TDSSERV-Need help for manual remove

Computing.Net > Forums > Security and Virus > TDSSERV-Need help for manual remove

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

TDSSERV-Need help for manual remove

Name: ZODD
Date: October 1, 2008 at 20:00:19 Pacific
OS: Windows XP Professional
CPU/Ram: 1.6ghz processor, 1g ram
Product: intel

Comment:

I have had a string of Trojans and have been deleting them either manually or with scans from various virus programs, malware bytes anti-malware, trend micro, some others that scan but aren't free. None of them can delete tdsserv, i need help to manually delete it. I didn't want to delete all the reg keys encase i damaged the system.

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: October 1, 2008 at 20:20:11 Pacific

Reply:

We need to see the reports from Malwarebytes and Hijack This. Run both scans and post their logs.
Please download Malwarebytes' Anti-Malware from one of these sites:
MalwareBytes1
MalwareBytes2
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Response Number 2

Name: ZODD
Date: October 2, 2008 at 01:29:41 Pacific

Reply:

Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:57 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe
C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Demos\UltimateZip\uzqkst.exe
C:\Demos\firefox.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\User\Desktop\Stuff on USB\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Mitch and Greg\Greg\Quick Time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Veoh] "C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Mitch and Greg\Greg\pics\ImagineFX\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 9627 bytes
Malwarebytes scan
Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 2
2/10/2008 6:28:09 PM
mbam-log-2008-10-02 (18-28-09).txt
Scan type: Quick Scan
Objects scanned: 48683
Time elapsed: 4 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Response Number 3

Name: jabuck
Date: October 2, 2008 at 06:33:02 Pacific

Reply:

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline turn off your Nortons antivirus ,TrendSecure, Ad-Aware, Spyware Doctor and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Response Number 4

Name: ZODD
Date: October 2, 2008 at 20:10:05 Pacific

Reply:

