how do i remove gnida[1].swf

Name: Jimbot182
Date: January 6, 2008 at 05:28:12 Pacific
OS: Windows XP Home Ed. SP2
CPU/Ram: Pentium 4 3.00Hz 2.99GHz/
Product: Dell Dimension 4600
Comment:

Hi,
Can anyone help with the removal of this virus? My Norton virus software seems to pick it up and remove it when I book on the internet but it's back after restarting my PC. Also from Norton a box appears with the following:-
Intrusion: HTTP Malicious URL Download Request.
Is this related to the gnida[1].swf virus?

Help would be much appreciated.
Thx



Response Number 1
Name: jabuck
Date: January 6, 2008 at 06:07:09 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download SmitFraudFix from this link:

SmitfraudFix

Then extract the contents to your desktop.
!!!! Only run option #1 as running the other options on an uninfected computer will damage the desktop.!!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


0

Response Number 2
Name: Jimbot182
Date: January 6, 2008 at 06:18:47 Pacific
Reply:

Ok here's the 2 bits of info:-

Logfile of HijackThis v1.99.1
Scan saved at 2:16:18 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\drivers\CDAC11BA.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\VoyagerTest\fts.exe
D:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
D:\WINDOWS\system32\dla\tfswctrl.exe
D:\Program Files\Dell\Media Experience\PCMService.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\vsnpstd3.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\camtool\VideoMonitor\CamTool.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
D:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\Rundll32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - D:\WINDOWS\system32\dcads_sidebar.dll
O2 - BHO: superiorads - {4AD44D3E-7316-4251-B754-9B10EC96AF92} - D:\WINDOWS\system32\sprt_ads.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - D:\WINDOWS\system32\nsv4D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - D:\WINDOWS\system32\spads.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "D:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DVDLauncher] "D:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "D:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [spa_start] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\sprt_ads.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: camtool.lnk = D:\Program Files\camtool\VideoMonitor\CamTool.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v31...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O17 - HKLM\System\CCS\Services\Tcpip\..\{321D2BA7-FE72-4F85-9515-0837782FE07D}: NameServer = 62.24.218.220 62.24.218.221
O17 - HKLM\System\CS1\Services\Tcpip\..\{321D2BA7-FE72-4F85-9515-0837782FE07D}: NameServer = 62.24.218.220 62.24.218.221
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


SmitFraudFix v2.130

Scan done at 14:14:11.65, Sun 01/06/2008
Run from D:\VirusStuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\James


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\James\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\James\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{01b55afa-f451-474b-9e91-c35b24d02641}"="boob"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


0

Response Number 3
Name: jabuck
Date: January 6, 2008 at 06:46:53 Pacific
Reply:

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - D:\WINDOWS\system32\dcads_sidebar.dll

O2 - BHO: superiorads - {4AD44D3E-7316-4251-B754-9B10EC96AF92} - D:\WINDOWS\system32\sprt_ads.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - D:\WINDOWS\system32\nsv4D.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - D:\WINDOWS\system32\spads.dll

O4 - HKLM\..\Run: [spa_start] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\sprt_ads.dll"

Exit Hijack This.

Navigate to and delete these files if found:

D:\WINDOWS\system32\sprt_ads.dll

D:\WINDOWS\system32\nsv4D.dll

Please download ComboFix to the desktop from this link: ComboFix

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


0
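
Added example (not part of the original thread, and not code from HijackThis or from the helper): a Python triage of the O2 (BHO) and O4 (Run key) lines excerpted from the log posted above. The two rules it applies are assumptions chosen for illustration, not the helper's stated criteria: a BHO whose target is "(no file)" or whose DLL sits directly in the system32 folder is listed for review, and a Run entry is listed when it loads one of those same DLLs.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted in this thread (O2 and O4 lines only).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - D:\WINDOWS\system32\dcads_sidebar.dll
O2 - BHO: superiorads - {4AD44D3E-7316-4251-B754-9B10EC96AF92} - D:\WINDOWS\system32\sprt_ads.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: dcads - {6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E} - D:\WINDOWS\system32\nsv4D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: browser optimizer superiorads - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - D:\WINDOWS\system32\spads.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spa_start] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\sprt_ads.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
"""

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)
# O4 - HKLM\..\Run: [value name] <command line>
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Any absolute path to a .dll inside a command line (quoted or not).
DLL_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.dll', re.IGNORECASE)


def parse(log_text):
    """Split a HijackThis log into BHO (O2) and Run-key (O4) records."""
    bhos, runs = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return bhos, runs


def in_system32_root(path):
    """True when the file sits directly in ...\\system32, not in a subfolder."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "system32"


def triage(log_text):
    """Return (section, name, id, reason) tuples that deserve a manual look.

    Both rules are illustrative assumptions. Legitimate BHOs can also live in
    system32, so the output is a review list, not a verdict.
    """
    bhos, runs = parse(log_text)
    findings, flagged_dlls = [], set()

    for b in bhos:
        if b["target"] == "(no file)":
            findings.append(("O2", b["name"], b["clsid"],
                             "BHO registration points at no file"))
        elif in_system32_root(b["target"]):
            flagged_dlls.add(b["target"].lower())
            findings.append(("O2", b["name"], b["clsid"],
                             "BHO DLL sits directly in system32"))

    # A DLL that is both a BHO and loaded from a Run key has two autostart
    # points, so removing only one registration leaves it active.
    for r in runs:
        loaded = {d.lower() for d in DLL_RE.findall(r["cmd"])}
        for dll in sorted(loaded & flagged_dlls):
            findings.append(("O4", r["name"], r["hive"],
                             "Run key loads flagged BHO DLL " + ntpath.basename(dll)))
    return findings


if __name__ == "__main__":
    for section, name, ident, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name:32} {ident:40} {reason}")
```

On this excerpt the review list covers the same O2 and O4 entries named in the reply above; each hit still needs checking by hand before anything is fixed or deleted.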

Response Number 4
Name: Jimbot182
Date: January 6, 2008 at 07:24:19 Pacific
Reply:

Here is the log for combofix:-

ComboFix 08-01-06.5 - James 2008-01-06 15:12:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT 0:00]
Running from: D:\VirusStuff\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\James\Application Data\macromedia\Flash Player\#SharedObjects\97KG83FN\www.broadcaster.com
D:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
D:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
D:\WINDOWS\system32\_000006_.tmp.dll
D:\WINDOWS\system32\_000007_.tmp.dll
D:\WINDOWS\system32\_000008_.tmp.dll
D:\WINDOWS\system32\_000011_.tmp.dll
D:\WINDOWS\system32\_000012_.tmp.dll
D:\WINDOWS\system32\nsv4D.dll
D:\WINDOWS\system32\sprt_ads.dll
D:\WINDOWS\system32\UpMedia

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 15:11 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-05 12:28 . 2008-01-05 12:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 11:44 . 2008-01-05 11:45 80,097 --a------ D:\WINDOWS\system32\dcads-remove.exe
2008-01-05 11:44 . 2008-01-05 11:45 77,360 --a------ D:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2008-01-05 11:44 . 2008-01-05 11:46 40,734 --a------ D:\WINDOWS\system32\superiorads-uninst.exe
2008-01-02 20:08 . 2008-01-02 20:08 <DIR> d-------- D:\Program Files\TVAnts
2007-12-29 20:42 . 2007-04-24 11:33 108,680 -ra------ D:\WINDOWS\system32\drivers\s125mdm.sys
2007-12-29 20:42 . 2007-04-24 11:33 100,488 -ra------ D:\WINDOWS\system32\drivers\s125mgmt.sys
2007-12-29 20:42 . 2007-04-24 11:33 98,696 -ra------ D:\WINDOWS\system32\drivers\s125obex.sys
2007-12-29 20:42 . 2007-04-24 11:33 83,336 -ra------ D:\WINDOWS\system32\drivers\s125bus.sys
2007-12-29 20:42 . 2007-04-24 11:33 15,112 -ra------ D:\WINDOWS\system32\drivers\s125mdfl.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125whnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125wh.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cmnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cm.sys
2007-12-26 14:46 . 2007-12-26 15:00 <DIR> d-------- D:\Documents and Settings\James\Application Data\SopCast
2007-12-24 13:07 . 2007-12-24 13:07 319,488 --a------ D:\WINDOWS\system32\dcads_sidebar.dll
2007-12-21 10:39 . 2008-01-06 12:58 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2007-12-21 10:39 . 2007-12-21 10:39 1,409 --a------ D:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 14:14 4,554 ----a-w D:\WINDOWS\system32\tmp.reg
2008-01-05 11:41 --------- d-----w D:\Documents and Settings\James\Application Data\LimeWire
2008-01-03 18:50 --------- d-----w D:\Documents and Settings\James\Application Data\uTorrent
2008-01-02 20:11 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-01-02 19:05 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Apple Computer
2007-12-29 20:43 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Teleca
2007-12-26 14:46 --------- d-----w D:\Program Files\SopCast
2007-12-24 13:08 --------- d-----w D:\Program Files\VoyagerTest
2007-12-24 10:51 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-24 10:51 60,800 ----a-w D:\WINDOWS\system32\S32EVNT1.DLL
2007-12-24 10:51 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-24 10:51 10,740 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-24 10:51 --------- d-----w D:\Program Files\Symantec
2007-12-24 10:50 --------- d-----w D:\Program Files\Norton AntiVirus
2007-12-20 17:31 --------- d-----w D:\Program Files\Sports Interactive
2007-12-19 19:28 --------- d-----w D:\Documents and Settings\Margaret\Application Data\Teleca
2007-12-05 21:15 --------- d-----w D:\Documents and Settings\Margaret\Application Data\LimeWire
2007-12-05 21:14 --------- d-----w D:\Program Files\LimeWire
2007-12-03 22:13 --------- d-----w D:\Program Files\uTorrent
2007-12-02 12:05 --------- d-----w D:\Program Files\Sony Ericsson
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Teleca Shared
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Sony Ericsson Shared
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Teleca
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-11-30 09:36 --------- d-----w D:\Documents and Settings\Andrew\Application Data\uTorrent
2007-11-19 11:17 --------- d-----w D:\Program Files\iTunes
2007-11-19 11:17 --------- d-----w D:\Program Files\iPod
2007-11-19 11:15 --------- d-----w D:\Program Files\QuickTime
2007-11-19 10:36 64,000 ----a-w D:\WINDOWS\system32\spads.dll
2007-11-13 10:25 20,480 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 23:44 --------- d-----w D:\Program Files\ubi.com
2007-11-10 17:35 --------- d-----w D:\Documents and Settings\James\Application Data\ppStream
2007-11-10 17:25 --------- d-----w D:\Program Files\PPLive
2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll
2007-10-27 15:22 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-10-22 03:39 267,272 ----a-w D:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 03:37 17,928 ----a-w D:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-17 17:23 10,752 ----a-w D:\WINDOWS\system32\WhoisCL.exe
2007-10-12 15:14 3,734,536 ----a-w D:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 15:14 1,374,232 ----a-w D:\WINDOWS\system32\D3DCompiler_36.dll
2006-12-09 17:07 62,024 ----a-w D:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
2006-12-04 16:52 62,024 ----a-w D:\Documents and Settings\Hannah\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 14:16 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%FP%Friendly fts.exe"="D:\Program Files\VoyagerTest\fts.exe" [2003-05-06 09:28 72192]
"DVDLauncher"="D:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"dla"="D:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"PCMService"="D:\Program Files\Dell\Media Experience\PCMService.exe" [2005-03-14 12:38 335970]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"snpstd3"="D:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00 339968]
"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-29 20:47 180269]
"DSLSTATEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 16:10 1658965]
"DSLAGENTEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 13:47 16384]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [ ]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 16:22 86016 D:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Sony Ericsson PC Suite"="D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.exe" [2004-08-04 00:56 15360]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
camtool.lnk - D:\Program Files\camtool\VideoMonitor\CamTool.exe [2006-11-04 22:24:28]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.exe [2006-11-04 15:25:36]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R3 lanusb;GlobeSpan USB ADSL LAN Modem;D:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
R3 PPPoEWin;PPPoEWin Miniport;D:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 16:52]
S3 kbeepm;kbeepm;D:\DOCUME~1\Carey\LOCALS~1\Temp\kbeepm.sys []
S3 s125bus;Sony Ericsson Device 125 driver (WDM);D:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 11:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;D:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 11:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;D:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 11:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 11:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;D:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 11:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 11:06:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-04 20:00:00 D:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Carey.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 15:19:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 15:19:54
ComboFix-quarantined-files.txt 2008-01-06 15:19:33
.
2007-12-12 18:23:05 --- E O F ---


0

Response Number 5
Name: jabuck
Date: January 6, 2008 at 07:45:17 Pacific
Reply:

You were probably infected through LimeWire or utorrent, I would suggest that you uninstall them.

To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and delete this file if found:

D:\WINDOWS\system32\spads.dll

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner
Next, please reboot your computer in Safe Mode by doing the following :

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.

Let us know how the computer is operating.


0


Response Number 6
Name: Jimbot182
Date: January 6, 2008 at 07:51:43 Pacific
Reply:

It won't allow me to delete the spads.dll
It says "Make sure the disk is not full or write-protected and that the file is not currently in use".


0

Response Number 7
Name: jabuck
Date: January 6, 2008 at 08:33:13 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
D:\WINDOWS\system32\spads.dll


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Post a new combofix log.

Run the Bitdefender scan.


0

Response Number 8
Name: Jimbot182
Date: January 6, 2008 at 09:04:14 Pacific
Reply:

Just checked the 'System32' folder and the spads.dll has gone. Hoping that's a good sign.
Here's the new combofix log:-

ComboFix 08-01-06.5 - James 2008-01-06 16:50:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.102 [GMT 0:00]
Running from: D:\VirusStuff\ComboFix.exe
Command switches used :: D:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE
D:\WINDOWS\system32\spads.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\spads.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 15:11 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-05 12:28 . 2008-01-05 12:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 11:44 . 2008-01-05 11:45 80,097 --a------ D:\WINDOWS\system32\dcads-remove.exe
2008-01-05 11:44 . 2008-01-05 11:45 77,360 --a------ D:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2008-01-05 11:44 . 2008-01-05 11:46 40,734 --a------ D:\WINDOWS\system32\superiorads-uninst.exe
2008-01-02 20:08 . 2008-01-02 20:08 <DIR> d-------- D:\Program Files\TVAnts
2007-12-29 20:42 . 2007-04-24 11:33 108,680 -ra------ D:\WINDOWS\system32\drivers\s125mdm.sys
2007-12-29 20:42 . 2007-04-24 11:33 100,488 -ra------ D:\WINDOWS\system32\drivers\s125mgmt.sys
2007-12-29 20:42 . 2007-04-24 11:33 98,696 -ra------ D:\WINDOWS\system32\drivers\s125obex.sys
2007-12-29 20:42 . 2007-04-24 11:33 83,336 -ra------ D:\WINDOWS\system32\drivers\s125bus.sys
2007-12-29 20:42 . 2007-04-24 11:33 15,112 -ra------ D:\WINDOWS\system32\drivers\s125mdfl.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125whnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125wh.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cmnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cm.sys
2007-12-26 14:46 . 2007-12-26 15:00 <DIR> d-------- D:\Documents and Settings\James\Application Data\SopCast
2007-12-24 13:07 . 2007-12-24 13:07 319,488 --a------ D:\WINDOWS\system32\dcads_sidebar.dll
2007-12-21 10:39 . 2008-01-06 16:42 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2007-12-21 10:39 . 2007-12-21 10:39 1,409 --a------ D:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 14:14 4,554 ----a-w D:\WINDOWS\system32\tmp.reg
2008-01-05 11:41 --------- d-----w D:\Documents and Settings\James\Application Data\LimeWire
2008-01-03 18:50 --------- d-----w D:\Documents and Settings\James\Application Data\uTorrent
2008-01-02 20:11 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-01-02 19:05 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Apple Computer
2007-12-29 20:43 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Teleca
2007-12-26 14:46 --------- d-----w D:\Program Files\SopCast
2007-12-24 13:08 --------- d-----w D:\Program Files\VoyagerTest
2007-12-24 10:51 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-24 10:51 60,800 ----a-w D:\WINDOWS\system32\S32EVNT1.DLL
2007-12-24 10:51 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-24 10:51 10,740 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-24 10:51 --------- d-----w D:\Program Files\Symantec
2007-12-24 10:50 --------- d-----w D:\Program Files\Norton AntiVirus
2007-12-20 17:31 --------- d-----w D:\Program Files\Sports Interactive
2007-12-19 19:28 --------- d-----w D:\Documents and Settings\Margaret\Application Data\Teleca
2007-12-05 21:15 --------- d-----w D:\Documents and Settings\Margaret\Application Data\LimeWire
2007-12-05 21:14 --------- d-----w D:\Program Files\LimeWire
2007-12-03 22:13 --------- d-----w D:\Program Files\uTorrent
2007-12-02 12:05 --------- d-----w D:\Program Files\Sony Ericsson
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Teleca Shared
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Sony Ericsson Shared
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Teleca
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-11-30 09:36 --------- d-----w D:\Documents and Settings\Andrew\Application Data\uTorrent
2007-11-19 11:17 --------- d-----w D:\Program Files\iTunes
2007-11-19 11:17 --------- d-----w D:\Program Files\iPod
2007-11-19 11:15 --------- d-----w D:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 23:44 --------- d-----w D:\Program Files\ubi.com
2007-11-10 17:35 --------- d-----w D:\Documents and Settings\James\Application Data\ppStream
2007-11-10 17:25 --------- d-----w D:\Program Files\PPLive
2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll
2007-10-27 15:22 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-10-22 03:39 267,272 ----a-w D:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 03:37 17,928 ----a-w D:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-17 17:23 10,752 ----a-w D:\WINDOWS\system32\WhoisCL.exe
2007-10-12 15:14 3,734,536 ----a-w D:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 15:14 1,374,232 ----a-w D:\WINDOWS\system32\D3DCompiler_36.dll
2006-12-09 17:07 62,024 ----a-w D:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
2006-12-04 16:52 62,024 ----a-w D:\Documents and Settings\Hannah\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 14:16 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%FP%Friendly fts.exe"="D:\Program Files\VoyagerTest\fts.exe" [2003-05-06 09:28 72192]
"DVDLauncher"="D:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"dla"="D:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"PCMService"="D:\Program Files\Dell\Media Experience\PCMService.exe" [2005-03-14 12:38 335970]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"snpstd3"="D:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00 339968]
"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-29 20:47 180269]
"DSLSTATEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 16:10 1658965]
"DSLAGENTEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 13:47 16384]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [ ]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 16:22 86016 D:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Sony Ericsson PC Suite"="D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.exe" [2004-08-04 00:56 15360]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
camtool.lnk - D:\Program Files\camtool\VideoMonitor\CamTool.exe [2006-11-04 22:24:28]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.exe [2006-11-04 15:25:36]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R3 lanusb;GlobeSpan USB ADSL LAN Modem;D:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
R3 PPPoEWin;PPPoEWin Miniport;D:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 16:52]
S3 kbeepm;kbeepm;D:\DOCUME~1\Carey\LOCALS~1\Temp\kbeepm.sys []
S3 s125bus;Sony Ericsson Device 125 driver (WDM);D:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 11:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;D:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 11:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;D:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 11:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 11:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;D:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 11:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 11:06:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-04 20:00:00 D:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Carey.job"
- D:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:58:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 16:59:24
ComboFix-quarantined-files.txt 2008-01-06 16:59:05
.
2007-12-12 18:23:05 --- E O F ---



Response Number 9
Name: jabuck
Date: January 6, 2008 at 09:17:49 Pacific
Reply:

Looks better, run the bitdefender scan and post a new Combofix log once the scan has finished please.



Response Number 10
Name: Jimbot182
Date: January 6, 2008 at 09:51:40 Pacific
Reply:

Would it be better if I buy the full BitDefender package rather than downloading it? The reason why I ask is that I've downloaded other anti-virus software in the past and as it's not bought it doesn't contain the full package of firewall, antispyware, etc.



Response Number 11
Name: jabuck
Date: January 6, 2008 at 10:03:42 Pacific
Reply:

No I would not buy it.

This is a free online scanner that will scan and remove viri. It is not reusable as the updates are so frequent that by the time you run it again it would be out of date and does not have an update engine that I know of.

Should you need to run the scanner again you need to go to add/remove programs and uninstall it or it may not update.



Response Number 12
Name: Jimbot182
Date: January 6, 2008 at 11:40:20 Pacific
Reply:

OK, I've scanned my PC using BitDefender and also run ComboFix. Here's the log:-

ComboFix 08-01-06.5 - James 2008-01-06 19:31:07.3 - NTFSx86
Running from: D:\VirusStuff\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 19:25 . 2008-01-06 19:35 121 --a------ D:\WINDOWS\bdagent.INI
2008-01-06 18:28 . 2008-01-06 18:28 <DIR> d-------- D:\Documents and Settings\James\Application Data\BitDefender
2008-01-06 18:27 . 2008-01-06 18:27 <DIR> d-------- D:\Program Files\BitDefender
2008-01-06 18:27 . 2008-01-06 18:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-06 18:20 . 2008-01-06 18:24 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-01-06 18:07 . 2008-01-06 18:27 <DIR> d-------- D:\Program Files\Common Files\BitDefender
2008-01-06 15:11 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-05 12:28 . 2008-01-05 12:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-05 11:44 . 2008-01-05 11:45 80,097 --a------ D:\WINDOWS\system32\dcads-remove.exe
2008-01-05 11:44 . 2008-01-05 11:45 77,360 --a------ D:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2008-01-05 11:44 . 2008-01-05 11:46 40,734 --a------ D:\WINDOWS\system32\superiorads-uninst.exe
2008-01-02 20:08 . 2008-01-02 20:08 <DIR> d-------- D:\Program Files\TVAnts
2007-12-29 20:42 . 2007-04-24 11:33 108,680 -ra------ D:\WINDOWS\system32\drivers\s125mdm.sys
2007-12-29 20:42 . 2007-04-24 11:33 100,488 -ra------ D:\WINDOWS\system32\drivers\s125mgmt.sys
2007-12-29 20:42 . 2007-04-24 11:33 98,696 -ra------ D:\WINDOWS\system32\drivers\s125obex.sys
2007-12-29 20:42 . 2007-04-24 11:33 83,336 -ra------ D:\WINDOWS\system32\drivers\s125bus.sys
2007-12-29 20:42 . 2007-04-24 11:33 15,112 -ra------ D:\WINDOWS\system32\drivers\s125mdfl.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125whnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125wh.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cmnt.sys
2007-12-29 20:42 . 2007-04-24 11:33 12,424 -ra------ D:\WINDOWS\system32\drivers\s125cm.sys
2007-12-26 14:46 . 2007-12-26 15:00 <DIR> d-------- D:\Documents and Settings\James\Application Data\SopCast
2007-12-24 13:07 . 2007-12-24 13:07 319,488 --a------ D:\WINDOWS\system32\dcads_sidebar.dll
2007-12-21 10:39 . 2008-01-06 19:27 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2007-12-21 10:39 . 2007-12-21 10:39 1,409 --a------ D:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:16 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-01-06 18:16 --------- d-----w D:\Documents and Settings\James\Application Data\Symantec
2008-01-06 18:16 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2008-01-06 18:14 --------- d-----w D:\Program Files\Symantec
2008-01-06 14:14 4,554 ----a-w D:\WINDOWS\system32\tmp.reg
2008-01-05 11:41 --------- d-----w D:\Documents and Settings\James\Application Data\LimeWire
2008-01-03 18:50 --------- d-----w D:\Documents and Settings\James\Application Data\uTorrent
2008-01-02 19:05 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Apple Computer
2007-12-29 20:43 --------- d-----w D:\Documents and Settings\Hannah\Application Data\Teleca
2007-12-26 14:46 --------- d-----w D:\Program Files\SopCast
2007-12-24 13:08 --------- d-----w D:\Program Files\VoyagerTest
2007-12-20 17:31 --------- d-----w D:\Program Files\Sports Interactive
2007-12-19 19:28 --------- d-----w D:\Documents and Settings\Margaret\Application Data\Teleca
2007-12-05 21:15 --------- d-----w D:\Documents and Settings\Margaret\Application Data\LimeWire
2007-12-05 21:14 --------- d-----w D:\Program Files\LimeWire
2007-12-03 22:13 --------- d-----w D:\Program Files\uTorrent
2007-12-02 12:05 --------- d-----w D:\Program Files\Sony Ericsson
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Teleca Shared
2007-12-02 12:05 --------- d-----w D:\Program Files\Common Files\Sony Ericsson Shared
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Teleca
2007-12-02 12:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-11-30 09:36 --------- d-----w D:\Documents and Settings\Andrew\Application Data\uTorrent
2007-11-27 16:46 77,824 ----a-w D:\WINDOWS\system32\xcomm.dll
2007-11-19 11:17 --------- d-----w D:\Program Files\iTunes
2007-11-19 11:17 --------- d-----w D:\Program Files\iPod
2007-11-19 11:15 --------- d-----w D:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 16:27 87,952 ----a-w D:\WINDOWS\system32\drivers\bdfndisf.sys
2007-11-11 23:44 --------- d-----w D:\Program Files\ubi.com
2007-11-10 17:35 --------- d-----w D:\Documents and Settings\James\Application Data\ppStream
2007-11-10 17:25 --------- d-----w D:\Program Files\PPLive
2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll
2007-10-27 15:22 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-10-25 10:26 53,248 ----a-w D:\WINDOWS\bdoscandel.exe
2007-10-22 03:39 267,272 ----a-w D:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 03:37 17,928 ----a-w D:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-17 17:23 10,752 ----a-w D:\WINDOWS\system32\WhoisCL.exe
2007-10-12 15:14 3,734,536 ----a-w D:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 15:14 1,374,232 ----a-w D:\WINDOWS\system32\D3DCompiler_36.dll
2006-12-09 17:07 62,024 ----a-w D:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
2006-12-04 16:52 62,024 ----a-w D:\Documents and Settings\Hannah\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_15.19.12.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-06 18:21:13 45,056 ----a-w D:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-01-06 18:21:13 10,240 ----a-w D:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-01-06 18:21:13 27,136 ----a-w D:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-01-06 18:21:17 181,760 ----a-w D:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-25 10:26:48 118,784 ----a-w D:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-10-25 10:26:48 53,248 ----a-w D:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-01-06 18:21:18 142,848 ----a-w D:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-01-06 18:21:14 86,016 ----a-w D:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2007-10-25 10:26:48 118,784 ----a-w D:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2007-10-25 10:26:48 53,248 ----a-w D:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-01-06 18:28:45 61,440 ----a-r D:\WINDOWS\Installer\{C33A19F0-A3D8-45B4-B067-251D2DBABB1A}\helpicon.exe
+ 2008-01-06 18:28:45 32,768 ----a-r D:\WINDOWS\Installer\{C33A19F0-A3D8-45B4-B067-251D2DBABB1A}\maintenance_icon.exe
+ 2008-01-06 18:28:45 22,486 ----a-r D:\WINDOWS\Installer\{C33A19F0-A3D8-45B4-B067-251D2DBABB1A}\register_icon.exe
+ 2008-01-06 18:28:45 57,344 ----a-r D:\WINDOWS\Installer\{C33A19F0-A3D8-45B4-B067-251D2DBABB1A}\texticon.exe
+ 2007-08-02 16:03:44 188,432 ----a-w D:\WINDOWS\system32\drivers\bdfsfltr.sys
- 2003-07-16 20:32:26 112,128 ----a-w D:\WINDOWS\system32\mapi32.dll
+ 2004-03-31 12:28:00 131,072 ----a-w D:\WINDOWS\system32\mapi32.dll
+ 2002-01-05 02:48:16 974,848 ----a-w D:\WINDOWS\system32\mfc70.dll
+ 2002-01-05 02:36:38 964,608 ----a-w D:\WINDOWS\system32\mfc70u.dll
- 2003-03-18 21:20:00 1,060,864 ----a-w D:\WINDOWS\system32\mfc71.dll
+ 2003-03-18 20:20:00 1,060,864 ----a-w D:\WINDOWS\system32\mfc71.dll
- 2003-03-18 21:12:12 1,047,552 ----a-w D:\WINDOWS\system32\mfc71u.dll
+ 2003-03-18 20:12:12 1,047,552 ----a-w D:\WINDOWS\system32\mfc71u.dll
+ 2002-01-05 02:38:38 54,784 ----a-w D:\WINDOWS\system32\msvci70.dll
- 2002-01-05 03:40:20 487,424 ----a-w D:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 02:40:20 487,424 ----a-w D:\WINDOWS\system32\msvcp70.dll
- 2003-03-18 20:14:52 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
+ 2003-03-18 19:14:52 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
- 2002-01-05 06:37:26 344,064 ----a-w D:\WINDOWS\system32\msvcr70.dll
+ 2002-01-05 01:37:28 344,064 ----a-w D:\WINDOWS\system32\msvcr70.dll
- 2003-02-21 04:42:22 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
+ 2003-02-21 03:42:22 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
+ 2007-01-31 13:50:32 913,408 ----a-w D:\WINDOWS\system32\xreglib.dll
+ 2006-12-01 23:25:52 1,101,824 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 23:25:56 1,093,120 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 23:25:58 69,632 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 23:26:00 57,856 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 23:08:00 40,960 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 23:08:00 45,056 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 23:08:00 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 23:08:00 57,344 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 23:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 23:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 23:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 23:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 23:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4F90-B10D-FC6124A40F8C}

[HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 14:16 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%FP%Friendly fts.exe"="D:\Program Files\VoyagerTest\fts.exe" [2003-05-06 09:28 72192]
"DVDLauncher"="D:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"dla"="D:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"PCMService"="D:\Program Files\Dell\Media Experience\PCMService.exe" [2005-03-14 12:38 335970]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"snpstd3"="D:\WINDOWS\vsnpstd3.exe" [2005-01-14 11:00 339968]
"NeroCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49 155648]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-29 20:47 180269]
"DSLSTATEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 16:10 1658965]
"DSLAGENTEXE"="D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 13:47 16384]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [ ]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 16:22 86016 D:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Sony Ericsson PC Suite"="D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]
"BitDefender Antiphishing Helper"="D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-11-16 16:37 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.exe" [2004-08-04 00:56 15360]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
camtool.lnk - D:\Program Files\camtool\VideoMonitor\CamTool.exe [2006-11-04 22:24:28]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.exe [2006-11-04 15:25:36]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R1 bdftdif;bdftdif;D:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-11-12 16:28]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;D:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-11-12 16:27]
R3 bdfsfltr;bdfsfltr;D:\WINDOWS\system32\drivers\bdfsfltr.sys [2007-08-02 16:03]
R3 BDSelfPr;BDSelfPr;D:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2007-08-08 13:12]
R3 lanusb;GlobeSpan USB ADSL LAN Modem;D:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
R3 PPPoEWin;PPPoEWin Miniport;D:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 16:52]
R3 scan;BitDefender Threat Scanner;D:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 kbeepm;kbeepm;D:\DOCUME~1\Carey\LOCALS~1\Temp\kbeepm.sys []
S3 s125bus;Sony Ericsson Device 125 driver (WDM);D:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 11:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;D:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 11:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;D:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 11:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);D:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 11:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;D:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - BDFSFLTR
*Newly Created Service* - BDFTDIF
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 19:35:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 19:37:04
ComboFix-quarantined-files.txt 2008-01-06 19:36:38
.
2007-12-12 18:23:05 --- E O F ---
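
Added example (not part of the original thread, and not ComboFix's own logic): a small Python triage pass over the "Reg Loading Points" and driver lines of a ComboFix log like the one above. The sample lines are copied from the posted log; the two flags (`temp-path`, `no-file-details`) and the reading of empty brackets as "file details unavailable" are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Lines copied from the ComboFix log posted above (a subset, for illustration).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [ ]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 D:\WINDOWS\system32\nwiz.exe]
"BDAgent"="D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-11-16 16:37 319488]

R3 bdfsfltr;bdfsfltr;D:\WINDOWS\system32\drivers\bdfsfltr.sys [2007-08-02 16:03]
S3 kbeepm;kbeepm;D:\DOCUME~1\Carey\LOCALS~1\Temp\kbeepm.sys []
'''

# "[HKEY_...]" header that names the registry key the following values belong to.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="command" [timestamp size optional-resolved-path]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R3 name;display name;image path [timestamp]   (R = running, S = stopped)
DRV_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$'
)
# Contents of the trailing brackets: timestamp, then optional size and path.
META_RE = re.compile(
    r'^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: (?P<size>\d+))?(?: (?P<path>.+))?$'
)
# Assumption of this example: anything loading from a Temp/Tmp folder is worth a look.
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str    # "run" (registry Run value) or "driver" (service/driver line)
    source: str  # registry key, or state+start type such as "S3"
    name: str
    path: str    # resolved path when the log gives one, else the raw command
    meta: str    # stripped contents of the trailing brackets


def parse_entries(log_text):
    """Extract Run values and driver lines from ComboFix log text."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key:
            meta = m.group('meta').strip()
            parsed = META_RE.match(meta)
            # Prefer the full path ComboFix resolved for bare names like nwiz.exe.
            path = parsed.group('path') if parsed and parsed.group('path') else m.group('cmd')
            entries.append(Entry('run', key, m.group('name'), path, meta))
            continue
        m = DRV_RE.match(line)
        if m:
            source = m.group('state') + m.group('start')
            entries.append(Entry('driver', source, m.group('name').strip(),
                                 m.group('path'), m.group('meta').strip()))
    return entries


def flags_for(entry):
    """Return the review flags (this example's heuristics) for one entry."""
    flags = []
    if TEMP_RE.search(entry.path):
        flags.append('temp-path')
    if not entry.meta:
        # Empty brackets: the log recorded no timestamp/size for the target.
        flags.append('no-file-details')
    return flags


def triage(log_text):
    """Return (name, path, flags) for every entry that raised a flag."""
    findings = []
    for entry in parse_entries(log_text):
        flags = flags_for(entry)
        if flags:
            findings.append((entry.name, entry.path, flags))
    return findings


if __name__ == '__main__':
    for name, path, flags in triage(SAMPLE_LOG):
        print(f'{name}: {path} -> {", ".join(flags)}')
```

A flag here only marks an entry for manual review; a leftover Run value for an uninstalled program raises `no-file-details` just as a removed malicious file would.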



Response Number 13
Name: jabuck
Date: January 6, 2008 at 12:00:15 Pacific
Reply:

How is the computer operating?



Response Number 14
Name: Jimbot182
Date: January 6, 2008 at 12:06:47 Pacific
Reply:

A lot better. I've noticed my internet is now running much faster and without the pop-ups.

I can't thank you enough. Great Job.



Response Number 15
Name: jabuck
Date: January 6, 2008 at 12:17:04 Pacific
Reply:

Glad we could help.



Response Number 16
Name: ~Kimber~
Date: February 12, 2008 at 07:28:23 Pacific
Reply:

The same thing just happened to me this morning. Could you please tell me what to delete? Thanks.

Here are the results from hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:22 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ADP\CollectAll\ADPSCHEDULE.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_81.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft Office\Office10\MSTORDB.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kburkhart\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [mySHCCommunity] c:\windows\system32\srhc.exe -boot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\RunOnce: [B Register C:\Program Files\DivX\DivX Web Player\npdivx32.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\DivX\DivX Web Player\npdivx32.dll",DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~2\SWHELP~1.exe -Update -1020023 -iexplore.exe7.0
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Startup: Shortcut to ADPSchedule.exe.lnk = Program Files\ADP\CollectAll\ADPSchedule.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: Inquisit by Millisecond Software - file://C:\DOCUME~1\KBURKH~1\LOCALS~1\Temp\IXP000.TMP\InquisitAx.cab
O16 - DPF: {0A891521-685E-4B6D-A9FD-759BB2CD6A66} (SecureImage Control) - http://www.psapoll.com/img/secure/S...
O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://192.168.0.106/XHD.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Lin...
O16 - DPF: {22536211-E807-49CD-A24E-A903AF91FEB1} (nsBrowserConfig Class 2) - https://www.marketscore.com/globalconfig/ngc_activex.cab
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - http://www.myshccommunity.com/Confi...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource...
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14f2d17...
O16 - DPF: {7BA16120-B314-4EE4-A676-8B4B33909513} (Invoke Solutions MILive Participant Control(MR)) - http://157.238.134.97/events/bin/me...
O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://192.168.0.106/RM.cab
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwIn...
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.adoramapix.com/component...
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/do...
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/active...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/Dr...
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://157.238.134.97/events/bin/co...
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://imagelab.bestbuy.com/en/ulco...
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CAL.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = CAL.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CAL.LOCAL
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12895 bytes


