Hello, I'm trying to troubleshoot a computer with the TDSServ trojan, as identified by SuperAntispyware. I've read the other posts, but don't have a lot of familiarity with HijackThis. I believe I'm done to about 10 files and could use assistance manually removing.

Run MalwareBytes that you are ready have and post its log. Follow the directions exactly, especially the bolded items. Malwarebytes procedure: 1. Double Click mbam-setup.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. Next Download SDFix.exe and save it to your Desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re-enable the protection again afterwards before connecting to the Internet. 1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. 2. Open the c:\SDFix folder and double click RunThis.cmd to start the script. Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC. 3. Your system will take longer that normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. 4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt Please download and install the latest version of HijackThis v2.0.2: Download the "HijackThis" Installer from this link: Hijack This 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Malwarebytes came back clean, it is SuperAntispyware that catches the trojan. Here is the Malwarebytes log: ########## Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 03/12/2008 07:11:43 PM mbam-log-2008-12-03 (19-11-43).txt Scan type: Quick Scan Objects scanned: 47886 Time elapsed: 2 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ########## ########## SDFix log: [b]SDFix: Version 1.240 [/b] Run by Roberto Carlos on 03/12/2008 at 07:19 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\Documents and Settings\Roberto Carlos\Desktop\SDFix [b]Checking Services [/b]: [b]Name [/b]: TDSSserv.sys [b]Path [/b]: \systemroot\system32\drivers\TDSSpaxt.sys TDSSserv.sys - Deleted Restoring Default Security Values Restoring Default Hosts File Rebooting [b]Checking Files [/b]: Trojan Files Found: C:\WINDOWS\system32\winsrc.dll.tmp - Deleted C:\WINDOWS\system32\drivers\TDSSpaxt.sys - Deleted Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-03 19:37:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX" "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe" "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX" "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [b]Remaining Files [/b]: File Backups: - C:\DOCUME~1\ROBERT~1\Desktop\SDFix\backups\backups.zip [b]Files with Hidden Attributes [/b]: [b]Finished![/b] ########## ########## HiJack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 08:01:23 PM, on 03/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\984661f6-8434-43d0-b820-d540c4d72868.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080402 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latino.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080402 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\984661f6-8434-43d0-b820-d540c4d72868.exe O4 - Startup: AutorunsDisabled O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 5208 bytes ########## Thanks!

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your AVG antivirus, and any antispyware that you may have. 2. Run Combofix and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet. Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running or move the mouse, it will cause your system to hang.) Please post the log it produces.