OK here is the combofix log. But before i ran combofix i read that SDfix was good and ran that first. Sorry.
ComboFix 08-10-02.04 - User 2008-10-03 12:35:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.569 [GMT 10:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.
2008-10-03 12:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-03 12:24 . 2008-10-03 12:25 <DIR> d-------- C:\Program Files\Java
2008-10-03 12:24 . 2008-10-03 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-03 08:35 . 2008-10-03 08:35 <DIR> d-------- C:\Program Files\CCleaner
2008-10-02 19:29 . 2008-10-02 19:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-02 18:54 . 2008-10-02 18:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:30 . 2008-10-03 12:13 <DIR> d-------- C:\SDFix
2008-10-02 11:32 . 2008-10-02 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-10-02 11:01 . 2008-10-02 12:10 <DIR> d-------- C:\Documents and Settings\User\Application Data\Symantec
2008-10-02 10:59 . 2008-10-02 10:59 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-02 10:58 . 2008-10-02 11:39 <DIR> d-------- C:\Program Files\Norton 360 Premier Edition
2008-10-02 10:57 . 2008-10-02 11:18 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-02 10:57 . 2008-10-02 11:18 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-02 10:57 . 2008-10-02 11:18 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-02 10:57 . 2008-10-02 11:18 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-02 10:56 . 2008-10-02 11:18 <DIR> d-------- C:\Program Files\Symantec
2008-10-02 10:56 . 2008-10-02 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-02 10:55 . 2008-10-03 12:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-06 15:31 . 2008-09-06 15:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-06 15:30 . 2008-09-06 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-06 15:29 . 2008-09-06 15:29 <DIR> dr-hs---- C:\_Backup.RC
2008-09-06 15:29 . 2008-10-02 10:40 <DIR> d--h----- C:\_Backup
2008-09-06 15:27 . 2008-09-06 15:27 <DIR> d-------- C:\Program Files\Avanquest
2008-09-06 15:27 . 2008-09-06 15:27 <DIR> d-------- C:\Documents and Settings\User\Application Data\Avanquest
2008-09-05 09:39 . 2008-09-05 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\f-secure
2008-09-05 08:50 . 2008-09-05 08:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 07:57 . 2008-09-05 07:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 02:42 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-10-03 02:14 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-10-02 22:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-02 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-02 09:39 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-27 04:05 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-09-27 04:05 722,472 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-09-27 04:05 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-09-27 04:05 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
2008-09-27 01:14 81,288 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-27 01:14 66,952 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-27 01:14 40,840 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-27 01:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-06 05:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 11:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-01 11:17 --------- d-----w C:\Program Files\Lavasoft
2008-09-01 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 10:38 --------- d-----w C:\Program Files\RegFix Mantra
2008-09-01 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-01 06:29 --------- d-----w C:\Documents and Settings\User\Application Data\Malwarebytes
2008-09-01 06:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 06:41 --------- d-----w C:\Program Files\DNA
2008-08-31 02:12 --------- d-----w C:\Program Files\Exterminate It!
2008-08-31 01:59 --------- d-----w C:\Documents and Settings\User\Application Data\Sunbelt
2008-08-31 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-31 01:58 --------- d-----w C:\Program Files\Sunbelt Software
2008-08-30 13:54 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-30 13:46 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-30 13:46 --------- d-----w C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-08-30 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-30 13:33 --------- d-----w C:\Documents and Settings\User\Application Data\PC Tools
2008-08-30 12:06 --------- d-----w C:\Documents and Settings\User\Application Data\Uniblue
2008-08-30 12:05 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2008-08-30 12:05 --------- d-----w C:\Program Files\Uniblue
2008-08-30 08:29 846,336 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-08-30 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-30 07:40 --------- d-----w C:\Program Files\Trend Micro
2008-08-26 07:20 59,176 ----a-w C:\WINDOWS\system32\sbbd.exe
2008-08-04 01:30 --------- d-----w C:\Documents and Settings\User\Application Data\SPORE Creature Creator
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-14 08:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-04-15 03:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 05:33 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-03-31 11:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"Steam"="c:\games\steam\steam.exe" [2008-03-28 1271032]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Veoh"="C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" [2008-02-22 3537968]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 21898024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-11 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 53248]
"OpwareSE2"="C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe" [2003-05-08 49152]
"VirtualCloneDrive"="C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"QuickTime Task"="C:\Mitch and Greg\Greg\Quick Time\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"SBAMTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-08-26 677160]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-10-12 173312]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-19 51048]
"osCheck"="C:\Program Files\Norton 360 Premier Edition\osCheck.exe" [2008-02-27 988512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
UltimateZip Quick Start.lnk - C:\Demos\UltimateZip\uzqkst.exe [2005-02-26 303616]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Demos\\Battlefield 2\\BF2.exe"=
"C:\\Demos\\Bet on Soldier Single Player Demo\\BoS.exe"=
"C:\\Games\\Game Spy\\Aphex.exe"=
"C:\\Games\\Little Fighter\\LF2_v1.9c\\lf2.exe"=
"C:\\Demos\\Battlefield 2\\Bf2_w32ded.exe"=
"C:\\Demos\\Battlefield 2\\BF2VoipServer_w32ded.exe"=
"C:\\Demos\\Battlefield 2\\BF2VoipServer.exe"=
"C:\\Games\\Steam\\SteamApps\\audio_stream\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Caplio Software\\RGateLXP.exe"=
"C:\\Games\\X Fire\\Xfire\\Xfire.exe"=
"C:\\Demos\\LimeWire\\LimeWire.exe"=
"C:\\Mitch and Greg\\Mitch\\LimeWire\\LimeWire.exe"=
"C:\\Demos\\firefox.exe"=
"C:\\Mitch and Greg\\Greg\\ChiChi\\Comet\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2main.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Games\\Never Winter Nights 2\\nwupdate.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2server.exe"=
"C:\\Games\\Counter-Strike\\cstrike.exe"=
"C:\\Mitch and Greg\\Greg\\pics\\ImagineFX\\3dsMax8\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=
"C:\\Games\\Steam\\Steam.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Mitch and Greg\\Greg\\Miller Stuff\\weird al\\Weird\\CounterStrike2D.exe"=
"C:\\Games\\Mechcommander Gold\\MCX.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\MicroProse\\MCX\\MCX.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Games\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Games\\World of Warcraft\\WoW.exe"=
"C:\\Games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Games\\Soldat\\Soldat.exe"=
"C:\\Mitch and Greg\\Greg\\Bittorent\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Games\\Warcraft III\\GG-Client\\GGclient.exe"=
"C:\\Mitch and Greg\\Greg\\Veoh\\VeohClient.exe"=
"C:\\Games\\AOWSM\\Age of Wonders Shadow Magic\\AoWSM.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Games\\MC2\\Mc2Rel.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8940:TCP"= 8940:TCP:BitComet 8940 TCP
"8940:UDP"= 8940:UDP:BitComet 8940 UDP
"6112:TCP"= 6112:TCP:Port 6112 TCP
"6112:UDP"= 6112:UDP:warcraft3(1)
"6113:TCP"= 6113:TCP:warcaft3
"6114:TCP"= 6114:TCP:warcaft3
"6115:TCP"= 6115:TCP:warcaft4
"6116:TCP"= 6116:TCP:warcaft3
"6117:TCP"= 6117:TCP:warcraft3
"6118:TCP"= 6118:TCP:warcraft3
"6119:TCP"= 6119:TCP:warcraft3
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-19 149352]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-08-26 869672]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2007-10-12 20496]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [2007-11-06 87848]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdcb93cf-55f8-11dd-b276-0013d3635782}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - COMHOST
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-PowerBar - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9icl1eap.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 12:41:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
r Running Proce
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-03 12:47:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-03 02:47:23
Pre-Run: 82,341,744,640 bytes free
Post-Run: 82,276,352,000 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
280 --- E O F --- 2008-10-02 11:54:15
**************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:27 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe
C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Demos\UltimateZip\uzqkst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Mitch and Greg\Greg\Quick Time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Veoh] "C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Dow

