Trojan.pws.sinowal.au
Hi, I am getting an "Advanced Visa Verification" popup whenever I visit a banking website. The pop-up asks for card numbers, expiry dates, CVC codes and PINs. Needless to say, it is not an authentic pop-up. According to BitDefender, its scanner is set up to remove the virus. Link: http://www.bitdefender.com/VIRUS-1000140-e...Sinowal.AU.html
I have run the scanner and it didn't find the virus, and the pop-up continues to pop up.
Any ideas on how to proceed?
Thanks
Comments
Post a HijackThis log here!
Instructions: http://forum.bitdefender.com/index.php?showtopic=56680
Thanks for the reply crysty2k5,
Here is the log report. Thanks for your help.
Spiff
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:30 PM, on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by106fd.bay106.hotmail.msn.com/cgi-...626abf20a298644
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://www.kaydee.ca:9040/activex/AMC.cab
O16 - DPF: {E7F2A7C5-E0FA-48F7-9893-DF78DDF131F2} (MC3LibControl.TclControl) - http://www.jeppesen.com/wlcs/services/char...in/mc3-1300.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 13171 bytes
Check and press Fix checked for:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
The log is clean, but not all malware is visible in the log.
Run a system scan with BitDefender and SUPERAntiSpyware!
Thanks for your help. I will try SUPERAntiSpyware and see what happens, as I am still getting the pop-up.
Spiff
I ran SUPERAntiSpyware and it found 21 bad cookies. The pop-up still comes up. Sighhhhh.
Spiff
crysty2k5's EDIT: posts merged
Hmmmm...
Malwarebytes' Anti-Malware version 1.14
Let's see if it's working!
Post a screenshot of the pop-up here, please!
Hi, how do I get a screenshot?
Spiff
Here's the log report from Malwarebytes' Anti-Malware:
Malwarebytes' Anti-Malware 1.14
Database version: 818
7:52:42 PM 03/06/2008
mbam-log-6-3-2008 (19-52-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 192830
Time elapsed: 1 hour(s), 42 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Press the Print Screen key on your keyboard!
Open Paint and click Edit->Paste.
Save the image with the pop-up and attach it here!
Hello Spaceman Spiff,
Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections.
Best regards
Niels
Here is the log:
ComboFix 08-06-03.4 - Jon 2008-06-04 10:44:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1345 [GMT -6:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jon\Application Data\inst.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 18:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 18:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 17:25 . 2008-06-03 17:39 <DIR> d-------- C:\Temp\intel motherboard driver
2008-05-27 20:07 . 2008-06-03 23:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 20:07 . 2008-06-03 23:06 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\SUPERAntiSpyware.com
2008-05-27 20:07 . 2008-05-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-27 09:45 . 2008-06-04 10:21 <DIR> d-------- C:\Temp\kill
2008-05-26 09:47 . 2008-05-26 09:47 <DIR> d-------- C:\Documents and Settings\Jon Ascasibar\Application Data\BitDefender
2008-05-26 09:46 . 2008-05-26 09:46 <DIR> d-------- C:\Program Files\BitDefender
2008-05-26 09:46 . 2008-05-26 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-05-26 09:45 . 2008-05-26 09:46 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-26 08:52 . 2008-05-26 09:40 <DIR> d-------- C:\Temp\bitdefender
2008-05-25 22:37 . 2008-06-04 09:28 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-25 21:10 . 2008-05-25 21:11 <DIR> d-------- C:\Program Files\QuickTime
2008-05-25 18:17 . 2008-05-25 18:21 <DIR> d-------- C:\Temp\van
2008-05-25 17:24 . 2008-05-25 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-25 16:13 . 2008-05-25 16:13 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-05-25 13:45 . 2008-05-25 13:45 <DIR> d-------- C:\Temp\Kaspersky2009byROCKSTAR
2008-05-25 08:36 . 2008-05-26 08:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-24 10:08 . 2008-05-24 11:51 164 --a------ C:\install.dat
2008-05-22 09:55 . 2008-05-25 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 21:19 . 2008-06-03 17:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-20 21:19 . 2008-05-20 21:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 13:52 . 2008-05-18 22:19 <DIR> d-------- C:\Program Files\Steam
2008-05-13 13:49 . 2008-05-13 13:49 <DIR> d-------- C:\Temp\halflife
2008-05-13 09:05 . 2008-05-13 09:05 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-12 08:33 . 2008-05-12 08:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-12 08:33 . 2008-05-12 08:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-12 08:33 . 2008-05-12 08:33 21,425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-12 08:33 . 2008-05-12 08:33 155 --a------ C:\version.ini
2008-05-12 08:32 . 2008-05-12 08:32 <DIR> d-------- C:\Documents and Settings\Gamer\Application Data\Intel
2008-05-12 08:32 . 2008-05-12 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-05-12 08:32 . 2008-05-12 08:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-12 08:32 . 2007-02-12 11:41 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-05-12 08:32 . 2007-02-12 11:40 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-05-12 08:30 . 2008-05-12 08:30 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Intel
2008-05-12 07:16 . 2008-05-12 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-12 07:16 . 2008-05-12 07:16 61,224 --a------ C:\Documents and Settings\Jon\GoToAssistDownloadHelper.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 05:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 15:27 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-27 20:16 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 15:53 114 ----a-w C:\sccfg.sys.bd.ren
2008-05-26 03:16 --------- d-----w C:\Program Files\Java
2008-05-25 22:14 --------- d-----w C:\Program Files\Folder Lock
2008-05-25 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-25 21:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 19:28 --------- d-----w C:\Documents and Settings\Jon\Application Data\Vso
2008-05-25 14:33 --------- d-----w C:\Program Files\LimeWire Turbo Accelerator
2008-05-16 18:37 --------- d-----w C:\Documents and Settings\Jon \Application Data\AdobeUM
2008-05-12 18:07 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-05-12 13:16 --------- d-----w C:\Program Files\Citrix
2008-05-01 04:46 --------- d-----w C:\Program Files\Wide Angle Software
2008-04-30 20:48 --------- d-----w C:\Program Files\Electronic Arts
2008-04-25 20:37 88,192 -c--a-w C:\Documents and Settings\Jon\Application Data\GDIPFONTCACHEV1.DAT
2008-04-13 13:20 768,544 ----a-w C:\WINDOWS\system32\nvcplui.exe
2008-04-13 13:20 442,368 ----a-w C:\WINDOWS\system32\nvudisp.exe
2008-04-13 13:20 313,888 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2008-04-13 13:20 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2008-04-13 13:20 1,126,400 ----a-w C:\WINDOWS\system32\nvcuda.dll
2008-04-13 00:59 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 00:59 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2008-04-10 23:07 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-09 22:22 --------- d-----w C:\Program Files\DivX
2008-04-08 22:31 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-08 22:31 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-08 22:28 --------- d-----w C:\Program Files\Futuremark
2008-04-08 22:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-12-11 21:41 251 ----a-w C:\Program Files\wt3d.ini
2006-01-12 00:34 56 --sh--r C:\WINDOWS\system32\F8D494A91E.sys
2006-01-12 00:34 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2007-12-11 13:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NVHotkey"="rundll32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region-Free\DVDShell.dll [2003-10-29 17:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.sx5363s"= sx5363s.acm
"VIDC.MJPG"= PMJPEG32.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-02-16 17:45 360448 C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]
--a------ 2007-10-09 15:46 61440 C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 05:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2008-02-18 04:58 206184 C:\Program Files\TomTom HOME 2\HOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone Control Panel]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 05:00]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 14:55]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 08:10]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-27 10:20]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 08:05]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 08:05]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 08:05]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17df4f18-07d0-11dc-a1eb-001422def047}]
\Shell\AutoRun\command - E:\Snap-Link.exe
\Shell\help\command - E:\Snap-Link.chm
\Shell\Snap-Link\command - E:\Snap-Link.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 23:47:09 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-03-08 14:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-04 15:34:15 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 10:50:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\JONASC~1\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Jon\Application Data\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\WINDOWS\Fonts\
disk error: C:\Documents and Settings\Jon\Local Settings\Application Data\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\Jon\Start Menu\Programs\Startup\
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2008-06-04 10:50:56
ComboFix-quarantined-files.txt 2008-06-04 16:50:51
Pre-Run: 16,537,243,648 bytes free
Post-Run: 16,926,695,424 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
280 --- E O F --- 2008-05-30 14:43:16
-
Press Print Screen key on your keyboard !
Open Paint and click Edit->Paste
Save the image with the pop-up and attach it here !
I have the screenshot but it won't upload as it times out (pic size is 168kb). I will try again later.
Spiff
-
Combofix deleted some things !
You can use http://imagehost.rophotoshop.com/ to upload the image and leave here the 3rd link !
-
Thank you crysty2k5
http://imagehost.rophotoshop.com/pics/2121...d4a214cfb6e.JPG
Spiff
-
Change IE homepage to blank !
Tools->Internet Options->General
After that, Tools->Internet Options->Security->Trusted sites and remove all the sites !
Go to: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ and post here another screenshot with the folder content !
-
Hi, crysty2k5 here is the link:
http://imagehost.rophotoshop.com/pics/af42...9d6b11bd15f.JPG
Thank you
Spiff
-
delete all of em
crysty2k5's EDIT: Bad advice !
Warn !(MS Office will stop working !)
-
I have done everything mentioned on this thread and I am still getting the popup. Seems like I can't win
Spiff
-
Valid files. Check if MS Office is still working !
-
Office stopped working; I had to do a quick reinstall.
Spiff
-
I am getting concerned about this. I am thinking I may do a reinstall of XP. Should I do a format too? Can I save my bookmarks for IE or is there a chance that may carry my virus?
Spiff
-
Windows reinstall is the last option !
-
Hi crysty2k5, do you have any other ideas before I do the reinstall?
Thanks for all of your help
Spiff
-
Hi, I ran a deep scan last night and this link shows the screenshot;
http://imagehost.rophotoshop.com/pics/0f0b...9688f44436b.JPG
Items 1 (Generic Keylogger), 3 (Trojan Spy perlfloger ab) and 4 (Trojan Spy Perfloger AG) I cannot delete, as they are in the system volume and I can't gain access to it. How do I remove those manually?
thanks
-
Hello Spaceman Spiff,
Can you please download sdfix from here. Double click on it and allow it to install in C:\SDFIX.
Now reboot your pc into safe mode by pressing the F8 button several times before the Windows splash screen; select Safe Mode and press Enter. Log in with your account. Now go to C:\SDFIX and double click on RunThis.bat. Type y to start the cleaning process. When it finishes you will be prompted to press any key on your keyboard; do that. Once you are in normal mode, wait till you see Finished and press any key again; now you will get back on your desktop. Please post the content of Report into your next reply.
First print what is written here and here.
Please put in your installation cd-rom of BitDefender. Now reboot your pc and follow the instructions that are described in the first link. If you don't have a cd-rom version of BitDefender please download this bootable image of the rescue cd-rom. You have to run it as a bootable disk in your burning program.
Best regards
Niels
-
Hi Niels, here is the log report:
SDFix: Version 1.189
Run by Administrator on 07/06/2008 at 10:53 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Temp\ed47fa.$ - Deleted
Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use Gmer or Dr.Web CureIt
Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 23:05:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Jon A\ntuser.dat, 3
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"="C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe:*:Enabled:BugReport"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 11 Jan 2006 56 A.SHR --- "C:\i386\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 17 Mar 2008 2,451,968 ..SH. --- "C:\Stuff\ut\KxP4Kf_cfdg.exe"
Sat 5 Apr 2008 2,451,968 ..SH. --- "C:\Stuff\ut\NcO4Yk_cfdg.exe"
Sat 5 Apr 2008 2,451,968 ..SH. --- "C:\Stuff\ut\Tus62h_cfdg.exe"
Fri 21 Mar 2008 2,451,968 ..SH. --- "C:\Stuff\ut\WaA6H6_cfdg.exe"
Wed 11 Jan 2006 56 ..SHR --- "C:\WINDOWS\system32\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 21 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 31 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT8.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITA.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT9.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITB.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT7.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT9.tmp"
Thu 5 Jun 2008 1,714 ...HR --- "C:\Documents and Settings\Jon A\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 24 Apr 1999 93,890 A..H. --- "C:\NorUtilPk\Support\GBW\common\MSDOS\COMMAND.COM"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon A\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon A\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon A\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon A\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
-
Run these tools http://www.gmer.net/gmer.zip && http://www.freedrweb.com/cureit
-
Hello Spaceman Spiff,
Please download avenger, which you can download here, and save it on your desktop.
Unzip it and double click on avenger.exe.
In the Input script here section please type this (you need to type Files to delete: as well):
Files to delete:
C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$
Click on the execute button. Choose yes to proceed and to reboot your pc. If your pc doesn't reboot, reboot it yourself.
Can you please upload the following files to this website? What is the result?
C:\Stuff\ut\KxP4Kf_cfdg.exe
C:\Stuff\ut\NcO4Yk_cfdg.exe
C:\Stuff\ut\Tus62h_cfdg.exe
C:\Stuff\ut\WaA6H6_cfdg.exe
Or can you explain what these files are for? These look suspicious to me.
Best regards
Niels
-
Here is the log from gmer:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-08 09:40:17
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xBA40C36A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xBA40CCD8]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB57B6B4C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xB57B6C3A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xBA40C842]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xBA4091E0]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xBA40D142]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xB57B6AB0]
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[3916] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 51981DEE C:\Program Files\DVD Region-Free\DVDShell.dll (DVD Region-Free Shell Module/Fengtao Software)
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0xba4cf80 size 0x1a8
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- EOF - GMER 1.0.14 ----
Dr. Web found a backdoor.maosboot and didn't like the bitdefender live update. It also found a file called "gtdownlr_134.OCX"
When I tried typing the script into avenger I was getting an error.
The error read: Error invalid script, A valid script must begin with a command directive. Aborting execution.
Thanks
Spiff
-
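Reading a GMER report like the one posted above by hand is easy to get wrong, so here is an added Python example (not code from the thread, from GMER or from BitDefender) that parses the System and Disk sectors sections, groups SSDT hooks by the driver that installed them, and lists hooks from drivers outside an operator-supplied allow-list together with the sector findings. The sample log is constructed from a subset of the lines above, and the allow-list containing only bdselfpr.sys is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.14 report posted in the thread
# (a subset of its lines); assembled for this example, not captured output.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xBA40C36A]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xBA40CCD8]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xB57B6B4C]
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xBA40C842]
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0xba4cf80 size 0x1a8
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- EOF - GMER 1.0.14 ----
"""

# Assumed allow-list: drivers whose SSDT hooks are expected on this machine
# (the installed security product). Anything else is "unexplained" and needs
# vendor attribution; it is not automatically malware.
TRUSTED_DRIVERS = {"bdselfpr.sys"}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<rest>.+?)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<finding>.+)$")
VENDOR_RE = re.compile(r"^(?P<module>.+?)\s+\((?P<vendor>[^()]*)\)$")


def _split_module(rest):
    """Split 'path (Description/Vendor)' into (path, vendor); vendor is '' if absent."""
    m = VENDOR_RE.match(rest)
    return (m.group("module"), m.group("vendor")) if m else (rest, "")


def parse_gmer(text):
    """Parse GMER-style text into {'ssdt': [hook dicts], 'disk': [sector dicts]}."""
    report = {"ssdt": [], "disk": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            module, vendor = _split_module(m.group("rest"))
            report["ssdt"].append({
                "module": module,
                "driver": module.rsplit("\\", 1)[-1].lower(),  # file name only
                "vendor": vendor,
                "func": m.group("func"),
                "addr": int(m.group("addr"), 16),
            })
        elif section == "Disk sectors" and (m := DISK_RE.match(line)):
            report["disk"].append({
                "device": m.group("device"),
                "sector": int(m.group("sector")),
                "finding": m.group("finding"),
            })
    return report


def hooks_by_driver(report):
    """Group hooked system calls by the driver file that owns the hook."""
    grouped = defaultdict(list)
    for h in report["ssdt"]:
        grouped[h["driver"]].append(h["func"])
    return {drv: sorted(funcs) for drv, funcs in grouped.items()}


def triage(report, trusted_drivers):
    """Return findings: SSDT hooks from unexplained drivers, then disk-sector alerts."""
    findings = []
    for driver, funcs in sorted(hooks_by_driver(report).items()):
        if driver not in trusted_drivers:
            findings.append(f"untrusted driver {driver} hooks {len(funcs)} syscalls: {', '.join(funcs)}")
    for d in report["disk"]:
        text = d["finding"].lower()
        if "malicious" in text:
            findings.append(f"{d['device']} sector {d['sector']}: {d['finding']} (code stored outside the MBR)")
        elif "copy of mbr" in text:
            findings.append(f"{d['device']} sector {d['sector']}: saved MBR copy, consistent with an MBR rootkit")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG), TRUSTED_DRIVERS):
        print(finding)
```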
Hi Niels, I am going to run the cd and see what happens.
Spiff
Hello Spaceman Spiff,
Can you please download combofix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post, so I or someone else can see if there are still some infections.
Best regards
Niels
Hi Niels, ever since I downloaded and installed combo fix and the windows recovery console and I get a prompt during the start up of windows. Should I leave this recovery prompt ie: is it useful or should I get it uninstalled?
Spiff
-
Hello Spaceman Spiff,
Please retry, but type this in Notepad:
Files to delete:
C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$
Be sure that word wrap is not checked.
Restart avenger but now click on
Press on the execute button.
The recovery console can be very handy if you can't even get into safe mode. If I understand correctly, when you boot your pc you now have the choice to either boot into your Windows version or into the recovery console? If you don't want to see the recovery console I will post how to disable it. It could be that the recovery console stays preinstalled on your computer.
Best regards
Niels
-
Hi Niels, the recovery prompt is only displayed for about two seconds, then it continues with the regular boot up. It's no big deal to leave it there; as you say, it may come in handy later on.
I still have avenger giving me the error.
The good news is that it would appear the Visa popup is gone. It hasn't come up in a day and a half. Is there a way of configuring Bitdefender to prevent these financial spyware pop-ups?
Spiff
-
Hello Spaceman Spiff,
When you copy and paste what I said, was the section Input script here empty? It should be empty, so delete any other line.
And it must only contain:
Files to delete:
C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$
If it still fails please download killbox. Double click on it to run. Open WordPad, where you have already typed
C:\WINDOWS\Temp\bca4e2da.$$$ (it must be typed on a separate line)
C:\WINDOWS\Temp\fa56d7ec.$$$
Be sure that you select both items so that they are in blue.
Press ctrl+c (to copy). Once you are in killbox go to File, Paste from clipboard. Select the option Delete on reboot. Now press on the delete icon, which looks like a red circle with a white cross inside. You will be asked to reboot your pc; choose yes.
To be able to let BitDefender block the pop-ups, BitDefender virus researchers first need the files that cause the pop-ups.
Best regards,
Niels
-
Thanks once again for the help. I did the kill box thing with no issues. So far the visa pop up has not come up again. Hopefully it will stay that way.
Thanks for all your help Niels and crysty2k5!
Spiff
I ran another deep scan and it came up clean!
What additional programs should I run with bitdefender?
Thanks so much to everyone who helped! Superantispyware, Antimalware?
Spiff
-
Hello Spaceman Spiff,
That is good to hear that your scan came back clean. Can you please post a new SDFix report? Just to be sure.
Superantispyware free or Malwarebytes Anti-Malware will be enough as back-up. Change this setting also: open BitDefender by right clicking on the red BitDefender icon near the system tray, press on Open Advanced Settings, navigate to the Antivirus section, see that the Shield tab is highlighted, press on Custom Level and expand Scan accessed files by clicking on +. You will see Scan for riskware; expand that also, uncheck Skip dialers and applications from scan and press on OK. This might prevent these kinds of pop-ups in the future.
Best regards
Niels
-
Hi Niels, here is the log.
Thanks for your help.
Spiff
SDFix: Version 1.189
Run by Administrator on 10/06/2008 at 09:44 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Temp\ed47fa.$ - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 12:26:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Jon\ntuser.dat, 3
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"="C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe:*:Enabled:BugReport"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 11 Jan 2006 56 A.SHR --- "C:\i386\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 11 Jan 2006 56 ..SHR --- "C:\WINDOWS\system32\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 21 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 31 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT8.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITA.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT9.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITB.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT7.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT9.tmp"
Mon 9 Jun 2008 1,714 ...HR --- "C:\Documents and Settings\Jon\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 24 Apr 1999 93,890 A..H. --- "C:\NorUtilPk\Support\GBW\common\MSDOS\COMMAND.COM"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
-
C:\i386\F8D494A91E.sys
C:\i386\KGyGaAvL.sys
Upload these files on http://www.virustotal.com/ and leave here the test link!
I can't find any record about the last one!
-
How do I upload the file? When I try to attach it here I get an error.
Spiff
-
Not here, on http://www.virustotal.com/ !!!
Leave here the test link!!!
-
Hello Spaceman Spiff,
Both drivers that are located in C:/I386 are very suspicious because normally only the drivers and services that are needed to install, repair, modify, update and rebuild Windows are stored there.
This might be some hard work, but it is needed to figure out whether it isn't just an uncommon name for a driver of one of your hardware devices. Can you please do the following. Press the Windows key together with R, then type devmgmt.msc and press Enter. Now expand each section that you find by clicking on the + icon. Once you expand a section you will see sub-items; right-click on them and choose Properties, then the Driver tab, and press Driver Information (it could have a different name). Please write down for each section what drivers are used. Verify if in the end you can find F8D494A91E.sys and KGyGaAvL.sys.
Best regards
Niels
-
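As an added example (not from this thread, and not part of SDFix), the Python script below parses the "Files with Hidden Attributes" section of the SDFix log posted above and applies the reasoning in this post: it flags System+Hidden .sys files sitting directly in C:\i386 or C:\WINDOWS\system32, notes random-looking names, and pairs up identical copies found in two directories. The sample log lines are constructed from the entries above; the heuristics and thresholds are my assumptions, and a flag only means "check this file" (for instance on VirusTotal, as the thread goes on to do), not that it is malicious.

```python
"""Triage the "Files with Hidden Attributes" section of an SDFix log.

Added example, not part of the thread or of SDFix. The sample below is
constructed from entries in the posted log; the heuristics are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in SDFix's hidden-file format (entries taken from the log above).
SAMPLE_SDFIX = r"""Files with Hidden Attributes :
Wed 11 Jan 2006 56 A.SHR --- "C:\i386\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 11 Jan 2006 56 ..SHR --- "C:\WINDOWS\system32\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT8.tmp"
Finished!
"""

# One SDFix entry: <dow> <day> <mon> <year> <size> <attrs> --- "<path>"
# The attribute field is five characters: A(rchive) . S(ystem) H(idden) R(eadonly).
ENTRY_RE = re.compile(
    r'^(?P<dow>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"\s*$'
)

# Directories where a stray hidden driver image is unusual (assumption, lower-cased).
SENSITIVE_DIRS = {r"c:\i386", r"c:\windows\system32"}


def parse_sdfix_hidden_files(log_text):
    """Return the entries of the "Files with Hidden Attributes" section as dicts."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("Files with Hidden Attributes"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Finished!"):
            break
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # tolerate wrapped or unrelated lines
        attrs = m.group("attrs")
        entries.append({
            "path": m.group("path"),
            "size": int(m.group("size").replace(",", "")),
            "date": f'{m.group("year")}-{m.group("mon")}-{int(m.group("day")):02d}',
            "archive": attrs[0] == "A",
            "system": attrs[2] == "S",
            "hidden": attrs[3] == "H",
            "readonly": attrs[4] == "R",
        })
    return entries


def looks_random(stem):
    """Hex-only names (F8D494A91E) or letter soup with many case flips (KGyGaAvL)."""
    if re.fullmatch(r"[0-9A-Fa-f]{8,}", stem):
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 4  # threshold is an assumption


def triage_hidden_files(log_text):
    """Apply the post's reasoning: hidden system drivers in odd places deserve a check."""
    entries = parse_sdfix_hidden_files(log_text)
    # Same name and size in two directories: a dropped file is often planted twice,
    # as with the i386/system32 pair in the posted log.
    copies = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        copies[(name, e["size"])].append(e["path"])

    findings = []
    for e in entries:
        directory, _, name = e["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        reasons = []
        if (e["system"] and e["hidden"] and ext.lower() == "sys"
                and directory.lower() in SENSITIVE_DIRS):
            reasons.append("System+Hidden .sys directly in " + directory)
        if reasons and looks_random(stem):
            reasons.append("random-looking file name")
        dupes = copies[(name.lower(), e["size"])]
        if reasons and len(dupes) > 1:
            others = [p for p in dupes if p != e["path"]]
            reasons.append("identical copy also at " + ", ".join(others))
        if reasons:
            findings.append({"path": e["path"], "size": e["size"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hidden_files(SAMPLE_SDFIX):
        print(f"{f['path']} ({f['size']} bytes)")
        for r in f["reasons"]:
            print("   -", r)
```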
Hi, here are the links:
http://www.virustotal.com/analisis/3f3d657...4bcc8d51405c994
http://www.virustotal.com/analisis/e48bece...bf62c24279bab1b
Thanks
-
Hi Niels, I did what you asked and those files don't appear anywhere in the driver info. Should I move them to a different folder and see how the computer operates without them? If it operates OK then delete them?
Spiff
-
Hello Spaceman Spiff,
You can move them to a different folder or you can temporarily rename them. To be sure that the infection isn't stored in System Restore, please do the following. Right-click on My Computer, choose Properties, then System Restore, check the option 'Disable System Restore on all stations', press Apply and OK. Wait till everything is greyed out, after that uncheck the box and press Apply and OK.
Can you also please upload the following files to VirusTotal:
C:\Stuff\ut\KxP4Kf_cfdg.exe
C:\Stuff\ut\NcO4Yk_cfdg.exe
C:\Stuff\ut\Tus62h_cfdg.exe
C:\Stuff\ut\WaA6H6_cfdg.exe
Or can you explain what these are? They are most likely also malicious because of the random names.
Best regards
Niels
-
Hi Niels, those files were in a folder for a program that captures YouTube videos. I deleted all of the files with no issues. In regards to System Restore, I don't have the option to disable System Restore on all stations. The only option I have is "Turn off System Restore on all drives".
Cheers
Spiff
-
Hello Spaceman Spiff,
Sorry for the confusion, but I don't have an English Windows version. Yes, that was the option that I wanted you to check. I just wanted to be sure about these files, because I couldn't find anything about them. To be sure that there aren't any hidden objects anymore, please download BlackLight from here. You don't need to install it; just double-click on fsbl(.exe) and accept the EULA. Press Scan. If hidden items are found, please post them in your next post, so it will be easier for me to remove infected hidden items in one go instead of rerunning SDFix repeatedly.
Best regards,
Niels
-
Hi Niels, the scan came up with nothing.
Should I reactivate System Restore on the drives?
Thanks for your help
Spiff
-
You can activate System Restore now.
-
Hello Spaceman Spiff,
Are there still any issues? To be 100% sure, can you please run SDFix, ComboFix and HijackThis again, just for a final check-up. Also perform a deep scan with BitDefender.
Best regards,
Niels
-
Hi Niels, I ran a deep scan, nothing found. Here are the logs:
Thanks
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:36 PM, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Temp\kill\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin...99&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://www.kaydee.ca:9040/activex/AMC.cab
O16 - DPF: {E7F2A7C5-E0FA-48F7-9893-DF78DDF131F2} (MC3LibControl.TclControl) - http://www.jeppesen.com/wlcs/services/char...in/mc3-1300.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 12868 bytes
SDFix:
SDFix: Version 1.189
Run by Administrator on 10/06/2008 at 09:44 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Temp\ed47fa.$ - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 12:26:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Jon\ntuser.dat, 3
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"="C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe:*:Enabled:BugReport"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 11 Jan 2006 56 A.SHR --- "C:\i386\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 11 Jan 2006 56 ..SHR --- "C:\WINDOWS\system32\F8D494A91E.sys"
Wed 11 Jan 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 21 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 31 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT8.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITA.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT9.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITB.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT7.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT9.tmp"
Mon 9 Jun 2008 1,714 ...HR --- "C:\Documents and Settings\Jon\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 24 Apr 1999 93,890 A..H. --- "C:\NorUtilPk\Support\GBW\common\MSDOS\COMMAND.COM"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Jon\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
ComboFix:
ComboFix 08-06-03.4 - Jon 2008-06-14 13:23:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1452 [GMT -6:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.
2008-06-14 13:22 . 2008-06-14 13:23 <DIR> d-------- C:\327882R2FWJFW
2008-06-11 10:37 . 2008-06-11 10:37 1,006,459 --a------ C:\Temp\ffmpeg.exe
2008-06-11 09:07 . 2008-04-14 05:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 09:07 . 2008-04-14 05:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 21:19 . 2008-06-09 21:19 <DIR> d-------- C:\Program Files\Opera
2008-06-09 21:18 . 2008-06-09 21:34 <DIR> d-------- C:\Temp\nod32
2008-06-09 20:34 . 2008-06-09 20:35 <DIR> d-------- C:\Antispyware
2008-06-08 15:02 . 2008-06-08 15:02 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\BitDefender
2008-06-08 15:00 . 2008-06-08 15:01 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-06-08 15:00 . 2008-06-08 15:01 <DIR> d-------- C:\Program Files\BitDefender
2008-06-08 15:00 . 2008-06-09 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-08 09:22 . 2008-06-08 09:33 250 --a------ C:\WINDOWS\gmer.ini
2008-06-08 08:40 . 2008-06-08 08:40 <DIR> d-------- C:\Documents and Settings\Jon\DoctorWeb
2008-06-07 22:47 . 2008-06-07 22:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 22:04 . 2008-06-14 13:14 <DIR> d-------- C:\SDFix
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-06-03 18:09 . 2008-06-03 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 18:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 18:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 17:25 . 2008-06-03 17:39 <DIR> d-------- C:\Temp\intel motherboard driver
2008-05-27 20:07 . 2008-06-03 23:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 20:07 . 2008-06-03 23:06 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\SUPERAntiSpyware.com
2008-05-27 20:07 . 2008-05-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-27 09:45 . 2008-06-12 21:27 <DIR> d-------- C:\Temp\kill
2008-05-26 08:52 . 2008-06-09 21:04 <DIR> d-------- C:\Temp\bitdefender
2008-05-25 22:37 . 2008-06-14 12:09 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-25 21:10 . 2008-06-12 21:50 <DIR> d-------- C:\Program Files\QuickTime
2008-05-25 18:17 . 2008-05-25 18:21 <DIR> d-------- C:\Temp\van
2008-05-25 17:24 . 2008-05-25 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-25 16:13 . 2008-05-25 16:13 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-05-25 13:45 . 2008-05-25 13:45 <DIR> d-------- C:\Temp\Kaspersky2009byROCKSTAR
2008-05-25 08:36 . 2008-05-26 08:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-24 10:08 . 2008-05-24 11:51 164 --a------ C:\install.dat
2008-05-22 09:55 . 2008-05-25 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 15:04 --------- d-----w C:\Program Files\Apple Software Update
2008-06-06 12:58 --------- d-----w C:\Program Files\Google
2008-06-04 05:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 15:27 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-27 20:16 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 15:53 114 ----a-w C:\sccfg.sys.bd.ren
2008-05-26 03:16 --------- d-----w C:\Program Files\Java
2008-05-25 22:14 --------- d-----w C:\Program Files\Folder Lock
2008-05-25 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-25 21:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 19:28 --------- d-----w C:\Documents and Settings\Jon\Application Data\Vso
2008-05-25 14:33 --------- d-----w C:\Program Files\LimeWire Turbo Accelerator
2008-05-16 18:37 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-05-13 15:05 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-12 18:07 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-05-12 14:33 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-12 14:33 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-12 14:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-12 14:32 --------- d-----w C:\Documents and Settings\Gamer\Application Data\Intel
2008-05-12 14:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-12 14:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-12 14:30 --------- d-----w C:\Documents and Settings\Jon\Application Data\Intel
2008-05-12 13:16 61,224 ----a-w C:\Documents and Settings\Jon\GoToAssistDownloadHelper.exe
2008-05-12 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-01 04:46 --------- d-----w C:\Program Files\Wide Angle Software
2008-04-30 20:48 --------- d-----w C:\Program Files\Electronic Arts
2008-04-25 20:37 88,192 -c--a-w C:\Documents and Settings\Jon\Application Data\GDIPFONTCACHEV1.DAT
2008-04-24 04:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-13 13:20 768,544 ----a-w C:\WINDOWS\system32\nvcplui.exe
2008-04-13 13:20 442,368 ----a-w C:\WINDOWS\system32\nvudisp.exe
2008-04-13 13:20 313,888 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2008-04-13 13:20 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2008-04-13 13:20 1,126,400 ----a-w C:\WINDOWS\system32\nvcuda.dll
2008-04-13 00:59 47,360 ----a-w C:\Documents and Settings\Jon\Application Data\pcouffin.sys
2008-04-10 23:07 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-08 22:31 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-08 22:31 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-12-11 21:41 251 ----a-w C:\Program Files\wt3d.ini
2006-01-12 00:34 56 --sh--r C:\WINDOWS\system32\F8D494A91E.sys
2006-01-12 00:34 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_10.50.38.72 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:30:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 19:06:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-08 08:22:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-14 18:18:50 733,184 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-14 18:18:50 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-08 08:22:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-08 04:48:00 733,184 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-08 04:48:00 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-06-08 15:22:19 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-02 00:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
+ 2008-06-13 03:26:41 27,136 ----a-r C:\WINDOWS\Installer\{02DFF6B1-1654-411C-8D7B-FD6052EF016F}\AppleSoftwareUpdateIco.exe
- 2008-05-15 15:23:02 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-06-07 03:03:54 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-05-15 15:23:02 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-06-07 03:03:54 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-05-15 15:23:02 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-06-07 03:03:54 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2008-05-15 15:23:02 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-06-07 03:03:54 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-05-15 15:23:02 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-06-07 03:03:55 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-05-15 15:23:02 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-06-07 03:03:55 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-05-15 15:23:03 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-06-07 03:03:55 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-05-15 15:23:02 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-06-07 03:03:54 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-05-15 15:23:02 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-06-07 03:03:54 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-05-15 15:23:03 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-06-07 03:03:55 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-05-15 15:23:02 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-06-07 03:03:54 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-05-15 15:23:02 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-06-07 03:03:53 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-05-26 15:47:50 61,440 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\helpicon.exe
+ 2008-06-08 21:02:33 61,440 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\helpicon.exe
- 2008-05-26 15:47:50 32,768 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\maintenance_icon.exe
+ 2008-06-08 21:02:33 32,768 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\maintenance_icon.exe
- 2008-05-26 15:47:49 22,486 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\register_icon.exe
+ 2008-06-08 21:02:33 22,486 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\register_icon.exe
- 2008-05-26 15:47:49 57,344 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\texticon.exe
+ 2008-06-08 21:02:33 57,344 ----a-r C:\WINDOWS\Installer\{92098E58-00AD-4F78-AD6E-807BDB323478}\texticon.exe
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-08 15:22:19 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-14 00:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-02 00:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-24 04:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-06-03 16:48:22 64,931 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-11 03:52:29 64,931 ----a-w C:\WINDOWS\system32\nvModes.dat
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-10-09 03:51:14 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2007-12-11 13:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"NVHotkey"="rundll32.exe" [2004-08-10 05:00 33280 C:\WINDOWS\system32\rundll32.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 09:14 360448]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@=" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region-Free\DVDShell.dll [2003-10-29 17:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.sx5363s"= sx5363s.acm
"VIDC.MJPG"= PMJPEG32.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
backup=C:\WINDOWS\pss\LimeWire Turbo Accelerator.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-06-09 09:14 360448 C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]
--a------ 2007-10-09 15:46 61440 C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 05:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2008-02-18 04:58 206184 C:\Program Files\TomTom HOME 2\HOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone Control Panel]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"C:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-10 05:00]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 14:55]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 08:10]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-27 10:20]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 08:05]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 08:05]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 08:05]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17df4f18-07d0-11dc-a1eb-001422def047}]
\Shell\AutoRun\command - E:\Snap-Link.exe
\Shell\help\command - E:\Snap-Link.chm
\Shell\Snap-Link\command - E:\Snap-Link.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 02:57:18 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-06-13 03:26:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-14 19:11:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 13:26:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk error: C:\WINDOWS\system32\drivers\
disk error: C:\WINDOWS\system32\
disk error: C:\DOCUME~1\JONASC~1\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Jon\Application Data\
disk error: C:\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Jon\Local Settings\Application Data\
disk error: C:\WINDOWS\Fonts\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Jon\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
Completion time: 2008-06-14 13:26:52
ComboFix-quarantined-files.txt 2008-06-14 19:26:47
Pre-Run: 24,300,818,432 bytes free
Post-Run: 24,404,377,600 bytes free
467 --- E O F --- 2008-06-14 14:06:09
You can activate System Restore now.
Thanks, will do.
Spiff
Hello Spaceman Spiff
Please paste this into notepad:
C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT8.tmp
C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT6.tmp
C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITA.tmp
C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT9.tmp
C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITB.tmp
C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT7.tmp
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT9.tmp
C:\WINDOWS\system32\F8D494A91E.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\i386\F8D494A91E.sys
C:\i386\KGyGaAvL.sys
Select everything so it's blue highlighted and follow my previous instructions that I gave for using killbox.
Can you please download ATF Cleaner from here. Double click on it to run it. Select "Select All"; if you want to keep your cookies, uncheck the box by Cookies, then press "Empty Selected".
Best regards
Niels
I don't seem to have luck with Killbox, but I deleted everything manually. I also used the ATF Cleaner.
Spiff