I was unsure if I was to run Combofix again after it generated the log the first time. Here is the combofix log: ComboFix 08-12-02.02 - Roberto Carlos 2008-12-03 20:16:37.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703 [GMT -8:00] Running from: c:\documents and settings\Roberto Carlos\Desktop\ComboFix.exe * Created a new restore point [COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\x64 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PACKET ((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 ))))))))))))))))))))))))))))))) . 2008-12-03 19:18 . 2008-12-03 19:18 578,560 --a------ c:\windows\system32\dllcache\user32.dll 2008-12-03 19:17 . 2008-12-03 19:17 <DIR> d-------- c:\windows\ERUNT 2008-12-03 18:48 . 2008-12-03 18:48 <DIR> d-------- c:\program files\Trend Micro 2008-12-03 08:46 . 2008-12-03 08:46 <DIR> d-------- c:\windows\system32\scripting 2008-12-03 08:46 . 2008-12-03 08:46 <DIR> d-------- c:\windows\system32\en 2008-12-03 08:46 . 2008-12-03 08:46 <DIR> d-------- c:\windows\system32\bits 2008-12-03 08:46 . 2008-12-03 08:46 <DIR> d-------- c:\windows\l2schemas 2008-12-03 08:44 . 2008-12-03 08:44 <DIR> d-------- c:\windows\ServicePackFiles 2008-12-03 08:39 . 2008-12-03 08:39 <DIR> d-------- c:\windows\EHome 2008-12-02 22:38 . 2008-12-03 20:14 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-02 22:38 . 2008-12-02 22:38 <DIR> d-------- c:\documents and settings\Roberto Carlos\Application Data\SUPERAntiSpyware.com 2008-12-02 22:38 . 2008-12-02 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-02 22:32 . 2008-10-03 09:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll 2008-12-02 22:32 . 2007-04-17 01:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat 2008-12-02 22:32 . 2007-03-07 21:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui 2008-12-02 22:32 . 2008-08-25 23:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll 2008-12-02 22:32 . 2008-08-25 23:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll 2008-12-02 22:32 . 2008-08-25 23:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll 2008-12-02 22:32 . 2008-08-25 23:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll 2008-12-02 22:32 . 2008-08-25 23:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll 2008-12-02 22:32 . 2008-08-25 00:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe 2008-12-02 22:29 . 2007-08-13 19:54 33,792 --a------ c:\windows\system32\dllcache\custsat.dll 2008-12-02 22:23 . 2008-12-02 22:38 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-02 22:23 . 2008-12-02 22:23 <DIR> d-------- c:\program files\CCleaner 2008-12-02 22:08 . 2008-12-02 22:08 <DIR> d-------- c:\documents and settings\Roberto Carlos\Application Data\Malwarebytes 2008-12-02 22:08 . 2008-12-02 22:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-02 22:08 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-02 22:08 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-02 19:16 . 2008-12-03 08:02 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-12-02 19:11 . 2008-04-01 15:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield 2008-12-02 19:11 . 2008-12-02 19:13 <DIR> d-------- c:\documents and settings\Administrator 2008-12-02 19:02 . 2003-01-03 22:36 77,824 --a------ c:\windows\Startup.exe 2008-12-02 18:35 . 2008-12-03 09:10 <DIR> d-------- c:\windows\system32\drivers\Avg 2008-12-02 18:35 . 2008-12-02 18:35 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2008-12-02 18:35 . 2008-12-02 18:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys 2008-12-02 18:35 . 2008-12-02 18:35 10,520 --a------ c:\windows\system32\avgrsstx.dll 2008-12-02 18:34 . 2008-12-02 18:34 <DIR> d-------- c:\program files\AVG 2008-12-02 18:34 . 2008-12-02 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2008-12-02 18:23 . 2008-12-02 18:23 15,464 --a------ c:\windows\system32\securable.sys 2008-12-02 11:15 . 2008-12-03 19:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-01 19:08 . 2008-04-13 10:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys 2008-12-01 19:08 . 2008-04-13 16:11 21,504 --a------ c:\windows\system32\hidserv.dll 2008-11-12 21:41 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-03 02:56 --------- d-----w c:\program files\Dell DataSafe Online 2008-12-03 02:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-12-03 02:28 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2008-11-18 03:34 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore 2008-11-08 04:14 --------- d-----w c:\documents and settings\Roberto Carlos\Application Data\LimeWire 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-16 23:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 23:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 23:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 23:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 23:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 23:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 23:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 23:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 23:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 23:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 23:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 23:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 23:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 23:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 23:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-06 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll 2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2008-09-04 17:15 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] c:\documents and settings\Roberto Carlos\Start Menu\Programs\Startup\AutorunsDisabled Herramienta de b£squeda de soportes de Picture Motion Browser.lnk - c:\program files\Windows Media Player\VolumeWatcher\SPUVolumeWatcher.exe [2008-04-04 344064] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928] R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2008-04-01 28184] R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-02 875288] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704] R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-02 76040] S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-01 29744] S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408] S3 SecurAble;SecurAble CPU Probe Driver;\??\c:\windows\system32\securable.sys [2008-12-02 15464] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aceb150-c0e0-11dd-82fc-001d098f5f2e}] \Shell\AutoRun\command - E:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2008-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-03 20:18:39 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(500) c:\program files\SUPERAntiSpyware\SASWINLO.dll . r Running Proce . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-12-03 20:19:40 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-04 04:19:38 Pre-Run: 149,177,991,168 bytes free Post-Run: 149,120,372,736 bytes free 168 --- E O F --- 2008-12-04 04:08:37

Looks much better. Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: http://www.majorgeeks.com/ATF_Cleaner_d4949.html Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Please run Esets online scanner from this link: ESET 1. Note: You will need to use Internet explorer for this scan 2. Tick the box next to YES, I accept the Terms of Use. 3. Click Start 4. When asked, allow the activex control to install 5. Click Start 6. Make sure that the option Remove found threats is unticked ( I want to see what is found first), and the option Scan unwanted applications is checked 7. Click Scan 8. Wait for the scan to finish 9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt 10. Copy and paste that log in your next reply.

Here is the log from ESET: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3662 (20081203) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=ca1c0faf12b61240b9c566cc601827b2 # end=finished # remove_checked=true # unwanted_checked=true # utc_time=2008-12-04 06:51:21 # local_time=2008-12-03 10:51:21 (-0800, Pacific Standard Time) # country="Trinidad and Tobago" # osver=5.1.2600 NT Service Pack 3 # scanned=138094 # found=0 # scan_time=1081