redir & virus site blocking virus
Original Message
Name: BENDER
Date: September 9, 2008 at 02:59:31 Pacific
Subject: redir & virus site blocking virus
OS: WinXP SP2
CPU/Ram: p3.4 prescott / 2.75GB
Model/Manufacturer: medion 8383xl
Comment: Hi all, I've picked up a Google redirecting virus and can't get rid of it. It's the type that won't let you access anything to do with antivirus sites. AVG freezes when a scan starts, it redirects or won't load search pages, and it won't download most files (it downloads a small portion of the file and/or it's corrupt). I've used a few different spyware programs and found and removed viruses like backdoor rbot.ebl and obfuscate.AAX, but I can't get rid of whatever it is. My PC is saying no antivirus program is installed in Windows Security Centre, but AVG is saying everything is active. My Java was out of date so I deleted it, only to realise I can't manage to download a working file of the latest version, but I managed eventually to get Malwarebytes and HijackThis. Could someone please give me a hand removing this? I'd appreciate it heaps. I've been trying for days and it's so frustrating not being able to download or access anything to do with antivirus and removal, as well as pages redirecting or not loading all the time.
Response Number 1
Name: jabuck
Date: September 9, 2008 at 15:35:40 Pacific
Reply: Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2

1. Double click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link: Hijack This

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 2
Name: BENDER
Date: September 9, 2008 at 20:56:24 Pacific
Reply: hi jabuck, thanks heaps for your help buddy.

Malwarebytes' Anti-Malware 1.27
Database version: 1134
Windows 5.1.2600 Service Pack 2

10/09/2008 1:44:02 PM
mbam-log-2008-09-10 (13-44-02).txt

Scan type: Quick Scan
Objects scanned: 79234
Time elapsed: 1 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:50 PM, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.com.au/welcome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.optuszoo.com.au/welcome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.com.au/welcome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dit] "C:\WINDOWS\Dit.exe"
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"
O4 - HKLM\..\Run: [AutorunApp] C:\Documents and Settings\Bedes\Local Settings\Temp\Rar$EX00.250\[FSNNS].exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAudPropShortcut.exe"
O4 - HKLM\..\Run: [Cmaudio] "C:\WINDOWS\system32\rundll32.exe" cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 3.70\MediaManager\grab.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnl...
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_list...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://hairtrigga.spaces.live.com//...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpc...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/dr...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11387 bytes
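Added example, not code from this thread, from Malwarebytes or from Trend Micro: a small Python triage script that reads log lines in the two formats BENDER pasted above and pulls out what a helper reads first. It flags the MBAM detections still marked "Delete on reboot" (the file was locked, typically because it is a loaded driver or DLL, so it is not actually gone until the restart), any O4 Run entry that launches a program from the user's Temp folder, and the O20 AppInit_DLLs value (a DLL injected into every process that loads user32.dll, so it is always worth confirming which product owns it). It also collects everything sharing the tdss name prefix that ties the DLLs, the driver and the two registry keys together. The sample text is constructed from the thread's own logs; the regular expressions and the finding names are the example's own.

```python
"""Triage helper for Malwarebytes (MBAM) and HijackThis (HJT) log lines.

Added example for this thread; not code from Malwarebytes, Trend Micro or
the poster. It reads the two log formats pasted above and pulls out the
entries a helper reads first. The sample text below is constructed from the
thread's own logs; the finding names are this example's own.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: a subset of the MBAM report and HJT log from the thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AutorunApp] C:\Documents and Settings\Bedes\Local Settings\Temp\Rar$EX00.250\[FSNNS].exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# MBAM detection line: "<item> (<family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# HJT O4 autostart line: "O4 - HKLM\..\Run: [<name>] <command>"
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# HJT O20 line: the AppInit_DLLs value, loaded into every user32-linked process.
HJT_O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# Any autostart launched from a Temp folder deserves a look.
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
# First path ending in an executable extension, for unquoted commands with spaces.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat))(?:\s|$)", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Return the program path from an O4 command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def basename(path: str) -> str:
    """Last component of a Windows path or registry key."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the findings a helper would act on, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if TEMP_DIR_RE.search(path):
                findings.append({"kind": "autostart-from-temp", "name": m.group("name"), "path": path})
            elif basename(path).lower().startswith("tdss"):
                findings.append({"kind": "autostart-tdss-name", "name": m.group("name"), "path": path})
            continue
        m = HJT_O20_RE.match(line)
        if m:
            dlls = m.group("dlls").strip()
            findings.append({"kind": "appinit-dll", "name": dlls, "path": dlls})
            continue
        m = MBAM_RE.match(line)
        if m:
            # "Delete on reboot" means the file was locked (a loaded driver/DLL):
            # it is still on disk until the restart, so verify it afterwards.
            pending = "reboot" in m.group("action").lower()
            findings.append({
                "kind": "mbam-pending-reboot" if pending else "mbam-removed",
                "name": m.group("family"),
                "path": m.group("item"),
            })
    return findings


def tdss_artifacts(findings: List[Dict[str, str]]) -> List[str]:
    """Paths and keys sharing the 'tdss' name prefix seen in the MBAM report."""
    return [f["path"] for f in findings if basename(f["path"]).lower().startswith("tdss")]


if __name__ == "__main__":
    # Usage: python triage.py saved-log.txt   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    results = triage(text)
    for f in results:
        print(f"{f['kind']:<22} {f['name']:<14} {f['path']}")
    print("TDSS-named artifacts:", len(tdss_artifacts(results)))
```

On the sample, the only Temp-launched autostart is the AutorunApp entry (the same one the later ComboFix log lists under ORPHANS REMOVED), and the AppInit DLL is avgrsstx.dll, which by its name and its creation time next to AVG's drivers in the ComboFix listing belongs to AVG: the kind of entry you confirm rather than delete. The "pending reboot" findings are the ones to re-check with a fresh scan after the restart, since a rootkit driver that is still loaded can put its files back.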
Response Number 3
Name: jabuck
Date: September 10, 2008 at 14:35:59 Pacific
Reply: It appears that you have two antivirus programs running, or one (Computer Associates) is still partially installed. You should only run one antivirus as they will conflict.

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3

ComboFix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files, which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run ComboFix do the following:

1. Go offline, turn off your AVG and CA antivirus, Windows Defender, and any other antispyware that you may have.
2. Run ComboFix and save its log.
3. Restart the computer to get the antivirus running again, but leave the antispyware programs off until we get the computer cleaned.
4. Post the ComboFix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe and follow the prompts. (Don't click on the window while the program is running or move the mouse; it will cause your system to hang.) Please post the log it produces.
Response Number 4
Name: BENDER
Date: September 10, 2008 at 23:38:28 Pacific
Reply: Hi jabuck, stupid me shut all the antivirus/spyware down but forgot to go offline when I did the ComboFix scan. It hung during reboot; I rebooted and it continued to finish the log. Should I go back and do it again offline? I mustn't have uninstalled CA eTrust antivirus properly before installing AVG. What should I do to remove the CA stuff? Should I uninstall AVG and reinstall again? Thanks again heaps for your help, I am deadset hopeless.
Response Number 5
Name: BENDER
Date: September 10, 2008 at 23:39:51 Pacific
Reply: See what I mean, here's the ComboFix log file.

ComboFix 08-09-10.02 - Bedes 2008-09-11 14:31:18.1 - NTFSx86
Running from: D:\Bedes\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Bedes\Cookies\bedes@hb.pcworld[2].txt
C:\Documents and Settings\Bedes\Cookies\bedes@visit.kodak[1].txt
C:\Documents and Settings\Bedes\Local Settings\Temporary Internet Files\firmware.inf
C:\Documents and Settings\Bedes\Local Settings\Temporary Internet Files\ip3picfile.temp
C:\Documents and Settings\Bedes\Local Settings\Temporary Internet Files\ip3Wmapic.temp
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\Bank.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.
2009-03-30 02:18 . 2007-03-30 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2009-03-30 02:17 . 2006-11-08 12:36 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-10 13:50 . 2008-09-10 13:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 17:48 . 2008-09-09 17:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 17:48 . 2008-09-09 17:48 <DIR> d-------- C:\Documents and Settings\Bedes\Application Data\Malwarebytes
2008-09-09 17:48 . 2008-09-09 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 17:48 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 17:48 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 15:44 . 2008-09-11 08:47 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-09 15:44 . 2008-09-09 15:44 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-09 15:44 . 2008-09-09 15:44 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-09 15:44 . 2008-09-09 15:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-09 06:02 . 2008-09-09 06:02 <DIR> d-------- C:\temp
2008-09-09 05:19 . 2008-09-09 05:19 55,577 --a------ C:\Info.qhc
2008-09-09 03:34 . 2008-09-09 03:34 0 --a------ C:\WINDOWS\sensor.INI
2008-09-09 03:34 . 2008-09-09 03:34 0 --a------ C:\WINDOWS\hqstat.mtl
2008-09-09 03:34 . 2008-09-09 03:34 0 --a------ C:\WINDOWS\hqstat.mnt
2008-09-09 03:33 . 2008-09-09 03:33 <DIR> d-------- C:\Program Files\Quick Heal
2008-09-08 17:31 . 2008-09-08 17:31 <DIR> d-------- C:\Program Files\InCode Solutions
2008-09-08 13:18 . 2008-09-09 01:12 0 --a------ C:\log.tmp
2008-09-07 04:42 . 2008-09-11 12:52 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-07 04:29 . 2008-09-07 04:29 <DIR> d-------- C:\Program Files\AVG
2008-09-07 04:29 . 2008-09-09 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-06 16:04 . 2008-09-06 16:04 <DIR> d-------- C:\Program Files\ParetoLogic
2008-09-06 16:04 . 2008-09-06 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-09-05 15:03 . 2008-09-05 15:03 49,574 --a------ C:\WINDOWS\system32\ntbackup.chw
2008-09-05 04:42 . 2008-09-09 13:08 <DIR> d-------- C:\Program Files\XoftSpySE
2008-09-05 03:23 . 2008-09-05 03:24 310 --a------ C:\WINDOWS\system\cmicnfg.ini
2008-09-05 03:16 . 2004-12-10 18:26 4,009,984 --a------ C:\WINDOWS\system\cmicnfg.cpl
2008-09-05 03:16 . 2004-12-13 11:19 1,282,432 --a------ C:\WINDOWS\system32\drivers\cmudax.sys
2008-09-05 03:16 . 2002-04-29 15:04 917,504 --a------ C:\WINDOWS\system\cmids3d.dll
2008-09-05 03:16 . 2001-11-23 12:08 712,704 --a------ C:\WINDOWS\system32\Audio3D.dll
2008-09-05 03:16 . 2004-02-18 14:19 16,384 --a------ C:\WINDOWS\system32\udaprop.dll
2008-09-03 18:03 . 2008-09-03 18:03 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-09-03 18:03 . 2008-09-03 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 03:47 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-09-10 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-09-09 04:39 --------- d-----w C:\Program Files\Java
2008-09-08 07:55 --------- d-----w C:\Program Files\CA
2008-09-06 18:57 --------- d-----w C:\Program Files\GameSpy Arcade
2008-09-04 17:06 27,926 ----a-w C:\Documents and Settings\Bedes\Application Data\wklnhst.dat
2008-09-04 07:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 08:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 12:10 --------- d-----w C:\Program Files\Steam
2008-08-16 08:47 --------- d-----w C:\Program Files\Picture It! Premium 10
2008-07-29 06:15 --------- d-----w C:\Program Files\iriver
2008-07-28 17:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 17:45 --------- d-----w C:\Program Files\Lavasoft
2008-07-28 17:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 17:39 --------- d-----w C:\Documents and Settings\Bedes\Application Data\Lavasoft
2008-07-28 12:39 --------- d-----w C:\Program Files\AVIConverter
2008-07-28 08:22 --------- d-----w C:\Program Files\MP4TOOL
2008-07-09 11:36 98 ----a-w C:\drmHeader.bin
2008-04-19 15:51 71,416 ----a-w C:\Documents and Settings\Bedes\Application Data\GDIPFONTCACHEV1.DAT
2006-04-09 07:34 88 ----a-w C:\Documents and Settings\Bedes\PATCHINFO.BIN
2005-03-14 08:39 197 ----a-w C:\Program Files\INSTALL.LOG
2005-01-18 04:06 56 --sh--r C:\WINDOWS\system32\9F3F4E1886.sys
2004-10-07 00:28 8 --sh--r C:\WINDOWS\system32\FA3EC8D287.sys
2005-01-18 04:06 10,228 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 13:41 2857984 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 13:41 2857984 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-06 180269]
"Dit"="C:\WINDOWS\Dit.exe" [2004-07-21 90112]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2006-08-11 1519616]
"Kernel and Hardware Abstraction Layer"="C:\WINDOWS\KHALMNPR.EXE" [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="C:\WINDOWS\KHALMNPR.EXE" [2008-02-29 76304]
"PCMService"="C:\Program Files\Home Cinema\PowerCinema\PCMService.exe" [2004-10-06 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 296631]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 7630848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"High Definition Audio Property Page Shortcut"="C:\WINDOWS\system32\HDAudPropShortcut.exe" [2004-03-18 61952]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-09 1235736]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 C:\WINDOWS\system32\nvmctray.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-08 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 13:28 90112 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
backup=C:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
--a------ 2008-08-10 19:44 652528 C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-08-20 11:47 1912832 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\GigaByte\\VGA Utility Manager\\G-vga.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Day of Defeat\\dod.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"C:\\Program Files\\Steam\\SteamApps\\nelsonmunkshaha\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\hairtrigga\\team fortress classic\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\hairtrigga\\half-life\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\hairtrigga\\day of defeat\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\hairtrigga\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\hairtrigga\\condition zero\\hl.exe"=
"C:\\PROGAMFILES\\SteamApps\\nelsonmunkshaha\\counter-strike\\hl.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Warthog\\Rally Championship Xtreme\\Rally.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Return to Castle Wolfenstein - Game of The Year Edition\\WolfMP.exe"=
"C:\\Program Files\\Steam\\SteamApps\\benderrules\\counter-strike\\hl.exe"=
"C:\\PROGAMFILES\\SteamApps\\benderrules\\counter-strike\\hl.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Serious Sam 2\\Bin\\Sam2.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
[HKLM\~\Services\\_common\\RWVoice.exe"=]
"C:\\Program Files\\Steam\\SteamApps\\benderrules\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\SteamApps\\benderrules\\race\\Race_Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-09 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-09 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-09 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-09 76040]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 350752]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-12-13 1282432]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 24704]
R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 11672]
R3 wbscr;Winbond Smartcard Reader for I/O;C:\WINDOWS\system32\drivers\wbscr.sys [2002-04-25 19928]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 22821]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-09-10 17408]
S3 cg300;cg300VidCap;C:\WINDOWS\system32\DRIVERS\cg300vc.sys [2002-08-27 13468]
S3 cg300Au;cg300 Audio Capture;C:\WINDOWS\system32\DRIVERS\cg300au.sys [2002-08-27 17167]
S3 GPCIDrv;GPCIDrv;C:\WINDOWS\GPCIDrv.sys [2007-04-28 5112]
S3 ihidfilt;Immersion ihidfilt Driver;C:\WINDOWS\system32\DRIVERS\ihidfilt.sys [2001-08-22 28784]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AutorunApp - C:\Documents and Settings\Bedes\Local Settings\Temp\Rar$EX00.250\[FSNNS].exe
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bedes\Application Data\Mozilla\Firefox\Profiles\gsrnaizk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.optuszoo.com.au/welcome
FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbtplug.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 14:51:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\TDSSserv] "imagepath"="\systemroot\system32\drivers\TDSSserv.sys" . r Running Proce . C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\scardsvr.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\WINDOWS\system32\CTSVCCDA.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\system32\snmp.exe C:\Program Files\Protector Suite QL\psqltray.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe C:\Program Files\AVG\AVG8\avgrsx.exe . ************************************************************************** . Completion time: 2008-09-11 15:00:24 - machine was rebooted ComboFix-quarantined-files.txt 2008-09-11 04:59:17 Pre-Run: 58,581,753,856 bytes free Post-Run: 59,485,081,600 bytes free 267 --- E O F --- 2008-09-10 02:23:07
|
|
Response Number 6
|
Name: jabuck
Date: September 11, 2008 at 18:09:00 Pacific
|
Reply: (edit) Looks much better. Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
Exit Hijack This.
Navigate to and delete this folder if found: C:\Program Files\DAP
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link: http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner: double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button.
Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component. (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. Once the files are downloaded click on Next.
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database: Extended
Scan Options: Scan Archives, Scan Mail Base
Click OK and, under select a target to scan, select My Computer.
When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report: Click on: Save Report As (above - red blinking arrow). Next, in the Save as prompt, Save in area, select: Desktop. In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]. Then, click: Save.
Please post the Kaspersky Online Scanner Report in your reply.
|
|
Response Number 7
|
Name: BENDER
Date: September 12, 2008 at 12:28:54 Pacific
|
Reply: (edit) hi Jabuck, I've done your last instructions. Kaspersky picked up a fair few, I didn't expect so much to be still on there. I know it's a little off topic but can you advise me what to do about this CA eTrust license stuff still left. I removed 2 parts of it from add/remove programs before installing AVG but realised later it was still showing CA license in there and there was no uninstall option. There was only the "used rarely" message, nothing else. I removed all the traces I could find in the registry and it's finally gone from add/remove programs. I'm still getting virus protection not found in windows security centre? Although AVG says everything is active. Should I uninstall AVG and reinstall again now that CA is hopefully all gone? Or wait until it's cleaned first? I think my ebay account was hijacked because my password had changed so I'm spinning out a little.
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 12, 2008 07:25:27
Records in database: 1216023
----------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 194589
Threat name: 28
Infected objects: 129
Suspicious objects: 1
Duration of the scan: 04:50:44
File name / Threat name / Threats count
C:\Documents and Settings\Bedes\.housecall6.6\Quarantine\__Premonition__.rar.bac_a01880 Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine\AV12.QRT Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine\AV2.QRT Infected: not-a-virus:AdWare.Win32.Azesearch.h 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine\AV23.QRT Infected: not-a-virus:RiskTool.Win32.Deleter.e 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine\AV8.QRT Infected: not-a-virus:AdWare.Win32.NewDotNet.e 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Crypt.lf 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ehe 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Worm.Win32.AutoRun.lua 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Worm.Win32.AutoRun.lru 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Worm.Win32.AutoRun.lut 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ejx 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ejy 2
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ejw 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ekq 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.eks 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.enm 2
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.eod 2
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.FraudPack.gen 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\MP3 Player Utilities 3.70\DelDrv.exe Infected: not-a-virus:RiskTool.Win32.Deleter.e 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCA918GK6.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCA9RRQCX.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCABPEJUD.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCACOOR1T.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCADFSMFD.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAEORO21.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAGDYZJC.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAH1BQRA.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAICMG00.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAKN9G94.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAM12AJI.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAO4AO3H.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCARDPD8P.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\acCAWZASBU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\acCA6AOSKZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\acCAGPK7VU.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\acCAS2ZP14.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\acCAYV19KZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\acCAZNSSQE.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT\jump1[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCA2QXYOA.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCA37PGHW.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCA3OVP37.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCA5UIL10.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCAAI9FG3.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCABRG17D.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCABS9JKK.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCAJ2343Q.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCAK9CFZ0.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCAQNA5CW.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\acCAV5JI43.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS\jump1[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\acCAH9VU22.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\acCAJ3UT4O.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\acCAST0OM6.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\acCAWQLYP5.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCA05QZC9.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCAJ3NVSY.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCALMZBLG.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCAMLE9EA.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCANJZ34R.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\acCAY4W2H3.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[4].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[5].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
D:\Bedes\My Documents\black game player software\3050\TranscodingSetupKit\StormCodec6.04.08.exe Infected: not-a-virus:AdWare.Win32.Boran.e 1
D:\Bedes\My Documents\game files n patches\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Bedes\My Documents\my driver downloads\DriverDetective.exe Infected: not-a-virus:AdWare.Win32.Dm.sd 1
D:\Bedes\My Documents\New Folder\0.8.2.0\TranscodingSetupKit\StormCodec6.04.08.exe Infected: not-a-virus:AdWare.Win32.Boran.e 1
D:\Bedes\My Documents\patches n files\1.8寸屏AMV视频转换工具软件.rar Infected: not-a-virus:RiskTool.Win32.Deleter.b 1
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z Infected: not-a-virus:PSWTool.Win32.RAS.a 3
D:\Bedes\My Documents\patches n files\fp2006-final-3.00-setup.zip Infected: not-virus:BadJoke.JS.RJump 1
D:\Bedes\My Documents\patches n files\transcoding tool\TranscodingSetupKit\StormCodec6.04.08.exe Infected: not-a-virus:AdWare.Win32.Boran.e 1
D:\Bedes\My Documents\setupxv.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyware.cw 1
D:\Bedes\My Documents\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.cp 2
D:\Bedes\My Documents\tsnteval.exe Infected: Trojan-Downloader.Win32.Agent.aacq 1
The selected area was scanned.
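Added example, not part of the thread and not code from either poster: a small Python script that parses a Kaspersky Online Scanner 7 report in the one-finding-per-line format above ("<path> Infected: <threat> <count>") and sorts the hits into the buckets a helper works through when reading a report like this one: other scanners' quarantine folders and Outlook Express mail stores (already-isolated copies, which jabuck simply has emptied), the SYSTEM profile's Temporary Internet Files (written by a process running as LocalSystem, i.e. a service, not by the user's browser, which is why such hits deserve a closer look), "not-a-virus" riskware verdicts (confirmed by hand), and live files on disk. The sample lines are copied from the report above and trimmed to a representative handful; the regular expression, bucket names and function names are this example's own choices.

```python
"""Triage a Kaspersky Online Scanner 7 text report (added example).

Parses "<path> Infected|Suspicious: <threat> <count>" lines and groups them
by where the hit sits and what kind of verdict it carries.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path verdict threat count")

# Sample input: lines copied from the report above, trimmed to a handful.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Bedes\.housecall6.6\Quarantine\__Premonition__.rar.bac_a01880 Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine\AV12.QRT Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.ejy 2
C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Program Files\MP3 Player Utilities 3.70\DelDrv.exe Infected: not-a-virus:RiskTool.Win32.Deleter.e 1
D:\Bedes\My Documents\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.cp 2
D:\Bedes\My Documents\tsnteval.exe Infected: Trojan-Downloader.Win32.Agent.aacq 1
"""

# The path may contain spaces, so it is matched lazily up to the verdict
# keyword; threat names in this format never contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Return a Finding for every well-formed result line; header lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def classify(finding):
    """Bucket a finding by location and verdict type (bucket names are this example's)."""
    p = finding.path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"        # another scanner already isolated this copy
    if p.endswith(".dbx"):
        return "mail-store"        # attachment inside an Outlook Express mailbox file
    if "\\systemprofile\\" in p and "\\temporary internet files\\" in p:
        return "system-ie-cache"   # fetched by a LocalSystem process, not the user's browser
    if finding.threat.startswith(("not-a-virus:", "not-virus:")):
        return "riskware"          # tools/adware the user may have installed deliberately
    return "live"                  # a malicious file actually sitting on disk


def summarize(findings):
    """Aggregate findings per bucket and threat instances per threat name."""
    by_category = Counter()
    by_threat = Counter()
    for f in findings:
        by_category[classify(f)] += 1
        by_threat[f.threat] += f.count
    return {
        "findings": len(findings),
        "threat_instances": sum(f.count for f in findings),
        "by_category": by_category,
        "by_threat": by_threat,
    }


def needs_attention(findings):
    """Paths worth following up by hand: live files and the SYSTEM profile's IE cache."""
    return [f.path for f in findings if classify(f) in ("live", "system-ie-cache")]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    summary = summarize(found)
    print(f"{summary['findings']} findings, {summary['threat_instances']} threat instances")
    for category, n in sorted(summary["by_category"].items()):
        print(f"  {category:16} {n}")
    print("Needs attention:")
    for path in needs_attention(found):
        print("  " + path)
```

To run it on a real saved report, replace SAMPLE_REPORT with the contents of the KScan.txt file the scanner wrote; lines that do not match the finding format (headers, statistics) are ignored by the parser.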
|
|
Response Number 8
|
Name: jabuck
Date: September 12, 2008 at 14:28:47 Pacific
|
Reply: (edit) Navigate to and delete the contents of these folders but not the folders themselves:
1. C:\Documents and Settings\Bedes\.housecall6.6\Quarantine
2. C:\Documents and Settings\Bedes\Local Settings\Application Data\Ashampoo Antivirus\Quarantine
3. C:\Documents and Settings\Bedes\Local Settings\Application Data\Identities\{6A4E777C-7BE4-46BF-A32B-17BA965C440C}\Microsoft\Outlook Express\Deleted Items.dbx
Next, open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47ELAT2T
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8715K1AT
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\91HF25PS
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0OTYITV
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YJDIGHH7
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start click "run".
The rest appear to be false positives but to double check run the following scan. Please run the BitDefender online scan from this link: Bitdefender Online Scanner
You will need to allow an ActiveX install for the scan to run. Leave the scanning options at default and press "click here to scan". When finished scanning, click on "click here to export the scan report". Save it to your desktop, at "file name" type in "bdscan" then click save. Post a log in your reply.
|
|
Response Number 9
|
Name: BENDER
Date: September 12, 2008 at 18:31:47 Pacific
|
Reply: (edit) BitDefender Online Scanner
Scan report generated at: Sat, Sep 13, 2008 - 11:09:32
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;
Statistics
Time 02:43:25
Files 786531
Folders 12900
Boot Sectors 0
Archives 103783
Packed Files 37600
Results
Identified Viruses 5
Infected Files 5
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 5
Engines Info
Virus Definitions 1754595
Engine build AVCORE v1.7 (build 8314.19) (i386) (Sep 10 2008 19:37:42)
Scan plugins 16
Archive plugins 43
Unpack plugins 7
E-mail plugins 6
System plugins 4
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\Program Files\Codemasters\Race Driver\RaceDriver.exe=>(Embedded EXE 2o) Infected with: Trojan.Generic.370919
C:\Program Files\Codemasters\Race Driver\RaceDriver.exe=>(Embedded EXE 2o) Deleted
C:\Program Files\Codemasters\Race Driver\RaceDriver.exe Update failed
D:\Bedes\My Documents\patches n files\18AMV~1.RAR=>1.8????AMV????????????????\MSI.CAB=>_6227252443C841BF9FFDFF29A9856421 Infected with: Trojan.Delall.Q
D:\Bedes\My Documents\patches n files\18AMV~1.RAR=>1.8????AMV????????????????\MSI.CAB=>_6227252443C841BF9FFDFF29A9856421 Deleted
D:\Bedes\My Documents\patches n files\18AMV~1.RAR=>1.8????AMV????????????????\MSI.CAB Update failed
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-3_src.zip=>reset5setup.exe Infected with: Trojan.Generic.205475
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-3_src.zip=>reset5setup.exe Deleted
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-3_src.zip Update failed
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-4_src.zip=>TS-Free-1.2.exe=>(RAR Sfx o)=>WPA_Kill.exe Infected with: Trojan.Agent.JH
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-4_src.zip=>TS-Free-1.2.exe=>(RAR Sfx o)=>WPA_Kill.exe Disinfection failed
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-4_src.zip=>TS-Free-1.2.exe=>(RAR Sfx o)=>WPA_Kill.exe Deleted
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Other\Office2k3&XP\Anti-MSOPA 2k3 & XP\src\Anti-MSOPA_1-4_src.zip=>TS-Free-1.2.exe=>(RAR Sfx o) Update failed
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Antiwpa-V3.4.6 for X64 and X86.zip=>Universal Patch for 5xxxx 32+64 bit\vista..5xxx patch.exe Infected with: Trojan.Keygen.Q
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Antiwpa-V3.4.6 for X64 and X86.zip=>Universal Patch for 5xxxx 32+64 bit\vista..5xxx patch.exe Deleted
D:\Bedes\My Documents\patches n files\Antiwpa_Site_Sep_07.7z=>Antiwpa-V3.4.6 for X64 and X86.zip Update failed
Response Number 10
Name: jabuck
Date: September 13, 2008 at 10:12:20 Pacific
Reply: Looks like your computer is clean. You may need to reinstall any games that are not updating. How is the computer operating?
Response Number 11
Name: BENDER
Date: September 13, 2008 at 19:42:39 Pacific
Reply: It seems pretty good, but there's something still not right somewhere. The Windows Security Centre is still saying virus protection not found. I tried uninstalling/reinstalling AVG again. Any ideas how to fix that? How can I be sure AVG is protecting me? There's a few other things not right. I'm a small eBay seller and weird things are happening with my eBay pages after all the cleaning up, mainly while using Firefox. My password was changed; I'm not sure if it was hijacked or not. I've had that sorted, but it won't let me reset my password in my eBay account settings, although it accepts my new password when I log in. The fonts have changed and some links on pages won't work or are grayed out or missing. I can't revise pictures in listings or select other options. Most of these things don't happen with Internet Explorer, but eBay pages run really, really slow. I think I might have removed something when cleaning the PC. Can you recommend anything or any programs that might help analyse or fix these problems? Thanks heaps Jabuck for all your help. I really appreciate it. Apart from those issues above, the system seems to run better than it has for a while. The load time has halved. Cheers
Response Number 12
Name: jabuck
Date: September 13, 2008 at 20:34:41 Pacific
Reply: If your AVG antivirus is updating, it is protecting your computer. Let's remove the CA drivers and folder; maybe they are confusing Microsoft Security Center. Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, Driver or File, etc.) is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Driver::
CA_LIC_CLNT
CA_LIC_SRVR

Folder::
C:\Program Files\CA
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "Run". There is a new Firefox update; you should get a notification. Install the update and see if that helps Firefox. Restart the computer and let us know if that helped.
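One way to see what Security Center itself has registered, added here as an example and not part of jabuck's reply: Windows XP's Security Center keeps its antivirus list in the WMI namespace root\SecurityCenter, which is what the "virus protection not found" message is based on, so a missing AVG row or a leftover row from the uninstalled CA product shows up here. It assumes Windows PowerShell is installed on the XP machine; the service name pattern avg* matches the avg8emc and avg8wd services shown in the thread's ComboFix log.

```powershell
# Added example, not from the thread. Reads the antivirus entries that
# Windows Security Center (XP SP2/SP3) holds in WMI. On Vista and later the
# namespace is root\SecurityCenter2 and the class exposes a productState
# value instead of the two boolean properties used below.
$products = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue

if (-not $products) {
    # No product registered: this is exactly the state that produces the
    # "virus protection not found" message, even if AVG is running.
    Write-Host 'Security Center has no antivirus product registered.'
    Write-Host 'AVG may still be active; its services (from the ComboFix log: avg8emc, avg8wd) should be Running:'
    Get-Service | Where-Object { $_.Name -like 'avg*' } | Format-Table Name, Status -AutoSize
}
else {
    # One row per registered product. A row for a product that was removed
    # (here, the CA entries) is the stale registration that confuses Security Center.
    foreach ($p in $products) {
        Write-Host ('{0}: on-access scanning={1}, up to date={2}' -f `
            $p.displayName, $p.onAccessScanningEnabled, $p.productUptoDate)
    }
}
```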
Response Number 13
Name: BENDER
Date: September 13, 2008 at 21:16:50 Pacific
Reply: Didn't help, it's still the same. I'm pretty sure I'd already removed every visible CA file from Program Files and the registry. When I started ComboFix, the AVG scan box icon showed in the system tray next to the AVG icon. This has happened before, but it appears it is not scanning and won't pause or stop.

ComboFix 08-09-10.02 - Bedes 2008-09-14 13:55:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2248 [GMT 10:00]
Running from: D:\Bedes\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bedes\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[ComboFix log: files created from 2008-08-14 to 2008-09-14, Find3M report, snapshot@2008-09-11_14.58.44.51 diff, registry loading points, firewall authorized applications, services and scheduled tasks]
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 13:57:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0
Completion time: 2008-09-14 13:59:48
Response Number 14
Name: jabuck
Date: September 14, 2008 at 05:33:46 Pacific
Reply: Re-download AVG to your desktop. Go offline, uninstall the one you now have and install the new one, then go online and update the new one. Did the updated Firefox version help?