[Trojan or Vundo] HJT Log - Tdsserv HELP in Security Cleanup http://www.dslreports.com/forum/r21121671 en Wed, 11 Nov 2009 09:30:42 EDT Wed, 11 Nov 2009 09:30:42 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21146546 lilhurricane : I love a

:)]]> http://www.dslreports.com/forum/remark,21146546 Sun, 21 Sep 2008 18:43:48 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21146488 PPL : Thanks for your time and Support!]]> http://www.dslreports.com/forum/remark,21146488 Sun, 21 Sep 2008 18:27:07 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21145504 LoPhatPhuud : The last HJT log is clean too, so we are finished.

You can enable the Spyware Doctor realtime protection and see see if using it affects your response.

Yes, Zone Alarm is your firewall.
--
When angry count four; when very angry, swear.

Microsoft MVP/Consumer Security 2005-2008

Gladiator Security Forum]]> http://www.dslreports.com/forum/remark,21145504 Sun, 21 Sep 2008 14:02:13 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21143359 PPL : This is the hijackthis log for the other account on the same computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:16 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1444666018-1835601529-2086350918-1009\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (User 'Jonathan')
O4 - HKUS\S-1-5-21-1444666018-1835601529-2086350918-1009\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Jonathan')
O4 - HKUS\S-1-5-21-1444666018-1835601529-2086350918-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jonathan')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Id - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &5 Fill from Identity - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Pass - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &6 Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Go Fill - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Go && Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Login - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Login (Go, Fill, Submit) - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra 'Tools' menuitem: &3 Edit Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra 'Tools' menuitem: &4 Edit Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···39999628
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - »www.acclaim.com/cabs/acclaim_v4.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 15255 bytes

P.S. I have Spyware Doctor downloaded and I was wondering if I should enable its Intelli-guard. A real time protection from Spyware Doctor, because some reviews says that spyware doctor lags the computer up. Right now I have Avast on access protection and zone labs running. Zone Labs counts as a firewall right?]]> http://www.dslreports.com/forum/remark,21143359 Sat, 20 Sep 2008 21:29:48 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21143299 LoPhatPhuud : There may be nothing to do on the other logon. Log into it, run HiJackThis and post that log in this thread. Be sure to indicate that this is a different logon for the same computer.

You can remove MBAM, FixPolicies, and ATF that we installed as part of the cleaning process. You may want to retain MBAM and ATF. They are excellent programs and MBAM is one of the very few programs that can entirely rmeove the tds variation of Vundo. After the trial period expires, MBAM will become the free version without the realtime protection.

YOu will have to decide whether to remove programs installed prior to this infection. THere is nothing wrong with running more than one AntiSpyware program that offer realtime protection.

Just be sure you only have one AV and one firewall active.
--
When angry count four; when very angry, swear.

Microsoft MVP/Consumer Security 2005-2008

Gladiator Security Forum]]> http://www.dslreports.com/forum/remark,21143299 Sat, 20 Sep 2008 21:12:51 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21142453 PPL : Thanks for you time and support, and Just a couple questions. should I do all the steps before for the other account on the computer too? And I have a couple anti spyware and virus things installed, should I just unistall it all and just have one? Last question, can I delete ATF-Cleaner, MBAM and the other stuff like spybot?

P.S. I use Avast and ZoneLabs
DO you exactly know what virus/vundo/trojan I had?]]> http://www.dslreports.com/forum/remark,21142453 Sat, 20 Sep 2008 16:55:56 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21142352 LoPhatPhuud : Your system appears clean. Just a bit of cleanup left.

First:
Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.


Second:
Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.
[u]If you use Firefox browser[/u]Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[u]If you use Opera browser[/u]Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

--
When angry count four; when very angry, swear.

