Trojan TDSServe, Winfixer & Dialer

? / AMD ATHLON XP 3000+
December 21, 2008 at 18:49:04
Specs: Windows XP, AMD 4200 dual core/ 896mb
Hi guys and thanks for any help in advance.
Okay where to start. I believe the home computer was hit with a trojan last week, but it could have been longer. Webroot SpySweeper detected an attack. We ran the scan and it actually found Fakealert.

I read on this site about installing Malwarebytes, which I did. I ran the scan and it found plenty of nasties including Fakealert, but it also found TDSServe. It tried to fix everything, restarted the computer and as it fired back up, I noticed that something was also deleted. Happened very quickly, but I presume it was one of the trojans. I re-ran the scan and nothing was found.
Great, I thought, but later that day I discovered a few problems in Device Manager.
Issue with Microsoft natural PS/2 keyboard driver and another Unknown USB device which wasn't recognised. While I was looking around, I noticed in the Non-Plug and Play Drivers this: TDSSserv.sys
I thought Malwarebytes had removed it. It certainly wasn't being picked up by it again even though I had done a reboot. I manually deleted the TDSSserv.sys driver and after a few reboots, can confirm that it is not there, but I still have the issue with the Microsoft natural PS/2 keyboard driver and another Unknown USB device!

I read somewhere here that Spyware Doctor could see the Trojan, but not remove it, so I installed Spyware Doctor, ran an Intel Scan and sure enough, there was the TDSServe Trojan together with Winfixer & Dialer.Fast_Video_Player. Spyware Doctor wanted me to pay $29 to fix it, but because I had read that it can't get rid of it, I decided to hand over the cash.

I then read this post: http://www.bullguard.com/forum/10/P...
Sounded like it was worth a try. I removed Malwarebytes from my PC, downloaded a copy with my laptop, renamed it etc., added it to this PC, got it installed as per the instructions and ran it again, this time in safe mode. Left it for 3 hours and nothing was found. Ran Spyware Doctor again and it's still there, so why can't Malwarebytes see it anymore? Has it become invisible to Malwarebytes? The only thing that didn't go exactly as per the instructions was the claim by some that after renaming the file, it should take a while to install. People described it as though their PC had frozen for 10 mins. I didn't have this problem as it installed straight away. Perhaps the original installation has some bearing on this, or the fact that I deleted (or thought I had) the TDSS virus on the normal installation of Malwarebytes and the virus is now keeping a low profile from this software!

Not really sure what to do next. I have decided to install HijackThis v2.0.2 to my desktop and provide those in the know with a logfile, if this will help. Edit: I tried to post the HijackThis logfile, but wasn't able to at this stage!!

Any further advice would be most welcome.
Regards Chris.


#1
December 21, 2008 at 18:50:39
Try again.
Below is the HijackThis logfile:

Regards Chris.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:02:48, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Property Wizard 3\database\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\BlazeVideo\BlazeDTV2.1\MediaDetector.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Property Wizard 3\xfer.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Property Wizard 3\sysxfer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Property Wizard 3\xferservice.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
c:\program files\property wizard 3\sysxfer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Chris\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: 127.98.9.2 mail.talktalk.net.b9
O1 - Hosts: 127.98.9.1 mail.325099.co.uk.b9
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDTV2.1\MediaDetector.exe"
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
O4 - HKCU\..\Run: [SsAAD.exe] "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1078081533-1935655697-1060284298-500\..\Run: [CTFMON.EXE] "C:\WINDOWS\system32\CTFMON.EXE" (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Property Wizard 3 Xfer.lnk = C:\Program Files\Property Wizard 3\xfer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Movies Extractor Scout - {A15C0C77-59B3-4FBA-90A6-22D9D82DC011} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.rightmove.co.uk
O15 - Trusted Zone: www.tomtom.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} (Promap Control) - https://www.promapserver.co.uk/controls/latest/promap.cab
O16 - DPF: {CDBA735B-38D8-477D-99E8-A2A397B12CDB} (MediaUploaderForm2 Control) - http://www.rightmove.co.uk/rmp/obj/...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Wizard Transfer Service (wizxfer) - Datamatix Ltd. - C:\Program Files\Property Wizard 3\xferservice.exe

--
End of file - 11850 bytes

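A HijackThis log lists every hook point it knows about without judging any of them, so the useful first pass is to pull out the entry classes that most often carry an infection and the ones that deserve a second look anyway. The script below is an added example, not part of the thread and not a HijackThis feature; the sample log is a subset of lines copied from the log posted above, and the rules (hosts overrides, Run entries launched from directly inside C:\WINDOWS or a user profile, AppInit_DLLs, services with "Unknown owner") are my own heuristics. They produce a review queue, not verdicts: Realtek's RTHDCPL/SkyTel/ALCMTR genuinely live in C:\WINDOWS, and the two .b9 hosts entries appear to belong to the Firetrust Benign mail proxy (B9.exe) that is also running on this machine.

```python
"""Review queue for a HijackThis 2.0.2 log (added example, not from the thread).

Entry classes pulled out:
  O1  hosts-file overrides
  O4  Run-key autostarts whose binary sits directly in %WINDIR% or under a
      user profile instead of Program Files / system32
  O20 AppInit_DLLs, loaded into every user-mode process
  O23 services whose publisher HijackThis reports as "Unknown owner"
A hit means "verify this entry", not "this is malware".
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


# O4 - <hive>\..\Run: [<name>] <command>
_RUN = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: <name> - <owner> - <path>
_SVC = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Parent directories an autostart should not normally be launched from.
_ODD_PARENTS = (r'c:\windows', r'c:\windows\temp')
_PROFILE_ROOT = r'c:\documents and settings'


def _exe_of(cmd):
    """Executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text):
    """Return the Finding list for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('O1 - Hosts:'):
            findings.append(Finding('hosts', 'hosts-file override; confirm which product wrote it', line))
        elif line.startswith('O20 - AppInit_DLLs:'):
            findings.append(Finding('appinit', 'DLL injected into every process; verify publisher', line))
        elif (m := _RUN.match(line)):
            exe = _exe_of(m['cmd']).lower()
            parent = exe.rsplit('\\', 1)[0] if '\\' in exe else ''
            if parent in _ODD_PARENTS or parent.startswith(_PROFILE_ROOT):
                findings.append(Finding('run', f'autostart launched from {parent}', line))
        elif (m := _SVC.match(line)):
            if m['owner'].lower().startswith('unknown owner'):
                findings.append(Finding('service', 'service with no identifiable publisher', line))
    return findings


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.98.9.2 mail.talktalk.net.b9
O1 - Hosts: 127.98.9.1 mail.325099.co.uk.b9
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.reason}\n    {f.line}')
```

Run against the sample it flags six lines: both hosts entries, SkyTel.EXE and switpa.exe (both launched from C:\WINDOWS itself), the AVG AppInit DLL, and the Macromedia service. Only switpa.exe has no obvious product behind it in the rest of the log; that is the entry a reviewer would check on disk first.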


#2
December 21, 2008 at 18:56:53
First go to start> control panel> add/remove programs and uninstall Malwarebytes, SpySweeper, and anything with Winfixer written in it.

Then post a HijackThis log please.



#3
December 22, 2008 at 14:01:51
Hi, thanks for your help.
SpySweeper gone, Malwarebytes gone, nothing else in Add/Remove Programs that has the word Winfixer in it, so nothing to remove there; rebooted the machine & new logfile below.
Hope it tells you something. Cheers Chris.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:49:26, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Property Wizard 3\xferservice.exe
C:\Program Files\BlazeVideo\BlazeDTV2.1\MediaDetector.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Property Wizard 3\xfer.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Property Wizard 3\sysxfer.exe
c:\program files\property wizard 3\sysxfer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: 127.98.9.2 mail.talktalk.net.b9
O1 - Hosts: 127.98.9.1 mail.325099.co.uk.b9
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] "C:\WINDOWS\SkyTel.EXE"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDTV2.1\MediaDetector.exe"
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
O4 - HKCU\..\Run: [SsAAD.exe] "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Property Wizard 3 Xfer.lnk = C:\Program Files\Property Wizard 3\xfer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Movies Extractor Scout - {A15C0C77-59B3-4FBA-90A6-22D9D82DC011} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.rightmove.co.uk
O15 - Trusted Zone: www.tomtom.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} (Promap Control) - https://www.promapserver.co.uk/controls/latest/promap.cab
O16 - DPF: {CDBA735B-38D8-477D-99E8-A2A397B12CDB} (MediaUploaderForm2 Control) - http://www.rightmove.co.uk/rmp/obj/...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Wizard Transfer Service (wizxfer) - Datamatix Ltd. - C:\Program Files\Property Wizard 3\xferservice.exe

--
End of file - 10973 bytes



#4
December 23, 2008 at 12:54:24
Once you get SDFix downloaded, go offline, turn off your antivirus, and turn off any antispyware that you have, run SDFix from safe mode and restart the antivirus before you get back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1.Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



#5
January 4, 2009 at 16:03:55
Hi, Thanks for the info. I have just got back from our Christmas break (Been visiting family in Holland, but now back in the UK again) so sorry for not replying earlier.

It's late at the moment and I'm tired, so I will study what you have written tomorrow with a clear head. Thanks again.
Update to follow soon. :-)



#6
January 5, 2009 at 15:43:32
Hi again,
Okay, followed your instructions apart from the fact that my keyboard kept freezing up when trying to boot into safe mode, so I ran msconfig and on the BOOT.INI tab selected /SAFEBOOT and rebooted into safe mode.
At the end of SDFix, when it asked me to press any key to continue, it rebooted, but instead of going back to normal mode it went back into safe mode. It seems to have worked, judging by the report anyway. Still haven't carried out a scan to check yet.

Here is the contents of the Report.txt:
Do you think I have got it?
-----------

SDFix: Version 1.240
Run by Chris on 05/01/2009 at 23:02

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name:
TDSSserv.sys

Path:
\systemroot\system32\drivers\TDSSmpct.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSmpct.sys - Deleted
C:\WINDOWS\system32\TDSSmtve.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted

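The SDFix report above shows the two things that made this driver stand out once somebody looked at the Services hive directly rather than through the running system: the service is named like a file (TDSSserv.sys) and its ImagePath points at a differently named binary (TDSSmpct.sys). The script below is an added example, not part of the thread and not SDFix's own code: it parses a .reg export of HKLM\SYSTEM\CurrentControlSet\Services, flags kernel drivers with those two traits, and then does a cross-view comparison, listing service keys present in the export but missing from a live enumeration, which is what a rootkit hiding its own service from the running system looks like. The .reg text, the "live" list and the function names are constructed for the example; the Beep and NVSvc entries are stand-ins for legitimate services.

```python
"""Offline checks on an exported Services key (added example, not from the thread).

parse_services()     .reg export -> {service_name: {value_name: value}}
suspicious_drivers() kernel/FS drivers (Type 1 or 2) whose *name* looks like a
                     filename or whose ImagePath binary does not match the name
cross_view()         keys present in the export but absent from a live listing

Assumptions: the export is already decoded to text (regedit writes UTF-16);
REG_EXPAND_SZ values appear as hex(2), possibly split over continuation lines.
"""
import re

_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$', re.I)
_VAL = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


def _decode_value(raw):
    """.reg value text -> str or int ("string", dword:, hex(2): handled)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):  # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes.fromhex(raw[7:].replace(',', ''))
        return data.decode('utf-16-le').rstrip('\x00')
    return raw


def parse_services(reg_text):
    services, current, pending = {}, None, ''
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):          # hex value continued on next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ''
        if line.startswith('['):
            m = _KEY.match(line)
            current = m.group(1) if m else None   # subkeys (…\Enum) are skipped
            if current is not None:
                services.setdefault(current, {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            services[current][m['name']] = _decode_value(m['val'])
    return services


def suspicious_drivers(services):
    """[(name, image_path, [reasons])] for driver services worth a second look."""
    out = []
    for name, vals in services.items():
        if vals.get('Type') not in DRIVER_TYPES:
            continue
        reasons = []
        if name.lower().endswith(('.sys', '.exe', '.dll')):
            reasons.append('service name looks like a filename')
        image = str(vals.get('ImagePath', ''))
        base = image.replace('/', '\\').rsplit('\\', 1)[-1]
        image_stem = base.rsplit('.', 1)[0].lower()
        name_stem = (name[:-4] if name.lower().endswith('.sys') else name).lower()
        if base and image_stem != name_stem:
            reasons.append(f'ImagePath binary {base} does not match service name')
        if reasons:
            out.append((name, image, reasons))
    return out


def cross_view(services, live_names):
    """Service keys in the offline export that a live enumeration did not report."""
    live = {n.lower() for n in live_names}
    return sorted(n for n in services if n.lower() not in live)


# Constructed .reg export: two ordinary services plus the entry SDFix reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,42,00,65,00,65,00,70,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep\Enum]
"Count"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\nvsvc32.exe"
"DisplayName"="NVIDIA Display Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\systemroot\\system32\\drivers\\TDSSmpct.sys"
'''

# Constructed: what a live service enumeration on the infected box returned.
LIVE_SERVICES = ['Beep', 'NVSvc']

if __name__ == '__main__':
    svcs = parse_services(SAMPLE_REG)
    for name, image, reasons in suspicious_drivers(svcs):
        print(f'{name}: {image}\n  ' + '\n  '.join(reasons))
    print('hidden from live view:', cross_view(svcs, LIVE_SERVICES))
```

The name-versus-binary rule is a hint rather than proof (legitimate drivers occasionally use a key name that differs from the file name), which is why the cross-view result carries more weight: a key that regedit's export contains but the live system will not list has to be explained.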


#7
January 5, 2009 at 19:55:07
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Be sure to alert me when you respond.



#8
January 6, 2009 at 15:28:58
Okay my friend, did as you asked.
Please find below a copy of the log Combofix produced.

I would also like to point out that I ran a scan yesterday with Malwarebytes after I ran the SDFix program. It didn't find any sign of the TDSServe trojan, but that doesn't mean very much; it did however find a Fakealert trojan! I moved this to quarantine, deleted it and rebooted. I then ran the scan again and this time nothing was found. I thought I had cleared the Fakealert trojan several weeks back. I am hoping that this is not another one of those un-deletable trojans that re-appear months after you thought you had cleared it.
Anyway, here's the Combofix log:

-----------

ComboFix 09-01-05.05 - Chris 2009-01-06 22:46:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.304 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-06 00:35 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:35 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 23:01 . 2009-01-05 23:01 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-05 22:58 . 2009-01-05 22:58 <DIR> d-------- c:\windows\ERUNT
2009-01-05 22:38 . 2009-01-05 23:25 <DIR> d-------- C:\SDFix
2008-12-22 23:21 . 2008-12-22 23:22 <DIR> d-------- c:\program files\Microsoft IntelliType Pro
2008-12-22 23:08 . 2008-12-22 23:10 <DIR> d-------- C:\Keyboard Driver
2008-12-21 22:44 . 2008-12-21 22:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-21 22:06 . 2009-01-06 00:35 <DIR> d-------- c:\program files\Malware
2008-12-21 21:52 . 2008-12-21 21:52 <DIR> d-------- C:\setup
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\documents and settings\Chris\Application Data\Malwarebytes
2008-12-21 02:10 . 2008-12-21 02:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 22:04 . 2008-12-20 23:06 <DIR> d-------- c:\documents and settings\Chris\Application Data\Power Sound Editor Free
2008-12-20 22:03 . 2008-12-20 22:04 <DIR> d-------- c:\program files\Power Sound Editor Free
2008-12-20 22:03 . 2005-05-17 12:37 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2008-12-20 22:03 . 2005-05-18 11:52 1,212,416 --a------ c:\windows\system32\NCTAudioInformation2.dll
2008-12-20 22:03 . 2005-04-15 12:08 880,640 --a------ c:\windows\system32\NCTAudioEditor2.dll
2008-12-20 22:03 . 2004-11-04 13:31 835,584 --a------ c:\windows\system32\NCTAudioCDGrabber2.dll
2008-12-20 22:03 . 2005-04-04 17:21 602,112 --a------ c:\windows\system32\NCTAudioTransform2.dll
2008-12-20 22:03 . 2005-03-28 15:54 479,232 --a------ c:\windows\system32\NCTAudioVisualization2.dll
2008-12-20 22:03 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioRecord2.dll
2008-12-20 22:03 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioPlayer2.dll
2008-12-20 22:03 . 2005-03-28 15:52 417,792 --a------ c:\windows\system32\NCTTextToAudio2.dll
2008-12-20 22:03 . 2005-02-24 11:51 348,160 --a------ c:\windows\system32\NCTWMAFile2.dll
2008-12-20 22:03 . 2006-03-23 12:56 113,486 --a------ c:\windows\system32\NCTWMAProfiles.prx
2008-12-20 16:31 . 2008-12-20 16:31 <DIR> d-------- c:\program files\BlazeVideo
2008-12-20 16:31 . 2008-12-20 16:31 <DIR> d-------- C:\BlazeVideo
2008-12-20 16:13 . 2008-12-20 16:34 <DIR> d-------- c:\program files\InterActual
2008-12-20 15:53 . 2008-12-20 15:53 0 --a------ c:\windows\iPlayer.INI
2008-12-08 01:48 . 2008-12-08 02:49 75,776 --a------ c:\documents and settings\Interst Only Calc Monthly Saving.xls
2008-12-08 01:27 . 2008-12-08 01:27 21,504 --a------ c:\documents and settings\Interst Only Calc 2.xls
2008-12-08 01:17 . 2008-12-08 01:17 17,408 --a------ c:\documents and settings\Interst Only Calc 1.xls
2008-12-07 13:18 . 2008-12-07 13:18 <DIR> d-------- c:\program files\AskBarDis
2008-12-07 13:18 . 2008-12-21 16:16 <DIR> d-------- C:\DVDVideoSoft
2008-12-07 13:17 . 2008-12-07 13:17 <DIR> d-------- c:\program files\DVDVideoSoft
2008-12-07 13:17 . 2008-12-07 13:18 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 22:58 --------- d-----w c:\documents and settings\Chris\Application Data\MailWasherPro
2009-01-06 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-22 01:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-20 16:07 --------- d-----w c:\program files\DivX
2008-11-25 16:34 --------- d-----w c:\program files\Property Wizard 3
2008-11-25 16:24 --------- d-----w c:\program files\Microsoft SQL Server
2008-11-25 16:20 --------- d-----w c:\program files\Microsoft.NET
2008-11-24 19:13 --------- d-----w c:\program files\RADVideo
2008-10-10 09:02 164 ----a-w C:\install.dat
2007-08-20 00:11 2,293,712 ------w c:\program files\FLV PlayerFCSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 10:32 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BlazeServoTool"="c:\program files\BlazeVideo\BlazeDTV2.1\MediaDetector.exe" [2006-06-20 286720]
"b9"="c:\program files\Firetrust\Benign\B9.exe" [2004-08-28 2412544]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-20 476728]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-03-23 888832]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="c:\windows\system32\nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"SkyTel"="c:\windows\SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-08-01 16049664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-16 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1261336]
"UserFaultCheck"="c:\windows\system32\dumprep.exe" [2008-04-14 10752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2007-07-26 16667786]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 217600]
Exif Launcher.lnk - c:\program files\Exif Launcher\QuickDCF.exe [2005-04-21 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Property Wizard 3 Xfer.lnk - c:\program files\Property Wizard 3\xfer.exe [2008-05-09 20480]
WinZip Quick Pick.lnk - c:\program files\Winzip\WZQKPICK.EXE [2006-11-21 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2005-12-05 13:56 10472 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Ubi Soft\\IL-2 Sturmovik Forgotten Battles\\il2fb.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Jade Tools\\Jade Property Suite\\Jade.exe"=
"c:\\Program Files\\FireTrust\\Benign\\B9.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"21000:TCP"= 21000:TCP:IL2 GAME
"21000:UDP"= 21000:UDP:IL2 GAME b
"21010:TCP"= 21010:TCP:IL2 GAME c
"21010:UDP"= 21010:UDP:IL2 GAME d
"43500:TCP"= 43500:TCP:IL2 GAME e
"43500:UDP"= 43500:UDP:IL2 GAME f

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-24 97928]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-24 76040]
R4 MSSQL$PWIZARD;SQL Server (PWIZARD);c:\program files\Property Wizard 3\database\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R4 wizxfer;Wizard Transfer Service;c:\program files\Property Wizard 3\xferservice.exe [2008-05-09 24576]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2000-09-14 159867]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12710162-060e-11dd-a85d-00196606d5dd}]
\Shell\AutoRun\command - G:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38c160e2-b9f8-11db-b5d3-0030bdbb6c8e}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e45cf8bc-4ce7-11dd-a8ce-00196606d5dd}]
\Shell\AutoRun\command - F:\ShellExecute.bat LaunchMaterial.wsf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9968600-0986-11dc-b64d-0030bdbb6c8e}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-gcasServ - c:\program files\Microsoft AntiSpyware\gcasServ.exe
HKLM-Run-switp - c:\windows\switpa.exe
HKLM-Run-NI.UWFX5LP_0001_0803 - c:\windows\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = about:blank
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {{A15C0C77-59B3-4FBA-90A6-22D9D82DC011} - c:\program files\Bytescout Movies Extractor Scout\flashextract.exe
Trusted Zone: www.mybusinessbank.co.uk
Trusted Zone: www.rightmove.co.uk
Trusted Zone: www.tomtom.com

c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll - c:\windows\Downloaded Program Files\Promap.dll
c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll
O16 -: {644F656A-013E-4198-BE03-1D7A4F6AB550}
hxxps://www.promapserver.co.uk/controls/latest/promap.cab
c:\windows\Downloaded Program Files\promap.inf

c:\windows\Downloaded Program Files\mediaupload.ocx - O16 -: {CDBA735B-38D8-477D-99E8-A2A397B12CDB}
hxxp://www.rightmove.co.uk/rmp/obj/activex41/mediaupload.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 22:57:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Property Wizard 3\sysxfer.exe
c:\program files\Property Wizard 3\sysxfer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-06 23:07:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 23:06:03

Pre-Run: 34,468,265,984 bytes free
Post-Run: 36,987,891,712 bytes free

218 --- E O F --- 2008-12-20 16:18:37


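As an added triage example (not code from ComboFix or from anyone in this thread), the following Python parses the "Reg Loading Points" section of a log like the one above and flags the entries a reviewer would check first: the XP firewall being off, AutoRun commands tied to removable drives, an AppInit_DLLs value, and Browser Helper Objects. The sample log is constructed from the format shown above, and the function names are this example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread, not ComboFix's own code: it lists autostart
entries and flags ones worth a second look. Flags are prompts, not verdicts."""
import re

# Constructed sample, condensed from the log posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((( Reg Loading Points ))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 10:32 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-30 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12710162-060e-11dd-a85d-00196606d5dd}]
\Shell\AutoRun\command - G:\Launch.exe /run
.
- - - - ORPHANS REMOVED - - - -
"""
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')

def parse_loading_points(text):
    """Return (registry_key, entry_line) pairs from the section."""
    entries, key, in_section = [], None, False
    for line in text.splitlines():
        if "Reg Loading Points" in line:
            in_section = True
        elif in_section and line.startswith("- - - - ORPHANS"):
            break  # next ComboFix section starts here
        elif in_section and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif in_section and key and line.strip() not in ("", "."):
            entries.append((key, line.strip()))
    return entries

def run_entries(entries):
    """Map Run-key value names to the command they launch."""
    out = {}
    for key, value in entries:
        m = RUN_VALUE.match(value)
        if m and key.lower().endswith("\\run"):
            out[m.group(1)] = m.group(2)
    return out

def review_flags(entries):
    """Return (flag, registry_key, entry_line) for entries worth checking."""
    flags = []
    for key, value in entries:
        k, v = key.lower(), value.lower()
        if k.endswith("standardprofile") and v.startswith('"enablefirewall"= 0'):
            flags.append(("firewall-disabled", key, value))   # XP firewall off
        elif "mountpoints2" in k and "autorun" in v:
            flags.append(("removable-autorun", key, value))   # drive autorun command
        elif v.startswith('"appinit_dlls"=') and v != '"appinit_dlls"=':
            flags.append(("appinit-dll", key, value))         # DLL loaded into every process
        elif "browser helper objects" in k:
            flags.append(("bho", key, value))                 # IE add-on, check publisher
    return flags

if __name__ == "__main__":
    for flag, key, value in review_flags(parse_loading_points(SAMPLE_LOG)):
        print(f"{flag:18} [{key}] {value}")
```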

#9
January 6, 2009 at 17:24:51
You would be better off uninstalling this:

AskBarDis

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#10
January 7, 2009 at 18:23:17
Hello again.
Followed your instructions exactly.
3 threats found during scan, though they may be nothing.

Have we got anything to be worried about?
Regards Chris

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 07, 2009 22:14:16
Records in database: 1581636
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 133861
Threat name: 2
Infected objects: 1
Suspicious objects: 2
Duration of the scan: 02:05:03


File name / Threat name / Threats count
C:\Documents and Settings\Chris\Local Settings\Application Data\Identities\{E78E6B35-1D8E-403D-8308-62E87788306C}\Microsoft\Outlook Express\Sent Items.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Chris\Local Settings\Application Data\Identities\{E78E6B35-1D8E-403D-8308-62E87788306C}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Old D Drive\My Documents\My Documents Main Area\freeripmp3.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1

The selected area was scanned.



#11
January 7, 2009 at 20:55:36
Look in the following file and delete everything you can:

C:\Documents and Settings\Chris\Local Settings\Application Data\Identities\{E78E6B35-1D8E-403D-8308-62E87788306C}\Microsoft\Outlook Express\Sent Items.bak

Navigate to and delete this file:

C:\Old D Drive\My Documents\My Documents Main Area\freeripmp3.exe

Your computer appears to be clean other than the above items.

Navigate to and delete this folder:

C:\SDFix

Empty the recycle bin.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#12
January 8, 2009 at 05:46:28
Hi again,
Okay done all that but worried about deleting:

C:\Documents and Settings\Chris\Local Settings\Application Data\Identities\{E78E6B35-1D8E-403D-8308-62E87788306C}\Microsoft\Outlook Express\Sent Items.bak

I am not exactly sure what this file does and I do not want to lose all my sent emails within my sent folder of outlook express!
If I delete this file will I lose my sent folder emails?

Other than that, the computer seems a lot faster.
My brother thinks that I should buy a full copy of Kaspersky 2009 as apparently it is very good. Would you suggest this also?

Regards Chris.



#13
January 8, 2009 at 20:36:33
You need to weed those files out when you can as one of them is infected with something.

And Kaspersky is not stopping this type of infection any better than any other antivirus, just an FYI.

Glad we could help.



#14
January 9, 2009 at 03:47:10
Okay and thanks again for your kind assistance on this.

Regards Chris.

