Google Redirect Virus

Hi all

I was wondering if someone could help me with this issue I'm having, or if someone knows how to fix it.

I seem to have a trojan or virus that is redirecting any link I click after a Google search.

I hit this comp with a full Avast virus scan, a Windows Defender scan, a Kaspersky online scan, HijackThis and an Ad-Aware scan, and seem to be coming up short with no success. >:(

Any ideas??

Have you tried this?

Download and then run SuperAntispyware.

- On the first page select Check for Updates.
- On completion select SCAN YOUR COMPUTER.
- On the next page select COMPLETE SCAN and tick ALL your drives.
- The next stage will take a while as your entire drive(s), memory and registry are scanned.
- When it has completed, click NEXT.
- The next screen shows the problems found; click OK.
- On the next screen place a tick against all items and select NEXT.
- Now, to get the log, go to the PREFERENCES button at the bottom right.
- Select the STATISTICS/LOG tab.
- Highlight the scan just completed and click VIEW LOG.
- This will open a Notepad text file; copy and paste this into your next reply.

ON COMPLETION

- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

OK, SuperAntispyware only detected some cookies that have been picked up since I checked Google again:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/29/2007 at 10:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3332
Trace Rules Database Version: 1333

Scan type : Custom Scan
Total Scan Time : 00:04:25

Memory items scanned : 362
Memory threats detected : 0
Registry items scanned : 6591
Registry threats detected : 0
File items scanned : 0
File threats detected : 19

Adware.Tracking Cookie
C:\Documents and Settings\Gordon\Cookies\gordon@adopt.euroclick[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@tacoda[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@mediaplex[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@findwhat[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@overture[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@ad.easydate[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@perf.overture[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@serving-sys[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@atdmt[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@fastclick[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@2o7[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@advertising[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@toplist[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@bs.serving-sys[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@h.starware[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@doubleclick[1].txt
C:\Documents and Settings\Gordon\Cookies\gordon@try.starware[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@ad.yieldmanager[2].txt
C:\Documents and Settings\Gordon\Cookies\gordon@adserver.filefront[2].txt

And below is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:37, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TRIXX\TRIXX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [trIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe


End of file - 6253 bytes

Nothing showing there; let's have a deeper look at your startup and registry areas.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs are too big to post m8... any ideas?

Could post several in a row!

Deckard's System Scanner v20071014.68
Run by Gordon on 2007-10-29 22:51:28
Computer is in Normal Mode.

-- HijackThis (run as Gordon.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51:29, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TRIXX\TRIXX.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gordon\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Gordon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [trIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe


End of file - 6212 bytes

-- Files created between 2007-09-29 and 2007-10-29 -----------------------------

2007-10-29 14:50:17 0 d-------- C:\Documents and Settings\Gordon\Application Data\Ventrilo
2007-10-29 14:48:28 0 d-------- C:\Program Files\VentriloMIX
2007-10-29 14:03:43 0 d-------- C:\Program Files\Common Files\Ankiro
2007-10-29 14:02:19 0 d-------- C:\Program Files\Common Files\Application
2007-10-29 14:01:42 0 d-------- C:\Program Files\SPAMfighter
2007-10-28 21:25:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-28 21:25:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-28 21:25:30 0 d-------- C:\Documents and Settings\Gordon\Application Data\SUPERAntiSpyware.com
2007-10-28 21:25:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 21:25:08 0 d-------- C:\Program Files\Trend Micro
2007-10-28 20:23:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 20:23:03 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-27 17:06:24 0 d-------- C:\Documents and Settings\Gordon\Application Data\WinRAR
2007-10-27 09:32:27 0 d-------- C:\Program Files\Barbie™
2007-10-20 12:12:36 0 d-------- C:\Program Files\TVAnts
2007-10-20 11:53:51 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-10-20 11:53:40 0 d-------- C:\Documents and Settings\Gordon\Application Data\SopCast
2007-10-20 11:53:39 0 d-------- C:\Program Files\SopCast
2007-10-20 10:00:09 0 d-------- C:\Program Files\TRIXX
2007-10-20 09:51:29 516096 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-10-20 09:32:26 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-12 11:44:57 0 d-------- C:\Program Files\id Software
2007-10-12 11:42:46 0 d--hs---- C:\WINDOWS\ftpcache

-- Find3M Report ---------------------------------------------------------------

2007-10-29 22:29:19 0 d---s---- C:\Program Files\Xfire
2007-10-29 22:29:15 0 d-------- C:\Documents and Settings\Gordon\Application Data\Xfire
2007-10-29 17:31:20 0 d-------- C:\Program Files\Steam
2007-10-29 14:49:04 0 d-------- C:\Documents and Settings\Gordon\Application Data\teamspeak2
2007-10-29 14:03:43 0 d-------- C:\Program Files\Common Files
2007-10-27 17:05:28 0 d-------- C:\Documents and Settings\Gordon\Application Data\Azureus
2007-10-20 09:51:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-02 12:51:26 0 d-------- C:\Program Files\SmartFTP Client 2.0
2007-09-29 08:37:20 0 d-------- C:\Program Files\Soulseek-Test
2007-09-22 18:33:09 0 d-------- C:\Program Files\Azureus

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [17/09/2003 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [18/06/2003 00:00]
"CTHelper"="CTHELPER.EXE" [19/03/2004 08:33 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [03/12/2002 17:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 00:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 10:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 03:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 16:40]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [21/12/2006 18:58]
"@"=""
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 15:17]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k"
"TRIXX"="C:\Program Files\TRIXX\TRIXX.exe" [16/08/2005 11:18]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [25/10/2007 15:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"Steam"=""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [09/10/2006 11:28]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdruq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

-- End of Deckard's System Scanner: finished at 2007-10-29 22:51:57 ------------

Methinks I have him

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

First we must back up the entire registry. To do this:

REGISTRY BACKUP

Go START > RUN and type in REGEDIT, then press your Enter key.
When Regedit is open, ensure that 'My Computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'All' button at the bottom of the screen to back up the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file); I would suggest the Desktop.
Choose the FILE NAME as Oldreg.
In the drop-down box called SAVE AS TYPE select Registration Files (*.reg).
Then click SAVE.
This will create a file on your desktop called Oldreg.reg.
http://img127.imageshack.us/img127/433/regtg8.jpg

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=""

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the drop-down box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and you are done.

I will now need you to locate and delete this file: kdruq.exe

If you cannot find it, then I will do a deep analysis.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - ControlSets
Reg - Security Settings

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
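As an added illustration (not code from this thread or from DSS, HijackThis or any other tool named in it), the check below parses a DSS-style Registry Dump like the one posted above, flags Winlogon values that differ from the stock Windows XP defaults (here the "System" value pointing at kdruq.exe instead of being empty), and drafts the same kind of REGEDIT4 reset file with straight quotes, which a .reg merge requires. The sample dump is constructed from the lines in this thread, and the default Winlogon values assume a stock XP SP2 install with Windows on C:.

```python
"""Check a DSS-style registry dump for hijacked Winlogon values and draft the .reg fix.

Added example for this thread; not code from DSS, HijackThis or any tool named here.
"""
import re

# Constructed sample, modelled on the Registry Dump section posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 10:06]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k"
"@"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdruq.exe"
"Shell"="Explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"""

# Stock Windows XP data for the Winlogon values malware commonly hijacks
# (assumption: default XP SP2 install with Windows on C:). "System" is normally
# empty; the dump in this thread shows it launching kdruq.exe instead.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "system": "",
    "shell": "Explorer.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
}

# A dump line looks like  "Name"="data" [dd/mm/yyyy hh:mm]  ; only the quoted parts matter.
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"')


def parse_dump(text):
    """Return {registry key: {value name: value data}} from a DSS registry dump."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def find_winlogon_hijacks(text):
    """List (value name, current data, expected data) for Winlogon values that
    deviate from the defaults. Comparison is case-insensitive, as registry
    value names and these paths are."""
    findings = []
    for key, values in parse_dump(text).items():
        if not key.lower().endswith(r"\windows nt\currentversion\winlogon"):
            continue
        for name, data in values.items():
            expected = WINLOGON_DEFAULTS.get(name.lower())
            if expected is not None and data.lower() != expected.lower():
                findings.append((name, data, expected))
    return findings


def build_reg_fix(findings):
    """Draft a REGEDIT4 file resetting each flagged value to its default.

    Straight ASCII quotes are mandatory: the curly quotes that web pages often
    substitute make regedit reject the file. Backslashes inside a .reg string
    value must be doubled."""
    lines = ["REGEDIT4", "", "[" + WINLOGON_KEY + "]"]
    for name, _current, expected in findings:
        lines.append('"%s"="%s"' % (name, expected.replace("\\", "\\\\")))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_winlogon_hijacks(SAMPLE_DUMP)
    for name, data, expected in hits:
        print("Winlogon %s = %r (expected %r)" % (name, data, expected))
    print(build_reg_fix(hits))
```

The same parser runs over the Run keys in the dump, so the Run entries can be cross-checked against the "File not found" lines of a WinPFind report by hand.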

Dear Essexboy, forgive me if I'm wrong, but Theweedman's scan with Superantispyware was only a custom scan lasting 4 mins. I don't think he did a complete scan as you suggested. I don't see any file items scanned. Apologies for gatecrashing the post.

I saw that as well, but as DSS gave me the answer it was not a problem, as that file would probably not be seen by SAS.

Hey guys... this thing's a clever little chappy!! Keeps turning my System Restore back on when I disable it.

Anyhooo, here's what you need m8, as I can't find it. Need to do this in parts!!

WinPFind3 logfile created on: 31/10/2007 16:19:18
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Gordon\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1023.52 Mb Total Physical Memory | 465.42 Mb Available Physical Memory | 45.47% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 86.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 152.66 Gb Total Space | 110.91 Gb Free Space | 72.65% Space Free
D: Drive not present or media not loaded
Drive E: | 37.26 Gb Total Space | 5.37 Gb Free Space | 14.41% Space Free
Drive F: | 487.14 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free

Computer Name: EVO
Current User Name: Gordon
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
application launcher.exe → %ProgramFiles%\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe → Sony Ericsson Mobile Communications AB [Ver = 1.1.1.3 | Size = 159744 bytes | Modified Date = 26/10/2005 15:17:24 | Attr = R ]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 10:06:10 | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 10:05:42 | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 10:06:04 | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 10:04:44 | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 09:54:58 | Attr = ]
ati2evxx.exe → %System32%\ati2evxx.exe → ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 380928 bytes | Modified Date = 04/08/2005 03:02:58 | Attr = ]
ati2evxx.exe → %System32%\ati2evxx.exe → ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 380928 bytes | Modified Date = 04/08/2005 03:02:58 | Attr = ]
capabilitymanager.exe → %CommonProgramFiles%\Teleca Shared\CapabilityManager.exe → Teleca Software Solutions AB [Ver = 0.0.1.48 | Size = 278528 bytes | Modified Date = 08/06/2005 15:45:04 | Attr = ]
ctdvddet.exe → %ProgramFiles%\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe → Creative Technology Ltd [Ver = 1.0.3.0 | Size = 45056 bytes | Modified Date = 18/06/2003 | Attr = ]
cthelper.exe → %System32%\CTHELPER.EXE → Creative Technology Ltd [Ver = 1, 2, 0, 2 | Size = 24576 bytes | Modified Date = 19/03/2004 08:33:42 | Attr = ]
ctsysvol.exe → %ProgramFiles%\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe → Creative Technology Ltd [Ver = 1.4.1.0 | Size = 57344 bytes | Modified Date = 17/09/2003 09:43:36 | Attr = ]
epmworker.exe → %ProgramFiles%\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe → Sony Ericsson Mobile Communications AB [Ver = 1, 2, 0,1183 | Size = 868352 bytes | Modified Date = 24/02/2006 10:58:14 | Attr = R ]
generic.exe → %CommonProgramFiles%\Teleca Shared\Generic.exe → Teleca Software Solutions [Ver = 1, 0, 3, 2 | Size = 385024 bytes | Modified Date = 10/08/2005 06:54:34 | Attr = R ]
jusched.exe → %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 12/07/2007 03:00:36 | Attr = ]
nmbgmonitor.exe → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 0, 18 | Size = 139264 bytes | Modified Date = 09/10/2006 11:28:56 | Attr = ]
nmindexstoresvr.exe → %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe → Nero AG [Ver = 1, 5, 0, 18 | Size = 884736 bytes | Modified Date = 09/10/2006 11:22:58 | Attr = ]
pnkbstra.exe → %System32%\PnkBstrA.exe → [Ver = | Size = 66872 bytes | Modified Date = 12/10/2007 14:45:24 | Attr = ]
sfagent.exe → %ProgramFiles%\SPAMfighter\SFAgent.exe → SPAMfighter ApS [Ver = 1, 2, 1, 5 | Size = 308880 bytes | Modified Date = 25/10/2007 15:29:16 | Attr = ]
sfus.exe → %ProgramFiles%\SPAMfighter\sfus.exe → SPAMfighter ApS [Ver = 1, 0, 0, 6 | Size = 184976 bytes | Modified Date = 25/10/2007 15:29:52 | Attr = ]
trixx.exe → %ProgramFiles%\TRIXX\TRIXX.exe → Sapphire Technologies [Ver = 1.0.0.13 | Size = 9576448 bytes | Modified Date = 16/08/2005 11:18:34 | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] → %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe → [Ver = 2.41.000 | Size = 68096 bytes | Modified Date = 12/08/2006 09:53:48 | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 09:54:58 | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] → %System32%\ati2evxx.exe → ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 380928 bytes | Modified Date = 04/08/2005 03:02:58 | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] → %System32%\ati2sgag.exe → [Ver = 5.13.0024 | Size = 516096 bytes | Modified Date = 05/08/2005 20:05:00 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 10:06:04 | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 10:05:42 | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 10:04:44 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 12:00:00 | Attr = ]
(Hidsvyage) Hidsvyage [Win32_Shared | On_Demand | Stopped] → → File not found
(NBService) NBService [Win32_Own | On_Demand | Stopped] → %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe → Nero AG [Ver = 2, 6, 6, 0 | Size = 724992 bytes | Modified Date = 09/10/2006 22:11:08 | Attr = ]
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] → %System32%\PnkBstrA.exe → [Ver = | Size = 66872 bytes | Modified Date = 12/10/2007 14:45:24 | Attr = ]
(SPAMfighter Update Service) SPAMfighter Update Service [Win32_Own | Auto | Running] → %ProgramFiles%\SPAMfighter\sfus.exe → SPAMfighter ApS [Ver = 1, 0, 0, 6 | Size = 184976 bytes | Modified Date = 25/10/2007 15:29:52 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
→ → File not found
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 10:06:10 | Attr = ]
CTDVDDET → %ProgramFiles%\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe → Creative Technology Ltd [Ver = 1.0.3.0 | Size = 45056 bytes | Modified Date = 18/06/2003 | Attr = ]
CTHelper → %System32%\CTHELPER.EXE → Creative Technology Ltd [Ver = 1, 2, 0, 2 | Size = 24576 bytes | Modified Date = 19/03/2004 08:33:42 | Attr = ]
CTSysVol → %ProgramFiles%\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe → Creative Technology Ltd [Ver = 1.4.1.0 | Size = 57344 bytes | Modified Date = 17/09/2003 09:43:36 | Attr = ]
KernelFaultCheck → → File not found
NeroFilterCheck → %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe → Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 12/01/2006 16:40:44 | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 21/12/2006 18:58:48 | Attr = ]
SBDrvDet → %ProgramFiles%\Creative\SB Drive Det\SBDrvDet.exe → Creative Technology Ltd [Ver = 1.0.3.0 | Size = 45056 bytes | Modified Date = 03/12/2002 17:06:52 | Attr = ]
Sony Ericsson PC Suite → %ProgramFiles%\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe → Sony Ericsson Mobile Communications AB [Ver = 1.1.1.3 | Size = 159744 bytes | Modified Date = 26/10/2005 15:17:24 | Attr = R ]
SPAMfighter Agent → %ProgramFiles%\SPAMfighter\SFAgent.exe → SPAMfighter ApS [Ver = 1, 2, 1, 5 | Size = 308880 bytes | Modified Date = 25/10/2007 15:29:16 | Attr = ]
SunJavaUpdateSched → %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 12/07/2007 03:00:36 | Attr = ]
TRIXX → %ProgramFiles%\TRIXX\TRIXX.exe → Sapphire Technologies [Ver = 1.0.0.13 | Size = 9576448 bytes | Modified Date = 16/08/2005 11:18:34 | Attr = ]
UpdReg → %SystemRoot%\Updreg.EXE → Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 11/05/2000 | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} → %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe → Nero AG [Ver = 1, 5, 0, 18 | Size = 139264 bytes | Modified Date = 09/10/2006 11:28:56 | Attr = ]
Steam → → File not found
SUPERAntiSpyware → %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe → SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 14:06:28 | Attr = ]
< ShellExecuteHooks [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks →
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] → %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 13:55:48 | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
System → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System →
kdruq.exe → kdruq.exe → File not found
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon\Notify settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ →
!SASWinLogon → %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll → SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 13:41:36 | Attr = ]
AtiExtEvent → %System32%\ati2evxx.dll → ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 46080 bytes | Modified Date = 04/08/2005 03:04:18 | Attr = ]
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ScanWithAntiVirus → 2 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 145 →
< HOSTS File > (734 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →
< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM: Main\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Start Page → http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Start Page → http://www.google.co.uk/
HKCU: ProxyEnable → 0 →
< Trusted Sites > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
msn.com [ - ] → →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] → [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 16/04/2001 15:39:02 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] → %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 12/07/2007 03:00:36 | Attr = ]
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] → %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 12/07/2007 03:00:36 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] → %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] → Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 12/07/2007 03:00:36 | Attr = ]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} → Reg Data - Value does not exist [ButtonText: Research] → File not found
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} → %CommonProgramFiles%\SourceTec\SWF Catcher\InternetExplorer.htm [ButtonText: Sothink SWF Catcher] → [Ver = | Size = 191 bytes | Modified Date = 29/09/2006 10:44:32 | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > → HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → → File not found
Sothink SWF Catcher → %CommonProgramFiles%\SourceTec\SWF Catcher\InternetExplorer.htm → [Ver = | Size = 191 bytes | Modified Date = 29/09/2006 10:44:32 | Attr = ]
< Internet Explorer Plugins [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\ →
.spop → %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] → Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 01/08/2001 16:05:42 | Attr = ]
< User Agent Post Platform [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform →
SV1 → →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} → CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
{17492023-C23A-453E-A040-C7C580BBF700} → Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{233C1507-6A77-46A4-9443-F871F945D258} → Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} → - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} → Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab


Hi there Weedman, unfortunately you did not give me the whole report. I need it up to and including < End of Report >

However, I gathered 1 piece which I can remove. If you could then re-run Winpfind and give me the entire log.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Win32 Services - Non-Microsoft Only]
YN -> (Hidsvyage) Hidsvyage [Win32_Shared | On_Demand | Stopped] ->
[Registry - Non-Microsoft Only]
*System* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
YN -> kdruq.exe -> kdruq.exe

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
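The two items in the fix above were picked out of the WinPFind3U log by eye: a service whose binary resolves to "File not found" (Hidsvyage) and a value sitting under Winlogon\System (kdruq.exe), a location that is normally empty on XP. As an added example, not part of this thread or of WinPFind3U, SDFix or HijackThis, the Python script below applies those two checks mechanically to log lines in that layout. The sample lines are copied from the log posted above; the flag names, the extra "no vendor" check on service entries and the `triage`/`summarize` helpers are my own additions.

```python
"""Triage of WinPFind3U-style log lines.

Added example for this thread; it is not part of WinPFind3U, SDFix or any
other tool mentioned here.  It reproduces the two signals the helper acted
on: an autorun/service entry whose target resolves to "File not found",
and any value stored under Winlogon\\System, which is normally empty.
"""
import re
from dataclasses import dataclass

ARROW = "\u2192"  # WinPFind3U separates the fields of a line with "→"

# Constructed sample in the layout of the log above (entries taken from it).
SAMPLE_LOG = r"""[Win32 Services - Non-Microsoft Only]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] → %System32%\ati2sgag.exe → [Ver = 5.13.0024 | Size = 516096 bytes | Modified Date = 05/08/2005 20:05:00 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 10:06:04 | Attr = ]
(Hidsvyage) Hidsvyage [Win32_Shared | On_Demand | Stopped] → → File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 10:06:10 | Attr = ]
KernelFaultCheck → → File not found
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
System → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System →
kdruq.exe → kdruq.exe → File not found
"""


@dataclass(frozen=True)
class Finding:
    section: str    # "[...]" block the entry came from
    key: str        # registry key in force ("" for service entries)
    name: str       # service name or registry value name
    target: str     # path/command the entry points at ("" when missing)
    reasons: tuple  # why it was flagged, most serious first


def parse_entry(line):
    """Split one log line into (name, target, vendor/metadata)."""
    parts = [p.strip() for p in line.split(ARROW)]
    parts += [""] * (3 - len(parts))
    return parts[0], parts[1], " ".join(parts[2:]).strip()


def triage(log_text):
    """Return the entries an analyst should look at first."""
    findings = []
    section = key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, key = line[1:-1], ""      # new block, no key yet
            continue
        name, target, meta = parse_entry(line)
        if name.startswith("<") or target.startswith("HKEY_"):
            key = target.rstrip("\\")           # a key header: remember it
            continue
        reasons = []
        if key.endswith("\\Winlogon\\System"):
            reasons.append("winlogon_system")   # should hold no values at all
        if "File not found" in (target, meta):
            # A signal for review, not a verdict: KernelFaultCheck is the
            # standard dumprep entry and is flagged by this check as well.
            reasons.append("file_not_found")
        if section.startswith("Win32 Services") and meta.startswith("["):
            reasons.append("no_vendor")         # metadata with no company name
        if reasons:
            m = re.match(r"\((.+?)\)", name)    # "(svc) svc [...]" -> "svc"
            findings.append(Finding(section, key, m.group(1) if m else name,
                                    target, tuple(reasons)))
    return findings


def summarize(findings):
    """Map each flagged name to its reasons, for a quick read or a test."""
    return {f.name: f.reasons for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{', '.join(f.reasons):32} {f.name}  ({f.key or f.section})")
```

Run on the sample, the script lists kdruq.exe (both reasons), Hidsvyage and KernelFaultCheck (file not found) and ATI Smart (no vendor string); the avast! entries pass. The point of the "no vendor" check is only to order the analyst's attention: unsigned or vendor-less service binaries are common and usually legitimate, which is why it sits below the other two reasons.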

Ok did as you asked m8.

Attached file as too big to post m8.

OK, that showed that it does not want to go, so time for a bigger hammer.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.

[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Ok did it and it looks as though it's removed some stuff... however a quick check on google and it's still there.

SDFix: Version 1.113

Run by Gordon on 02/11/2007 at 13:00

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ULTRA.DLL - Deleted
C:\WINDOWS\system32\plugin1.dat - Deleted

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

                             Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 13:05:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:8276a6f2
"s1"=dword:12197488
"s2"=dword:45741743
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:bb,08,c3,6b,31,f6,bf,f4,fc,cf,0a,4b,7b,5c,99,c0,3d,1d,4e,f3,48,...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:bb,08,c3,6b,31,f6,bf,f4,fc,cf,0a,4b,7b,5c,99,c0,3d,1d,4e,f3,48,...

scanning hidden registry entries …

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{BECFD19F-B930-E776-B888-3EAFE509941F}]
"nanihcbmklnboaohpongmdagmkki"=hex:69,61,6c,66,69,6c,70,63,6b,61,67,62,6e,69,68,65,68,6b,00,00
"madijedlpnnlcflaelmcccpahn"=hex:69,61,6c,66,69,6c,70,63,6b,61,67,62,6e,69,68,65,68,6b,00,00

scanning hidden files …

C:\WINDOWS\System32\kdruq.exe 72204 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE"="C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE:*:Enabled:UPDATE"
"C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe"="C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe:*:Enabled:Jointops"
"C:\Program Files\HLSW\hlsw.exe"="C:\Program Files\HLSW\hlsw.exe:*:Enabled:HLSW"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Soulseek-Test\slsk.exe"="C:\Program Files\Soulseek-Test\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\Steam-Down\Steam-Down.exe"="C:\Program Files\Steam-Down\Steam-Down.exe:*:Enabled:Steam-Down"
"C:\Program Files\TVAnts\Tvants.exe"="C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"C:\Program Files\Activision\Rome - Total War\RomeTW.exe"="C:\Program Files\Activision\Rome - Total War\RomeTW.exe:*:Enabled:Rome: Total War"
"C:\Program Files\Steam\SteamApps\lodtheweedman\counter-strike source\hl2.exe"="C:\Program Files\Steam\SteamApps\lodtheweedman\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE"="C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE:*:Enabled:Microsoft Office FrontPage"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\THQ\Dawn of War\W40k.exe"="C:\Program Files\THQ\Dawn of War\W40k.exe:*:Enabled:W40K"
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe"="C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"="C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Enabled:etqwded.exe"
"C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="C:\Program Files\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars™ "
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Documents and Settings\Gordon\Application Data\SopCast\adv\SopAdver.exe"="C:\Documents and Settings\Gordon\Application Data\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 8 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 18 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 13 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT1.tmp"
Sat 23 Dec 2006 106,496 A..H. --- "C:\Deckard\System Scanner\20071029225128\backup\DOCUME~1\Gordon\LOCALS~1\Temp~18.tmp"
Fri 1 Dec 2006 106,496 A..H. --- "C:\Deckard\System Scanner\20071029225128\backup\DOCUME~1\Gordon\LOCALS~1\Temp~19.tmp"
Fri 27 Jul 2007 126,976 A..H. --- "C:\Deckard\System Scanner\20071029225128\backup\DOCUME~1\Gordon\LOCALS~1\Temp~1B.tmp"
Sat 28 Jul 2007 126,976 A..H. --- "C:\Deckard\System Scanner\20071029225128\backup\DOCUME~1\Gordon\LOCALS~1\Temp~38.tmp"
Fri 27 Jul 2007 126,976 A..H. --- "C:\Deckard\System Scanner\20071029225128\backup\DOCUME~1\Gordon\LOCALS~1\Temp~5.tmp"

Finished!

HiJack this log :-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:10:40, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\TRIXX\TRIXX.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [trIXX] "C:\Program Files\TRIXX\TRIXX.exe" -s
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe


End of file - 6860 bytes

OK, that has now given me the location of the file. Now I need to nuke it.

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Click on Avenger.zip to open the file
    [*]Extract avenger.exe to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]Files to delete:
C:\WINDOWS\System32\kdruq.exe

registry keys to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{BECFD19F-B930-E776-B888-3EAFE509941F}
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, start The Avenger program by clicking on its icon on your desktop.
    [*] Under “Script file to execute” choose “Input Script Manually”.
    [*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”.
    [*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    [*] Click Done
    [*] Now click on the Green Light to begin execution of the script
    [*] Answer “Yes” twice when prompted.
  2. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  3. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply