Frustrating Virus/trojan
Alrighty, a few days ago I got a pop-up stating I was infected and should download some spyware. Of course, I knew it was bogus and didn't click on it. However, I could not get the pop-up to go away, so I shut down my pc. Upon restart, the same pop-up showed up, and after 10 seconds, my system automatically restarted. I started up in safe mode, ran HiJack This, SmitFraudFix, and SpyBot S&D, which got rid of the pop-up and allowed me to run in normal mode. Since then, I have downloaded and installed BD and have been in the process of cleaning up my pc but still have some strange things going on.
First, my pc will not run disk defrag even though I have enough available disk space (18%) and have manually gone in and had it reinstall. In addition, I know whatever it is that infected my pc is still there because I still get redirected to advertiser and miscellaneous websites when using Firefox or Explorer, particularly when trying to reach sites related to anti-spyware and Microsoft as well. On top of that, this infection has hijacked my security settings in some way in that it is preventing me from downloading files from the internet such as some recommended by this site.
My latest scan by BD found an infection called Java.Trojan.Exploit.Bytverify in a zip file located at C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6425549-4fdf55b2 which contains 2 files, baaaa.baa.class and dvnny.class. For some reason, BD was not able to delete these files or do anything else. Right now, I'm kind of at a loss at what to do. Any help would be greatly appreciated.
Comments
http://www.atribune.org/ccount/click.php?id=1
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Post your BitDefender scan log here.
I got hit yesterday with several trojans and malware. Have 3 left which BD is "hopefully" working on since I haven't heard back yet. One of the trojans I was able to remove was Java.Trojan.Exploit.Byverify.
1. Disable the real-time protection
2. Clean up your browser cache
3. Clean the temporary files
4. Enable the real time protection
I followed these instructions and got rid of the Trojan.Exploit.Byverify.
Won't hurt giving this a try.
Corona and crysty2k5, I have done as you suggested. Here is the latest BD scan log. Note that no problems detected this time. However, I don't like that SpyHunter has so many files unchecked. This program is not even actively running on my pc nor does it show up on the install/uninstall list. Hmmm....
Attached: BDlog090208.xml
Hello original6,
For your redirecting problem, do what I wrote here.
Can you please download ComboFix and save it to the root of your hard disk. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections.
Kind regards,
Niels
As far as I see all SpyHunter files are in the SpyBot undo archive. There's nothing wrong with that.
Alrighty, Niels. Here's my ComboFix log. I think my system is running clean now.
ComboFix 08-09-04.02 - Steve 2008-09-04 19:35:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.588 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.
2008-08-31 23:09 . 2008-08-31 23:09 <DIR> d-------- C:\Program Files\ATI Technologies
2008-08-31 23:01 . 2008-08-31 23:01 <DIR> d-------- C:\Program Files\Safari
2008-08-31 22:23 . 2008-08-31 22:23 56,564 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-30 03:27 . 2008-08-30 03:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-08-30 03:05 . 2008-08-31 22:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-30 02:50 . 2008-08-30 02:50 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Research In Motion
2008-08-30 02:50 . 2008-08-30 03:02 256 --a------ C:\WINDOWS\system32\pool.bin
2008-08-30 02:20 . 2008-08-30 02:20 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-08-30 02:20 . 2008-08-30 02:20 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-08-30 02:17 . 2008-08-30 02:17 <DIR> d-------- C:\WINDOWS\system32\logs
2008-08-30 02:17 . 2008-08-30 02:17 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\BitDefender
2008-08-30 02:17 . 2008-08-30 02:20 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-30 02:15 . 2008-08-30 02:17 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-08-30 01:28 . 2008-08-30 01:28 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-08-30 01:27 . 2008-08-30 01:27 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-08-30 01:05 . 2008-08-30 01:06 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\sldIM
2008-08-30 01:04 . 2008-08-30 01:04 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SolidWorksNewsReader
2008-08-30 01:00 . 2008-08-30 01:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SolidWorks
2008-08-30 00:58 . 2008-08-30 00:58 <DIR> d-------- C:\Program Files\SolidWorks Installation Manager
2008-08-30 00:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-29 21:42 . 2008-08-29 21:42 <DIR> d----c--- C:\VundoFix Backups
2008-08-29 21:35 . 2008-08-29 21:35 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-29 21:31 . 2003-08-15 14:36 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-08-29 21:31 . 2003-08-15 21:03 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-08-29 21:31 . 2008-08-29 21:31 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-08-29 19:06 . 2008-08-29 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-29 01:34 . 2008-08-29 01:34 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-28 23:26 . 2008-08-28 23:26 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 00:46 --------- d-----w C:\Documents and Settings\Steve\Application Data\SolidWorks
2008-09-01 20:21 --------- d-----w C:\Documents and Settings\Steve\Application Data\U3
2008-08-30 08:18 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-30 05:59 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-08-30 05:57 --------- d-----w C:\Program Files\Common Files\eDrawings2007
2008-08-30 05:25 --------- d-----w C:\Program Files\Java
2008-08-30 02:18 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-26 16:38 --------- d-----w C:\Documents and Settings\Steve\Application Data\Apple Computer
2008-07-24 11:01 --------- d-----w C:\Program Files\iPod
2008-07-10 14:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-03-02 00:14 528 -c--a-w C:\Program Files\Shortcut to microsoft frontpage.lnk
2006-07-30 01:08 32 -csha-w C:\WINDOWS\{A5B063EF-75F2-4839-AB7C-2C0013992813}.dat
2006-07-30 01:08 32 -csha-w C:\WINDOWS\system32\{CBED5F42-E2FF-41D9-8C12-1B4091EA425A}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-01_15.54.09.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-01 20:43:35 64,314 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-03 01:07:11 64,314 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-01 20:43:35 408,792 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-03 01:07:11 408,792 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BDAgent"="D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]
"BitDefender Antiphishing Helper"="D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= pdvcodec.dll
"vidc.ffds"= ffdshow.ax
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Internet Security.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton Internet Security.lnk
backup=C:\WINDOWS\pss\Norton Internet Security.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a--c--- 2003-03-03 13:04 54520 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a--c--- 2003-03-03 13:04 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 12:29 40960 C:\WINDOWS\system32\ezSP_Px.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2003-04-07 02:07 114688 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 \Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2002-07-24 23:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-16 13:22 4743168 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIS2PostReboot]
--a------ 2005-05-12 00:12 49152 \Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 00:08 28672 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2003-06-23 19:32 1409024 c:\Program Files\support.com\client\bin\tgcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2003-05-23 12:43 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2003-07-02 19:51 28672 C:\WINDOWS\system32\cthelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-07-16 13:22 323584 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\AIM\\aim.exe"=
"D:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=
"D:\\Program Files\\Eagletron\\DVdriver\\dvdriver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"D:\\Program Files\\7-Zip\\7zFM.exe"=
"D:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\The Print Shop 21\\tps.exe"=
"D:\\Program Files\\LEGO MINDSTORMS\\RIS 2.0\\RIS2.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Program Files\\itunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 BDVEDISK;BDVEDISK;D:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]
R2 DVDRIVER;DVdriver;C:\WINDOWS\system32\DRIVERS\dvdriver.sys [2005-08-29 30296]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-14 102208]
R3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 39936]
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 CamdDriverV32;CamdDriverV32;C:\WINDOWS\system32\drivers\CamdDriverV32.sys [2008-06-04 508544]
S3 CamdVideo32;CamdVideo32;C:\WINDOWS\system32\DRIVERS\CamdVideo32.sys [2008-06-04 3768]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31150e90-fd31-11db-81dd-000c6ef632ab}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e1f5fc7-228f-11db-8152-000f666e420a}]
\Shell\AutoRun\command - K:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\yj3y854j.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - \Program Files\itunes\Mozilla Plugins\npitunes.dll
FF -: plugin - \Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - d:\program files\Plugins\npqtplugin.dll
FF -: plugin - d:\program files\Plugins\npqtplugin2.dll
FF -: plugin - d:\program files\Plugins\npqtplugin3.dll
FF -: plugin - d:\program files\Plugins\npqtplugin4.dll
FF -: plugin - d:\program files\Plugins\npqtplugin5.dll
FF -: plugin - d:\program files\Plugins\npqtplugin6.dll
FF -: plugin - d:\program files\Plugins\npqtplugin7.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 19:39:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\ATL.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-09-04 19:46:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 00:46:22
ComboFix2.txt 2008-09-01 20:55:17
Pre-Run: 2,259,210,240 bytes free
Post-Run: 2,240,651,264 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
259 --- E O F --- 2008-09-01 01:25:40
Hello original6,
I can still see 1 leftover:
C:\WINDOWS\system32\tdssserf.dll
Please do this: press the Windows key together with R, then type this:
regsvr32 -u "C:\WINDOWS\system32\tdssserf.dll" and press Enter.
After you have done that please open wordpad and write:
FILE::
C:\WINDOWS\system32\tdssserf.dll
You need to save the file as CFscript.
Now drag and drop the CFscript file on the combofix icon.
I could also see some remnants of Norton (Symantec). You can use this tool to remove the leftovers.
Kind regards,
Niels
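As an added example (not part of this thread or of ComboFix itself), the script below does the first-pass triage a helper does by eye on the log above: it parses the "Files Created" section, shortlists loose files dropped into system32 with identical created and modified stamps (which is how tdssserf.dll stands out), and flags the Security Center override and disabled firewall shown in the Reg Loading Points. The sample lines are copied from the log posted in this thread; the timestamp heuristic is a triage aid, not a verdict.

```python
import re

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((( Files Created from 2008-08-05 to 2008-09-05 )))))
2008-08-31 22:23 . 2008-08-31 22:23 56,564 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-30 03:27 . 2008-08-30 03:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-08-30 02:50 . 2008-08-30 03:02 256 --a------ C:\WINDOWS\system32\pool.bin
2008-08-30 00:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-28 23:26 . 2008-08-28 23:26 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One 'Files Created' line: <created> . <modified> <size or <DIR>> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$")


def parse_created(log):
    """Return the 'Files Created' entries as dicts; size is None for directories."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({"created": created, "modified": modified,
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "attrs": attrs, "path": path})
    return entries


def dropped_in_system32(entries):
    """Shortlist loose files under system32 whose created and modified stamps
    are identical. An installer usually copies a file in with its older
    modified time intact (javacpl.cpl above); a file written fresh to disk
    carries the same stamp twice (tdssserf.dll above). Legitimate files such
    as the BitDefender driver land on the list too, so each hit needs a look."""
    hits = [e for e in entries
            if e["size"] is not None
            and e["path"].lower().startswith("c:\\windows\\system32\\")
            and e["created"] == e["modified"]]
    return [e["path"] for e in sorted(hits, key=lambda e: e["created"])]


def weak_settings(log):
    """Flag the two Reg Loading Points in the posted log that hide trouble:
    the Security Center antivirus warning is silenced and the firewall is off."""
    findings = []
    if re.search(r'"AntiVirusOverride"=dword:0*1\b', log):
        findings.append("Security Center AntiVirusOverride is set")
    if re.search(r'"EnableFirewall"=\s*0\b', log):
        findings.append("Windows Firewall disabled for the standard profile")
    return findings


if __name__ == "__main__":
    for path in dropped_in_system32(parse_created(SAMPLE_LOG)):
        print("review:", path)
    for finding in weak_settings(SAMPLE_LOG):
        print("setting:", finding)
```

Run against a full log, the shortlist is what a helper checks file by file (vendor, signature, known-good hash) before writing a FILE:: entry for ComboFix.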