Thread: hijacked by something
- 04-06-2012 01:23 AM #1
Hi Guys.
Got some weird happenings: started off with some browser redirects, then browser buttons not working, e.g. the Google Search button does nothing but I'm Feeling Lucky does.
Now at startup everything freezes up and I can only access it via Safe Mode.
My anti-virus is Trojan Killer, hope it's OK.
Running Windows XP SP3.
Hope you can help. Here are the logs.
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Generated 04/06/2012 at 12:08 PM
Application Version : 5.0.1146
Core Rules Database Version : 8424
Trace Rules Database Version: 6236
Scan type : Complete Scan
Total Scan Time : 00:50:45
Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator
Memory items scanned : 285
Memory threats detected : 0
Registry items scanned : 34570
Registry threats detected : 6
File items scanned : 58471
File threats detected : 121
Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
HKU\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
Adware.Tracking Cookie
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@ad.sensismediasmart.com[1].txt [ /ad.sensismediasmart.com ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@ad2.doublepimp[1].txt [ /ad2.doublepimp ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@ads.adultadvertising[2].txt [ /ads.adultadvertising ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@adxpose[1].txt [ /adxpose ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@apmebf[1].txt [ /apmebf ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@ar.atwola[1].txt [ /ar.atwola ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@at.atwola[2].txt [ /at.atwola ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@doubleclick[2].txt [ /doubleclick ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@doubleclick[3].txt [ /doubleclick ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@ero-advertising[1].txt [ /ero-advertising ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@imrworldwide[2].txt [ /imrworldwide ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@media.sensis.com[2].txt [ /media.sensis.com ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@openx.altaporn[2].txt [ /openx.altaporn ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@partyaccount[1].txt [ /partyaccount ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@partypoker[2].txt [ /partypoker ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@pornhub[1].txt [ /pornhub ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@pornhub[2].txt [ /pornhub ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@rts.pgmediaserve[1].txt [ /rts.pgmediaserve ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@secure.partyaccount[1].txt [ /secure.partyaccount ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@statcounter[1].txt [ /statcounter ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@statcounter[2].txt [ /statcounter ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@tacoda.at.atwola[1].txt [ /tacoda.at.atwola ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@www.partypoker[1].txt [ /www.partypoker ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@www.pornhub[1].txt [ /www.pornhub ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@www.pornhub[2].txt [ /www.pornhub ]
C:\Documents and Settings\Mick Warren\Cookies\mick_warren@www.pornrabbit[1].txt [ /www.pornrabbit ]
C:\Documents and Settings\Mick Warren\Cookies\61U8IZKE.txt [ /ad.yieldmanager.com ]
C:\Documents and Settings\Mick Warren\Cookies\RTCHOWU5.txt [ /2o7.net ]
C:\Documents and Settings\Mick Warren\Cookies\K4WXKWXM.txt [ /australiapost.122.2o7.net ]
C:\Documents and Settings\Mick Warren\Cookies\7L3L0FIY.txt [ /revsci.net ]
C:\Documents and Settings\Mick Warren\Cookies\QKWEQ0Y2.txt [ /imrworldwide.com ]
C:\Documents and Settings\Mick Warren\Cookies\Q9ESULMI.txt [ /click.get-answers-fast.com ]
C:\Documents and Settings\Mick Warren\Cookies\DJR6FCGZ.txt [ /doubleclick.net ]
C:\Documents and Settings\Mick Warren\Cookies\U0L503D5.txt [ /serving-sys.com ]
C:\Documents and Settings\Mick Warren\Cookies\B9O11774.txt [ /msnportal.112.2o7.net ]
C:\Documents and Settings\Mick Warren\Cookies\TBMSYK0T.txt [ /statse.webtrendslive.com ]
C:\Documents and Settings\Mick Warren\Cookies\N3DZYQ7Q.txt [ /cba.122.2o7.net ]
C:\Documents and Settings\Mick Warren\Cookies\PPA6DOYX.txt [ /atdmt.com ]
C:\Documents and Settings\Mick Warren\Cookies\X17DDNB0.txt [ /overture.com ]
C:\Documents and Settings\Mick Warren\Cookies\HZLMB8EG.txt [ /findgala.com ]
C:\Documents and Settings\Mick Warren\Cookies\Y4JELVY7.txt [ /c.atdmt.com ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.WARREN\Cookies\QMTD21ZM.txt [ Cookie:administrator@atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.WARREN\Cookies\CL6K93AV.txt [ Cookie:administrator@2o7.net/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.WARREN\Cookies\UHFP2I3L.txt [ Cookie:administrator@interclick.com/ ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.WARREN\Cookies\6VSTVRJF.txt [ Cookie:administrator@fastclick.net/ ]
C:\DOCUMENTS AND SETTINGS\MICK WARREN\Cookies\3QL0T9TT.txt [ Cookie:mick warren@auspost.com.au/track/ ]
acvs.mediaonenetwork.net [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
assets.porn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
banners.securedataimages.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
bc.youporn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
cdn-www.pornhub.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
cdn1.image.freeporn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
cdn1.static.pornhub.phncdn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
cdn1.static1.pornrabbit.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
cdn5.specificclick.net [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
content.yieldmanager.edgesuite.net [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
files.youporn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
gallys.legsex.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
h2porn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
hornyheaven4u.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
macromedia.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
media.khou.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
media.perthnow.com.au [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
media.scanscout.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
media1.shufuni.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
pornotube.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
rmd.atdmt.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
secure-uk.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
stat.easydate.biz [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
stat.ed.cupidplc.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
static.freecamsexposed.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
static.youporn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
staticedge.hardsextube.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
vidii.hardsextube.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
www.8teenxxx.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Alpha Porno - Free XXX porn TUBE MOVIES. Free Sex Video [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
www.hornyheaven4u.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Free Porn Videos, Porn Tube Movies, Sex Tube Videos, XXX Sex Clips [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
LegSex.com - Home of Foot Fetish Enthusiasts and Slutty Leg Girls [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
www.naiadsystems.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Free Sex Videos - Hot Sex Movies - Free Porn Tube [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Free Porn Videos & Sex Movies - Porno, XXX, Porn Tube and Pussy Porn [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Porn Movies | Sex tube | XXX Videos | Free Adult Clips - Pornicom.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
PornoTube.com - Age Verification - Free Porn Videos, Sex Movies - Adult Videos, Tits, Pussy, XXX [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Free Porn Movies | PornTube.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
Sexy Videos Tube - Sexier than the other Tube :-) [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
wwwstatic.megaporn.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\82X4JB9J ]
.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.content.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.questionmarket.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.questionmarket.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.questionmarket.com [ C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
acvs.mediaonenetwork.net [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
atdmt.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
c2.zedo.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
media.resulthost.org [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
media.tattomedia.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
mediaonenetwork.net [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
oddcast.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
spe.atdmt.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
speed.pointroll.com [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
SoundClick - Free MP3 music download and much, much more. [ C:\DOCUMENTS AND SETTINGS\WARREN\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\2NGQNSYA ]
Trojan.Agent/Gen-Rimecud
C:\DOCUMENTS AND SETTINGS\MICK WARREN\LOCAL SETTINGS\TEMP\SDM143\RESOURCEDLL.DLL
PUP.MyWebSearch
========================================
Malwarebytes Anti-Malware 1.60.1.1000
Malwarebytes : Free anti-malware, anti-virus and spyware removal download
Database version: v2012.04.02.01
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Mick Warren :: WARREN [administrator]
6/04/2012 12:53:01 PM
mbam-log-2012-04-06 (12-53-01).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 397436
Time elapsed: 34 minute(s), 32 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:35:09 AM, on 6/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\IProsetMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.25:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\prxtbZyn2.dll (file missing)
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Trojan Killer] "C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe" 0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (file missing)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (file missing)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...nAxControl.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intel(R) PROSet Monitoring Service - Intel Corporation - C:\WINDOWS\system32\IProsetMonitor.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 8826 bytes
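The logs above contain the actual hijack indicators a triager looks for: the findgala.com SearchScopes URL written into every user hive, a ProxyServer entry in the HKCU Internet Settings (which could be a legitimate LAN proxy but also explains redirects if it is not expected), toolbar entries whose DLL is missing, and a third-party program registered to run under the LOCAL SERVICE account. As an added example that is not part of this thread or of HijackThis, SUPERAntiSpyware or any other tool named here, the following Python script reads HijackThis-format lines and flags those patterns. The sample lines are copied from the log posted above, plus one constructed "Search Page" line carrying the findgala.com URL that SUPERAntiSpyware reported; the known-good host list is an assumption, and everything flagged is marked for review rather than treated as proof of infection.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0.4 log format. All lines except the
# "Search Page" one are copied from the log posted in this thread; the Search
# Page line is constructed from the findgala.com URL that SUPERAntiSpyware
# reported in the SearchScopes keys, so the script has a hijacked URL to flag.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.25:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://findgala.com/?&uid=8039&q={searchTerms}
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\prxtbZyn2.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'LOCAL SERVICE')
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumption: hosts a default IE start/search page may legitimately point at.
KNOWN_GOOD_HOSTS = {"msn.com", "www.msn.com", "bing.com", "www.bing.com",
                    "go.microsoft.com", "www.google.com"}
# Well-known service-account SIDs (LOCAL SERVICE, NETWORK SERVICE).
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
EXE_PATH_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O3"
    severity: str  # "info" | "review" | "suspicious"
    reason: str
    line: str


def check_r_entry(sec, body, line):
    """R0/R1: IE start/search pages and proxy settings."""
    key, _, value = body.partition("=")
    name, value = key.strip().rsplit(",", 1)[-1], value.strip()
    if name == "ProxyServer" and value:
        return Finding(sec, "review", f"proxy configured: {value} "
                       "(confirm it is the expected LAN proxy; an unexpected "
                       "proxy explains browser redirects)", line)
    if value.lower().startswith(("http://", "https://")):
        host = urlparse(value).hostname or ""
        if host not in KNOWN_GOOD_HOSTS:
            return Finding(sec, "suspicious",
                           f"{name} points at unrecognised host {host}", line)
    return None


def check_bho_toolbar(sec, body, line):
    """O2/O3: BHOs and toolbars whose DLL no longer exists are orphans,
    typically left behind by removed adware or bundled toolbars."""
    if "(no file)" in body or "(file missing)" in body:
        return Finding(sec, "review",
                       "orphaned entry: registered but DLL is missing", line)
    return None


def check_run_entry(sec, body, line):
    """O4: a non-Windows program set to auto-run under a service account."""
    if any(f"HKUS\\{sid}\\" in body for sid in SERVICE_SIDS):
        m = EXE_PATH_RE.search(body)
        path = m.group(1) if m else ""
        if path and not path.lower().startswith("c:\\windows\\"):
            return Finding(sec, "suspicious",
                           f"non-Windows program set to run under a service "
                           f"account: {path}", line)
    return None


def check_service(sec, body, line):
    """O23: services with no identifiable vendor deserve a look."""
    if " - Unknown owner - " in body:
        return Finding(sec, "info", "service with unknown vendor; verify the binary", line)
    return None


CHECKS = {"R0": check_r_entry, "R1": check_r_entry,
          "O2": check_bho_toolbar, "O3": check_bho_toolbar,
          "O4": check_run_entry, "O23": check_service}


def analyze(log_text):
    """Return the findings for every recognised line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        if check:
            f = check(m.group("sec"), m.group("body"), raw.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HJT_LOG):
        print(f"[{f.severity:<10}] {f.section}: {f.reason}\n    {f.line}")
```

Run it on a saved HijackThis log by passing its text to `analyze()`; the "review" items are what a helper would ask the poster about (is 192.168.0.25 really your proxy?), and the "suspicious" ones are the entries to fix or remove once the machine is cleaned.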
- 04-06-2012 06:41 PM #2
Hi mick warren,
Welcome to Help2Go!
We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Quote: "My anti-virus is Trojan Killer hope its OK."
Truly...I had never heard of Trojan Killer by GridinSoft till now. I took it upon myself to do some research on the software and just can't find anything nice to say about it. A majority of the sites that link you to the download are very suspicious. A couple of security experts even considered it a rogue program.
My personal recommendation would be to get rid of it and not take the chance, then install a well known AV software such as Microsoft Security Essentials.
If you choose to do so, select the enus\x86\mseinstall.exe 32-bit free download (7.7MB in size) found under Files at the link above.
Download the setup file to your desktop but DO NOT install it till after you uninstall Trojan Killer by GridinSoft.
Next:
Please perform the following scans so our expert can have a look before we proceed:
DDS
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.
GMER
Please download GMER from one of the following locations and save it to your desktop:
- Main Mirror: this version will download a randomly named file (Recommended)
- Zipped Mirror: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
- Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and re-enable all active protection when done.
Thank you!
I am currently taking a degree in Malware Removal, and during this time, it is not appropriate for me to offer any assistance in the analysis of or the removal of Malware without the assistance of my instructor. Thank you for understanding.
If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can alleviate time consumed in trouble shooting your current computer problems.
If your problem is solved, here's how to say thanks!
Very proud parent of a U.S. Navy C.B.
"People may forget what you say,
People may forget what you did,
but People will never forget how you made them feel!"
- 04-07-2012 08:28 AM #3
Hi Donna,
Thanks for the speedy reply.....no seriously..I would never have expected anyone to pick it up for at least 48 hrs! So there you go, you have blown me away!
Trojan Killer was installed maybe 4 or 5 months back when I got a bad trojan or worm, can't quite remember. I couldn't find Kevin at KRC anymore, so I actually got suckered into buying that program.....what can I say ... I was desperate...anyway it did what I needed it to at that time.
When I ran GMER it only appeared to scan my C:/
Trojan Killer is now history and MSE installed, your further instructions c/o logs follow.
Thanks once more
Mick Warren
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mick Warren at 9:34:30 on 2012-04-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.335 [GMT 8:00]
.
AV: Malware Protection Center *Enabled/Updated* {DB6EEB75-16F3-4FB0-9277-14BBA06AF5F2}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Malware Protection Center *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.0.25:80
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Trojan Killer] "c:\program files\gridinsoft trojan killer\trojankiller.exe" 0
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\mick warren\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D7D0C876-3569-40BF-882A-6F179F662BAA} : DhcpNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-13 652872]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2011-7-29 56424]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-13 20464]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-7 135664]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-7 135664]
S4 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-7-10 112800]
.
=============== Created Last 30 ================
.
2012-04-07 01:24:46 6582328 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{fec44d9b-4008-482f-9f22-e0404e58af1a}\mpengine.dll
2012-04-07 01:24:39 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-07 01:19:28 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-06 02:58:28 -------- d-----w- c:\documents and settings\mick warren\application data\SUPERAntiSpyware.com
2012-04-06 02:57:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-06 02:57:17 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2012-04-06 02:54:45 15770528 ----a-w- c:\program files\SUPERAntiSpyware.exe
2012-04-06 01:34:40 388096 ----a-r- c:\documents and settings\mick warren\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-06 01:34:39 -------- d-----w- c:\program files\Trend Micro
2012-04-02 00:36:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-02 00:36:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 00:35:41 -------- d-----w- c:\program files\iPod
2012-04-02 00:35:40 -------- d-----w- c:\program files\iTunes
2012-03-27 14:32:10 -------- d-----w- c:\program files\iPod(2)
2012-03-27 14:32:07 -------- d-----w- c:\program files\iTunes(2)
2012-03-26 10:54:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-25 16:11:32 -------- d-----w- c:\documents and settings\mick warren\application data\PC Cleaners
2012-03-25 16:11:27 -------- d-----w- c:\documents and settings\mick warren\application data\PCPro
2012-03-25 16:11:25 -------- d-----w- c:\program files\PC Cleaners
2012-03-11 08:13:08 -------- d-----w- c:\documents and settings\mick warren\application data\PC-FAX TX
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 9:36:22.37 ===============
GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-07 15:03:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD2500JS-75NCB1 rev.10.02E01
Running: fcx36r0k.exe; Driver: C:\DOCUME~1\MICKWA~1\LOCALS~1\Temp\uxtdqpog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE572640]
---- Kernel code sections - GMER 1.0.15 ----
.text atapi.sys F743B852 1 Byte [CC] {INT 3 }
? C:\DOCUME~1\MICKWA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2692] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[3672] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \Fat ADBC8D20
AttachedDevice \FileSystem\Fastfat \Fat InCDRec.sys (InCD File System Recognizer/Nero AG)
---- Threads - GMER 1.0.15 ----
Thread System [4:156] 86E6239F
Thread System [4:580] 868E40F4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\Temp\TMP0000BEE2CE627C7BF55FE212 0 bytes
---- EOF - GMER 1.0.15 ----
- 04-08-2012 12:00 AM #4
Hi Mick,
You're very welcome. After discussing your scans with our expert I will have to turn your thread over to him so he can guide you further in the cleansing process since I am still in training. Your patience is truly appreciated.
Thanks for the speedy reply..... no seriously.. I would never have expected anyone to pick it up for at least 48 hrs! So there you go, you have blown me away!
Thank you,
Donna
I am currently taking a degree in Malware Removal, and during this time, it is not appropriate for me to offer any assistance in the analysis of or the removal of Malware without the assistance of my instructor. Thank you for understanding.
If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can alleviate time consumed in trouble shooting your current computer problems.
If your problem is solved, here's how to say thanks!
Very proud parent of a U.S. Navy C.B.
"People may forget what you say,
People may forget what you did,
but People will never forget how you made them feel!"
- 04-09-2012 05:55 PM #5 Member, Spyware Fighter
Hello,
Welcome to Help2Go I will be assisting you with your malware removal.
1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
- Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
- If TDSSKiller does not run, try renaming it.
- To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
- Click the Start Scan button.
- Do not use the computer during the scan
- If the scan completes with nothing found, click Close to exit.
- If malicious objects are found, they will show in the Scan results (Select action for found objects) and offer three options.
- Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
- A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
- Copy and paste the contents of that file in your next reply.
2.
Install Recovery Console and Run ComboFix
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
- Close any open windows, including this one.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- If you did not have it installed, you will see the prompt below. Choose YES.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
Things to include in your next reply:
TDSSKiller log
ComboFix.txt
How is your machine running now?
"Extinguishing Malware from the world"
The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-
- 04-11-2012 03:10 PM #6 Member
tdss
[InfectedObject]
Verdict: Virus.Win32.Rloader.a
[InfectedObject]
Type: Service
Name: ACPI
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: system32\DRIVERS\ACPI.sys
Suspicious states: Forged file;
ComboFix 12-04-09.06 - Mick Warren 10/04/2012 21:23:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.452 [GMT 8:00]
Running from: c:\documents and settings\Mick Warren\Desktop\ComboFix.exe
AV: Malware Protection Center *Enabled/Updated* {DB6EEB75-16F3-4FB0-9277-14BBA06AF5F2}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Malware Protection Center *Enabled* {2648C9A4-4ECE-4F2E-95A7-78DAC514615F}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\a22e0b
c:\documents and settings\All Users.WINDOWS\Application Data\a22e0b\4641.mof
c:\documents and settings\All Users.WINDOWS\Application Data\a22e0b\BackUp\Microsoft Office.lnk
c:\documents and settings\All Users.WINDOWS\Application Data\a22e0b\MPC.ico
c:\documents and settings\Mick Warren\Recent\DBOLE.tmp
c:\documents and settings\Mick Warren\Recent\delfile.exe
c:\documents and settings\Mick Warren\Recent\FS.dll
c:\documents and settings\Mick Warren\Recent\FW.exe
c:\documents and settings\Mick Warren\Recent\FW.sys
c:\documents and settings\Mick Warren\Recent\gid.dll
c:\documents and settings\Mick Warren\Recent\hymt.tmp
c:\documents and settings\Mick Warren\Recent\kernel32.tmp
c:\documents and settings\Mick Warren\Recent\runddlkey.sys
c:\documents and settings\Mick Warren\Recent\SM.sys
c:\documents and settings\Mick Warren\Recent\snl2w.dll
c:\documents and settings\Mick Warren\Recent\snl2w.drv
c:\documents and settings\Mick Warren\Recent\snl2w.tmp
c:\documents and settings\Mick Warren\Recent\tempdoc.exe
c:\documents and settings\Warren\My Documents\$AP29D.tmp
c:\documents and settings\Warren\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-10 12:59 . 2012-04-10 12:59 711240 ----a-w- c:\windows\is-CK6M3.exe
2012-04-10 00:10 . 2012-04-10 00:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-09 12:56 . 2012-03-13 11:15 6582328 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C2E0F8A3-E395-488C-BFA5-1AB37A0E56ED}\mpengine.dll
2012-04-07 18:00 . 2012-03-13 11:15 6582328 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-07 17:52 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-04-07 17:52 . 2009-08-06 11:23 215920 ----a-w- c:\windows\system32\muweb.dll
2012-04-07 01:24 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-04-07 01:19 . 2012-04-07 01:20 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-06 02:58 . 2012-04-06 02:58 -------- d-----w- c:\documents and settings\Mick Warren\Application Data\SUPERAntiSpyware.com
2012-04-06 02:57 . 2012-04-06 02:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-06 02:57 . 2012-04-06 02:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2012-04-06 01:34 . 2012-04-06 01:34 388096 ----a-r- c:\documents and settings\Mick Warren\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-06 01:34 . 2012-04-06 01:34 -------- d-----w- c:\program files\Trend Micro
2012-04-02 00:36 . 2012-04-02 00:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 00:35 . 2012-04-02 00:35 -------- d-----w- c:\program files\iPod
2012-04-02 00:35 . 2012-04-02 00:36 -------- d-----w- c:\program files\iTunes
2012-03-26 10:54 . 2012-03-26 10:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-25 16:11 . 2012-03-25 16:11 -------- d-----w- c:\documents and settings\Mick Warren\Application Data\PC Cleaners
2012-03-25 16:11 . 2012-03-25 16:11 -------- d-----w- c:\documents and settings\Mick Warren\Application Data\PCPro
2012-03-25 16:11 . 2012-03-25 16:40 -------- d-----w- c:\program files\PC Cleaners
2012-03-25 13:21 . 2012-03-25 13:21 -------- d-----w- c:\documents and settings\Administrator.WARREN\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-10 00:23 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-04 07:56 . 2011-02-13 04:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 05:50 3072 ------w- c:\windows\system32\iacenc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-09-01 1408872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"InnoSetupRegFile.0000000001"="c:\windows\is-CK6M3.exe" [2012-04-10 711240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2011-06-22 4837808]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 12:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 5:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 7:38 AM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/02/2011 12:52 PM 652872]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [29/07/2011 7:56 AM 56424]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/02/2011 12:52 PM 22344]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/04/2010 9:52 PM 135664]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/04/2010 9:52 PM 135664]
S4 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [10/07/2011 9:54 PM 112800]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 29070268
*Deregistered* - 29070268
*Deregistered* - uxtdqpog
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 09:57]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-07 13:52]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-07 13:52]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-115176313-1801674531-1003Core.job
- c:\documents and settings\Mick Warren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-10 10:20]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-115176313-1801674531-1003UA.job
- c:\documents and settings\Mick Warren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-10 10:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.0.25:80
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - c:\program files\Zynga\prxtbZyn2.dll
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\prxConduitEngine.dll
HKCU-Run-Trojan Killer - c:\program files\GridinSoft Trojan Killer\trojankiller.exe
SafeBoot-63969059.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-10 21:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-10 21:32:46
ComboFix-quarantined-files.txt 2012-04-10 13:32
.
Pre-Run: 20,413,763,584 bytes free
Post-Run: 23,952,740,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - BA39524F48040B7FFC5D2CDAD7F22F4D
- 04-11-2012 05:18 PM #7 Member, Spyware Fighter
Hello,
I need to see the whole TDSSKiller log. Please re-run TDSSKiller and post its entire log. Also, how is your machine running?
- 04-18-2012 06:21 PM #8 Member, Spyware Fighter
Hello.
There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.
Everyone else, please begin a new topic.
With Regards,
fireman4it