Microsoft MVP/Consumer Security 2005-2008

Gladiator Security Forum]]> http://www.dslreports.com/forum/remark,21142352 Sat, 20 Sep 2008 16:29:18 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21140035 PPL : Okay, I did the ComboFix, HiJackThis, and MBAM but when I did MBAM, it didn't ask for what drives to scan for unless I do full scan. So i just went ahead and did a full scan. Anyways, here are the logs. Lets start with the MBAM log:

Malwarebytes' Anti-Malware 1.28
Database version: 1179
Windows 5.1.2600 Service Pack 2

9/19/2008 9:51:24 PM
mbam-log-2008-09-19 (21-51-24).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 183317
Time elapsed: 53 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP3\A0000137.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jonathan\Local Settings\Temp\????.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jonathan\Local Settings\Temp\??.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\???.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jonathan\Desktop\????.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

Here is the ComboFix LOG:

ComboFix 08-09-19.06 - Jonathan 2008-09-19 21:56:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.354 [GMT -5:00]
Running from: C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\p4p
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\3620_3660PCSuite.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\avg6762fu_free.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\avi_mpg_splitter.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\dvtool053.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\DXX13.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\DXX22.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\DXX23.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\Epson660PrinterDriver.EXE.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\microsoftofficekeygenrb.zip.lnk
C:\Documents and Settings\All Users\Application Data\p4p\Downloaded\zweifull.exe.lnk
C:\Documents and Settings\All Users\Application Data\p4p\metafile.dat
C:\Documents and Settings\Jonathan\Application Data\inst.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-19 20:47 . 2008-09-19 20:48 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-19 20:47 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-19 20:47 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 19:47 . 2008-09-18 19:47 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-18 19:47 . 2008-09-18 19:47 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-18 19:01 . 2008-09-18 19:01 d--hs---- C:\Documents and Settings\Jonathan\PrivacIE
2008-09-18 18:15 . 2008-09-18 18:16 d--h-c--- C:\WINDOWS\ie8
2008-09-16 18:24 . 2008-09-16 18:24 d-------- C:\Program Files\Windows Defender
2008-09-15 20:37 . 2008-09-15 20:37 110 --a------ C:\Documents and Settings\Jonathan\Application Data\netstat.bat
2008-09-15 19:22 . 2008-09-15 19:22 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-09-11 17:55 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-11 17:55 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-11 17:55 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-11 17:55 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-11 17:54 . 2008-09-11 20:14 d-------- C:\Program Files\Spyware Doctor
2008-09-11 17:54 . 2008-09-11 17:54 d-------- C:\Documents and Settings\Jonathan\Application Data\PC Tools
2008-09-11 17:35 . 2008-09-11 17:46 d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-09 20:16 . 2008-09-09 20:16 d-------- C:\Documents and Settings\Jonathan\Application Data\SUPERAntiSpyware.com
2008-09-09 20:15 . 2008-09-09 20:15 d-------- C:\Documents and Settings\Jonathan\Application Data\Malwarebytes
2008-09-09 16:47 . 2008-09-09 16:47 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 16:47 . 2008-09-09 16:47 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-09-09 16:47 . 2008-09-09 16:47 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-08 21:42 . 2008-09-08 21:42 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-08 21:41 . 2008-09-08 21:41 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-08 19:16 . 2008-09-09 16:45 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 10:32 . 2008-09-16 18:54 d-------- C:\Documents and Settings\Jonathan\.housecall6.6
2008-09-06 22:47 . 2008-09-06 22:47 d-------- C:\Program Files\CCleaner
2008-09-06 13:21 . 2008-09-16 16:16 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 13:06 . 2008-09-11 17:54 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-05 19:29 . 2008-09-08 19:19 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-05 18:51 . 2004-05-12 22:57 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-05 18:51 . 2004-05-15 06:16 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-05 18:51 . 2004-05-13 00:19 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-05 18:51 . 2008-09-05 18:51 d-------- C:\Documents and Settings\Administrator
2008-09-04 19:48 . 2008-09-16 19:22 d-------- C:\Program Files\Trend Micro
2008-09-01 21:14 . 2008-09-01 21:14 18 --ah----- C:\SYSREST
2008-09-01 14:20 . 2008-09-01 14:20 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-09-01 11:05 . 2008-09-12 17:43 d-------- C:\Program Files\Enigma Software Group
2008-08-31 09:33 . 2008-08-31 09:33 123 --a------ C:\WINDOWS\system32\msexcr.ini
2008-08-30 21:44 . 2008-09-07 10:19 174 --a------ C:\Documents and Settings\Jonathan\xrt_log.dat
2008-08-28 17:32 . 2008-08-28 17:32 d-------- C:\Documents and Settings\Jonathan\Application Data\iolo
2008-08-28 17:32 . 2008-08-28 17:32 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-08-28 17:32 . 2008-08-28 17:32 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-08-26 17:20 . 2008-08-26 17:20 59,176 --a------ C:\WINDOWS\system32\sbbd.exe
2008-08-25 11:45 . 2008-09-06 13:04 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-08-24 09:33 . 2008-08-24 09:33 d-------- C:\Documents and Settings\Jonathan\Application Data\Syntrillium
2008-08-24 09:10 . 2008-08-24 09:10 d-------- C:\Program Files\MP3 Recorder 2008
2008-08-22 10:39 . 2008-09-05 18:26 d-------- C:\WINDOWS\system32\scripting
2008-08-22 10:39 . 2008-09-05 18:26 d-------- C:\WINDOWS\system32\en
2008-08-22 10:39 . 2008-09-05 18:26 d-------- C:\WINDOWS\l2schemas
2008-08-22 10:29 . 2008-08-22 03:09 5,699,584 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-22 10:28 . 2007-10-25 22:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-22 09:19 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-22 03:16 . 2008-08-22 03:16 637,984 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-22 03:15 . 2008-08-22 03:15 1,216,512 --------- C:\WINDOWS\system32\ieframe.dll.mui
2008-08-22 03:14 . 2008-08-22 03:14 10,240 --------- C:\WINDOWS\system32\advpack.dll.mui
2008-08-22 03:08 . 2008-08-22 03:08 1,415,680 -----c--- C:\WINDOWS\system32\dllcache\inetcpl.cpl
2008-08-22 03:08 . 2008-08-22 03:08 236,544 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2008-08-22 03:08 . 2008-08-22 03:08 43,008 -----c--- C:\WINDOWS\system32\dllcache\licmgr10.dll
2008-08-22 03:07 . 2008-08-22 03:07 116,224 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2008-08-22 03:07 . 2008-08-22 03:07 105,984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2008-08-22 03:07 . 2008-08-22 03:07 18,944 -----c--- C:\WINDOWS\system32\dllcache\corpol.dll
2008-08-22 03:06 . 2008-08-22 03:06 385,024 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2008-08-22 03:06 . 2008-08-22 03:06 228,864 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2008-08-22 03:06 . 2008-08-22 03:06 162,304 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-22 03:06 . 2008-08-22 03:06 128,512 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2008-08-22 03:06 . 2008-08-22 03:06 124,928 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2008-08-22 03:06 . 2008-08-22 03:06 72,704 -----c--- C:\WINDOWS\system32\dllcache\admparse.dll
2008-08-22 03:06 . 2008-08-22 03:06 71,680 -----c--- C:\WINDOWS\system32\dllcache\iesetup.dll
2008-08-22 03:06 . 2008-08-22 03:06 55,808 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2008-08-22 03:05 . 2008-08-22 03:05 48,640 --------- C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 03:05 . 2008-08-22 03:05 48,128 -----c--- C:\WINDOWS\system32\dllcache\mshtmler.dll
2008-08-22 03:05 . 2008-08-22 03:05 35,840 -----c--- C:\WINDOWS\system32\dllcache\imgutil.dll
2008-08-22 03:04 . 2008-08-22 03:04 1,659,392 -----c--- C:\WINDOWS\system32\dllcache\mshtml.tlb
2008-08-22 03:04 . 2008-08-22 03:04 66,560 -----c--- C:\WINDOWS\system32\dllcache\tdc.ocx
2008-08-22 03:04 . 2008-08-22 03:04 45,568 -----c--- C:\WINDOWS\system32\dllcache\mshta.exe
2008-08-22 03:00 . 2008-08-22 03:00 68,608 -----c--- C:\WINDOWS\system32\dllcache\hmmapi.dll
2008-08-21 20:45 . 2008-08-21 20:45 2,645 --ah----- C:\WINDOWS\SwSys2.bmp
2008-08-21 20:45 . 2008-08-21 20:45 2,645 --ah----- C:\WINDOWS\SwSys1.bmp
2008-08-21 18:44 . 2006-12-28 14:01 19,569 --a------ C:\WINDOWS\[u]0[/u]05857_.tmp
2008-08-21 16:26 . 2008-08-21 16:27 d-------- C:\Program Files\SystemRequirementsLab
2008-08-21 16:26 . 2008-08-21 16:26 d-------- C:\Documents and Settings\Jonathan\Application Data\SystemRequirementsLab
2008-08-21 01:17 . 2008-08-21 01:17 d-------- C:\Documents and Settings\Jonathan\Application Data\Reallusion
2008-08-21 01:16 . 2008-08-21 01:16 d-------- C:\Program Files\Common Files\Reallusion
2008-08-21 00:20 . 2008-09-17 21:26 d-------- C:\Program Files\FlashGet
2008-08-20 08:10 . C:\Program Files\E›'¢IoA‡
2008-08-20 07:42 . 2008-08-20 07:42 d-------- C:\Documents and Settings\Jonathan\Application Data\QQUpdate
2008-08-20 07:32 . 2008-08-20 07:32 d-------- C:\WINDOWS\system32\qqedit
2008-08-20 07:32 . 2008-08-20 07:32 d-------- C:\Program Files\QQMusic
2008-08-20 07:32 . 2008-08-20 07:43 d-------- C:\Program Files\QQGame
