mackey
Trooper
Premium Member
Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Wed Sep 10, 2008 9:00 pm Post subject: Malware: Anti-virus XP 2008 license agreement
I have two boxes on my screen that won't go away. One is an "Anti-Virus XP 2008 License Agreement" that wants an OK to install, and the other is a window saying "Windows Warning Message", stating my computer is infected and to activate anti-virus software.
I have observed the following items:
- System Restore only has a restore point available from around the time of the infection and won't click backwards to a previous day.
- I was unable to reach CastleCops on the infected computer via Firefox 3. Only a new window would open with an ad.
- I ran CCleaner, SpywareBlaster and Spybot Search & Destroy. Spybot fixed problems, but the two boxes are still present. I have been unable to successfully run the anti-virus program, as the computer has re-booted by itself.
HijackThis log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:42 PM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\lphcaa4j0e95r.exe
C:\Documents and Settings\malcolm\Local Settings\Temp\.tt108.tmp.exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080521
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080521
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080521
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lphcaa4j0e95r] C:\WINDOWS\system32\lphcaa4j0e95r.exe
O4 - HKLM\..\Run: [inrhcea4j0e95r] C:\Documents and Settings\malcolm\Local Settings\Temp\.tt108.tmp.exe /CR=E378D6B80573F693830D714814CC3DF8E985A907FF8041AD8853A0C9820EFFA7E4499093A3680CF9405D25AA4DAAD6B63F98B1C5A0425B25CF538F056C97035C33BAC19F2818F2A98BE68F5D1FEA75BFCD
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 8545 bytes
I appreciate the help and hope to hear from you soon. Thanks,
Mac
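Added example, not from this thread or from HijackThis itself: a small Python triage script that parses the O4 Run entries of a HijackThis log like the one above and flags the traits a helper looks at first, namely an executable launched from a Temp folder, a run-key or file name that looks machine-generated, a double extension such as .tmp.exe, and a long hexadecimal command-line argument. The sample lines are constructed from the log above (the /CR= value is truncated), and the heuristics and thresholds are my own assumptions, not a published signature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a handful of O4 lines modelled on the HijackThis log posted
# above (not the full log). The /CR= argument is truncated to 64 hex characters.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [lphcaa4j0e95r] C:\WINDOWS\system32\lphcaa4j0e95r.exe
O4 - HKLM\..\Run: [inrhcea4j0e95r] C:\Documents and Settings\malcolm\Local Settings\Temp\.tt108.tmp.exe /CR=E378D6B80573F693830D714814CC3DF8E985A907FF8041AD8853A0C9820EFFA7
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Amazon Unbox.lnk = ?
"""

# HijackThis O4 registry Run entry: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# First token of the command line: a quoted path, or an unquoted path ending in an
# executable extension (so "C:\Documents and Settings\..." survives its spaces).
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr))(?=\s|$)', re.IGNORECASE)

# Heuristics (assumed thresholds, tuned to the rogue entries in the log above).
RANDOM_NAME_RE = re.compile(r'^(?=(?:.*\d){2})(?=(?:.*[a-z]){2})[a-z0-9]{10,}$')
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r'\.(?:tmp|txt|jpg|gif|pdf|doc)\.exe$', re.IGNORECASE)
HEX_ARG_RE = re.compile(r'/[A-Za-z]+=[0-9A-Fa-f]{32,}')


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    args: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable path, remaining arguments)."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip(), ""
    path = m.group('q') or m.group('u')
    return path, cmd[m.end():].strip()


def parse_o4_entries(log_text: str) -> List[RunEntry]:
    """Return every HKLM/HKCU Run entry in a HijackThis log (startup-folder O4 lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            path, args = split_command(m.group('cmd'))
            entries.append(RunEntry(m.group('hive'), m.group('name'), path, args))
    return entries


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def score_entry(entry: RunEntry) -> List[str]:
    """Return the list of heuristic names that fire for one Run entry, in a fixed order."""
    reasons = []
    fname = basename(entry.path)
    stem = fname.rsplit('.', 1)[0]
    if TEMP_RE.search(entry.path):
        reasons.append("temp_path")          # launched from a Temp folder
    if RANDOM_NAME_RE.match(entry.name.lower()) or RANDOM_NAME_RE.match(stem.lower()):
        reasons.append("random_name")        # e.g. lphcaa4j0e95r: long letter/digit mix
    if DOUBLE_EXT_RE.search(fname):
        reasons.append("double_extension")   # e.g. .tmp.exe
    if HEX_ARG_RE.search(entry.args):
        reasons.append("long_hex_arg")       # e.g. /CR=<long hex blob>
    return reasons


def analyze_hjt_log(log_text: str) -> List[RunEntry]:
    """Parse the log and return only the Run entries that trip at least one heuristic."""
    flagged = []
    for entry in parse_o4_entries(log_text):
        entry.reasons = score_entry(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in analyze_hjt_log(SAMPLE_LOG):
        print(f"[{e.hive}] {e.name}: {e.path} -> {', '.join(e.reasons)}")
```

Entries that trip a heuristic are candidates for a closer look (file properties, signer, hash lookup), not an automatic verdict; legitimate vendors occasionally use odd names too.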
sjb007
1st Responder Premium Member
Joined: Mar 27, 2007 Posts: 1140
Posted: Thu Sep 11, 2008 6:58 pm Post subject:
Howdy and welcome to the CastleCops security forum.
Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.
Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.
Please note that as general practice CastleCops now asks that any P2P programs are removed prior to undergoing any fixes.
More information on this matter is available from here - P2P programs - we ask that you remove first
If this is a computer from a workplace then please advise your IT department of the concerning issues before commencing past this point.
Please follow these directions in the order they are set out for you.
We need to disable your TeaTimer as it may interfere with the fixes that we need to make.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
After all of the fixes are complete it is very important that you enable TeaTimer again; I will let you know when it is safe to do so.
Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm
Please download RogueRemover & save it to your desktop.
- Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
- Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
- Once the program runs, select Check for Updates.
- When prompted, select Check for Updates.
- If prompted again, click Download to receive the latest updates.
- When completed, close the update window.
- Finally, select Scan and the program will walk you through the remaining steps.
Once done - Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
Update me on how things are running.
mackey
Trooper
Premium Member
Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Sun Sep 14, 2008 3:17 pm Post subject:
Sorry for the delay in a response. I can't seem to connect to CastleCops or the links in this post on the infected computer. I had to wait until I could get on my brother's computer and downloaded the items to an external hard drive. Just a few questions.
- Do I need to turn off the SDHelper on Spybot also?
- I have the TeaTimer bat on the desktop, double clicked on it and Notepad opened up with text. Did I do this correctly?
sjb007, thanks for your patience with me.
sjb007
1st Responder Premium Member
Joined: Mar 27, 2007 Posts: 1140
Posted: Sun Sep 14, 2008 3:59 pm Post subject:
Hi mackey,
As long as TeaTimer is disabled we should be OK. Regarding the TeaTimer bat, if saved correctly it should look like the following image -> Click here for image
If it does not look like the icon shown, then right click the link again using Internet Explorer and choose "Save Target As" - save this to your desktop where you can locate it easily.
Regards.
mackey
Trooper
Premium Member
Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Tue Sep 30, 2008 9:26 pm Post subject:
sjb007,
Sorry, I've been away from home and the computer. Please don't think I don't intend to clean this computer, or that I'm using the computer with malware installed. I'm going to do everything prescribed in the morning. I've also begun suffering severe computer withdrawal. Again, thanks for your patience.
mackey
Trooper
Premium Member
Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Wed Oct 01, 2008 10:00 pm Post subject:
sjb007,
Followed your directions and observed the following:
- Still cannot connect to CastleCops or Bleeping Computer. I have still been using the external drive and had to use it for ComboFix.
- ComboFix detected rootkit activity and rebooted.
- Upon any reboot (also noticed before corrective measures): "Phoenix Award Bios Floppy Disks full (40)".
- Everything exactly as described for ComboFix.
ComboFix log:
ComboFix 08-09-30.03 - malcolm 2008-10-01 17:35:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2616 [GMT -4:00]
Running from: C:\Documents and Settings\malcolm\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\TDSSl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\TDSSpopup1.url
C:\WINDOWS\system32\TDSSpopup2.url
C:\WINDOWS\system32\TDSSpopup3.url
C:\WINDOWS\system32\tdssservers.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV
-------\Service_sysrest.sys
-------\Service_TDSSserv
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.
2008-09-13 13:49 . 2008-10-01 17:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-09-11 09:23 . 2008-09-11 09:43 <DIR> d-------- C:\Program Files\TuneXP
2008-09-10 22:53 . 2008-09-10 22:53 <DIR> d-------- C:\Program Files\VS Revo Group
2008-09-10 22:27 . 2008-09-10 22:50 <DIR> d-------- C:\Program Files\Auslogics
2008-09-10 22:27 . 2008-09-10 22:27 <DIR> d-------- C:\Documents and Settings\malcolm\Application Data\Auslogics
2008-09-10 20:50 . 2008-09-10 20:50 <DIR> d-------- C:\Program Files\Webshots
2008-09-10 20:50 . 2008-09-10 20:50 <DIR> d-------- C:\Documents and Settings\malcolm\Application Data\Webshots
2008-09-10 20:42 . 2008-06-23 12:57 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-10 20:42 . 2008-06-23 12:57 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-10 20:41 . 2008-06-23 12:57 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-10 20:41 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-10 20:41 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-10 20:41 . 2008-06-23 12:57 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-10 20:41 . 2008-06-23 12:57 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-10 20:41 . 2008-06-23 12:57 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-10 20:41 . 2008-06-23 05:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-10 18:59 . 2008-09-10 18:59 285 --a------ C:\WINDOWS\system32\MRT.INI
2008-09-10 16:48 . 2008-09-10 16:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-10 07:46 . 2008-09-10 21:56 229 --a------ C:\WINDOWS\wininit.ini
2008-09-10 07:36 . 2008-09-10 21:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-10 07:36 . 2008-09-14 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 21:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-13 17:27 --------- d-----w C:\Program Files\McAfee
2008-09-13 17:14 --------- d-----w C:\Program Files\Google
2008-09-11 04:13 --------- d-----w C:\Program Files\Dell
2008-09-11 03:40 --------- d-----w C:\Program Files\Steam
2008-09-09 22:04 358 ----a-w C:\Documents and Settings\malcolm\Application Data\wklnhst.dat
2008-09-09 17:33 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-09-07 17:30 --------- d-----w C:\Documents and Settings\malcolm\Application Data\DVD Profiler
2008-09-07 17:28 --------- d-----w C:\Program Files\DVD Profiler
2008-09-03 20:27 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Ahead
2008-08-26 11:27 --------- d-----w C:\Documents and Settings\malcolm\Application Data\XnView
2008-08-23 17:17 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Snapfish
2008-08-23 14:22 --------- d-----w C:\Program Files\Ahead
2008-08-23 14:18 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-23 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-22 22:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 22:17 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Roxio
2008-08-17 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 22:20 --------- d-----w C:\Program Files\Fox
2008-08-17 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-08-17 13:52 --------- d-----w C:\Documents and Settings\malcolm\Application Data\GRETECH
2008-08-17 13:51 --------- d-----w C:\Program Files\GRETECH
2008-08-17 12:30 --------- d-----w C:\Program Files\CCleaner
2008-08-17 09:23 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Thunderbird
2008-08-17 09:08 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-17 09:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-17 09:00 --------- d-----w C:\Program Files\Lavasoft
2008-08-17 08:13 --------- d-----w C:\Documents and Settings\malcolm\Application Data\BID
2008-08-17 08:00 --------- d-----w C:\Program Files\Bulk Image Downloader
2008-08-16 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-07-04 15:32 22,328 ----a-w C:\Documents and Settings\malcolm\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-14 8523776]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2007-10-26 184352]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-20 29744]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 155648]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-14 C:\WINDOWS\RTHDCPL.EXE]
C:\Documents and Settings\malcolm\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-09-10 157000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=C:\WINDOWS\pss\Amazon Unbox.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-08-20 17:18 1271032 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
R0 nvgts;nvgts;C:\WINDOWS\system32\drivers\nvgts.sys [2008-02-11 102400]
R0 nvrd32;NVIDIA nForce RAID Driver;C:\WINDOWS\system32\drivers\nvrd32.sys [2008-02-11 128000]
R3 NB762_XP;NB 802.11g XG762 1211B Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-11-13 437760]
R3 physX32;physX32;C:\WINDOWS\system32\DRIVERS\physX32.sys [2007-06-26 117888]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dabcfe-50fa-11dd-baea-001ec9367195}]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-lphcaa4j0e95r - C:\WINDOWS\system32\lphcaa4j0e95r.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\malcolm\Application Data\Mozilla\Firefox\Profiles\8ms3er3x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&source=iglk
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 17:42:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webshots\Webshots.scr
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\ComboFix\pv.cfexe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-01 17:45:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 21:45:50
Pre-Run: 266,246,008,832 bytes free
Post-Run: 266,186,047,488 bytes free
192 --- E O F --- 2008-09-11 07:00:47
HijackThis log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:58 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080521
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080521
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: En&queue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Ima&ge Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Open &link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with Bulk I&mage Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Unknown owner - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 7479 bytes
sjb007
1st Responder Premium Member
 Joined: Mar 27, 2007 Posts: 1140
Posted: Sat Oct 11, 2008 10:19 am
Hi there mackey
All apologies for any delays from my side.
As it's been a while since we last communicated, I want you to fully update me on how things are running in your next post.
Step 1
Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 2
Please delete the version of ComboFix you currently have on your desktop.
Once deleted, please download the latest version from Here
Make sure it is saved to the desktop as before
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix, let it run and post the resulting log
Step 3
Go to Start > Run and copy/paste the following into the Run box and click OK:
C:\Qoobox\Add-Remove Programs.txt
A text file should open. Please post the contents of that file in your next reply along with the combofix log.
Step 4
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.
Click Accept, when prompted to download and install the program files and database of malware definitions.
- Click Run at the Security prompt.
- The program will then begin downloading and installing and will also update the database.
- Please be patient as this can take several minutes.
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click View scan report at the bottom.
- Click the Save Report As... button.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Please post back with the following logs:
MBAM Log
Combofix Log
Add-Remove Programs.txt
Kaspersky results
mackey
Trooper
 Premium Member
 Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Sat Oct 11, 2008 3:38 pm
sjb007,
Please accept my apologies for the delay in applying the fixes.
A few observations
- When I turn on the computer I still have "Phoenix Award Bios Floppy Disks full (40)"; not sure what this is.
- I can now reach CastleCops on the infected computer.
I was unable to complete step 4. I received an "Internet Explorer cannot display the webpage". I also tried getting it via Google with no luck. I will keep trying through the day.
Everything else went well. Logs below.
ComboFix
ComboFix 08-10-10.09 - malcolm 2008-10-11 11:03:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2529 [GMT -4:00]
Running from: C:\Documents and Settings\malcolm\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 )))))))))))))))))))))))))))))))
.
2008-10-11 10:52 . 2008-10-11 10:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-11 10:52 . 2008-10-11 10:52 <DIR> d-------- C:\Documents and Settings\malcolm\Application Data\Malwarebytes
2008-10-11 10:52 . 2008-10-11 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-11 10:52 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-11 10:52 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-13 13:49 . 2008-10-01 17:01 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-09-11 09:23 . 2008-09-11 09:43 <DIR> d-------- C:\Program Files\TuneXP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-11 15:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-14 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-13 17:27 --------- d-----w C:\Program Files\McAfee
2008-09-13 17:14 --------- d-----w C:\Program Files\Google
2008-09-11 04:13 --------- d-----w C:\Program Files\Dell
2008-09-11 03:40 --------- d-----w C:\Program Files\Steam
2008-09-11 02:53 --------- d-----w C:\Program Files\VS Revo Group
2008-09-11 02:50 --------- d-----w C:\Program Files\Auslogics
2008-09-11 02:27 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Auslogics
2008-09-11 01:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-11 00:50 --------- d-----w C:\Program Files\Webshots
2008-09-11 00:50 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Webshots
2008-09-10 20:48 --------- d-----w C:\Program Files\Trend Micro
2008-09-09 22:04 358 ----a-w C:\Documents and Settings\malcolm\Application Data\wklnhst.dat
2008-09-09 17:33 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-09-07 17:30 --------- d-----w C:\Documents and Settings\malcolm\Application Data\DVD Profiler
2008-09-07 17:28 --------- d-----w C:\Program Files\DVD Profiler
2008-09-03 20:27 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Ahead
2008-08-29 17:18 2,302,017 ----a-w C:\WINDOWS\system32\GPhotos.scr
2008-08-26 11:27 --------- d-----w C:\Documents and Settings\malcolm\Application Data\XnView
2008-08-23 17:17 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Snapfish
2008-08-23 14:22 --------- d-----w C:\Program Files\Ahead
2008-08-23 14:18 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-23 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-22 22:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 22:17 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Roxio
2008-08-17 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 22:20 --------- d-----w C:\Program Files\Fox
2008-08-17 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-08-17 13:52 --------- d-----w C:\Documents and Settings\malcolm\Application Data\GRETECH
2008-08-17 13:51 --------- d-----w C:\Program Files\GRETECH
2008-08-17 12:30 --------- d-----w C:\Program Files\CCleaner
2008-08-17 09:23 --------- d-----w C:\Documents and Settings\malcolm\Application Data\Thunderbird
2008-08-17 09:08 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-17 09:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-17 09:00 --------- d-----w C:\Program Files\Lavasoft
2008-08-17 08:13 --------- d-----w C:\Documents and Settings\malcolm\Application Data\BID
2008-08-17 08:00 --------- d-----w C:\Program Files\Bulk Image Downloader
2008-08-16 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-04 15:32 22,328 ----a-w C:\Documents and Settings\malcolm\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((( snapshot@2008-10-01_17.45.41.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-01 20:57:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-11 14:49:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-01 20:57:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-11 14:49:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-11 14:45:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-14 8523776]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2007-10-26 184352]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-20 29744]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 155648]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-14 C:\WINDOWS\RTHDCPL.EXE]
C:\Documents and Settings\malcolm\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2008-09-10 157000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=C:\WINDOWS\pss\Amazon Unbox.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-08-20 17:18 1271032 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
R0 nvgts;nvgts;C:\WINDOWS\system32\drivers\nvgts.sys [2008-02-11 102400]
R0 nvrd32;NVIDIA nForce RAID Driver;C:\WINDOWS\system32\drivers\nvrd32.sys [2008-02-11 128000]
R3 NB762_XP;NB 802.11g XG762 1211B Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-11-13 437760]
R3 physX32;physX32;C:\WINDOWS\system32\DRIVERS\physX32.sys [2007-06-26 117888]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dabcfe-50fa-11dd-baea-001ec9367195}]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
2008-09-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\malcolm\Application Data\Mozilla\Firefox\Profiles\8ms3er3x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&source=iglk
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-11 11:04:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-11 11:07:51
ComboFix-quarantined-files.txt 2008-10-11 15:07:49
ComboFix2.txt 2008-10-01 21:45:53
Pre-Run: 266,140,315,648 bytes free
Post-Run: 266,128,236,544 bytes free
169 --- E O F --- 2008-09-11 07:00:47
MBAM
Malwarebytes' Anti-Malware 1.28
Database version: 1255
Windows 5.1.2600 Service Pack 2
10/11/2008 10:56:40 AM
mbam-log-2008-10-11 (10-56-40).txt
Scan type: Quick Scan
Objects scanned: 45454
Time elapsed: 1 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Add-Remove Programs.txt
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.0
AGEIA PhysX v7.06.26
Amazon Unbox Video
Amazon Unbox Video
AusLogics Disk Defrag
AusLogics Registry Defrag
Bulk Image Downloader v1.37.0.6
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM)
CCleaner (remove only)
Clive Barker's Undying(tm)
Compatibility Pack for the 2007 Office system
Dell DataSafe Online
Dell System Restore
Documentation & Support Launcher
DVD Profiler Version 3.1.1
Games, Music, & Photos Launcher
GOM Player
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Half-Life 2
HijackThis 2.0.2
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB934428-v2)
Hotfix for Windows XP (KB935448)
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Works
Mozilla Firefox (3.0.1)
Mozilla Thunderbird (2.0.0.16)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Nero 6 Ultra Edition
Nero PhotoShow Express
NeroMIX
NeroVision Express 2
No One Lives Forever - Game of the Year Edition
No One Lives Forever 2
NVIDIA Drivers
NVIDIA Performance
NVIDIA Performance
NVIDIA System Monitor
NVIDIA System Monitor
PowerDVD
QualXServ Service Agreement
Realtek High Definition Audio Driver
Revo Uninstaller 1.71
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SearchAssist
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Update for Windows XP (KB912945)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB946627)
WD Diagnostics
WebFldrs XP
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB891781
WinRAR archiver
XnView 1.93.6
sjb007
1st Responder Premium Member
 Joined: Mar 27, 2007 Posts: 1140
Posted: Sat Oct 11, 2008 5:30 pm
Hi there mackey
Regarding the query about the Phoenix Award Bios message: as this does not appear to be malware related, I would advise that you post in General Computer Problems and see what they can do to help.
Go to Start Menu > Control Panel > Add/Remove Programs
- Select SearchAssist > click Remove
- Now Exit Add/Remove Programs.
Next we need to fix a registry entry.
First let's back up the registry.
Go to Start Menu - Run
Type in regedit to start the editor
Once regedit is open...
From the file menu - Select File -> Export
Choose a filename for the backup
Next...
Just below the filename you will see export range.
Set the export range to all
Now click the save button and close the editor
Open Notepad and copy and paste the text inside the codebox into Notepad:
Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dabcfe-50fa-11dd-baea-001ec9367195}]
- Save this as fix.reg > choose to save as *all files > and place it on your desktop.
- On your desktop, it must look like a white sheet with little green boxes on it.
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.
- Reboot your computer.
Let's try a different online scan....
- Close any open programs.
- Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Perform an online scan with Panda ActiveScan
- Click on Scan Your PC Now
- A "pop up" window will appear, or a new tab will open.
- Click on Register
- Choose the option you like most, but we recommend the Free Registration.
- Click on Register
- Enter your e-mail address, and create a password.
- Select "I do not want to receive any type of information" (unless you want to receive such information)
- Click on Send
- Confirm registration, and continue by entering your user name and password, then click on Enter
- Select Full Scan, then Click on Scan Now
- Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
- If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
- Please ignore the offer to buy the program. Click on Export To
- Export the log and save it to your desktop.
- Please post the contents of that log in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
Please post back with:
The results from the Pandascan
Let me know how the regfix went
Keep me updated on how your computer is running, are you experiencing any more problems?
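The ComboFix "Reg Loading Points" section in the previous post and the regfix above both turn on a small set of registry indicators: an autostart value pointing into a Temp directory, a random-looking Run value name, Security Center notification and monitoring flags set to 1, EnableFirewall set to 0 under the firewall policy, and a per-device AutoRun command under MountPoints2. The Python below is an added example, not code from this thread or from ComboFix, MBAM or any other tool mentioned in it. It parses a REGEDIT4-style dump in the shape ComboFix prints and reports those indicators, then emits the same `[-key]` deletion text the reply uses. The dump it runs on is constructed for the example (modelled on the posted log; the "tt108" and "lphcaa4j0e95r" Run values are invented, and their paths are assumptions), and the random-name rule is a heuristic, not a signature.

```python
"""Flag rogue-AV tampering indicators in a REGEDIT4-style registry dump.

Added example, not from the thread. The input format follows what ComboFix
prints under "Reg Loading Points"; SAMPLE_DUMP is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the posted log. The "tt108" and
# "lphcaa4j0e95r" Run values are invented for this example; the Security
# Center, firewall and MountPoints2 lines mirror the posted ComboFix output.
SAMPLE_DUMP = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"tt108"="C:\Documents and Settings\malcolm\Local Settings\Temp\.tt108.tmp.exe" [2008-09-10 52224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-14 8523776]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-14 C:\WINDOWS\RTHDCPL.EXE]
"lphcaa4j0e95r"="C:\WINDOWS\system32\lphcaa4j0e95r.exe" [2008-09-10 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dabcfe-50fa-11dd-baea-001ec9367195}]
\Shell\AutoRun\command - H:\wd_windows_tools\setup.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=value, optionally followed by ComboFix's "[date size]" annotation
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(?:\[\d{4}-\d{2}-\d{2} [^\]]*\])?$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{10,}$")   # heuristic: long, letters+digits, no separators
NOTIFY_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def reg_int(value: str) -> Optional[int]:
    """Parse 'dword:00000001' or ComboFix's ' 0 (0x0)' style numeric values."""
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def audit_dump(text: str) -> List[Finding]:
    """Walk the dump line by line, tracking the current key, and flag indicators."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        am = AUTORUN_RE.match(line)
        if am and "mountpoints2" in key.lower():
            findings.append(Finding(key, r"\Shell\AutoRun\command", am.group("cmd"),
                                    "per-device AutoRun handler under MountPoints2"))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), vm.group("value").strip('"')
        lname, lkey = name.lower(), key.lower()
        if RUN_KEY_RE.search(key):
            if TEMP_DIR_RE.search(value):
                findings.append(Finding(key, name, value, "autostart from a Temp directory"))
            elif RANDOM_NAME_RE.match(lname) and re.search(r"\d", lname):
                findings.append(Finding(key, name, value, "random-looking autostart name (heuristic)"))
        elif "security center" in lkey:
            if lname in NOTIFY_FLAGS and reg_int(value) == 1:
                findings.append(Finding(key, name, value, "Security Center notification suppressed"))
            elif lname == "disablemonitoring" and reg_int(value) == 1:
                findings.append(Finding(key, name, value, "Security Center product monitoring disabled"))
        elif "firewallpolicy" in lkey and lname == "enablefirewall" and reg_int(value) == 0:
            findings.append(Finding(key, name, value, "Windows Firewall disabled for this profile"))
    return findings


def deletion_reg(key: str) -> str:
    """Text of a .reg file that deletes `key` when merged (the [-key] syntax used in the reply)."""
    return f"REGEDIT4\r\n\r\n[-{key}]\r\n"


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.value}")
    mp = [f for f in audit_dump(SAMPLE_DUMP) if "MountPoints2" in f.reason]
    if mp:
        print(deletion_reg(mp[0].key), end="")
```

Run against a real ComboFix log, the script only reads text; it never touches the live registry. The two Security Center values it flags are exactly the ones that let a rogue AV show its own "your computer is infected" warning while the real product's alerts are silenced, and the MountPoints2 hit is the key the `[-...]` regfix above removes, so the `deletion_reg` output can be merged after the usual full-registry export.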
mackey
Trooper
 Premium Member
 Joined: Dec 11, 2005 Posts: 33 Location: USA
Posted: Sat Oct 11, 2008 7:48 pm
PandaScan results as follows -
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-10-11 15:35:28
PROTECTIONS: 2
MALWARE: 10
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No No
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\malcolm\Cookies\malcolm@bluestreak[1].txt
00386444 Rootkit/Agent.JWJ Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0001045.sys
00386444 Rootkit/Agent.JWJ Virus/Trojan No 1 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tdssserv.sys.vir
01185375 Application/Psexec.A HackTools No 0 Yes