Trojan.tdss.fm Annoying
Hi, my PC keeps displaying a virus alert with the virus name Trojan.TDSS.FM.
BitDefender Antivirus says the file was deleted, but the virus keeps coming back.
Still no problems with boot, connections, and hardware, but BitDefender pops up every time....
I am using BitDefender Antivirus 2009.
I have tried running ComboFix but it is still the same... please help...
Below is the ComboFix log...
==================
ComboFix 09-04-24.01 - reelsyrhc 24/04/2009 17:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.65.1033.18.3069.1551 [GMT 8:00]
Running from: c:\users\reelsyrhc\Downloads\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\reelsyrhc\AppData\Roaming\inst.exe
c:\windows\emMON.exe
d:\recycler\Desktop.ini
d:\recycler\Folder.htt
d:\recycler\protect.chinese hong kong
d:\recycler\protect.chinese simplified
d:\recycler\protect.chinese traditional
d:\recycler\protect.czech
d:\recycler\protect.danish
d:\recycler\protect.dutch
d:\recycler\Protect.ed
d:\recycler\protect.english
d:\recycler\protect.finnish
d:\recycler\protect.french
d:\recycler\protect.german
d:\recycler\protect.greek
d:\recycler\protect.hebrew
d:\recycler\protect.hungarian
d:\recycler\protect.italian
d:\recycler\protect.japanese
d:\recycler\protect.korean
d:\recycler\protect.norwegian
d:\recycler\protect.polish
d:\recycler\protect.portuguese brazilian
d:\recycler\protect.portuguese
d:\recycler\protect.russian
d:\recycler\protect.spanish
d:\recycler\protect.swedish
d:\recycler\protect.turkish
.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.
2009-04-24 08:50 . 2009-04-24 08:50 61440 ----a-w c:\windows\system32\drivers\ljedl.sys
2009-04-24 06:23 . 2009-04-24 06:23 61440 ----a-w c:\windows\system32\drivers\tcrmdeu.sys
2009-04-24 05:44 . 2009-04-24 05:44 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\Malwarebytes
2009-04-24 05:44 . 2009-04-06 07:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 05:44 . 2009-04-06 07:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 05:44 . 2009-04-24 05:44 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-24 05:44 . 2009-04-24 05:44 -------- d-----w c:\programdata\Malwarebytes
2009-04-24 05:44 . 2009-04-24 05:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 01:34 . 2009-04-24 01:34 -------- d-----w c:\program files\Lavasoft
2009-04-24 01:32 . 2009-04-24 01:32 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 01:20 . 2006-06-19 04:01 69632 ----a-w c:\windows\system32\ztvcabinet.dll
2009-04-24 01:20 . 2006-05-25 06:52 162304 ----a-w c:\windows\system32\ztvunrar36.dll
2009-04-24 01:20 . 2005-08-25 16:50 77312 ----a-w c:\windows\system32\ztvunace26.dll
2009-04-24 01:20 . 2003-02-02 11:06 153088 ----a-w c:\windows\system32\UNRAR3.dll
2009-04-24 01:20 . 2002-03-05 16:00 75264 ----a-w c:\windows\system32\unacev2.dll
2009-04-24 01:20 . 2009-04-24 06:21 -------- d-----w c:\program files\Trojan Remover
2009-04-23 15:16 . 2009-04-23 15:16 17 ----a-w c:\windows\popcinfo.dat
2009-04-23 15:08 . 2007-09-17 05:08 22486 --sha-r c:\windows\unins000.ico
2009-04-20 05:15 . 2009-04-20 05:59 -------- d-----w c:\users\All Users\Media Center Programs
2009-04-20 05:15 . 2009-04-20 05:59 -------- d-----w c:\programdata\Media Center Programs
2009-04-20 04:38 . 2009-04-20 04:38 -------- d-----w c:\program files\THQ
2009-04-19 06:06 . 2007-03-07 23:51 129784 ------w c:\windows\system32\pxafs.dll
2009-04-19 06:06 . 2009-04-24 08:39 -------- d-----w c:\program files\Winamp
2009-04-19 01:36 . 2009-04-19 01:36 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-06 07:26 . 2009-04-06 07:33 -------- d-----w c:\users\All Users\Yahoo!
2009-04-06 07:26 . 2009-04-06 07:33 -------- d-----w c:\programdata\Yahoo!
2009-04-06 03:28 . 2007-07-10 06:14 2245000 ------w c:\windows\system32\bgsview.exe
2009-04-06 03:28 . 2007-07-10 06:01 65928 ------w c:\windows\system32\bgsresfr.dll
2009-04-06 03:28 . 2007-07-10 06:01 65928 ------w c:\windows\system32\bgsreses.dll
2009-04-06 03:28 . 2007-07-10 06:01 65928 ------w c:\windows\system32\bgsresde.dll
2009-04-06 03:28 . 2007-07-10 06:01 56200 ------w c:\windows\system32\bgsresen.dll
2009-04-06 03:28 . 2007-07-10 06:00 160136 ------w c:\windows\system32\bgsmsnd.exe
2009-04-06 03:28 . 2007-02-03 04:00 516832 ------w c:\windows\system32\bgscapi.dll
2009-04-06 03:28 . 2007-07-10 06:01 270728 ------w c:\windows\system32\bgstb.dll
2009-04-06 03:28 . 2007-07-10 06:00 57736 ------w c:\windows\system32\bgspmnt.dll
2009-04-06 03:28 . 2007-07-10 06:00 455048 ------w c:\windows\system32\bgsofice.dll
2009-04-06 03:23 . 2007-07-10 06:01 270728 ------w c:\windows\system32\bgstb.dll.delme
2009-04-06 02:45 . 2009-04-06 03:30 -------- d-----w c:\users\reelsyrhc\AppData\Local\pdfMachine
2009-04-06 02:16 . 2009-04-06 02:16 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-05 15:35 . 2009-04-05 15:35 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\DivX
2009-04-05 15:32 . 2009-04-05 15:32 -------- d-----w c:\program files\Common Files\Pinnacle
2009-04-05 14:50 . 2008-11-17 14:38 1673 ----a-w c:\windows\English.lng
2009-04-05 14:50 . 2008-01-25 08:54 303104 ----a-w c:\windows\emunist.exe
2009-04-05 14:30 . 2008-03-06 02:42 530944 ------w c:\windows\system32\drivers\emBDA.sys
2009-04-05 14:30 . 2008-03-06 02:39 106496 ------w c:\windows\system32\emPRP.ax
2009-04-05 14:30 . 2007-04-25 12:42 45696 ------w c:\windows\system32\drivers\emOEM.sys
2009-04-05 14:30 . 2006-11-09 04:50 16382 ------w c:\windows\system32\drivers\merlinC.rom
2009-04-05 14:25 . 2009-04-05 14:25 -------- d-----w c:\users\Public\CyberLink
2009-04-05 14:25 . 2009-04-05 14:25 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\CyberLink
2009-04-03 17:03 . 2009-04-03 17:03 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-28 16:11 . 2009-03-28 16:11 0 ------w c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2009-03-28 16:08 . 2009-03-28 16:08 0 ------w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-03-28 16:06 . 2009-03-28 16:11 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\PC Suite
2009-03-28 16:06 . 2009-03-28 16:11 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\Nokia
2009-03-28 16:06 . 2009-03-28 16:11 -------- d-----w c:\users\All Users\PC Suite
2009-03-28 16:06 . 2009-03-28 16:11 -------- d-----w c:\programdata\PC Suite
2009-03-28 16:05 . 2009-03-28 16:05 -------- d-----w c:\program files\Common Files\PCSuite
2009-03-28 16:05 . 2009-03-28 16:05 -------- d-----w c:\program files\Common Files\Nokia
2009-03-28 16:04 . 2009-03-28 16:04 -------- d-----w c:\program files\DIFX
2009-03-28 16:04 . 2008-08-26 01:26 18816 ------w c:\windows\system32\drivers\pccsmcfd.sys
2009-03-28 16:03 . 2009-03-28 16:04 -------- dc----w c:\windows\system32\DRVSTORE
2009-03-28 16:03 . 2009-03-28 16:03 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-28 16:00 . 2008-09-14 23:56 91136 ------w c:\windows\system32\nmwcdcls.dll
2009-03-28 16:00 . 2009-03-28 16:05 -------- d-----w c:\program files\Nokia
2009-03-28 15:59 . 2009-03-28 15:59 -------- d-----w c:\users\All Users\Installations
2009-03-28 15:59 . 2009-03-28 15:59 -------- d-----w c:\programdata\Installations
2009-03-27 08:16 . 2009-03-27 08:20 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\Red Alert 3 Uprising
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 06:47 . 2009-02-26 02:17 -------- d---a-w c:\programdata\TEMP
2009-04-24 06:23 . 2009-04-24 06:23 682 ----a-w c:\program files\ltmo.txt
2009-04-24 06:12 . 2009-02-14 13:09 81984 ----a-w c:\windows\System32\bdod.bin
2009-04-24 03:10 . 2009-02-26 02:16 -------- d-----w c:\program files\Spyware Doctor
2009-04-24 01:39 . 2008-04-21 07:08 12632 ----a-w c:\windows\System32\lsdelete.exe
2009-04-24 01:34 . 2009-02-15 03:32 -------- d-----w c:\programdata\Lavasoft
2009-04-23 06:55 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-23 06:55 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-20 07:09 . 2009-02-23 12:06 -------- d-----w c:\program files\Groove Games
2009-04-19 06:03 . 2008-06-17 12:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-19 06:00 . 2009-02-20 15:46 -------- d-----w c:\program files\Common Files\Microsoft Games
2009-04-17 12:48 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-13 13:02 . 2008-06-17 14:28 -------- d-----w c:\program files\Common Files\Adobe
2009-04-11 11:14 . 2009-02-28 14:56 -------- d-----w c:\program files\SMART BRO
2009-04-11 10:58 . 2009-02-14 17:55 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\Vso
2009-04-07 00:47 . 2009-02-17 16:30 -------- d-----w c:\programdata\Pinnacle
2009-04-06 07:26 . 2009-02-15 16:05 -------- d-----w c:\program files\Yahoo!
2009-04-05 16:04 . 2009-02-14 08:52 137032 ----a-w c:\users\reelsyrhc\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-05 16:03 . 2008-06-17 14:39 -------- d-----w c:\program files\CyberLink
2009-04-05 15:33 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-05 14:25 . 2009-02-15 00:29 -------- d-----w c:\programdata\CyberLink
2009-03-27 07:37 . 2009-02-14 15:10 -------- d-----w c:\program files\Electronic Arts
2009-03-25 02:59 . 2009-03-25 02:59 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\GTek
2009-03-23 15:13 . 2009-03-23 15:06 -------- d-----w c:\program files\IncrediFace
2009-03-23 15:06 . 2009-03-23 15:06 -------- d--h--w c:\users\reelsyrhc\AppData\Roaming\IFBuilder
2009-03-17 03:38 . 2009-04-16 12:46 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-16 12:46 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 12:46 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-15 16:37 . 2009-03-11 21:00 680 ----a-w c:\users\reelsyrhc\AppData\Local\d3d9caps.dat
2009-03-09 18:27 . 2009-02-15 00:05 -------- d-----w c:\program files\ATI
2009-03-03 04:46 . 2009-04-16 12:46 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 12:46 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-16 12:45 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-16 12:46 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 12:46 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 12:46 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 12:45 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-16 12:46 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 12:46 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-16 12:46 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 03:04 . 2009-04-16 12:46 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 12:46 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-16 12:45 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-01 16:25 . 2009-03-01 15:29 -------- d-----w c:\programdata\FarmFrenzy-PizzaParty
2009-03-01 15:28 . 2009-03-01 15:28 -------- d-----w c:\program files\Alawar
2009-02-28 15:00 . 2009-02-28 15:00 0 ------w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-02-26 02:33 . 2009-02-26 02:17 -------- d-----w c:\program files\Common Files\PC Tools
2009-02-26 02:16 . 2009-02-26 02:16 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\PC Tools
2009-02-26 02:16 . 2009-02-26 02:16 -------- d-----w c:\programdata\PC Tools
2009-02-25 15:00 . 2009-02-25 14:27 -------- d-----w c:\users\reelsyrhc\AppData\Roaming\Red Alert 3
2009-02-25 14:26 . 2009-02-25 14:26 -------- d--h--r c:\users\reelsyrhc\AppData\Roaming\SecuROM
2009-02-25 14:19 . 2009-02-25 14:19 -------- d-----w c:\programdata\Electronic Arts
2009-02-25 14:18 . 2009-02-25 14:18 4378 ------w c:\windows\System32\ealregsnapshot1.reg
2009-02-25 14:16 . 2009-02-25 14:16 -------- d-----w c:\program files\GameSpy
2009-02-22 19:19 . 2008-04-23 10:34 192512 ------w c:\windows\System32\txmlutil.dll
2009-02-21 21:34 . 2009-02-21 21:34 4159 ----a-w c:\windows\unins000.dat
2009-02-21 21:34 . 2009-02-21 21:34 794906 ----a-w c:\windows\unins000.exe
2009-02-20 11:59 . 2009-02-20 10:08 157428 ----a-w c:\windows\hpoins27.dat
2009-02-19 12:27 . 2009-02-19 12:27 603904 ------w c:\windows\System32\TUProgSt.exe
2009-02-19 12:26 . 2009-02-19 12:26 362240 ------w c:\windows\System32\TuneUpDefragService.exe
2009-02-18 18:45 . 2009-02-18 18:45 74703 ------w c:\windows\System32\mfc45.dll
2009-02-15 00:56 . 2009-02-15 00:56 108544 ------w c:\windows\System32\pxcpyi64.exe
2009-02-15 00:56 . 2009-02-15 00:56 109568 ------w c:\windows\System32\pxinsi64.exe
2009-02-15 00:47 . 2009-02-15 00:47 988216 ----a-w c:\windows\System32\winload.exe
2009-02-15 00:47 . 2009-02-15 00:47 927288 ----a-w c:\windows\System32\winresume.exe
2009-02-15 00:47 . 2009-02-15 00:47 6656 ----a-w c:\windows\System32\kbd106n.dll
2009-02-15 00:47 . 2009-02-15 00:47 46592 ----a-w c:\windows\System32\setbcdlocale.dll
2009-02-15 00:47 . 2009-02-15 00:47 40960 ----a-w c:\windows\System32\srclient.dll
2009-02-15 00:47 . 2009-02-15 00:47 378368 ----a-w c:\windows\System32\srcore.dll
2009-02-15 00:47 . 2009-02-15 00:47 318464 ----a-w c:\windows\System32\rstrui.exe
2009-02-15 00:47 . 2009-02-15 00:47 19000 ----a-w c:\windows\System32\kd1394.dll
2009-02-15 00:47 . 2009-02-15 00:47 14848 ----a-w c:\windows\System32\srdelayed.exe
2009-02-15 00:47 . 2009-02-15 00:47 615992 ----a-w c:\windows\System32\ci.dll
2009-02-15 00:04 . 2009-02-15 00:04 87328 ------w c:\windows\System32\bcmwlcoi.dll
2009-02-15 00:04 . 2009-02-15 00:04 3141632 ------w c:\windows\System32\bcmihvui.dll
2009-02-15 00:04 . 2009-02-15 00:04 3481600 ------w c:\windows\System32\bcmihvsrv.dll
2009-02-14 17:55 . 2009-02-14 17:55 47360 ----a-w c:\users\reelsyrhc\AppData\Roaming\pcouffin.sys
2009-02-14 10:00 . 2009-02-14 10:01 410984 ------w c:\windows\System32\deploytk.dll
2009-02-13 08:49 . 2009-04-16 12:46 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-16 12:46 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-09 18:56 . 2009-02-19 16:05 67584 ------w c:\windows\System32\ff_vfw.dll
2009-02-09 03:10 . 2009-03-11 19:04 2033152 ----a-w c:\windows\System32\win32k.sys
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-01 15:2008-08-13 11:02 14:41 . c:\program files\mozilla firefox\components\FFComm.dll
2009-01-01 10:17 . 2009-02-15 00:41 22 --sha-w c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2008-02-14 06:54 1555480 ----a-w c:\program files\free-downloads.net\tbfree.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-31 217088]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-16 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-07-10 160136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1BC44168-3862-437E-A160-89C148E6D074}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{E016A0CC-B6ED-49A6-9233-8C28820700B1}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{F7DD4F01-A161-4B24-9531-1CAE6BC1BCF4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{90AB0BE1-1B0B-4CB5-9689-2B757BF05E17}"= UDP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutLauncher.exe:Burnout Paradise The Ultimate Box
"{5B54CDC5-8FCF-4539-989D-3F6A35460019}"= TCP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutLauncher.exe:Burnout Paradise The Ultimate Box
"{E22E26AF-1B2D-40CD-BB84-91170C1D3D37}"= UDP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutConfigTool.exe:Burnout Paradise The Ultimate Box
"{1E174BBD-5D6F-41C4-971B-277302088A07}"= TCP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutConfigTool.exe:Burnout Paradise The Ultimate Box
"{37D97131-5E8C-4F55-AB59-C2F88A982DED}"= UDP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutParadise.exe:Burnout Paradise The Ultimate Box
"{6073BC88-C979-49FB-9CF5-A9588A41FA3C}"= TCP:c:\program files\Electronic Arts\Burnout Paradise The Ultimate Box\BurnoutParadise.exe:Burnout Paradise The Ultimate Box
"{FF08E0E8-E206-4675-8075-0D4A46412792}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{BFC934DF-8A01-4E6C-A117-6656E0E66014}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{2FC1A07F-D801-4F78-B49C-29F0F31DA5E5}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{85BD23E4-007F-4F81-8585-A985DC21543C}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{3ACF44F0-C8E6-420F-941E-12BB9507D99E}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{A3297D0F-D0AE-43B1-AB12-4E1AB85C1D96}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{4B6D1361-89AB-462A-B7D4-F32AE82782AF}c:\\users\\default\\appdata\\local\\temp\\flgpxtryd\\flashget.exe"= UDP:c:\users\default\appdata\local\temp\flgpxtryd\flashget.exe:FlashGet
"UDP Query User{FD30E3C2-20D6-4820-A926-4492B6BAE14F}c:\\users\\default\\appdata\\local\\temp\\flgpxtryd\\flashget.exe"= TCP:c:\users\default\appdata\local\temp\flgpxtryd\flashget.exe:FlashGet
"{BF50F2D9-5126-4262-8260-39855A5E7C4F}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{94C2E092-BBC8-4805-9788-A1B625106DAA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{32F4351A-3B36-40AC-897E-12AA75F7E389}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{E326FE40-4563-4078-A2EF-5540F90836D8}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{E9F62EC5-B936-471F-92E6-08C522C360B7}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{DD46A31B-2D36-44CF-A257-53360BDC0429}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{C99BE805-4562-4B81-A062-3BABC4425DD2}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{BF065C5E-8396-41AD-8229-1CA651841814}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{A4F7BB75-9D9A-4E5E-AE4B-465465BD8BB3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{6DF45E7F-D9C4-4419-855C-E671367E3084}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{5B9B9F1F-A33F-4855-A251-1894A19ECCD3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{E2E02092-5A67-4DC0-AAC9-46363EAF1743}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{F402AC82-8B4C-42C2-9344-2A569172B552}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= UDP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"UDP Query User{9846EDF4-435C-4A84-87C9-2692DF98A721}c:\\program files\\camfrog\\camfrog video chat\\camfrog video chat.exe"= TCP:c:\program files\camfrog\camfrog video chat\camfrog video chat.exe:Camfrog Client Module
"TCP Query User{8FBA7091-11A2-4B86-815D-0FDADC22CA50}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{89BBC4FE-9316-4B29-BA70-D8B15090FF7A}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{250D5514-3B3D-404B-A77C-65D194ECF9D5}c:\\users\\default\\appdata\\local\\temp\\flgpxtryd\\flashget.exe"= UDP:c:\users\default\appdata\local\temp\flgpxtryd\flashget.exe:FlashGet
"UDP Query User{0BEB1582-9A9F-447C-8B32-042B97371B6A}c:\\users\\default\\appdata\\local\\temp\\flgpxtryd\\flashget.exe"= TCP:c:\users\default\appdata\local\temp\flgpxtryd\flashget.exe:FlashGet
"{5656B589-0F40-4021-BBE3-2437E2026636}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-02-23 130424]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-12-09 20392]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_04e021df\aestsrv.exe [2008-02-12 73728]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2009-01-09 81920]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-25 361808]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-19 603904]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2009-02-22 111112]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-07 85136]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
*Deregistered* - PCTSDInjDriver32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
\shell\Open\command - RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
\shell\Open\command - RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85468514-fef0-11dd-92ca-00218671afe8}]
\shell\AutoRun\command - H:\Autoplay.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85abd778-1943-11de-9379-001eeca4cf43}]
\shell\auto\command - G:\Scrap
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Scrap
\shell\explore\command - G:\Scrap
\shell\open\command - G:\Scrap
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-04-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 08:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_sg&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_sg&c=83&bd=Presario&pf=cnnb
IE: &Download All with FlashGet - c:\documents and settings\Default User\Local Settings\Temp\flgpxtryd\jc_all.htm
IE: &Download with FlashGet - c:\documents and settings\Default User\Local Settings\Temp\flgpxtryd\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\reelsyrhc\AppData\Roaming\Mozilla\Firefox\Profiles\y5u0rbbk.default\
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 17:49
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\ovfsthxpdpyeqqo.sys 83456 bytes executable <==========================?
c:\windows\system32\drivers\ovfsthxqvipwpfi.sys 83456 bytes executable
c:\users\REELSY~1\AppData\Local\Temp\ovfsthxfivpvyrsyx.tmp 132096 bytes executable
c:\users\REELSY~1\AppData\Local\Temp\ovfsthxfjisxjockh.tmp 132096 bytes executable
c:\windows\system32\ovfsthxjdtbnefx.dat 341229 bytes
c:\windows\system32\ovfsthxmpysmgov.dat 43 bytes
c:\windows\system32\ovfsthxoipydnec.dat 43 bytes
c:\windows\system32\ovfsthxyivnempq.dat 1271 bytes
scan completed successfully
hidden files: 8
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxicdeob]
"imagepath"="\systemroot\system32\drivers\ovfsthxpdpyeqqo.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxumpdnhev]
"imagepath"="\systemroot\system32\drivers\ovfsthxqvipwpfi.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-04-24 17:53
ComboFix-quarantined-files.txt 2009-04-24 09:53
Pre-Run: 47,272,456,192 bytes free
Post-Run: 51,262,201,856 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
417 --- E O F --- 2009-04-17 12:42
======================
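The log above already carries the indicators a responder would pull out first: the catchme section lists eight hidden files that all share the prefix ovfsthx, the two registry services ovfsthxfxicdeob and ovfsthxumpdnhev have their ImagePath set to two of those hidden .sys files, the mountpoints2 keys for G: and H: run a RECYCLER\S-2-4-81-...2770.com file from a removable drive, and three Security Center keys have DisableMonitoring set. As an added example (not part of the original post, and not code from ComboFix or BitDefender), the Python script below extracts exactly those items from a ComboFix log and groups the hidden files by their shared prefix. The excerpt it runs on is constructed from lines of the log above; the regular expressions assume the text layout ComboFix printed there (a `[HKEY_...]` line introducing each registry dump, catchme's hidden-file list between "scanning hidden files" and "scan completed").

```python
"""Pull first-look indicators out of a ComboFix log (added example, not ComboFix code).

Extracted: files catchme reported as hidden, services whose ImagePath is one of
those hidden files, AutoRun/Open hooks under explorer\mountpoints2, and Security
Center keys with DisableMonitoring set. Layout assumptions follow the log above.
"""
import re

# Constructed sample: a trimmed excerpt of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
\shell\Open\command - RECYCLER\S-2-4-81-100009356-100030156-100021876-2770.com h:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85468514-fef0-11dd-92ca-00218671afe8}]
\shell\AutoRun\command - H:\Autoplay.exe
scanning hidden files ...
c:\windows\system32\drivers\ovfsthxpdpyeqqo.sys 83456 bytes executable
c:\windows\system32\drivers\ovfsthxqvipwpfi.sys 83456 bytes executable
c:\users\REELSY~1\AppData\Local\Temp\ovfsthxfivpvyrsyx.tmp 132096 bytes executable
c:\windows\system32\ovfsthxjdtbnefx.dat 341229 bytes
c:\windows\system32\ovfsthxmpysmgov.dat 43 bytes
scan completed successfully
hidden files: 5
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxicdeob]
"imagepath"="\systemroot\system32\drivers\ovfsthxpdpyeqqo.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxumpdnhev]
"imagepath"="\systemroot\system32\drivers\ovfsthxqvipwpfi.sys"
"""

HIDDEN_FILE_RE = re.compile(r"^([A-Za-z]:\\\S+?)\s+(\d+) bytes( executable)?")
REG_KEY_RE = re.compile(r"^\[(HK[A-Z_]*\\[^\]]+)\]")           # [HKEY_...] or [HKLM\...]
SHELL_CMD_RE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
IMAGEPATH_RE = re.compile(r'^"imagepath"="(.+)"$', re.I)
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def common_prefix(names):
    """Longest prefix shared by every name ('' when there is none)."""
    if not names:
        return ""
    prefix = names[0]
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
            if not prefix:
                return ""
    return prefix


def triage(log_text):
    hidden, services, autoruns, monitoring_off = [], [], [], []
    in_hidden = False          # inside catchme's hidden-file list
    current_key = ""           # registry key of the dump we are reading
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("scanning hidden files"):
            in_hidden = True
            continue
        if low.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_FILE_RE.match(line)       # trailing "<==" markers are ignored
            if m:
                hidden.append((m.group(1), int(m.group(2)), bool(m.group(3))))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        key_l = current_key.lower()
        leaf = current_key.rsplit("\\", 1)[-1]   # service name / mount point id
        if "\\services\\" in key_l:
            m = IMAGEPATH_RE.match(line)
            if m:
                services.append((leaf, m.group(1)))
        elif "mountpoints2" in key_l:
            m = SHELL_CMD_RE.match(line)
            if m:
                autoruns.append((leaf, m.group(1), m.group(2)))
        elif "security center\\monitoring" in key_l and DISABLE_MON_RE.match(line):
            monitoring_off.append(current_key)

    hidden_names = sorted({basename(p) for p, _, _ in hidden})
    # A service whose ImagePath is a file the scanner could not see normally
    # is a hidden driver being loaded at boot: the top finding in this log.
    hidden_drivers = [(s, p) for s, p in services if basename(p) in hidden_names]
    return {
        "hidden_files": hidden,
        "hidden_prefix": common_prefix(hidden_names),
        "hidden_driver_services": hidden_drivers,
        "autorun_hooks": autoruns,
        "monitoring_disabled": monitoring_off,
    }


def findings(report):
    """Human-readable one-liners, most important first."""
    out = [f"hidden kernel driver loaded by service {s}: {p}"
           for s, p in report["hidden_driver_services"]]
    if report["hidden_prefix"] and len(report["hidden_files"]) > 1:
        out.append(f"{len(report['hidden_files'])} hidden files share prefix "
                   f"'{report['hidden_prefix']}' (randomised family-style naming)")
    out += [f"mountpoints2 {k} {v} runs {c}" for k, v, c in report["autorun_hooks"]]
    out += [f"Security Center monitoring disabled under {k}"
            for k in report["monitoring_disabled"]]
    return out
```

Feed it the whole log above (`triage(open("combofix.txt").read())`) and the output names the ovfsthx* services loading the two hidden .sys files, the eight hidden files behind the ovfsthx prefix, every autorun hook under mountpoints2, and the three DisableMonitoring keys; these locations, rather than the single file BitDefender keeps deleting, are what a cleanup has to address.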
Comments
Hi
It is going to the System Restore folder. Disable and re-enable System Restore to delete the trojan permanently.
Hi, can you teach me how to disable and enable System Restore?
Many thanks
Hi,
I tried disabling System Restore, and after I rebooted it is still found by BitDefender Antivirus 2009,
which repeatedly deleted it; after that I rebooted again, but it is still the same.
Please help.
Many thanks.
Hi
What is the location of the trojan when BD detects it?
Hemanth
I have the same problem; has someone found a solution?
Thanks in advance.
I suspect this trojan was installed when you installed LimeWire, and it is launched at startup after LimeWire was uninstalled, asking you to reinstall LimeWire again.
Anyway, I don't know how to delete the trojan if BitDefender cannot do it.