2008-08-20 07:32 . 2008-08-20 07:43 d-------- C:\Documents and Settings\Jonathan\Application Data\QQ
2008-08-20 07:31 . 2008-08-20 07:43 d-------- C:\Program Files\QQ
2008-08-20 06:53 . 2008-08-20 06:53 d-------- C:\Program Files\XAudioTools
2008-08-20 06:22 . 2008-08-20 06:22 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-20 05:46 . 2008-08-20 22:59 d-------- C:\Program Files\eMule
2008-08-20 05:29 . 2008-08-21 00:20 d-------- C:\Downloads
2008-08-20 05:02 . 2008-05-01 09:30 331,776 --a------ C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 23:21 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Viewpoint
2008-09-19 23:20 --------- d-----w C:\Program Files\Viewpoint
2008-09-19 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-19 00:47 --------- d-----w C:\Program Files\Java
2008-09-19 00:34 --------- d-----w C:\Program Files\Yahoo!
2008-09-13 13:47 47,866 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_09_13_08_44_23_small.dmp.zip
2008-09-12 00:41 --------- d-----w C:\Program Files\Google
2008-09-09 00:07 --------- d-----w C:\Program Files\Lavasoft
2008-09-09 00:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-08-31 02:39 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\DNA
2008-08-31 02:30 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Hamachi
2008-08-31 00:32 --------- d-----w C:\Program Files\DNA
2008-08-30 17:37 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-29 19:05 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\U3
2008-08-28 23:45 --------- d--h--w C:\Documents and Settings\Jonathan\Application Data\ijjigame
2008-08-28 22:57 --------- d-----w C:\Program Files\Winamp
2008-08-28 22:53 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Winamp
2008-08-28 21:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-28 21:57 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\AdobeUM
2008-08-25 13:53 23,771,837 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-21 08:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-21 06:20 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\InstallShield
2008-08-21 05:01 --------- d-----w C:\Program Files\BitComet
2008-08-21 04:05 --------- d-----w C:\Program Files\LimeWire
2008-08-20 16:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-08-20 13:24 --------- d-----w C:\Program Files\Ê¢´óÍøÂç
2008-08-20 10:41 --------- d-----w C:\Program Files\Skype
2008-08-20 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-20 10:13 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\InstallShield Installation Information
2008-03-19 17:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-07 22:09 47,360 ----a-w C:\Documents and Settings\Jonathan\Application Data\pcouffin.sys
2008-01-22 15:45 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-06-12 23:02 58,956 ----a-w C:\Documents and Settings\Jonathan\UninstallFW.exe
2004-08-16 17:22 905,216 ----a-w C:\Documents and Settings\Jonathan\Rival Ball.exe
2001-12-15 03:08 81,920 ----a-w C:\Documents and Settings\Jonathan\audiow32.dll
1998-12-01 03:36 816,640 ----a-w C:\Program Files\i_view32.exe
2006-06-16 01:33 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 23:43 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 18:10 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2004-10-08 05:17 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-29 180269]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-04-02 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-04-02 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-04-02 455168]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 755472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-09-18 144792]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-07-11 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-12-15 217088]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [2003-10-29 503875]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 217600]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-30 724992]
VPN Client.lnk - C:\WINDOWS\Installer\{B8221906-224A-4494-BB97-55FC63740019}\Icon3E5562ED7.ico [2005-02-16 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Nexon\\Combat Arms\\NMService.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10418:TCP"= 10418:TCP:BitComet 10418 TCP
"10418:UDP"= 10418:UDP:BitComet 10418 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-18 147456]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 22912]
S3 pmxscan;USB ScanModule V5.1 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dd712dc-2d27-11dd-b7e2-000f3d058a67}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26940dc6-72c5-11dd-b7fa-000f3d058a67}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c196dea-6ea2-11dd-b7ed-000f3d058a67}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e27ff7c-a2ba-11dc-b796-000f3d058a67}]
\Shell\AutoRun\command - G:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-09-20 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 19:35]