Response Number 5

Name: jabuck
Date: October 3, 2008 at 09:07:12 Pacific

Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\kdfinj.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run Esets online scanner from this link:
ESET
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( Iwant to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

removing vista i586 awk remove first word del command switches swf plugin for firefox java plugin for firefox group manager.exe ntbackup logfile location dplaysvr.exe fix msiexec exe	j2se removal services.exe removal remove WBEM msinet server2008 remove csrss.exe Norton 360 Quarantine bios v2.05.13 user manual remove ccapp fastaccess installation wizard reboot helper ES1938/41/46 SOLO-1(E) AudioDrive Driver Download (.exe OR .zip)
See More

Response Number 6

Name: ZODD
Date: October 3, 2008 at 20:09:10 Pacific

Reply:

I did the ATF cleaner step fine. When i tryed to do the ESET scan it failed twice due to the slow internet and probably my old internet ie.
So sorry about that i dont think I can do the ESET scan.
The notepad thing i didnt do because i dont know whether its safe or not. If you could explain what that step does in more detail so i can execute it that would great.
Thanks for all the help, so if you could explain what the combofix notepad step did that would be great but i don't think i can do the ESET step.

Response Number 7

Name: jabuck
Date: October 3, 2008 at 20:15:19 Pacific

Reply:

It deletes the virus.

Response Number 8

Name: ZODD
Date: October 4, 2008 at 18:28:45 Pacific

Reply:

Sorry I will reply with the results within 2 days please come back and see. I have been hung up in arrangements I appreciate you waiting.
THankyou

Response Number 9

Name: ZODD
Date: October 5, 2008 at 04:53:31 Pacific

Reply:

I am extremely sorry, a meeting was put back a few days so i will have my reply in the nest 4 days.
Thankyou for waiting.

Response Number 10

Name: ZODD
Date: October 6, 2008 at 20:05:13 Pacific

Reply:

I will no longer need assistance, my friend helped me with with the last few steps. THANK YOU very much for your help with my problem.
I owe you a lot and thank you for helping.

Response Number 11

Name: jabuck
Date: October 7, 2008 at 19:26:36 Pacific

Reply:

Glad we could help.

Sponsored Link

Ads by Google

have been hacked, need he...

Local disk c missing fro...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: TDSSERV-Need help for manual remove

need fix for conflicker removal

Summary

www.computing.net/answers/security/need-fix-for-conflicker-removal/25483.html

have been hacked, need help

Summary

www.computing.net/answers/security/have-been-hacked-need-help/23544.html

Weird virus need help!

Summary

www.computing.net/answers/security/weird-virus-need-help/24449.html

From the Geek Dictionary
DLL - A Dynamic Link Library (DLL) is an executable module that a library of prog...

Ask a Question!

Weekly Poll
Did you go shopping on Black Friday?

Poll Finishes In 2 Days.
Discuss in The Lounge
Poll History

Recent Posts
No desktop icons

Screen is appearing with dull font

LCD display only showing 2 or 16 colors

Pxe e-61 error

how to make changes in a scanned program

All Awaiting Reply

Tom's News
New Super Mario Bros. Wii Looks Great in 1080p

Parents Pull Girl's Tooth, Scares Cat With RC Car

Xbox Live Marketplace Getting Pets

Snoop Dogg Lends His Voice to GPS Navigation

Roomba Saves Family From Poisonous Snake

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE