\..\Run: [Prj] C:\Documents and Settings\Amir\Desktop\Yahoo Tools Persian.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [lphcvwgj0erdl] C:\WINDOWS\system32\lphcvwgj0erdl.exe
O4 - HKLM\..\Run: [SMrhcrwgj0erdl] C:\Program Files\rhcrwgj0erdl\rhcrwgj0erdl.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\avupdate.exe
O4 - HKCU\..\Policies\Explorer\Run: [{28DD21FE-0BB0-1033-1031-030309020001}] "C:\Program Files\Common Files\{28DD21FE-0BB0-1033-1031-030309020001}\Update.exe" mc-110-12-0000651
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menu...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/...
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: karna.dat
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c91a1575b52ff6) (gupdate1c91a1575b52ff6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8635 bytes
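The log above is what the helpers in this thread read by hand. As an added example (not part of the thread and not a HijackThis feature), here is a small Python triage script that applies the patterns visible in this log: a non-empty AppInit_DLLs value, a text/html filter hijack, svchost.exe started from the drivers folder, random-looking executable names under Run, and Run values with an unqualified file name. The sample lines are copied from the log posted above; the rules and thresholds (name length, vowel ratio, the list of core system binaries and their directories) are this example's own assumptions. They are heuristics, not signatures: brastk.exe under system32 is not caught by any of them, which is why a helper reads the whole log rather than trusting a single rule.

```python
"""Triage heuristics for a HijackThis log (added example; not a HijackThis or forum tool).

The rules below are this example's assumptions, not HijackThis rules.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed subset of the log posted above; every line is copied from that log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\\..\\Run: [lphcvwgj0erdl] C:\\WINDOWS\\system32\\lphcvwgj0erdl.exe
O4 - HKLM\\..\\Run: [SMrhcrwgj0erdl] C:\\Program Files\\rhcrwgj0erdl\\rhcrwgj0erdl.exe
O4 - HKLM\\..\\Run: [brastk] brastk.exe
O4 - HKCU\\..\\Run: [SVCHOST.EXE] C:\\WINDOWS\\system32\\drivers\\svchost.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [brastk] C:\\WINDOWS\\system32\\brastk.exe (User 'SYSTEM')
O4 - Startup: Adobe Gamma.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: karna.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

# Core Windows binaries and the only directories they should start from (assumption for XP).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First quoted or unquoted token ending in .exe inside the command line.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def looks_random(stem: str) -> bool:
    """Long, almost vowel-free names such as lphcvwgj0erdl are typical of rogue-AV droppers."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 10 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, file name); a bare file name has an empty directory."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every line of a HijackThis log and return the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(("high", "AppInit_DLLs is set: every process that loads user32.dll loads it too", line))
            continue
        if line.startswith("O18 - Filter hijack:"):
            findings.append(("high", "MIME filter hijack: the filter sees every HTML page IE renders", line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.search(m.group("cmd"))
        if not exe:
            continue
        directory, name = split_path(exe.group("path"))
        stem = name.rsplit(".", 1)[0]
        if name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
            findings.append(("high", f"{name} started from a non-system directory", line))
        if looks_random(stem):
            findings.append(("medium", f"random-looking executable name '{stem}'", line))
        if not directory:
            findings.append(("low", "unqualified file name: resolved by the CreateProcess search order, not a fixed path", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the script returns seven findings: three high (the drivers\svchost.exe Run value, the O18 filter hijack, the O20 AppInit_DLLs entry), two medium (the two random-looking names) and two low (the bare `KHALMNPR.exe` and `brastk.exe` names). The low-severity rule also fires on the legitimate Logitech entry, which is the usual trade-off with this kind of rule: it points a reviewer at a line rather than deciding for them.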

Please download the OTMoveIt2 by OldTimer and save it to your desktop.
1. Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
2. Copy everything between the X's (not the X's) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
C:\WINDOWS\system32\lphcvwgj0erdl.exe
C:\Program Files\rhcrwgj0erdl\rhcrwgj0erdl.exe
C:\WINDOWS\system32\sysrest32.exe
C:\Program Files\rhcrwgj0erdl
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
4. Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
5. Click the red Moveit! button.
6. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
7. Close OTMoveIt2.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Then try running Malwarebytes again.

Hello
First can I say thanks in advance for all of the help and assistance offered; it's very good of people to take the time to help others for no reward.
I had exactly the same experience as the initial poster, and took the steps outlined (i.e. downloading and running Malwarebytes). However, once the scan was complete and I pressed 'Remove Selected', a Windows message box appeared with the message 'Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Professional CD-ROM now.' The options are Retry, More Information and Cancel.
Could you please advise as to what I should do next? Here is the log from Malwarebytes:
_________________________________________
Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3
17/11/2008 20:49:09
mbam-log-2008-11-17 (20-49-09).txt

Scan type: Quick Scan
Objects scanned: 76408
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSosvd.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS8f90.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\winzip100.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stefan Volkmann\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmhxt.sys (Rootkit.Agent) -> Delete on reboot.
_________________________________________
Thanks again.
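As an added example (not Malwarebytes' own code and not part of the thread), the following Python parser reads a report in the layout shown above and separates what was quarantined from what is still pending: the "Delete on reboot" entries, which remain on disk until the restart, and the "Failed" ones. The sample report is a constructed subset of the one posted; the item lines are copied from it, and the regular expressions assume only the line layout visible there (section header, then one `<target> (<classification>) -> <status>.` line per detection).

```python
"""Parser for a Malwarebytes' Anti-Malware report (added example, not Malwarebytes code).

Section headers, item lines and the "-> status" suffix follow the layout of the report
posted above; anything else about the format is an assumption of this example.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Item(NamedTuple):
    section: str
    target: str          # file path or registry key/value
    classification: str  # detection name, e.g. Trojan.TDSS
    status: str          # what MBAM managed to do with it in this pass


# Constructed subset of the report posted above (item lines copied verbatim).
SAMPLE_REPORT = """\
Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 1
Files Infected: 20

Memory Processes Infected:
C:\\WINDOWS\\system32\\drivers\\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit (Trojan.Agent) -> Data: c:\\windows\\system32\\ -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\\WINDOWS\\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary lines near the top ("Files Infected: 20") carry a count and are skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<target> (<classification>) -> [Data: ... -> ]<status>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<cls>[^()]+)\) -> (?P<rest>.+)$")


def parse_report(text: str) -> List[Item]:
    """Walk the report line by line, tracking the current section, and collect one Item per detection."""
    items: List[Item] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("("):
            continue  # header lines, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if not m:
            continue
        # The status is the last "->" segment; registry data items carry an extra "Data:" segment.
        status = m.group("rest").split("-> ")[-1].rstrip(".")
        items.append(Item(section, m.group("target"), m.group("cls"), status))
    return items


def pending_actions(items: List[Item]) -> Dict[str, List[Item]]:
    """Detections that are not finished: still on disk until reboot, or not removable at all."""
    pending: Dict[str, List[Item]] = {"reboot": [], "failed": []}
    for item in items:
        if item.status == "Delete on reboot":
            pending["reboot"].append(item)
        elif item.status.startswith("Failed"):
            pending["failed"].append(item)
    return pending


def status_counts(items: List[Item]) -> Counter:
    """How many detections ended in each status."""
    return Counter(item.status for item in items)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(status_counts(parsed))
    for kind, pend in pending_actions(parsed).items():
        for item in pend:
            print(f"{kind:7} {item.section}: {item.target} [{item.classification}]")
```

Run on the sample, the parser yields six detections: three quarantined, two waiting for the reboot (the drivers\svchost.exe file and the TDSS driver) and one failure (the running svchost.exe process MBAM could not unload). That split is the reason the helpers ask for the log again after the restart: until then the "Delete on reboot" files are still in place.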

For the record, I put in my Windows XP CD, which made the box described above disappear straight away, but it didn't seem to do anything else. I left it a few minutes, and then re-booted as instructed to do by Malwarebytes. On reboot, the problem seems to be fixed (no red circle with white cross icon in the bottom right). However, I ran HijackThis just in case and this is the log:
_________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:14:12, on 17/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Labtec\Mouse\2.1\moffice.exe
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\\My Documents\Downloads\HiJackThis.exe
C:\Program Files\Opera\Opera.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - http://www.littlewoodscasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - http://www.littlewoodscasino.com (file missing) (HKCU)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f002.mail.lycos.co.uk/app/up...
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8310 bytes
________________________________________
If you think I should take any further action please let me know. Thanks very much.

Thanks jabuck..
Here is the log...
File/Folder C:\WINDOWS\system32\lphcvwgj0erdl.exe not found.
File/Folder C:\Program Files\rhcrwgj0erdl\rhcrwgj0erdl.exe not found.
File/Folder C:\WINDOWS\system32\sysrest32.exe not found.
C:\Program Files\rhcrwgj0erdl moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 11172008_165319

Run OTMoveIt2 again and remove this file:
C:\WINDOWS\system32\brastk.exe
Then try to run Malwarebytes.

OK, I ran OTMoveIt2 and tried removing brastk.exe but I get this error message that access is denied. It's being used by..

Go to Start > Run > type in "notepad" without the quotes > OK. Click File > New, then paste the following text into the new file (just the part between the lines):
_____________________________________
attrib -r -h -s C:\Windows\System32\brastk.exe
del C:\Windows\System32\brastk.exe
___________________________________
Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat. Allow it to run. Try to download and run Malwarebytes again.

I did everything you told me to do.. no luck.
I tried deleting karna.dat and brastk.exe from windows/system but as soon as I restart they are back again.. it's like they are hiding in this root file.. I also tried running a software called BrastkRemover.exe and that didn't solve the problem either..

Did you try downloading and running malwarebytes again?
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

SDFix: Version 1.240
Run by Administrator on Tue 11/18/2008 at 12:23 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
sysrest.sys

Path :
\??\C:\WINDOWS\system32\sysrest.sys

sysrest.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Resetting AppInit_DLLs value
Rebooting
Infected beep.sys Found!

beep.sys File Locations:
"C:\WINDOWS\system32\drivers\beep.sys" 23040 11/17/2008 08:37 PM
Infected File Listed Below:
C:\WINDOWS\system32\drivers\beep.sys
File copied to Backups Folder
Attempting to replace beep.sys with original version
Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM

Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\phcvwgj0erdl.bmp - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\smdat32a.sys - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSinxt.dll - Deleted
C:\WINDOWS\system32\TDSSkiuj.dat - Deleted
C:\WINDOWS\system32\TDSSajbv.log - Deleted
Could Not Remove C:\WINDOWS\system32\TDSStftl.dll
Could Not Remove C:\WINDOWS\system32\TDSSkrhi.dll
Could Not Remove C:\WINDOWS\system32\TDSShojs.dll
Could Not Remove C:\WINDOWS\system32\TDSSfwyx.dll
Folder C:\Program Files\InetGet2 - Removed
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 00:34:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Amir\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Enabled:sc_serv"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Messenger"
"C:\\Program Files\\LM\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LM\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\GetThis4Free\\GetThis4Free.exe"="C:\\Program Files\\GetThis4Free\\GetThis4Free.exe:*:Disabled:GetThis4Free"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\hltv.exe"="C:\\Program Files\\Valve\\hltv.exe:*:Enabled:HLTV Launcher"
"C:\\Documents and Settings\\Amir\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Amir\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Valve\\hlds.exe"="C:\\Program Files\\Valve\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"="C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe:*:Enabled:GRAW"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\83 (2)\\GRAW.exe"="D:\\83 (2)\\GRAW.exe:*:Enabled:GRAW"
"C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX01.797\\StrongDC.exe"="C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX01.797\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX08.171\\StrongDC.exe"="C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX08.171\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Program Files\\fulDC\\DCPlusPlus.exe"="C:\\Program Files\\fulDC\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Ultra MSN Spy Monitor\\MSNMonitor.exe"="C:\\Program Files\\Ultra MSN Spy Monitor\\MSNMonitor.exe:*:Enabled:MSNMonitor"
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"="C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe:*:Enabled:Speed"
"C:\\Documents and Settings\\Amir\\Desktop\\New Folder (5)\\utorrent.exe"="C:\\Documents and Settings\\Amir\\Desktop\\New Folder (5)\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\Amir\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Amir\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\D\\Kazaa\\kazaa.exe"="C:\\D\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\amirvscas\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\amirvscas\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[b]Remaining Files [/b]:
C:\WINDOWS\system32\TDSStftl.dll Found
C:\WINDOWS\system32\TDSSkrhi.dll Found
C:\WINDOWS\system32\TDSShojs.dll Found
C:\WINDOWS\system32\TDSSfwyx.dll Found
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Tue 5 Aug 2008 48 A.SH. --- "C:\WINDOWS\SA22C7A38.tmp"
Wed 31 Jul 2002 104 ..SH. --- "C:\WINDOWS\WSYS049.SYS"
Sun 24 Feb 2008 72,704 ..SHR --- "C:\Program Files\Artizen HDR\Setup.exe"
Sat 23 Aug 2008 635,848 ..SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 22 Aug 2006 8 ..SHR --- "C:\WINDOWS\system32\99978D3B35.dll"
Wed 16 Nov 2005 56 ..SHR --- "C:\WINDOWS\system32\99978D3B35.sys"
Wed 16 Nov 2005 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 14 May 2006 253 ...H. --- "C:\WINDOWS\system32\xpsys323132.DLL"
Sun 18 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 1 Oct 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Mon 23 Apr 2007 21,504 ...H. --- "C:\Documents and Settings\Amir\My Documents\~WRL2866.tmp"
Thu 30 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 20 Oct 2008 243,712 A..H. --- "C:\Documents and Settings\Amir\Local Settings\Temp\~949.tmp"
Mon 21 Jun 1999 0 A..H. --- "C:\Program Files\Adobe\Adobe Photoshop CS2\KPT Goo\MetaImage.dll"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 24 Apr 2007 22,016 ...H. --- "C:\Documents and Settings\Amir\Application Data\Microsoft\Word\~WRL2847.tmp"
Thu 18 Aug 2005 312 A.SH. --- "C:\Documents and Settings\Amir\My Documents\My Music\License Backup\drmv2key.bak"
[b]Finished![/b]

wooow it worked..the red icon is gone..Google is back to normal..I can run Malwarebytes and that's what I'm doing right now..I really appreciate the time u spent on replying and helping me jabuck..thank U :)

just to make sure..is the virus completely gone..I'm scanning my computer with Malwarebytes and it has found 9 infected files and the scan is not complete yet..so I guess Malwarebytes is gonna take care of the rest of the infected files?

I CAN'T BELIEVE THIS...IT'S BACK!
The red icon with the white x is gone but again Malwarebytes doesn't work. When I click on the results in Google it redirects me to other webpages. My connection is super slow. I thought the stupid thing was gone. But it seems that I still have to look for a way to remove this completely.

Having the same issue everyone on this board is having. Exactly the same as this thread. Can't load any antivirus program. Took out Windows Defender and McAfee. The download link for moveit2 was broken and after a little research I was told it is obsolete and not available for download anymore. What steps do we need to take now? This sucks. Having to borrow a comp for three days now.

Run SDFix again from safe mode, following all the above directions.
As soon as SDFix reboots, turn off the computer, reboot into safe mode and run this batch file:
Go to Start > Run > type in "notepad" without the quotes > OK. Click File > New, then paste the following text into the new file (just the part between the lines), at the very top of the Notepad page:
_____________________________________
attrib -r -h -s C:\Windows\System32\TDSStftl.dll
del C:\Windows\System32\TDSStftl.dll
attrib -r -h -s C:\Windows\System32\TDSSkrhi.dll
del C:\Windows\System32\TDSSkrhi.dll
attrib -r -h -s C:\Windows\System32\TDSShojs.dll
del C:\Windows\System32\TDSShojs.dll
attrib -r -h -s C:\Windows\System32\TDSSfwyx.dll
del C:\Windows\System32\TDSSfwyx.dll
__________________________________________
Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat. Allow it to run. Immediately run Malwarebytes and post its log.
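The remove.bat above was written by hand from the "Could Not Remove" and "Remaining Files" lines of the SDFix report. As an added example (not part of the thread, and not SDFix's own code), the script below parses a Report.txt in the format posted above and generates the same attrib/del pairs; the report excerpt inside it is constructed from the thread's second SDFix run, and the line formats are assumed from the reports shown here.

```python
"""Parse an SDFix Report.txt and build the attrib/del batch lines that the
helper in this thread wrote by hand.  Added example, not SDFix's own code;
the line formats are assumed from the reports posted in the thread."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the second SDFix report in the thread.
SAMPLE_REPORT = r"""SDFix: Version 1.240
Run by Administrator on Tue 11/18/2008 at 06:51 PM
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\TDSSinxt.dll - Deleted
C:\WINDOWS\system32\TDSSkiuj.dat - Deleted
Could Not Remove C:\WINDOWS\system32\TDSStftl.dll
Could Not Remove C:\WINDOWS\system32\TDSSkrhi.dll
Removing Temp Files
Remaining Files :
C:\WINDOWS\system32\TDSStftl.dll Found
C:\WINDOWS\system32\TDSSkrhi.dll Found
File Backups: - C:\SDFix\backups\backups.zip
Finished!
"""

# Each pattern anchors on a drive-letter path so section headers never match.
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?) - Deleted$")
LOCKED_RE = re.compile(r"^Could Not Remove (?P<path>[A-Za-z]:\\\S.*)$")
REMAINING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?) Found$")


def parse_report(text: str) -> Dict[str, List[str]]:
    """Return the paths SDFix deleted, could not remove, and still found afterwards."""
    result: Dict[str, List[str]] = {"deleted": [], "locked": [], "remaining": []}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in (("deleted", DELETED_RE),
                             ("locked", LOCKED_RE),
                             ("remaining", REMAINING_RE)):
            match = pattern.match(line)
            if match:
                result[key].append(match.group("path"))
                break
    return result


def files_to_delete(report: Dict[str, List[str]]) -> List[str]:
    """Locked files plus files still present after the reboot, de-duplicated
    case-insensitively (NTFS paths are case-insensitive), order preserved."""
    seen = set()
    paths: List[str] = []
    for path in report["locked"] + report["remaining"]:
        key = path.lower()
        if key not in seen:
            seen.add(key)
            paths.append(path)
    return paths


def build_batch(paths: List[str]) -> str:
    """Emit one attrib/del pair per path, as in the helper's remove.bat.
    attrib clears the read-only/hidden/system bits so del is allowed to touch
    the file.  A file still held open by a running driver cannot be deleted
    this way, which is why the thread runs the batch from Safe Mode after
    SDFix has removed the service."""
    lines: List[str] = []
    for path in paths:
        quoted = f'"{path}"' if " " in path else path  # cmd.exe needs quotes around spaces
        lines.append(f"attrib -r -h -s {quoted}")
        lines.append(f"del {quoted}")
    return "\r\n".join(lines) + "\r\n"  # batch files conventionally use CRLF


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(build_batch(files_to_delete(report)), end="")
```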

Thanks jabuck..I ran SDFix again from safe mode and after I rebooted the computer I was able to open Malwarebytes and did a full scan and it found 99 infected files without making the notepad file..my computer is back to normal again but this is what happened last night too but like after 20 min the spyware trojan or whatever it's called was back!! I included both the Malwarebytes log and the SDFix log
Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3
11/18/2008 10:02:57 PM
mbam-log-2008-11-18 (22-02-57).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 158606
Time elapsed: 50 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 81
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcrwgj0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcrwgj0erdl (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\rhcrwgj0erdl\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\TDSSfwyx.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSShojs.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSkrhi.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSStftl.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSfdmt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS10c4.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS1680.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS2eea.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3137.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS317b.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS3454.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS36e9.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3713.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS396a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3adc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS68b7.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6944.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS69a2.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6abb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6b57.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6d7a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6f30.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6f9d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7402.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS820c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8315.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS841f.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS845d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8509.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8529.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8623.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS870d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS895f.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS897e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8b43.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8b62.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS8cba.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS912f.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS91db.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS932.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS76c1.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS77bb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS78d4.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7a1c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7af7.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7b74.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7b93.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7c4f.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7ceb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7d0a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7e72.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7f4d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7f5c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSbd2.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSe191.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSe411.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSe634.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSe8d4.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSec20.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS51b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5d9c.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5e57.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5f41.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS60e7.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS625e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS626e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6452.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS64ef.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS651d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS66c3.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6750.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS3f41.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS67bd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS81be.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A372027B-0298-471B-881A-A2CD814B6F31}\RP1284\A0974889.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A372027B-0298-471B-881A-A2CD814B6F31}\RP1284\A0974894.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{A372027B-0298-471B-881A-A2CD814B6F31}\RP1285\A0974922.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\NetPumper\Amir.ini (Adware.NetPumper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amir\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

here is the log from SDFix
[b]SDFix: Version 1.240 [/b]
Run by Administrator on Tue 11/18/2008 at 06:51 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\TDSSinxt.dll - Deleted
C:\WINDOWS\system32\TDSSkiuj.dat - Deleted
C:\WINDOWS\system32\TDSSajbv.log - Deleted
Could Not Remove C:\WINDOWS\system32\TDSStftl.dll
Could Not Remove C:\WINDOWS\system32\TDSSkrhi.dll
Could Not Remove C:\WINDOWS\system32\TDSShojs.dll
Could Not Remove C:\WINDOWS\system32\TDSSfwyx.dll
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 20:13:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Amir\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Enabled:sc_serv"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Messenger"
"C:\\Program Files\\LM\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LM\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\GetThis4Free\\GetThis4Free.exe"="C:\\Program Files\\GetThis4Free\\GetThis4Free.exe:*:Disabled:GetThis4Free"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\hltv.exe"="C:\\Program Files\\Valve\\hltv.exe:*:Enabled:HLTV Launcher"
"C:\\Documents and Settings\\Amir\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Amir\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Valve\\hlds.exe"="C:\\Program Files\\Valve\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe"="C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\GRAW.exe:*:Enabled:GRAW"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\83 (2)\\GRAW.exe"="D:\\83 (2)\\GRAW.exe:*:Enabled:GRAW"
"C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX01.797\\StrongDC.exe"="C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX01.797\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX08.171\\StrongDC.exe"="C:\\Documents and Settings\\Amir\\Local Settings\\Temp\\Rar$EX08.171\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Program Files\\fulDC\\DCPlusPlus.exe"="C:\\Program Files\\fulDC\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Ultra MSN Spy Monitor\\MSNMonitor.exe"="C:\\Program Files\\Ultra MSN Spy Monitor\\MSNMonitor.exe:*:Enabled:MSNMonitor"
"C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"="C:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe:*:Enabled:Speed"
"C:\\Documents and Settings\\Amir\\Desktop\\New Folder (5)\\utorrent.exe"="C:\\Documents and Settings\\Amir\\Desktop\\New Folder (5)\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\Amir\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Amir\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\D\\Kazaa\\kazaa.exe"="C:\\D\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\amirvscas\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\amirvscas\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[b]Remaining Files [/b]:
C:\WINDOWS\system32\TDSStftl.dll Found
C:\WINDOWS\system32\TDSSkrhi.dll Found
C:\WINDOWS\system32\TDSShojs.dll Found
C:\WINDOWS\system32\TDSSfwyx.dll Found
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Tue 5 Aug 2008 48 A.SH. --- "C:\WINDOWS\SA22C7A38.tmp"
Wed 31 Jul 2002 104 ..SH. --- "C:\WINDOWS\WSYS049.SYS"
Sun 24 Feb 2008 72,704 ..SHR --- "C:\Program Files\Artizen HDR\Setup.exe"
Sat 23 Aug 2008 635,848 ..SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 22 Aug 2006 8 ..SHR --- "C:\WINDOWS\system32\99978D3B35.dll"
Wed 16 Nov 2005 56 ..SHR --- "C:\WINDOWS\system32\99978D3B35.sys"
Wed 16 Nov 2005 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 14 May 2006 253 ...H. --- "C:\WINDOWS\system32\xpsys323132.DLL"
Sun 18 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 1 Oct 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Mon 23 Apr 2007 21,504 ...H. --- "C:\Documents and Settings\Amir\My Documents\~WRL2866.tmp"
Thu 30 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 20 Oct 2008 243,712 A..H. --- "C:\Documents and Settings\Amir\Local Settings\Temp\~949.tmp"
Mon 21 Jun 1999 0 A..H. --- "C:\Program Files\Adobe\Adobe Photoshop CS2\KPT Goo\MetaImage.dll"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 24 Apr 2007 22,016 ...H. --- "C:\Documents and Settings\Amir\Application Data\Microsoft\Word\~WRL2847.tmp"
Thu 18 Aug 2005 312 A.SH. --- "C:\Documents and Settings\Amir\My Documents\My Music\License Backup\drmv2key.bak"
[b]Finished![/b]

Did you run the batch file?
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your McAfee antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

ComboFix 08-11-18.03 - Amir 2008-11-18 23:08:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.501 [GMT -5:00]
Running from: D:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\{28DD2~1
c:\program files\Mozilla Firefox\plugins\npclntax.dll
c:\program files\Mozilla Firefox\plugins\NPNd2fn.dll
c:\program files\winupdates
c:\windows\system32\drivers\npf.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
2008-11-18 16:51 . 2008-11-18 16:51 <DIR> d-------- c:\documents and settings\Amir\.SunDownloadManager
2008-11-18 00:36 . 2008-11-18 00:36 <DIR> d-------- c:\documents and settings\Amir\Application Data\Malwarebytes
2008-11-18 00:36 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 00:35 . 2008-11-18 00:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 00:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 00:20 . 2008-11-18 00:20 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-18 00:13 . 2008-11-18 00:13 <DIR> d-------- c:\windows\ERUNT
2008-11-18 00:09 . 2008-11-18 20:13 <DIR> d-------- C:\SDFix
2008-11-17 16:53 . 2008-11-17 16:53 <DIR> d-------- C:\_OTMoveIt
2008-11-17 00:37 . 2008-11-17 00:37 51 --a------ c:\windows\system32\Partizan.RRI
2008-11-17 00:34 . 2008-11-17 00:34 (2) -rahs-ot- c:\windows\winstart.bat
2008-11-17 00:16 . 2008-11-17 00:34 <DIR> d-------- c:\program files\Network Associates
2008-11-17 00:07 . 2008-11-17 00:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-16 22:54 . 2008-11-16 22:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-16 19:06 . 2008-08-07 15:27 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-16 19:06 . 2008-08-07 15:27 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-11-16 16:06 . 2008-11-16 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-16 14:00 . 2008-11-16 15:38 5,120 --a------ C:\ARK5.tmp
2008-11-11 16:28 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 16:27 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-23 15:19 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 20:15 . 2008-10-20 20:15 <DIR> d-------- c:\program files\Goto.Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 05:37 --------- d-----w c:\program files\Google
2008-11-17 16:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 05:31 --------- d-----w c:\documents and settings\Amir\Application Data\uTorrent
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-06 01:15 --------- d-----w c:\program files\MSECache
2008-10-05 21:50 36,864 ----a-w C:\nphssb.dll
2008-10-05 21:49 91,648 ----a-w c:\windows\gzip.exe
2008-10-05 21:49 --------- d-----w c:\program files\Homestead
2008-09-29 23:53 --------- d-----w c:\program files\ImageSkill
2008-09-19 04:13 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-09-19 04:12 --------- d-----w c:\program files\Ulead Systems
2008-09-19 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-09-19 04:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-10 03:14 169,160 -c--a-w c:\documents and settings\Amir\Application Data\GDIPFONTCACHEV1.DAT
2008-03-15 18:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-08-16 04:20 141,000 -c--a-w c:\program files\DJ Boo Boo 2.0ErrorLog.log
2005-09-04 03:08 143,680 -c--a-w c:\documents and settings\Amir\DynGate_Setup.exe
2005-08-26 08:34 0 -c-h--w c:\documents and settings\Amir\Application Data\TurboLaunch_IconCache.dat
2006-08-22 21:08 8 --sh--r c:\windows\system32\99978D3B35.dll
2005-11-17 00:58 56 -csh--r c:\windows\system32\99978D3B35.sys
2005-11-17 00:58 3,350 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-04 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Amir^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Amir^Start Menu^Programs^Startup^TeamViewer.lnk]
backup=c:\windows\pss\TeamViewer.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Longhorn SideBar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Calendar Checker

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
--a------ 2006-03-20 14:43 331776 c:\program files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2001-11-15 12:00 196608 c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 19:05 200704 c:\program files\PowerISO\PWRISOVM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-04 21:43 155648 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
-----c--- 2003-07-03 14:31 45056 c:\program files\Brother\Brmfl03a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 16:28 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 02:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
-----c--- 2005-07-28 07:32 94208 c:\program files\Common Files\Ulead Systems\AutoDetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 13:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys [2004-11-30 161792]
S2 WUVXQAFG;WUVXQAFG;\??\c:\windows\system32\wuvxqafg.otn []
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2005-09-18 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2005-09-18 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2005-09-18 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2005-09-18 10368]
S3 RenameMe;RenameMe;\??\c:\windows\system32\RenameMe.sys [2007-01-14 8320]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a80d5b2-0ac5-11db-87e5-806d6172696f}]
\Shell\AutoRun\command - g:\autorun\UbiAutorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-08-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LogitechSoftwareUpdate - c:\program files\Logitech\Video\ManifestEngine.exe
MSConfigStartUp-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
MSConfigStartUp-LogitechVideoTray - c:\program files\Logitech\Video\LogiTray.exe
MSConfigStartUp-LVCOMSX - c:\windows\system32\LVCOMSX.exe
MSConfigStartUp-Network Associates Error Reporting Service - c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe
MSConfigStartUp-Prj - c:\documents and settings\Amir\Desktop\Yahoo Tools Persian.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Amir\Application Data\Mozilla\Firefox\Profiles\eclyjcwx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npclntax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPNd2fn.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\Opera\program\plugins\NPTURNMED.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 23:12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WUVXQAFG]
"ImagePath"="\??\c:\windows\system32\wuvxqafg.otn"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-18 23:18:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 04:18:12

Pre-Run: 4,468,805,632 bytes free
Post-Run: 4,406,173,696 bytes free

247 --- E O F --- 2008-11-18 06:06:17

Did you run the batch file in response #20?
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\ARK5.tmp
Folder::
C:\ARK5.tmp
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if Combofix does not auto-start, click "Run".

Your Java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 10 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Post a new Combofix log following the previous directions.
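An added triage example, not ComboFix's code and not posted in the thread: it reads two kinds of lines from the ComboFix log above (the policy values under "Reg Loading Points" and the R/S driver-service lines), flags services whose image path has no .sys/.exe extension or no recorded file stamp, and shows that the odd policy value names are genuine policy names with each byte XORed by an alternating 0x03/0x01 key. That decoding is my own reading of the log lines, not something the thread states; the sample input is constructed from lines of the log.

```python
"""Triage two kinds of lines from a ComboFix log: the policy values shown under
"Reg Loading Points" and the R/S driver-service lines.

Added example, not ComboFix code and not from the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)
R1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys [2004-11-30 161792]
S2 WUVXQAFG;WUVXQAFG;\??\c:\windows\system32\wuvxqafg.otn []
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2005-09-18 2944]
S3 RenameMe;RenameMe;\??\c:\windows\system32\RenameMe.sys [2007-01-14 8320]
S4 hpt3xx;hpt3xx; []
"""

# Genuine Explorer/System policy value names. A decoded name is only reported
# when it lands on one of these, so random junk does not produce false hits.
KNOWN_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools", "NoRun", "NoClose", "NoLogOff",
    "NoChangeStartMenu", "NoControlPanel", "NoFolderOptions", "NoDesktop",
}

# The odd value names in the log are the genuine names with every byte XORed
# by this alternating key (worked out by hand from the log; not stated in the thread).
XOR_KEY = (0x03, 0x01)

POLICY_LINE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')
# "<R|S><start> name;display;image [date size]" as ComboFix prints service entries.
SERVICE_LINE = re.compile(r'^([RS])(\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]$')
EXPECTED_EXT = {".sys", ".exe"}


@dataclass
class Finding:
    kind: str     # "policy" or "service"
    subject: str  # value name or service name
    detail: str


def xor_decode(name: str, key=XOR_KEY) -> str:
    """Undo a byte-wise XOR with a short repeating key."""
    return "".join(chr(ord(c) ^ key[i % len(key)]) for i, c in enumerate(name))


def check_policy(name: str, value: str) -> List[Finding]:
    """Report policy value names that are not genuine, decoding them if possible."""
    if name in KNOWN_POLICIES:
        return []
    decoded = xor_decode(name)
    if decoded in KNOWN_POLICIES:
        return [Finding("policy", name,
                        f"obfuscated name decodes to {decoded} (value {value})")]
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        return [Finding("policy", name, "unrecognised name with odd characters")]
    return []


def check_service(match: "re.Match[str]") -> List[Finding]:
    """Report service lines whose image path or file stamp looks wrong."""
    _kind, _start, name, _display, image, stamp = match.groups()
    image = image.strip().strip('"')
    if not image:
        return [Finding("service", name, "no image path recorded")]
    out: List[Finding] = []
    ext = re.search(r"(\.[A-Za-z0-9]+)$", image)
    if ext is None or ext.group(1).lower() not in EXPECTED_EXT:
        out.append(Finding("service", name, f"unusual image extension: {image}"))
    if not stamp.strip():
        out.append(Finding("service", name,
                           "no file date/size recorded (file absent or unreadable at scan time)"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk the log once; policy checks apply only under a policies registry key."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            findings.extend(check_service(svc))
            continue
        pol = POLICY_LINE.match(line)
        if pol and "\\policies\\" in current_key.lower():
            findings.extend(check_policy(pol.group(1), pol.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.subject:18} {f.detail}")
```

Each of the five policy names decodes to a real restriction (DisableTaskMgr, NoChangeStartMenu, NoClose, NoLogOff, NoRun), which is why the helper's CFScript lists exactly those values for deletion; the WUVXQAFG service is flagged twice, once for the .otn image and once because ComboFix recorded no file stamp for it.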

Okay, I updated Java and removed the old one...
Did you run the batch file in response #20?
No, because I was able to get Malwarebytes to work without any problems. It seems that the problem is fixed: my connection speed is back to normal, the red icon is gone, the Google problem is solved, and the computer doesn't reboot automatically. But I still can't trust this, because that's what I thought last night, but I was wrong and my computer was still infected.
Once again I thank you for taking your time and helping me out...
Here is the new log:

ComboFix 08-11-18.03 - Amir 2008-11-19 0:07:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.627 [GMT -5:00]
Running from: c:\documents and settings\Amir\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amir\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\ARK5.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ARK5.tmp
.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
2008-11-19 00:06 . 2008-11-19 00:05 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-19 00:06 . 2008-11-19 00:05 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-18 16:51 . 2008-11-18 16:51 <DIR> d-------- c:\documents and settings\Amir\.SunDownloadManager
2008-11-18 00:36 . 2008-11-18 00:36 <DIR> d-------- c:\documents and settings\Amir\Application Data\Malwarebytes
2008-11-18 00:36 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 00:35 . 2008-11-18 00:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 00:35 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 00:20 . 2008-11-18 00:20 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-18 00:13 . 2008-11-18 00:13 <DIR> d-------- c:\windows\ERUNT
2008-11-18 00:09 . 2008-11-18 20:13 <DIR> d-------- C:\SDFix
2008-11-17 16:53 . 2008-11-17 16:53 <DIR> d-------- C:\_OTMoveIt
2008-11-17 00:37 . 2008-11-17 00:37 51 --a------ c:\windows\system32\Partizan.RRI
2008-11-17 00:34 . 2008-11-17 00:34 (2) -rahs-ot- c:\windows\winstart.bat
2008-11-17 00:16 . 2008-11-17 00:34 <DIR> d-------- c:\program files\Network Associates
2008-11-17 00:07 . 2008-11-17 00:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-16 22:54 . 2008-11-16 22:54 <DIR> d-------- c:\program files\Trend Micro
2008-11-16 19:06 . 2008-08-07 15:27 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-16 19:06 . 2008-08-07 15:27 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-11-16 16:06 . 2008-11-16 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-11 16:28 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 16:27 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-10-23 15:19 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 20:15 . 2008-10-20 20:15 <DIR> d-------- c:\program files\Goto.Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 05:05 --------- d-----w c:\program files\Java
2008-11-18 05:37 --------- d-----w c:\program files\Google
2008-11-17 16:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 05:31 --------- d-----w c:\documents and settings\Amir\Application Data\uTorrent
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-06 01:15 --------- d-----w c:\program files\MSECache
2008-10-05 21:50 36,864 ----a-w C:\nphssb.dll
2008-10-05 21:49 91,648 ----a-w c:\windows\gzip.exe
2008-10-05 21:49 --------- d-----w c:\program files\Homestead
2008-09-29 23:53 --------- d-----w c:\program files\ImageSkill
2008-09-19 04:13 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-09-19 04:12 --------- d-----w c:\program files\Ulead Systems
2008-09-19 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-09-19 04:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-10 03:14 169,160 -c--a-w c:\documents and settings\Amir\Application Data\GDIPFONTCACHEV1.DAT
2008-03-15 18:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-08-16 04:20 141,000 -c--a-w c:\program files\DJ Boo Boo 2.0ErrorLog.log
2005-09-04 03:08 143,680 -c--a-w c:\documents and settings\Amir\DynGate_Setup.exe
2005-08-26 08:34 0 -c-h--w c:\documents and settings\Amir\Application Data\TurboLaunch_IconCache.dat
2006-08-22 21:08 8 --sh--r c:\windows\system32\99978D3B35.dll
2005-11-17 00:58 56 -csh--r c:\windows\system32\99978D3B35.sys
2005-11-17 00:58 3,350 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-11-18_23.17.41.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-06-03 06:24:06 49,248 -c--a-w c:\windows\system32\java.exe
+ 2008-11-19 05:05:56 144,792 ----a-w c:\windows\system32\java.exe
- 2005-06-03 06:24:14 49,250 -c--a-w c:\windows\system32\javaw.exe
+ 2008-11-19 05:05:56 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-06-03 07:52:56 127,078 -c--a-w c:\windows\system32\javaws.exe
+ 2008-11-19 05:05:56 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-19 05:11:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-04 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 507904]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-19 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Amir^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Amir^Start Menu^Programs^Startup^TeamViewer.lnk]
backup=c:\windows\pss\TeamViewer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
--a------ 2006-03-20 14:43 331776 c:\program files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2001-11-15 12:00 196608 c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 19:05 200704 c:\program files\PowerISO\PWRISOVM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-04 21:43 155648 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
-----c--- 2003-07-03 14:31 45056 c:\program files\Brother\Brmfl03a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 16:28 1410296 c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
-----c--- 2005-07-28 07:32 94208 c:\program files\Common Files\Ulead Systems\AutoDetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-03-03 13:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys [2004-11-30 161792]
S2 WUVXQAFG;WUVXQAFG;\??\c:\windows\system32\wuvxqafg.otn []
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2005-09-18 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2005-09-18 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2005-09-18 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2005-09-18 10368]
S3 RenameMe;RenameMe;\??\c:\windows\system32\RenameMe.sys [2007-01-14 8320]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service []
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a80d5b2-0ac5-11db-87e5-806d6172696f}]
\Shell\AutoRun\command - g:\autorun\UbiAutorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-08-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_04\bin\jusched.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 00:11:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WUVXQAFG]
"ImagePath"="\??\c:\windows\system32\wuvxqafg.otn"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
.
**************************************************************************
.
Completion time: 2008-11-19 0:18:10 - machine was rebooted [Amir]
ComboFix-quarantined-files.txt 2008-11-19 05:17:57
ComboFix2.txt 2008-11-19 04:18:29

Pre-Run: 4,216,541,184 bytes free
Post-Run: 4,205,907,968 bytes free

204 --- E O F --- 2008-11-18 06:06:17

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run ESET's online scanner from this link:
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( Iwant to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3624 (20081119)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e08262a107a4814090643f687ae2c06b
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-19 03:20:02
# local_time=2008-11-19 10:20:02 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=247044
# found=19
# scan_time=2787
C:\Documents and Settings\Administrator\Desktop\catchme.zip multiple infiltrations C9629E7EDDB717648A40F12FB1884B4F
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »beep.sys Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSStftl.dll Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSSkrhi.dll Win32/Agent.OIK trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSShojs.dll Win32/Agent.OIK trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSSfwyx.dll Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSStftl.dll.1 Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSSkrhi.dll.1 Win32/Agent.OIK trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSShojs.dll.1 Win32/Agent.OIK trojan 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSSfwyx.dll.1 Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\msclevi.exe probably a variant of Win32/Agent trojan 2A92DB1EE37C627A832E8952C76C390C
C:\Qoobox\Quarantine\C\ARK5.tmp.vir a variant of Win32/TrojanDownloader.FakeAlert.GU trojan 14EA89B3F2000D5DFB1F352306583DA0
C:\SDFix\backups_old\backups.zip multiple infiltrations 4B9C316A3EF51BC9EA852C327F597A92
C:\SDFix\backups_old\backups.zip »ZIP »backups/av.dat a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/beep.sys Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/brastk.exe a variant of Win32/TrojanDownloader.FakeAlert.GU trojan 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/karna.dat Win32/TrojanProxy.Agent.NER trojan 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/phcvwgj0erdl.bmp Win32/TrojanDownloader.FakeAlert.DJ trojan 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/wini10802.exe Win32/Adware.XPAntiSpyware.AA application 00000000000000000000000000000000

Your computer appears to be clean.
This is most likely a false positive so don't delete it: C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\msclevi.exe
Navigate to and delete these files/folders:
C:\SDFix (folder)
C:\Documents and Settings\Administrator\Desktop\catchme.zip (file)
C:\Qoobox (folder)
Empty the recycle bin.
Go to start> run> combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Eset
You should keep ATF Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link: Spywareblaster. Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?
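As an added example (not code from this thread or from ESET), here is a small Python triage script that parses ESET Online Scanner log lines like the ones posted above and sorts each finding the way the helper did when reading them: hits inside ComboFix's C:\Qoobox quarantine or SDFix's backups are already neutralised, hits inside catchme.zip are samples collected by the cleanup tools, a heuristic "probably a variant of" hit on a live path is flagged for verification rather than deletion, and any other hit on a live path needs attention. The sample input reuses lines from the log above plus one constructed line (made-up path, detection name and hash, marked as such) to exercise the live-path branch; the category names and the rule that catchme.zip contents count as collected samples are my assumptions, derived from the helper's verdict, not anything ESET documents.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: ESET Online Scanner lines copied from the log posted in this thread,
# plus ONE constructed line (its path, detection name and digest are all made up)
# so that the "live" branch of the triage is exercised.
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=false
# found=6
C:\Documents and Settings\Administrator\Desktop\catchme.zip multiple infiltrations C9629E7EDDB717648A40F12FB1884B4F
C:\Documents and Settings\Administrator\Desktop\catchme.zip »ZIP »TDSStftl.dll Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\msclevi.exe probably a variant of Win32/Agent trojan 2A92DB1EE37C627A832E8952C76C390C
C:\Qoobox\Quarantine\C\ARK5.tmp.vir a variant of Win32/TrojanDownloader.FakeAlert.GU trojan 14EA89B3F2000D5DFB1F352306583DA0
C:\SDFix\backups_old\backups.zip »ZIP »backups/karna.dat Win32/TrojanProxy.Agent.NER trojan 00000000000000000000000000000000
C:\WINDOWS\system32\constructed_example.dll Win32/Example.Constructed trojan DEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

# One finding per line: <path> <detection> <32-hex digest>. Paths and detection
# names both contain spaces, so the path is matched lazily and the detection must
# look like ESET's "Platform/Family.Variant [type]" or "multiple infiltrations".
DETECTION = (
    r"(?:(?:probably )?a variant of )?"          # heuristic qualifiers
    r"[A-Za-z0-9]+/\S+"                           # e.g. Win32/Agent.ODG
    r"(?:\s+(?:trojan|application|worm|virus))?"  # type word, if present
    r"|multiple infiltrations"                    # summary line for an archive
)
FINDING_RE = re.compile(
    rf"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<detection>{DETECTION})\s+(?P<digest>[0-9A-Fa-f]{{32}})$"
)


@dataclass
class Finding:
    path: str
    detection: str
    digest: str
    archive_member: bool  # "»" marks a member inside an archive; the log above gives those an all-zero digest


def parse_eset_log(text):
    """Return (header dict, list of Finding, list of lines that did not parse)."""
    header, findings, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m is None:
            unparsed.append(line)  # never silently drop a scanner hit
            continue
        findings.append(Finding(m["path"], m["detection"], m["digest"].upper(), "»" in m["path"]))
    return header, findings, unparsed


# Assumed category names and rules, mirroring the helper's verdict in the thread.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\sdfix\\backups")


def classify(finding):
    p = finding.path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantined"         # already neutralised by ComboFix / SDFix
    if "\\catchme.zip" in p:
        return "collected-sample"    # samples zipped up by the catchme rootkit scan
    if finding.detection.startswith("probably a variant of"):
        return "live-heuristic"      # heuristic hit on a live path: verify before deleting
    return "live"                    # signature hit on a live path: act on it


def triage(text):
    """Count findings per category."""
    _, findings, _ = parse_eset_log(text)
    return dict(Counter(classify(f) for f in findings))


def needs_review(text):
    """Paths still on the live system, in log order."""
    _, findings, _ = parse_eset_log(text)
    return [f.path for f in findings if classify(f).startswith("live")]


if __name__ == "__main__":
    header, findings, unparsed = parse_eset_log(SAMPLE_LOG)
    print(f"scanner reported found={header.get('found')}, parsed {len(findings)}, unparsed {len(unparsed)}")
    for f in findings:
        print(f"{classify(f):17} {f.detection:55} {f.path}")
    print("review:", needs_review(SAMPLE_LOG))
```

Run against the full log above, the only paths that survive `needs_review` are live-system ones; everything under C:\Qoobox, C:\SDFix and catchme.zip is reported as already contained, which is exactly why the helper could call the machine clean while still telling the poster to delete those folders. Lines that do not parse are returned rather than dropped, so a new log format shows up as an unparsed list instead of a falsely empty report.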

The computer is operating like before. There seems to be no problems and it seems like it's all clean. I really thank you for the time and help you provide us here @ this forum. Appreciate it.