2008-09-20 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2006-08-16 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 18:38]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\p7y17xam.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Documents and Settings\Jonathan\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\npctrl.1.0.20926.0.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-09-19 22:06:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-19 22:18:24 - machine was rebooted [Jonathan]
ComboFix-quarantined-files.txt 2008-09-20 03:18:07

Pre-Run: 28,113,469,440 bytes free
Post-Run: 28,344,246,272 bytes free

343 --- E O F --- 2008-08-21 23:11:08

Here is the HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:06 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Jonathan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\QQ\AddEmotion.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Id - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &5 Fill from Identity - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Pass - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &6 Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Go Fill - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Go && Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Login - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Login (Go, Fill, Submit) - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra 'Tools' menuitem: &3 Edit Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra 'Tools' menuitem: &4 Edit Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: »*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: »*.sbcglobal.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···39999628
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - »www.acclaim.com/cabs/acclaim_v4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 14483 bytes]]> http://www.dslreports.com/forum/remark,21140035 Fri, 19 Sep 2008 23:34:21 EDT Re: [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21139146 LoPhatPhuud : First:
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Acan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Second:
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:
view plainprint?
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
• Double-click FixPolicies.exe
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies,
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.

Third:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: »www.bleepingcomputer.com/combofi···combofix





**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you. •Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Your next post should contain the logs from MBAM, ComboFix and a new HiJackThis log. Use more than one post if needed.

--
When angry count four; when very angry, swear.

Microsoft MVP/Consumer Security 2005-2008

Gladiator Security Forum]]> http://www.dslreports.com/forum/remark,21139146 Fri, 19 Sep 2008 20:04:50 EDT [Trojan or Vundo] HJT Log - Tdsserv HELP http://www.dslreports.com/forum/remark,21121671 PPL : Hi all,

First of all thanks to whoever is going to help me. My problem started 1 week ago, I had this background problem with "win32 virtumonde and privacy remover" thing. I forgot the name. I later installed some anti virus programs to delete it and it worked! But it also found some other viruses. Here is the main problem. I downloaded spyware doctor and scanned my computer, it found something called. "trojan.tdsserv" I don't know what it is. But of course, I deleted it. But it keeps coming back after every restart of my computer. I am not sure if the win32 virtumonde thing was fully removed. Or if this problem was the tojan or the vundo. I just put trojan because the virus said :"trojan.tdsserv"

Now, I followed most of the steps you gave us. I downloaded spybot and scanned. It found a couple of new stuff. I removed it. But it just couldn't get rid of the tdsserv. Adaware deleted some cookies but other than that, it didn't really do much. I downloaded Windows Defender and Malacious Software removal tool but nothing was detected. I couldn't do the www.eset.eu/online-scanner because my internet explorer was really slow. Firefox works way better. I finished the Trend Micro scan and it deleted some malware and grayware etc.

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:11 PM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »ie.redirect.hp.com/svs/rdr?TYPE=···=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Id - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &5 Fill from Identity - {320AF880-6646-11D3-ABEE-C5DBF3571F47} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Fill Pass - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &6 Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F48} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Go Fill - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Go && Fill from Passcard - {320AF880-6646-11D3-ABEE-C5DBF3571F4A} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Login - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Login (Go, Fill, Submit) - {320AF880-6646-11D3-ABEE-C5DBF3571F4B} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &Options - {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra 'Tools' menuitem: &3 Edit Identities - {45DB34C3-955C-11D3-ABEF-444553540000} - C:\Program Files\Siber Systems\AI RoboForm\Identities.exe
O9 - Extra button: Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra 'Tools' menuitem: &4 Edit Passcards - {45DB34C3-955C-11D3-ABEF-444553540001} - C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: »*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: »*.sbcglobal.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···39999628
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - »www.acclaim.com/cabs/acclaim_v4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 15131 bytes

P.S. I did not fix the stuff in the hijackthis. Just incase it was something good.. :huh:

Thanks Again!

PPL]]> http://www.dslreports.com/forum/remark,21121671 Tue, 16 Sep 2008 20:25:41 EDT