Malware Removal & HijackThis Logs
06-Nov-2009, 05:34 PM
#1
I have a virus on my system called Tdlwsp.dll and it won't go. I really need to get rid of this. I have tried AVG (which only recognizes it but cannot delete it), Avast and Windows Defender but it still won't go. Can anyone help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27:44, on 06/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe oqrk.pso dkhsx
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "C:\Documents and Settings\Tom\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\osbootpf.nsu"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Tom\Application Data\Macromedia\Common\dfe1c07619.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1201183267968
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://138.237.46.59/activex/AMC.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 14311 bytes
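The log above is long, but only a handful of sections carry the persistence points an analyst checks first: the F2 system.ini lines (on Windows XP, Shell should be exactly Explorer.exe and UserInit should hold a single userinit.exe entry), O4 Run entries that launch binaries from inside a user profile, O20 Winlogon Notify DLLs (loaded into winlogon.exe), and registrations whose target file is gone. The following script is an added example, not part of the thread and not HijackThis code; it applies those checks to a few entries copied verbatim from the log posted above. The "random-looking hex name" rule (eight or more hex characters) and the severity labels are the example's own assumptions, and a "review" finding is a prompt to look, not a verdict: Google Update legitimately runs from Local Settings, and the AVG Winlogon Notify DLL is expected on a machine with AVG installed.

```python
"""Triage the persistence-relevant sections of a HijackThis log."""
import re
from dataclasses import dataclass

# Entries copied verbatim from the HijackThis log posted above.
# A raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe oqrk.pso dkhsx
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Tom\Application Data\Macromedia\Common\dfe1c07619.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""


@dataclass
class Finding:
    severity: str  # "high", "review" or "orphan"
    reason: str
    line: str


LEGIT_SHELL = "explorer.exe"                       # only valid Shell value on XP
LEGIT_USERINIT_SUFFIX = r"\system32\userinit.exe"  # only valid UserInit entry on XP
# Assumed heuristic: an autorun binary whose name is 8+ hex characters.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$", re.IGNORECASE)
PROFILE_DIRS = ("\\application data\\", "\\local settings\\")


def _o4_command(body):
    """Return the command part of an O4 entry: 'HKCU\\..\\Run: [Name] cmd'."""
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
    if m:
        return m.group(1).strip()
    # "Global Startup: name.lnk = C:\path" form has no [Name] bracket.
    return body.split(" = ", 1)[-1].strip()


def _first_path(command):
    """Extract the executable path from a quoted or unquoted Run value."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def triage(log_text):
    """Return Findings for the F2, O4, O20 and orphaned entries in a HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Z]\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)

        if body.endswith("(no file)"):
            findings.append(Finding("orphan", "registration points at a missing file", line))
        elif section == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != LEGIT_SHELL:
                findings.append(Finding("high", "Winlogon Shell carries an extra command: " + value, line))
        elif section == "F2" and "UserInit=" in body:
            entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith(LEGIT_USERINIT_SUFFIX)]
            if extra:
                findings.append(Finding("high", "extra UserInit entries: " + ", ".join(extra), line))
        elif section == "O4":
            path = _first_path(_o4_command(body))
            low = path.lower()
            if HEX_NAME.match(low.rsplit("\\", 1)[-1]):
                findings.append(Finding("high", "random-looking executable name in autorun: " + path, line))
            elif any(d in low for d in PROFILE_DIRS):
                findings.append(Finding("review", "autorun from user profile: " + path, line))
        elif section == "O20":
            findings.append(Finding("review", "Winlogon Notify DLL loads inside winlogon.exe: " + body, line))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {"high": 0, "review": 0, "orphan": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the three "high" findings are exactly the lines a helper would ask about first: the second Shell command, the second UserInit entry (sdra64.exe), and the hex-named executable under Application Data. Everything else is either an orphaned registration to clean up or a legitimate product to confirm.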
06-Nov-2009, 07:33 PM
#2
Hello there, welcome to the Tech Support Guy forums. My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me. Please note the following:

Step 1

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button. To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (the Drop's URL will be similar to: http://drop.io/daerk).
__________________ Please post the final results, good or bad. Let me know if you won't be responding any longer. If I have not responded in three days, please feel free to PM me with a friendly reminder. Please don't send me requests for help. Use the forums instead. |
21-Nov-2009, 03:30 PM
#3
Sorry for the late response, I've posted it in two parts. Here it is:

ComboFix 09-11-20.05 - Tom 21/11/2009 19:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2465 [GMT 0:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090919-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\desktop.ini
c:\documents and settings\Tom\Favorites\Download programs.url
c:\documents and settings\Tom\Favorites\Games.url
c:\documents and settings\Tom\Favorites\Translator.url
c:\documents and settings\Tom\Favorites\Videos.url
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc75.tmp
c:\documents and settings\Tom\Start Menu\Programs\Download programs.url
c:\documents and settings\Tom\Start Menu\Programs\Games.url
c:\documents and settings\Tom\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Tom\Start Menu\Programs\Translator.url
c:\documents and settings\Tom\Start Menu\Programs\Videos.url
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\Install.txt
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\BReWErS.dll
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Install.txt
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tmp73.tmp
c:\windows\system32\tmp74.tmp
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
F:\Autorun.inf
F:\install.exe

Infected copy of c:\windows\system32\DRIVERS\nvgts.sys was found and disinfected
Restored copy from - Kitty ate it

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.
2009-11-21 18:55 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 18:55 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 17:56 . 2009-11-21 18:52 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-11-17 15:38 . 2009-11-17 15:39 -------- d-----w- c:\program files\iTunes
2009-11-17 15:32 . 2009-11-17 15:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-15 19:30 . 2009-11-15 19:30 -------- d-----w- c:\program files\Mouse fix
2009-11-14 23:21 . 2009-11-14 23:21 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-11-14 23:21 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-14 23:21 . 2009-11-14 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 23:21 . 2009-11-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 23:21 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 17:10 . 2009-11-13 18:00 117760 ----a-w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 17:09 . 2009-11-13 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-13 17:08 . 2009-11-13 17:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 17:08 . 2009-11-13 17:08 -------- d-----w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com
2009-11-12 15:24 . 2009-11-21 16:09 -------- d-----w- c:\program files\Steam
2009-11-12 15:22 . 2009-09-04 17:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-12 15:22 . 2009-09-04 17:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-12 15:22 . 2009-09-04 17:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-12 15:22 . 2009-09-04 17:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-12 15:22 . 2009-09-04 17:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-12 15:22 . 2009-09-04 17:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-12 15:22 . 2009-09-04 17:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-08 13:58 . 2009-11-08 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-11-08 13:57 . 2009-11-08 13:57 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Citrix
2009-11-08 13:57 . 2009-11-08 13:57 61480 ----a-w- c:\documents and settings\Tom\GoToAssistDownloadHelper.exe
2009-11-06 23:26 . 2009-11-06 23:26 -------- d-----w- c:\program files\Trend Micro
2009-11-06 20:19 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-06 20:13 . 2009-11-06 20:13 -------- d-----w- c:\program files\Windows Defender
2009-11-06 15:49 . 2009-10-25 13:55 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-05 21:58 . 2009-11-08 16:20 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\AskToolbar
2009-11-04 16:34 . 2009-11-04 16:34 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-04 16:33 . 2009-11-04 16:33 -------- d-----w- c:\program files\802.11 Wireless LAN
2009-11-02 19:51 . 2009-11-02 20:10 -------- d-----w- c:\program files\Cheat Engine
2009-11-02 15:28 . 2009-10-25 13:55 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-01 10:50 . 2009-11-01 10:50 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Office Genuine Advantage
2009-10-31 22:17 . 2009-11-06 19:15 -------- d-----w- c:\program files\Ask.com
2009-10-31 20:05 . 2009-10-31 20:05 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-31 20:04 . 2009-10-31 20:04 -------- d-----w- c:\program files\real
2009-10-26 11:59 . 2009-10-26 11:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-26 02:07 . 2009-10-26 02:07 -------- d-----w- c:\documents and settings\Tom\Application Data\Jasc
2009-10-26 02:06 . 2009-10-26 02:06 -------- d-----w- c:\program files\Jasc Software Inc
2009-10-25 20:59 . 2009-10-25 20:59 3584 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-10-25 20:59 . 2009-10-25 20:59 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-23 17:39 . 2009-11-17 15:38 -------- d-----w- c:\program files\iPod
2009-10-23 17:39 . 2009-10-23 17:39 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 21:09 . 2009-06-04 21:13 4536608 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-21 21:01 . 2009-06-04 21:13 96149792 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-21 19:23 . 2009-06-04 21:13 429320 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-21 19:23 . 2009-06-04 21:13 1291472 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-21 19:23 . 2009-04-06 23:08 3887208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-21 17:46 . 2008-08-09 10:59 -------- d-----w- c:\documents and settings\Tom\Application Data\DMCache
2009-11-21 17:32 . 2009-11-01 01:09 5632 --sha-w- c:\program files\Thumbs.db
2009-11-21 17:28 . 2009-04-05 20:54 -------- d-----w- c:\documents and settings\Tom\Application Data\uTorrent
2009-11-21 15:31 . 2009-05-28 19:56 -------- d-----w- c:\program files\MSECACHE
2009-11-17 15:38 . 2008-03-02 11:20 -------- d-----w- c:\program files\Common Files\Apple
2009-11-16 18:15 . 2008-04-12 16:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-14 23:01 . 2008-10-06 20:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-13 21:30 . 2009-09-01 18:42 -------- d-----w- c:\program files\Temp
2009-11-13 17:08 . 2008-09-28 10:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 16:47 . 2008-01-24 13:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 19:09 . 2009-02-13 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-11 17:36 . 2008-03-28 15:02 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-11 16:50 . 2008-06-28 17:42 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-06 20:44 . 2009-09-02 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-01 10:32 . 2009-04-05 20:54 -------- d-----w- c:\program files\uTorrent
2009-10-31 22:17 . 2009-04-05 20:10 -------- d-----w- c:\program files\BitComet
2009-10-31 20:05 . 2008-03-24 19:22 -------- d-----w- c:\program files\Common Files\Real
2009-10-31 11:33 . 2008-03-02 11:25 73984 -c--a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 14:04 . 2009-02-13 22:38 -------- d-----w- c:\program files\Microsoft Works
2009-10-27 21:28 . 2009-04-09 09:37 -------- d-----w- c:\program files\Xvid
2009-10-27 21:28 . 2009-04-02 18:38 -------- d-----w- c:\program files\WorldOfGoo
2009-10-27 21:28 . 2008-01-25 09:44 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-27 21:28 . 2009-05-09 23:15 -------- d-----w- c:\program files\RegCure
2009-10-27 21:28 . 2009-04-09 09:37 -------- d-----w- c:\program files\AoA DVD Ripper
2009-10-27 21:28 . 2009-05-30 10:59 -------- d-----w- c:\program files\Heli Traffic 2009
2009-10-27 21:28 . 2008-03-27 19:23 -------- d-----w- c:\program files\Incomplete
2009-10-27 21:28 . 2008-10-29 09:50 -------- d-----w- c:\program files\FlashGet
2009-10-26 16:54 . 2009-02-18 16:30 588392 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-10-25 19:53 . 2009-06-28 11:54 58884 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-24 21:51 . 2008-06-27 19:25 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-21 15:49 . 2009-10-21 15:49 -------- d-----w- c:\documents and settings\Tom\Application Data\Mael
2009-10-21 15:40 . 2009-10-21 15:40 -------- d-----w- c:\program files\HxD
2009-10-18 16:22 . 2009-10-18 16:22 -------- d-----w- c:\documents and settings\Tom\Application Data\Flight One Software
2009-10-18 15:26 . 2009-10-18 15:26 1032192 ----a-w- c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\ucsn8dxp.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2009-10-14 15:38 . 2009-09-24 20:25 -------- d-----w- c:\documents and settings\Tom\Application Data\IDM
2009-10-08 21:59 . 2009-09-26 17:27 -------- d-----w- c:\program files\Registry Easy
2009-10-08 20:13 . 2008-09-28 11:18 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-06 18:54 . 2009-02-18 16:41 5922816 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-10-06 16:34 . 2009-02-18 16:40 18750976 ----a-w- c:\windows\RTHDCPL.EXE
2009-10-06 07:12 . 2007-01-29 16:27 823936 ----a-w- c:\windows\system32\drivers\rtl8185.sys
2009-10-02 14:41 . 2009-10-02 14:41 -------- d-----w- c:\documents and settings\Tom\Application Data\Office Genuine Advantage
2009-09-29 18:38 . 2009-06-20 19:44 352256 ----a-w- c:\windows\vncutil.exe
2009-09-28 19:49 . 2009-09-28 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-28 15:08 . 2008-08-16 12:44 -------- d-----w- c:\program files\Yahoo!
2009-09-28 15:08 . 2009-09-28 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-27 18:22 . 2009-09-27 18:22 -------- d-----w- c:\program files\BTHomeHub
2009-09-25 15:17 . 2008-08-06 23:24 -------- d-----w- c:\documents and settings\Tom\Application Data\Media Player Classic
2009-09-25 14:34 . 2009-09-25 14:33 198064 ----a-w- c:\documents and settings\Tom\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-09-25 14:34 . 2009-01-29 18:31 -------- d-----w- c:\program files\Internet Download Manager
2009-09-23 16:41 . 2009-09-23 16:41 8704 ----a-w- c:\documents and settings\Tom\cpuxp.sys
2009-09-23 16:17 . 2008-05-22 14:34 -------- d-----w- c:\documents and settings\Tom\Application Data\Skype
2009-09-23 15:39 . 2008-05-22 14:42 -------- d-----w- c:\documents and settings\Tom\Application Data\skypePM
2009-09-22 18:45 . 2008-01-25 10:01 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-21 16:47 . 2009-06-20 19:44 41472 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-09-11 14:18 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 17:44 . 2009-05-04 11:48 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-03 21:37 . 2009-09-03 21:32 6110 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2009-09-03 21:37 . 2009-09-03 21:37 67021 ----a-w- c:\windows\BricoPackUninst.cmd
2009-09-03 21:36 . 2004-08-03 23:56 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-02 21:36 . 2009-09-02 21:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 21:36 . 2009-09-02 21:36 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-02 21:36 . 2009-09-02 21:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-02 21:36 . 2009-09-02 21:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-02 10:58 . 2009-09-20 11:40 1107200 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-29 07:36 . 2004-08-03 23:56 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-07-11 11:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-03 23:56 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-27 12:57 . 2009-07-18 17:21 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-26 08:00 . 2004-08-03 23:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-01 21:16 . 2009-05-01 21:16 61 --sh--w- c:\windows\cnerolf.bin
.
------- Sigcheck -------
[-] 2009-06-03 . 7EE936A57B5901D6B1C4AF9A9E6C500A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-06-03 . 7EE936A57B5901D6B1C4AF9A9E6C500A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 14:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-08-18 106496]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-31 198160]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2008-09-05 159744]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-10-06 18750976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-09-19 21:12 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\avgrsstarter] 2009-09-02 21:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^My applications^Tibia Client.exe] backup=c:\windows\pss\Tibia Client.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.15.lnk] backup=c:\windows\pss\Wireless Configuration Utility HW.15.lnkCommon Startup path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk [HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^MagicDisc.lnk] backup=c:\windows\pss\MagicDisc.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WLSetupSvc"=2 (0x2) "GoToAssist"=2 (0x2) ".norton2009Reset"=2 (0x2) "usnjsvc"=2 (0x2) "IDriverT"=3 (0x3) "UpdateCenterService"=2 (0x2) "prfldsvc"=2 (0x2) "Pml Driver HPZ12"=2 (0x2) "ose"=3 (0x3) "Microsoft Office Groove Audit Service"=3 (0x3) "McciCMService"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "idsvc"=2 (0x2) "McAfee SiteAdvisor Service"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "f:\\Call Of Duty Modern Warfare\\iw3mp.exe"= "c:\\Program Files\\Safari\\Safari.exe"= "f:\\Call of Duty WAW\\CoDWaWmp.exe"= "c:\\Documents and Settings\\Tom\\My Documents\\My Games saves\\Left 4 Dead\\left4dead.exe"= "c:\\Program 
Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"= "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21/03/2009 20:30 114768] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/09/2009 21:36 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/09/2009 21:36 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 74480] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/03/2009 20:30 20560] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/09/2009 21:36 297752] R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [21/04/2006 07:22 70912] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592] R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [27/12/2008 17:40 17152] R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [04/10/2008 07:42 22784] S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [03/12/2008 22:28 4224] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [18/02/2009 16:40 1684736] S3 cpuxp;cpuxp;c:\documents and settings\Tom\cpuxp.sys [23/09/2009 16:41 8704] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 7408] S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [06/04/2009 12:19 23064] S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?] 
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [02/10/2002 09:57 13532] S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/07/2008 23:12 210216] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/01/2008 09:14 721904] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs BtwSrv . Contents of the 'Scheduled Tasks' folder 2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1383384898-2147175445-1003Core.job - c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:38] 2009-11-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1383384898-2147175445-1003UA.job - c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:38] 2009-11-21 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20] 2009-11-21 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07] 2009-11-21 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20] 2009-07-05 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2007-08-02 08:20] 2009-11-14 c:\windows\Tasks\Schedule Task Weekly.job - c:\program files\Registry Easy\RE.exe [2009-09-26 15:43] 2009-11-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job - c:\program files\Ask.com\UpdateTask.exe [2009-09-02 14:56] . . ------- Supplementary Scan ------- . 
uInternet Connection Wizard,ShellNext = hxxp://www.bt.com/gta uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/ IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\windows\system32\idmmbc.dll DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://138.237.46.59/activex/AMC.cab . - - - - ORPHANS REMOVED - - - - URLSearchHooks-*{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file) HKLM-Run-81640726 - c:\docume~1\ALLUSE~1\APPLIC~1\81640726\81640726.exe MSConfigStartUp-Comrade - (no file) AddRemove-Aircraft Factory F4u Corsair - f:\micros~3\\UNWISE.EXE ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-21 21:00 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . |
|
21-Nov-2009, 03:31 PM
#4 |
| --------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{14FF0484-2225-1D25-13C3-AAC73DB4B65B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpipjcgpeajimlehbldlbmcbmfchhfbfb"=hex:65,62,70,69,6f,68,6e,6a,69,70,6c,6c,69,68,6a,64,6a,6f,64,69,6a,68,6a,65,70,6a,70,63,61,6b,68,6a,62,64,65,6e,6e,\
"bbpipjcgpeajimlehbgdccoaipdegmcimclm"=hex:61,62,63,64,6c,6f,6f,6a,61,65,6e,70,6d,61,65,6f,6f,66,6a,6a,69,61,66,63,65,65,6f,69,67,63,6b,67,6f,6a,00,6e

[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8a,fc,34,80,7e,87,8b,38,b4,ff,f7,f2,61,cf,0d,0d,a1,16,91,9e,51,83,ea,6f,9f,1e,c0,59,b8,18,50,5a,da,37,b6,38,82,bc,98,77,39,a9,f0,20,b4,31,c4,b8,\
"??"=hex:25,65,bb,27,8b,92,55,34,10,3f,d9,49,2f,0e,31,37

[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\SecuROM\License information*]
"datasecu"=hex:90,4f,ff,89,3d,a3,23,02,4e,01,39,af,a5,a0,91,04,c6,e4,58,ce,f0,ac,91,a9,85,06,f7,69,b6,30,b4,0d,56,0d,38,bb,48,6c,07,16,b9,cd,5f,fc,c1,5e,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):f9,0b,34,a4,4c,82,b8,c5,dd,cd,ca,81,0e,97,ef,1f,c1,fd,7f,bb,f8,67,ee,03,ff,27,d3,fa,62,a5,4f,21,91,f6,d1,34,0f,73,12,cf,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{65117192-79ea-4fbb-a7a9-9d2f21292b4c}]
@Denied: (Full) (Everyone)
"Model"=dword:00000123
"Therad"=dword:0000002d
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b4,2d,cc,e5,d1,92,51,b0,21,48,17,e4,1f,eb,dd,34,75,6e,75,15,d5,2f,07,22,95,52,21,8a,79,a7,78,03,69,82,a7,58,08,43,d5,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f4e7ddaf-a7b5-437f-903d-af997877dbc2}]
@Denied: (Full) (Everyone)
"Model"=dword:00000067
"Therad"=dword:0000000f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,df,1c,2f,3b,8a,0a,32,11,89,01,b5,0c,b3,1d,9e,a2,08,6f,a3,74,fe,7e,25,5f,c0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\idmmbc.dll

- - - - - - - > 'explorer.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\idmmbc.dll
c:\program files\Microsoft Private Folder 1.0\ShellExt.dll
c:\windows\system32\PFLib.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
f:\spybot~1\SDHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\progra~1\mcafee\SITEAD~1\mcieplg.dll
c:\program files\Ask.com\GenericAskToolbar.dll
c:\windows\system32\mmfinfo.dll
c:\windows\system32\mkunicode.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\netdde.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\dllhost.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\locator.exe
c:\program files\Razer\DeathAdder\razerofa.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\tlntsvr.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2009-11-21 21:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 21:19

Pre-Run: 116,194,099,200 bytes free
Post-Run: 116,411,695,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 20A3039B198A76A2049270D5C00A8F4D |
|
21-Nov-2009, 04:10 PM
#5 |
| Good Job. Please do the following:

STEP 1
Please uninstall the following by going to Start > Control Panel > Add/Remove Programs
Ask ToolBar

STEP 2
1. Close any open programs before running the fix.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::
FCopy::
c:\windows\ServicePackFiles\i386\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\ServicePackFiles\i386\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParetoLogic Anti-Virus PLUS]
File::
d:\ntglm7x.sys
C:\Windows\btwsrv.dll
C:\Windows\System32\btwsrv.dll
c:\windows\system32\tdlclk.dll
c:\windows\system32\tdlwsp.dll
Driver::
BtwSrv
SetupNTGLM7X
NetSvc::
BtwSrv
Folder::
c:\docume~1\ALLUSE~1\APPLIC~1\81640726
c:\program files\Ask.com
c:\documents and settings\Tom\Local Settings\Application Data\AskToolbar
RegLock::
[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
RegLockDel::
[HKEY_USERS\S-1-5-21-725345543-1383384898-2147175445-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{14FF0484-2225-1D25-13C3-AAC73DB4B65B}*]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. You can attach it instead of copying and pasting it by clicking on either the blue Reply button or the Go Advanced button and then on the "Manage Attachments" button.
__________________ Please post the final results, good or bad. Let me know if you won't be responding any longer. If I have not responded in three days, please feel free to PM me with a friendly reminder. Please don't send me requests for help. Use the forums instead. |
|
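The Sigcheck section of the ComboFix log earlier in this thread and the FCopy lines in the fix above rest on one check: the two live copies of tcpip.sys (drivers\ and dllcache\) carry the same version resource and the same byte size as the verified KB951748 copies, yet a different MD5, which is what a driver patched in place looks like. The script below is an added example, not part of the original posts or of ComboFix; it parses Sigcheck lines (the seven from this thread are embedded as sample input), separates "same version and size, different hash" from "unverified with nothing to compare against", and lists the verified copies that could serve as a restore donor. It assumes ComboFix's flags mean what I read them as: [7] verified against Microsoft's catalogues, [-] not verified. The md5_of() helper is there to re-check a live driver against the log on a Windows box; it is not exercised offline.

```python
"""
Find a system driver that was patched in place, using what ComboFix's
Sigcheck section records: flag, file hash, size, version resource, path.

The tell for in-place patching: a copy that shares version AND size with
a verified copy but has a different hash. A rootkit that overwrites code
inside a driver leaves the version resource and the file length alone.
"""
import hashlib
import re
from collections import defaultdict

# Sample input: the seven Sigcheck lines from the ComboFix log in this thread.
SIGCHECK_LOG = r"""
[-] 2009-06-03 . 7EE936A57B5901D6B1C4AF9A9E6C500A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-06-03 . 7EE936A57B5901D6B1C4AF9A9E6C500A . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
"""

# Layout of one Sigcheck line: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # Assumption about ComboFix's flags: [7] = hash verified against
        # Microsoft's catalogues, [-] = could not be verified.
        e["verified"] = e["flag"] == "7"
        entries.append(e)
    return entries


def classify(entries):
    """
    Bucket unverified copies:
      patched       - a verified copy with the same version and size exists,
                      but every such copy has a different hash
      no_reference  - nothing comparable to judge it against (e.g. an old
                      hotfix copy whose catalogue is gone), or its hash does
                      match a verified copy after all
    'donors' lists verified copies per version for an FCopy-style restore.
    """
    by_version = defaultdict(list)
    for e in entries:
        by_version[e["version"]].append(e)

    patched, no_reference, donors = [], [], {}
    for version, group in by_version.items():
        good = [e for e in group if e["verified"]]
        if good:
            donors[version] = [e["path"] for e in good]
        for e in group:
            if e["verified"]:
                continue
            same_build = [g for g in good if g["size"] == e["size"]]
            if same_build and all(g["md5"] != e["md5"] for g in same_build):
                patched.append(e["path"])
            else:
                no_reference.append(e["path"])
    return {"patched": patched, "no_reference": no_reference, "donors": donors}


def analyze(text=SIGCHECK_LOG):
    """Parse and classify in one call; defaults to the log from this thread."""
    return classify(parse_sigcheck(text))


def md5_of(path):
    """MD5 of a file on disk, for comparing a live driver against the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    result = analyze()
    for p in result["patched"]:
        print("PATCHED IN PLACE:", p)
    for p in result["no_reference"]:
        print("unverified, no reference copy:", p)
    for v, paths in sorted(result["donors"].items()):
        print("verified donors for", v, "->", ", ".join(paths))
```

On this log the script flags both live tcpip.sys copies as patched and names the two KB951748 SP3 copies as same-version donors; the ServicePackFiles copy the fix above uses is also a verified donor, but of the older 5.1.2600.5512 build, so the patch level changes after the FCopy. Replacing only drivers\tcpip.sys would not be enough, since Windows File Protection restores from dllcache\, which is why the fix copies to both locations.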
21-Nov-2009, 06:19 PM
#6 |
| i have attached the new log. |
|
21-Nov-2009, 06:24 PM
#7 |
| Good. That should have fixed the problem. I see you have MalwareBytes installed so let's run a full scan with it. I want to see if there's something I missed.

STEP 1
Download TFC to your desktop
STEP 2
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________ Please post the final results, good or bad. Let me know if you won't be responding any longer. If I have not responded in three days, please feel free to PM me with a friendly reminder. Please don't send me requests for help. Use the forums instead. |
|
21-Nov-2009, 09:19 PM
#8 |
| i think its back |
|
22-Nov-2009, 05:15 AM
#10 |
| Posted via Mobile Device |
|
22-Nov-2009, 05:16 AM
#11 |
| Because it said in the log that it found tdlcmd |
|
22-Nov-2009, 01:03 PM
#12 |
| It's not back. If you'll notice, it's in our Quarantine folder, which means we already took care of it. Let's do the following to make absolutely sure you're clean. The online scan will take a while but it's well worth it as it can often find things all other scanners will miss.

STEP 1
The online scanner uses Java, so I will need you to download and install the latest version for that. Please go here to download the installer: http://java.com/en/download/index.jsp
Reboot your machine when that's done.

STEP 2
Using Internet Explorer or Firefox, visit Kaspersky Online Scanner
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take quite a long time to download.
__________________ Please post the final results, good or bad. Let me know if you won't be responding any longer. If I have not responded in three days, please feel free to PM me with a friendly reminder. Please don't send me requests for help. Use the forums instead. |
Tags: tdlwsp.dll
Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.