> [Resolved] Infected with Spyware
jw577
post Oct 4 2008, 10:40 AM
Post #1
New Member | Group: New Member | Posts: 6 | Joined: 4-October 08 | Member No.: 81,807 | Operating System: Windows XP

Hello,
My PC is infected with spyware. It took over my desktop background and added new icons, virus alerts and pop-ups onto my desktop. It also prevented me from starting my PC in normal or safe mode; however, I did manage to get it to start (by luck). Once infected I also couldn't use System Restore. I have run scans with AVG antivirus, Ad-Aware, SUPERAntiSpyware and Windows Defender. This seems to have stopped the pop-ups and removed the background and most of the alerts, but my computer still isn't running well. I have done a scan with HijackThis; here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34: VIRUS ALERT!, on 04/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=4061114
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...html?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=4061114
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...amp;ibd=4061114
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...095/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay109.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://spinpalace.microgaming.com/freeplay/FlashAX2.cab
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: onfwbsak - {CD44BEED-49F0-428A-A267-067C884184FF} - C:\WINDOWS\onfwbsak.dll (file missing)
O21 - SSODL: xgpsarbm - {7C0A68D2-6A70-42B0-9910-DFC527F93889} - C:\WINDOWS\xgpsarbm.dll (file missing)
O21 - SSODL: neksolda - {6393F1AC-F856-455A-AEDC-1B6626FBFAB6} - C:\WINDOWS\neksolda.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13662 bytes


Any help on what my next step should be would be much appreciated.
Thanks a lot.
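Added example (not part of this thread, and not HijackThis's own analysis): the checks a responder applies to a log like the one in the post above, in Python, with sample lines copied verbatim from that log. It flags the four things that mark this log as a rogue-antivirus infection: the "VIRUS ALERT!" text inside HijackThis's own timestamp (the rogue rewrote the user's time-format string, which is why SDFix later reports "Restoring Time Format To Remove Fake Virus Alert"), the O21 SSODL entries with eight-letter random names whose DLLs are already gone, the O6/O7 policy restrictions that lock the user out of regedit, and the O16 ActiveX package pulled from a raw IP on a non-standard port. The severity scale, the Finding class, the regex rules and the function names are this example's own assumptions.

```python
"""Triage heuristics for a Trend Micro HijackThis 2.0 log (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied verbatim from the HijackThis log posted above; the rest of
# that log is omitted here to keep the sample short.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34: VIRUS ALERT!, on 04/10/2008
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://69.59.149.193:82/enzf/TqUpdate_Release.CAB
O21 - SSODL: onfwbsak - {CD44BEED-49F0-428A-A267-067C884184FF} - C:\WINDOWS\onfwbsak.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # "O21 - SSODL: ..." -> ("O21", "SSODL: ...")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")      # onfwbsak, xgpsarbm, neksolda
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    severity: str   # "high" or "medium" (this example's own scale)
    section: str    # HijackThis section code, or "header"
    reason: str
    line: str


def is_raw_ip_url(url: str) -> bool:
    """True when the URL's host is a literal IP address rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The rogue rewrote the user's time-format string, so every
        # timestamp on the box, including HijackThis's own, carries its text.
        if line.startswith("Scan saved at") and "VIRUS ALERT" in line.upper():
            findings.append(Finding("high", "header",
                                    "time format tampered: rogue text inside the scan timestamp", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if body.endswith(ORPHAN_MARKERS):
            # e.g. "SSODL: onfwbsak - {GUID} - C:\WINDOWS\onfwbsak.dll (file missing)"
            name = body.split(" - ")[0].split(": ", 1)[-1]
            random_name = bool(RANDOM_NAME_RE.match(name))
            # A stale BHO/button reference is usually debris; an 8-letter random
            # name in a shell-load (SSODL) slot is a rogue's leftover autostart.
            severity = "high" if section == "O21" and random_name else "medium"
            findings.append(Finding(severity, section, f"orphaned reference to '{name}'", line))
        elif section in ("O6", "O7"):
            findings.append(Finding("medium", section,
                                    "policy lockout (IE restrictions / regedit disabled)", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if is_raw_ip_url(url):
                findings.append(Finding("high", section,
                                        f"ActiveX package fetched from a raw IP: {url}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, e.g. {'high': 3, 'medium': 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:6} {f.reason}\n         {f.line}")
```

Run as-is it prints six findings from the sample; pass a complete log to triage() to cover the rest of the entries. Anything it does not flag (the AVG, NVIDIA and Java lines here) still needs a human eye, since these rules only encode the patterns visible in this thread.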
Rorschach112
post Oct 4 2008, 11:21 AM
Post #2
SuperMember | Group: Visiting Teacher | Posts: 2,131 | Joined: 29-September 07 | Member No.: 73,164 | Operating System: Windows XP

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)




jw577
post Oct 4 2008, 12:33 PM
Post #3
New Member | Group: New Member | Posts: 6 | Joined: 4-October 08 | Member No.: 81,807 | Operating System: Windows XP

Hi Again
I have run SDFix and Lop S&D and my computer seems to be running much better. All of the virus alerts have now gone as well. Here are my logs from these scans:


SDFix: Version 1.231
Run by Joe Ward on 04/10/2008 at 18:53

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows Product ID To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\EDLW.EXE - Deleted
C:\WINDOWS\EVQB.EXE - Deleted
C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted
C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp\windfr.exe.bat - Deleted
C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp\pwrmgr.exe - Deleted
C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\tdssadw.dll - Deleted
C:\WINDOWS\system32\TDSSerrors.log - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 18:59:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ba,01,46,e2,28,3a,c5,57,80,2c,9e,83,a6,87,58,99,11,c2,24,0d,d0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,33,91,9c,1a,d9,5a,5b,5f,67,97,8a,92,85,10,ab,08,f5,..
"khjeh"=hex:f1,fb,1c,b9,c0,b8,28,7f,92,81,7b,68,d2,7e,c7,b3,ae,2a,21,ef,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,55,48,9a,7f,12,4d,00,2b,ac,9e,17,76,67,a0,b6,87,07,1e,ce,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:6f,b6,51,55,04,3b,98,cf,78,98,21,90,ac,4c,a7,ef,f1,59,98,c7,a4,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ba,01,46,e2,28,3a,c5,57,80,2c,9e,83,a6,87,58,99,11,c2,24,0d,d0,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,33,91,9c,1a,d9,5a,5b,5f,67,97,8a,92,85,10,ab,08,f5,..
"khjeh"=hex:f1,fb,1c,b9,c0,b8,28,7f,92,81,7b,68,d2,7e,c7,b3,ae,2a,21,ef,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,55,48,9a,7f,12,4d,00,2b,ac,9e,17,76,67,a0,b6,87,07,1e,ce,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,f4,74,da,d9,d8,d4,2e,04,db,f0,49,3c,ac,30,fc,47,5b,32,26,71,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ba,01,46,e2,28,3a,c5,57,80,2c,9e,83,a6,87,58,99,11,c2,24,0d,d0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,33,91,9c,1a,d9,5a,5b,5f,67,97,8a,92,85,10,ab,08,f5,..
"khjeh"=hex:f1,fb,1c,b9,c0,b8,28,7f,92,81,7b,68,d2,7e,c7,b3,ae,2a,21,ef,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,55,48,9a,7f,12,4d,00,2b,ac,9e,17,76,67,a0,b6,87,07,1e,ce,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,f4,74,da,d9,d8,d4,2e,04,db,f0,49,3c,ac,30,fc,47,5b,32,26,71,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ba,01,46,e2,28,3a,c5,57,80,2c,9e,83,a6,87,58,99,11,c2,24,0d,d0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,33,91,9c,1a,d9,5a,5b,5f,67,97,8a,92,85,10,ab,08,f5,..
"khjeh"=hex:f1,fb,1c,b9,c0,b8,28,7f,92,81,7b,68,d2,7e,c7,b3,ae,2a,21,ef,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:19,55,48,9a,7f,12,4d,00,2b,ac,9e,17,76,67,a0,b6,87,07,1e,ce,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,f4,74,da,d9,d8,d4,2e,04,db,f0,49,3c,ac,30,fc,47,5b,32,26,71,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3AED2CD-8271-6152-F8C3-B463037F1251}]
"ablckpiebfjejhncdblaecpmpeaeacefdd"=hex:65,62,6c,63,6e,6e,65,6d,66,6b,63,63,69,64,61,6b,61,67,6c,69,64,..
"bblckpiebfjejhncdbeahmcalhkgbenafica"=hex:61,62,67,6a,65,67,6d,6f,6f,65,61,6d,6c,69,6f,65,69,6b,67,67,6c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe:*:Enabled:Device Monitor Application"
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe:*:Enabled:Device Monitor"
"C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\lsupdatemanager.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\lsupdatemanager.exe:*:Enabled:Ad-Aware Update Manager"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\WINDOWS\\system32\\lxdiih.exe"="C:\\WINDOWS\\system32\\lxdiih.exe:*:Enabled:Printer Communication System"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 10 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 10 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 15 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 15 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 15 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 15 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 15 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 2 Apr 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!





and here is my Lop S&D report:





-------------------\\ Lop S&D 4.2.4-5 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.80GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 1.0.2
USER : Joe Ward ( Administrator )
BOOT : Normal boot
Antivirus : AVG 7.5.524 7.5.524 (Not Activated)
Firewall : ZoneAlarm Firewall 7.0.462.000 (Activated)
C:\ (Local Disk) - NTFS - Total : 107 Go Free : 10 Go
D:\ (Local Disk) - NTFS - Total : 37 Go Free : 10 Go
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (USB)
H:\ (USB)
I:\ (USB)
J:\ (USB)
K:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 02-10-2008|23:42 )
Option : [1] ( 04/10/2008|19:20 )

--------------------\\ Listing folders in APPLIC~1

[17/11/2006|12:47] C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
[15/11/2006|00:58] C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
[16/08/2005|05:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[16/08/2005|05:30] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[15/11/2006|00:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
[15/11/2006|00:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver

[26/12/2006|01:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ableton
[15/11/2006|00:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[17/11/2006|12:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
[16/02/2008|21:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
[15/11/2006|00:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
[16/08/2005|21:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\DIGStream
[21/08/2007|16:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\FaxCtr
[19/02/2007|21:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[02/07/2008|00:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Graboid Inc
[15/02/2008|23:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
[02/04/2007|12:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
[15/11/2006|00:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[14/07/2008|00:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
[02/02/2007|15:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macromedia
[26/12/2006|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
[16/02/2008|21:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
[26/07/2008|13:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
[15/11/2006|00:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
[05/02/2007|19:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com Personal Firewall
[03/10/2008|22:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[21/02/2008|12:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[26/12/2006|02:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Minnetonka Audio Software
[03/12/2007|13:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
[13/11/2007|22:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[10/03/2008|18:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Otto
[05/10/2007|13:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software
[17/04/2007|00:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
[26/07/2008|13:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
[05/05/2008|13:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Smith Micro
[15/11/2006|00:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[31/07/2007|11:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
[03/10/2008|22:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
[17/11/2006|13:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[16/12/2007|22:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Syncrosoft
[28/09/2008|19:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
[27/03/2008|15:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
[16/02/2008|17:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
[09/12/2006|02:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[09/05/2008|15:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\yxulmred

[17/11/2006|12:47] C:\DOCUME~1\DEFAUL~1\APPLIC~1\AOL
[15/11/2006|00:58] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
[16/08/2005|05:50] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Identities
[16/08/2005|05:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[15/11/2006|00:50] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
[15/11/2006|00:50] C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver

[26/12/2006|01:23] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Ableton
[16/08/2008|23:18] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Adobe
[05/02/2007|19:37] C:\DOCUME~1\JOEWAR~1\APPLIC~1\AdobeUM
[17/11/2006|12:47] C:\DOCUME~1\JOEWAR~1\APPLIC~1\AOL
[04/10/2008|19:04] C:\DOCUME~1\JOEWAR~1\APPLIC~1\AVG7
[26/12/2006|01:30] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Cakewalk
[17/11/2006|13:00] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Corel
[28/09/2008|18:30] C:\DOCUME~1\JOEWAR~1\APPLIC~1\COWON
[04/09/2008|10:20] C:\DOCUME~1\JOEWAR~1\APPLIC~1\DAEMON Tools
[04/02/2007|17:00] C:\DOCUME~1\JOEWAR~1\APPLIC~1\DivX
[23/08/2007|02:00] C:\DOCUME~1\JOEWAR~1\APPLIC~1\FaxCtr
[12/03/2007|22:33] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Google
[15/11/2006|00:58] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Gtek
[24/01/2007|13:10] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Help
[16/08/2005|05:50] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Identities
[22/11/2007|21:03] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Lavasoft
[20/11/2006|14:54] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Leadertech
[01/09/2007|14:35] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Lexmark Productivity Studio
[28/05/2007|14:12] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Macromedia
[21/12/2006|19:29] C:\DOCUME~1\JOEWAR~1\APPLIC~1\McAfee.com Personal Firewall
[19/02/2007|22:27] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Media Player Classic
[22/11/2007|20:25] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Microsoft
[01/09/2008|17:09] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Mozilla
[02/07/2008|00:28] C:\DOCUME~1\JOEWAR~1\APPLIC~1\MozillaControl
[10/03/2008|18:55] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Otto
[05/05/2008|13:17] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Propellerhead Software
[26/12/2006|03:31] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Proteus VX
[06/10/2007|18:56] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Shareaza
[09/09/2007|00:25] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Soldat
[20/11/2006|14:54] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Sonic
[13/08/2007|17:01] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Sony Corporation
[16/12/2007|22:11] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Steinberg
[16/12/2006|02:12] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Sun
[03/10/2008|22:50] C:\DOCUME~1\JOEWAR~1\APPLIC~1\SUPERAntiSpyware.com
[15/11/2006|00:50] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Symantec
[17/11/2006|16:03] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Template
[02/10/2008|19:52] C:\DOCUME~1\JOEWAR~1\APPLIC~1\TmpRecentIcons
[21/02/2008|12:43] C:\DOCUME~1\JOEWAR~1\APPLIC~1\U3
[27/03/2008|15:50] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Viewpoint
[24/12/2007|04:01] C:\DOCUME~1\JOEWAR~1\APPLIC~1\vlc
[16/02/2008|17:27] C:\DOCUME~1\JOEWAR~1\APPLIC~1\Webroot
[15/11/2006|00:50] C:\DOCUME~1\JOEWAR~1\APPLIC~1\You've Got Pictures Screensaver

[15/02/2008|23:43] C:\DOCUME~1\LOCALS~1\APPLIC~1\AVG7
[17/11/2006|12:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
[16/08/2005|05:30] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[30/08/2008|16:16] C:\DOCUME~1\LOCALS~1\APPLIC~1\SACore
[16/02/2008|17:27] C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot

[16/08/2005|05:30] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[04/10/2008|18:48] C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[04/10/2008 19:00][--ah-----] C:\WINDOWS\tasks\MP Scheduled Scan.job
[18/08/2008 02:00][--a------] C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job
[04/10/2008 18:57][--ah-----] C:\WINDOWS\tasks\SA.DAT
[10/08/2004 06:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[29/05/2007|02:41] C:\Program Files\3D Relief Screensaver
[01/09/2007|14:36] C:\Program Files\Abbyy FineReader 6.0 Sprint
[25/12/2006|21:06] C:\Program Files\Ableton
[09/10/2007|22:37] C:\Program Files\Acoustica Beatcraft
[20/11/2006|15:49] C:\Program Files\Acoustica Mixcraft
[20/11/2006|15:49] C:\Program Files\Acoustica Shared Effects
[15/11/2006|00:57] C:\Program Files\Adobe
[17/11/2006|13:18] C:\Program Files\Alwil Software
[15/11/2006|00:55] C:\Program Files\BAE
[24/12/2006|01:40] C:\Program Files\Belkin(2)
[15/02/2008|19:36] C:\Program Files\BitComet
[05/06/2007|14:09] C:\Program Files\Buka
[27/09/2007|20:58] C:\Program Files\Bullfrog
[25/12/2006|21:16] C:\Program Files\Cakewalk
[21/08/2007|16:21] C:\Program Files\CCleaner
[20/11/2006|15:21] C:\Program Files\CDBurnerXP Pro 3
[22/11/2007|21:07] C:\Program Files\Combined Community Codec Pack
[28/09/2008|19:12] C:\Program Files\Common Files
[15/02/2008|19:37] C:\Program Files\Conquer 2.0
[17/11/2006|13:00] C:\Program Files\Corel
[25/12/2006|20:07] C:\Program Files\Creative
[26/12/2006|03:31] C:\Program Files\Creative Professional
[04/09/2008|10:27] C:\Program Files\DAEMON Tools Lite
[04/09/2008|10:27] C:\Program Files\DAEMON Tools Toolbar
[05/06/2007|16:26] C:\Program Files\dayam NFO Viewer
[17/11/2006|12:58] C:\Program Files\Dell
[15/11/2006|00:57] C:\Program Files\Dell Support
[16/08/2005|21:54] C:\Program Files\DIGStream
[15/02/2008|19:37] C:\Program Files\DirectVobSub
[02/05/2008|01:14] C:\Program Files\DivX
[16/08/2005|21:51] C:\Program Files\EnglishOtto
[16/08/2005|21:54] C:\Program Files\ESPNMotion
[30/05/2007|12:38] C:\Program Files\Full Throttle
[28/09/2008|18:29] C:\Program Files\Gabest
[15/02/2008|19:38] C:\Program Files\Game Cam v1.4
[16/08/2005|21:54] C:\Program Files\GemMaster
[27/05/2008|00:56] C:\Program Files\Google
[28/09/2008|18:31] C:\Program Files\Graboid
[15/02/2008|23:43] C:\Program Files\Grisoft
[25/05/2007|14:59] C:\Program Files\Guitar Pro 5
[29/02/2008|20:21] C:\Program Files\HooTech
[25/12/2006|21:11] C:\Program Files\IK Multimedia
[28/09/2008|19:16] C:\Program Files\InstallShield Installation Information
[15/11/2006|00:47] C:\Program Files\Intel
[15/11/2006|00:48] C:\Program Files\InterActual
[26/09/2008|00:13] C:\Program Files\Internet Explorer
[25/09/2008|23:47] C:\Program Files\Java
[15/09/2007|23:17] C:\Program Files\Labtec Wireless Desktop
[14/07/2008|00:42] C:\Program Files\Lavasoft
[15/11/2006|00:50] C:\Program Files\Learn2.com
[21/08/2007|16:38] C:\Program Files\Lexmark 3500-4500 Series
[21/08/2007|16:38] C:\Program Files\Lexmark Fax Solutions
[21/08/2007|17:12] C:\Program Files\Lexmark Toolbar
[05/09/2008|17:31] C:\Program Files\LibUSB-Win32-0.1.10.1
[21/08/2007|16:26] C:\Program Files\LucasArts
[09/04/2007|22:52] C:\Program Files\Macromedia
[31/12/2007|01:05] C:\Program Files\M-Audio MA_CMIDI
[29/09/2008|09:55] C:\Program Files\McAfee
[26/09/2008|00:19] C:\Program Files\Messenger
[16/08/2005|05:43] C:\Program Files\microsoft frontpage
[27/01/2007|14:22] C:\Program Files\Microsoft IntelliPoint
[17/04/2007|00:22] C:\Program Files\Microsoft Office
[15/08/2008|18:42] C:\Program Files\Microsoft Silverlight
[17/04/2007|00:22] C:\Program Files\Microsoft Works
[08/02/2007|21:28] C:\Program Files\Microsoft.NET
[26/09/2008|00:13] C:\Program Files\Movie Maker
[02/07/2008|00:27] C:\Program Files\Mozilla ActiveX Control v1.7.12
[03/10/2008|17:09] C:\Program Files\Mozilla Firefox
[07/12/2006|17:43] C:\Program Files\MSN
[16/08/2005|05:37] C:\Program Files\MSN Gaming Zone
[26/09/2008|18:16] C:\Program Files\MSN Messenger
[18/11/2006|04:05] C:\Program Files\MSXML 4.0
[24/02/2007|15:43] C:\Program Files\MyWiki
[26/09/2008|00:05] C:\Program Files\NetMeeting
[16/08/2005|05:38] C:\Program Files\Online Services
[26/09/2008|00:04] C:\Program Files\Outlook Express
[25/11/2007|00:59] C:\Program Files\PFConfig
[05/05/2008|14:43] C:\Program Files\Propellerhead
[17/04/2007|00:02] C:\Program Files\QuickTime
[06/10/2007|17:54] C:\Program Files\Real
[05/05/2008|15:24] C:\Program Files\Recycle
[23/02/2008|22:45] C:\Program Files\Red Kawa
[04/09/2008|10:46] C:\Program Files\rFactor
[16/08/2005|21:58] C:\Program Files\RGB
[15/11/2006|00:54] C:\Program Files\Roxio
[17/06/2007|00:34] C:\Program Files\Samsung
[15/02/2008|19:42] C:\Program Files\ScummVM
[06/10/2007|18:56] C:\Program Files\Shareaza
[15/11/2006|00:45] C:\Program Files\Sigmatel
[15/11/2006|00:55] C:\Program Files\Sonic
[13/08/2007|15:52] C:\Program Files\Sony
[15/02/2008|19:40] C:\Program Files\Steam
[16/12/2007|22:11] C:\Program Files\Steinberg
[30/05/2007|02:15] C:\Program Files\Submachine4_at
[25/09/2008|23:48] C:\Program Files\Sun
[03/10/2008|22:50] C:\Program Files\SUPERAntiSpyware
[15/11/2006|00:50] C:\Program Files\Symantec
[16/12/2007|22:11] C:\Program Files\Syncrosoft
[22/02/2008|22:00] C:\Program Files\Telltale
[28/09/2008|18:58] C:\Program Files\Telltale Games
[04/10/2008|17:33] C:\Program Files\Trend Micro
[09/12/2006|02:15] C:\Program Files\Uninstall Information
[05/06/2007|17:04] C:\Program Files\VDMSound
[24/12/2007|04:00] C:\Program Files\VideoLAN
[15/11/2006|00:50] C:\Program Files\Viewpoint
[02/04/2007|12:42] C:\Program Files\WebCyberCoach
[16/02/2008|17:27] C:\Program Files\Webroot
[03/10/2008|22:52] C:\Program Files\Windows Defender
[10/03/2008|18:49] C:\Program Files\Windows Media Connect 2
[10/02/2007|02:35] C:\Program Files\Windows Media Player
[26/09/2008|00:04] C:\Program Files\Windows NT
[16/08/2005|05:37] C:\Program Files\Windows Plus
[17/11/2006|13:36] C:\Program Files\WindowsUpdate
[20/11/2006|15:46] C:\Program Files\WinRAR
[16/08/2005|05:43] C:\Program Files\xerox
[15/08/2007|23:17] C:\Program Files\Xilisoft
[20/05/2008|22:47] C:\Program Files\XviD
[16/02/2008|15:50] C:\Program Files\ZDaemon
[16/02/2008|21:46] C:\Program Files\Zone Labs
[16/02/2008|21:52] C:\Program Files\ZoneAlarmSB

--------------------\\ Listing Folders in C:\Program Files\Common Files

[15/11/2006|00:57] C:\Program Files\Common Files\Adobe
[17/11/2006|12:57] C:\Program Files\Common Files\AOL
[26/12/2006|03:38] C:\Program Files\Common Files\Creative Professional
[08/02/2007|21:33] C:\Program Files\Common Files\DESIGNER
[18/09/2007|13:14] C:\Program Files\Common Files\Download Manager
[17/11/2006|13:30] C:\Program Files\Common Files\InstallShield
[30/04/2008|23:31] C:\Program Files\Common Files\InterVideo
[15/11/2006|00:41] C:\Program Files\Common Files\Java
[30/04/2008|23:29] C:\Program Files\Common Files\LightScribe
[09/04/2007|22:52] C:\Program Files\Common Files\Macromedia
[26/12/2006|03:33] C:\Program Files\Common Files\Macrovision Shared
[26/07/2008|13:02] C:\Program Files\Common Files\McAfee
[30/04/2008|23:25] C:\Program Files\Common Files\Microsoft Shared
[16/08/2005|05:40] C:\Program Files\Common Files\MSSoap
[15/11/2006|00:50] C:\Program Files\Common Files\Nullsoft
[20/11/2006|15:40] C:\Program Files\Common Files\ODBC
[17/11/2006|13:08] C:\Program Files\Common Files\Real
[15/11/2006|00:54] C:\Program Files\Common Files\Roxio Shared
[16/08/2005|05:40] C:\Program Files\Common Files\Services
[12/12/2006|22:02] C:\Program Files\Common Files\Sonic Shared
[22/11/2007|21:10] C:\Program Files\Common Files\Sony Shared
[16/08/2005|05:33] C:\Program Files\Common Files\SpeechEngines
[17/11/2006|13:15] C:\Program Files\Common Files\Symantec Shared
[26/09/2008|00:04] C:\Program Files\Common Files\System
[15/11/2006|00:54] C:\Program Files\Common Files\TiVo Shared
[03/10/2008|22:49] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 68 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 19:22:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 1

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKLM\..\ControlSet001\Enum\Root\LEGACY_TDSSSERV]
Rootkit Tibs ! .. [HKLM\..\ControlSet001\Services\tdssserv]
Rootkit Tibs ! .. [HKLM\..\ControlSet001\Enum\Root\tdssserv]

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Reason 4 + Keygen + Patch RPS.torrent
C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Rfactor Crack v1.255 (Reloaded).zip.torrent
C:\DOCUME~1\JOEWAR~1\Desktop\crack_ver1.454.0.exe
C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded)
C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded)\rFactor Crack v.1.255 (Reloaded)
C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded)\rFactor Crack v.1.255 (Reloaded)\reloaded.nfo


[F:7][D:7]-> C:\DOCUME~1\JOEWAR~1\LOCALS~1\Temp
[F:148][D:0]-> C:\DOCUME~1\JOEWAR~1\Cookies
[F:318][D:4]-> C:\DOCUME~1\JOEWAR~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 04/10/2008|19:23 - Option : [1]

--------------------\\ Scan completed at 19:23:30



Please let me know what my next steps should be if any.
Thanks a lot, Jw577
Rorschach112
post Oct 5 2008, 04:05 AM
Post #4


SuperMember
*****

Group: Visiting Teacher
Posts: 2,131
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



You got infected because you downloaded cracks.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Reason 4 + Keygen + Patch RPS.torrent
    C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Rfactor Crack v1.255 (Reloaded).zip.torrent
    C:\DOCUME~1\JOEWAR~1\Desktop\crack_ver1.454.0.exe
    C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded)

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



jw577
post Oct 5 2008, 05:58 AM
Post #5


New Member
*

Group: New Member
Posts: 6
Joined: 4-October 08
Member No.: 81,807
Operating System: Windows XP



Hello,
Thanks a lot for your help so far. I have now run OTMove, ComboFix and HijackThis again; here are my logs from these scans:


OTMove:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Reason 4 + Keygen + Patch RPS.torrent moved successfully.
C:\DOCUME~1\JOEWAR~1\Application Data\Shareaza\Torrents\Rfactor Crack v1.255 (Reloaded).zip.torrent moved successfully.
File/Folder C:\DOCUME~1\JOEWAR~1\Desktop\crack_ver1.454.0.exe not found.
C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded)\rFactor Crack v.1.255 (Reloaded) moved successfully.
C:\DOCUME~1\JOEWAR~1\Desktop\Games\Rfactor\Rfactor Crack v1.255 (Reloaded) moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\sqlite_cFOLg4O24VBU3hx scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_chyi5uA3mOETLSC scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_sxxfqcahuvd4rtx scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT03b32.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06d49.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.3.1 log created on 10052008_122115

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\WINDOWS\temp\sqlite_cFOLg4O24VBU3hx moved successfully.
C:\WINDOWS\temp\sqlite_chyi5uA3mOETLSC moved successfully.
C:\WINDOWS\temp\sqlite_sxxfqcahuvd4rtx moved successfully.
C:\WINDOWS\temp\ZLT03b32.TMP moved successfully.
C:\WINDOWS\temp\ZLT06d49.TMP moved successfully.






Combo Fix:



ComboFix 08-10-04.07 - Joe Ward 2008-10-05 12:37:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1513 [GMT 1:00]
Running from: C:\Documents and Settings\Joe Ward\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msvcsv60.dll
.
---- Previous Run -------
.
C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-05 12:21 . 2008-10-05 12:21 <DIR> d-------- C:\_OTMoveIt
2008-10-04 19:17 . 2008-10-04 19:23 <DIR> d-------- C:\Lop SD
2008-10-04 18:52 . 2008-10-04 18:52 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-04 18:50 . 2008-10-04 18:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-04 18:48 . 2008-10-04 18:48 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-10-04 18:43 . 2008-10-04 19:03 <DIR> d-------- C:\SDFix
2008-10-04 17:33 . 2008-10-04 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-03 22:54 . 2008-10-03 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-03 22:52 . 2008-10-03 22:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-03 22:50 . 2008-10-03 22:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-03 22:50 . 2008-10-03 22:50 <DIR> d-------- C:\Documents and Settings\Joe Ward\Application Data\SUPERAntiSpyware.com
2008-09-26 17:46 . 2008-09-26 17:47 <DIR> d-------- C:\ERDNT1
2008-09-26 00:13 . 2008-09-26 00:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-26 00:13 . 2008-09-26 00:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-26 00:13 . 2008-09-26 00:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-26 00:13 . 2008-09-26 00:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-26 00:05 . 2008-09-26 00:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-25 23:48 . 2008-09-25 23:48 <DIR> d-------- C:\Program Files\Sun
2008-09-05 17:31 . 2008-09-05 17:31 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-09-05 17:31 . 2005-03-09 20:50 46,592 --a------ C:\WINDOWS\system32\libusb0.dll
2008-09-05 17:31 . 2005-03-09 20:50 33,792 --a------ C:\WINDOWS\system32\drivers\libusb0.sys
2008-09-05 17:31 . 2005-03-09 20:50 19,456 --a------ C:\WINDOWS\system32\libusbd-9x.exe
2008-09-05 17:31 . 2005-03-09 20:50 18,944 --a------ C:\WINDOWS\system32\libusbd-nt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 11:25 --------- d-----w C:\Documents and Settings\Joe Ward\Application Data\AVG7
2008-10-05 11:23 4,257,400 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-10-03 21:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 19:50 98,304 ----a-w C:\WINDOWS\DUMP57d4.tmp
2008-10-02 19:13 98,304 ----a-w C:\WINDOWS\DUMP42c5.tmp
2008-09-29 08:55 --------- d-----w C:\Program Files\McAfee
2008-09-28 18:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-28 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-28 17:58 --------- d-----w C:\Program Files\Telltale Games
2008-09-28 17:31 --------- d-----w C:\Program Files\Graboid
2008-09-28 17:30 --------- d-----w C:\Documents and Settings\Joe Ward\Application Data\COWON
2008-09-28 17:29 --------- d-----w C:\Program Files\Gabest
2008-09-26 17:16 --------- d-----w C:\Program Files\MSN Messenger
2008-09-25 22:47 --------- d-----w C:\Program Files\Java
2008-09-25 15:27 13,390 -c--a-w C:\Documents and Settings\Joe Ward\Application Data\wklnhst.dat
2008-09-04 09:46 --------- d-----w C:\Program Files\rFactor
2008-09-04 09:27 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-09-04 09:27 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-09-04 09:21 425,326,624 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-04 09:21 4,986,416 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-04 09:20 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-09-04 09:20 --------- d-----w C:\Documents and Settings\Joe Ward\Application Data\DAEMON Tools
2008-08-30 15:16 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SACore
2008-08-15 17:42 --------- d-----w C:\Program Files\Microsoft Silverlight
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 8491008]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 579584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-09-17 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-15 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Enable Labtec Wireless Desktop.lnk - C:\Program Files\Labtec Wireless Desktop\MagicKey.exe [2007-09-15 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"C:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\WINDOWS\\system32\\lxdiih.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 MUsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\MUsbFltr.sys [2005-12-21 9060]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2005-12-21 8963]
R2 emaudsv;E-MU Audio Service;C:\WINDOWS\system32\emaudsv.exe [2006-08-10 10240]
R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-04-26 517040]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R3 emusba10;E-MU USB-Audio 1.0 Driver;C:\WINDOWS\system32\DRIVERS\emusba10.sys [2006-08-10 142208]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 33792]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 99248]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 CPWGU(Philips);Philips SNU5600 Wireless USB Adapter 11b/g(Philips);C:\WINDOWS\system32\DRIVERS\CPWGU.sys [ ]
S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2005-06-14 21888]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 24064]
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2006-11-23 18432]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-05 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]

2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 21:56]

2008-08-18 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
- C:\","D:\","E:\","F:\" []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Joe Ward\Application Data\Mozilla\Firefox\Profiles\nrhhqyej.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.anglia.ac.uk/mail
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 12:43:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program