SDFix: Version 1.220
Run by Madame Rotary on Fri 08/29/2008 at 09:58 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Madame Rotary\Desktop\SDFix\SDFix

Checking Services :

Name :
sysrest.sys

Path :
\??\C:\WINDOWS\system32\sysrest.sys

sysrest.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\phcr6mj0ej59.bmp - Deleted
C:\Documents and Settings\Madame Rotary\xrt_cyjy.exe - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt168E.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1692.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt16C3.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1712.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1759.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1770.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1779.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1783.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1786.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt178B.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt178D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt178F.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1791.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1797.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt179D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17A0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17A2.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17A8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17AA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17AC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17AF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17B1.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17B3.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17B5.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17B7.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17B9.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17BC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17BE.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17C0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17C2.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17C4.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17C6.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17C9.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17CB.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17CD.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17CF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17D1.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17D3.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17D6.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17D8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17DA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17DC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17DE.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17E0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17E6.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17E8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17EA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17EC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17EE.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17F0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17F3.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17F5.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17F8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17FA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17FC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt17FF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1802.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1805.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1807.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt180B.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt180D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt180F.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1812.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1818.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt182D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1836.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1845.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1878.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1893.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt18AA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt18BB.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt18F1.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1909.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt190F.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1915.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1918.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt191A.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1925.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1946.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt195D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1985.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt198A.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1993.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt19A9.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CAD.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CB4.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CD0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CD9.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CDF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CE5.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CEB.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CF1.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CF9.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CFF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D06.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D0C.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D12.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D18.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D1E.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D24.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D2A.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D30.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D36.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D3C.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D42.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D48.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D4E.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D54.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D5A.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D60.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D66.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D6C.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D72.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D78.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D7E.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D84.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D8A.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D90.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D96.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1D9C.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DA2.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DA8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DAE.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DB4.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DBA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DC0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DC8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DCE.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DD4.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DDA.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DE0.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DE6.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DEC.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DF2.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DF8.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1DFF.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E05.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E0B.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E11.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E17.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E1D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E23.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E29.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E2F.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E4D.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1E6E.tmp - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt168E.tmp.vbs - Deleted
C:\DOCUME~1\MADAME~1\LOCALS~1\Temp\.tt1CAD.tmp.vbs - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
C:\WINDOWS\system32\sysrest.sys - Deleted
C:\WINDOWS\system32\tdssadw.dll - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssl.dll - Deleted
C:\WINDOWS\system32\tdsslog.dll - Deleted
C:\WINDOWS\system32\tdssmain.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 12:02:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:5d,d3,6f,da,74,01,fa,a4,8a,e4,f0,2e,35,15,dc,47,2d,a6,dc,d1,f4,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:62,bf,56,f0,8d,c1,a2,f4,db,41,f3,07,b5,dd,19,fb,ea,7d,7b,c4,94,..
"d0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:05,67,bc,98,d7,34,64,ae,7a,d9,30,18,ac,9d,c9,4c,30,a2,60,0b,5f,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:5d,d3,6f,da,74,01,fa,a4,8a,e4,f0,2e,35,15,dc,47,2d,a6,dc,d1,f4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:62,bf,56,f0,8d,c1,a2,f4,db,41,f3,07,b5,dd,19,fb,ea,7d,7b,c4,94,..
"d0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:05,67,bc,98,d7,34,64,ae,7a,d9,30,18,ac,9d,c9,4c,30,a2,60,0b,5f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\utorrent.exe"="C:\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Madame Rotary\\My Documents\\my games\\Nintendo Games\\EMULATOR1 - NESTICLE.exe"="C:\\Documents and Settings\\Madame Rotary\\My Documents\\my games\\Nintendo Games\\EMULATOR1 - NESTICLE.exe:*:Disabled:EMULATOR1 - NESTICLE"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:a"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\DOCUME~1\MADAME~1\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 16 Mar 2007     4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 17 May 2007       399 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti43.tmp"
Wed 17 Nov 2004    94,458 A..H. --- "C:\Program Files\Nero\data\Nero PhotoShow Express.exe"

Finished!
with a new HijackThis log.
ComboFix 08-08-29.02 - Madame Rotary 2008-08-30 1:27:05.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.780 [GMT -4:00]
Running from: C:\Documents and Settings\Madame Rotary\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\bin.clearspring.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\interclick.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\interclick.com\ud.sol
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\static.youku.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\#SharedObjects\JTFW6MTY\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Madame Rotary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Program Files\Altnet
C:\Program Files\Altnet\DBBackup\Sigfiles.db
C:\Program Files\Altnet\Download Manager\adm25.dll
C:\Program Files\Altnet\Download Manager\adm4.dll
C:\Program Files\Altnet\Download Manager\adm4005.exe
C:\Program Files\Altnet\Download Manager\admdata.dll
C:\Program Files\Altnet\Download Manager\admdloader.dll
C:\Program Files\Altnet\Download Manager\admfdi.dll
C:\Program Files\Altnet\Download Manager\admprog.dll
C:\Program Files\Altnet\Download Manager\altnetuninstall.exe
C:\Program Files\Altnet\Download Manager\asm.exe
C:\Program Files\Altnet\Download Manager\asmend.exe
C:\Program Files\Altnet\Download Manager\asmps.dll
C:\Program Files\Altnet\Download Manager\dminfo3.cab
C:\Program Files\Altnet\Download Manager\dminstall7.cab
C:\Program Files\Altnet\Download Manager\dmsetup.bmp
C:\Program Files\Altnet\Download Manager\dmsetupbig.bmp
C:\Program Files\Altnet\Download Manager\jsinstall.cab
C:\Program Files\Altnet\Download Manager\jslegals.txt
C:\Program Files\Altnet\Download Manager\selectdir.txt
C:\Program Files\Altnet\Download Manager\selectdir1st.txt
C:\Program Files\Altnet\Download Manager\Thumbs.db
C:\WINDOWS\cdmxtras
C:\WINDOWS\cdmxtras\uninst.exe
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\AdCache
C:\WINDOWS\system32\cache329
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
-------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.
2008-08-30 01:20 . 2008-08-30 01:20 <DIR> d---s---- C:\Documents and Settings\Madame Rotary\UserData
2008-08-30 00:13 . 2008-08-30 00:13 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-29 23:41 . 2007-02-13 15:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-08-29 23:41 . 2007-01-15 13:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Simple Star
2008-08-29 23:41 . 2007-01-15 13:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-08-29 23:41 . 2008-08-29 23:41 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-29 09:52 . 2008-08-29 09:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-28 14:25 . 2008-08-28 14:25 <DIR> dr------- C:\Program Files\Norton Support
2008-08-28 12:00 . 2008-08-29 23:32 86,528 --a------ C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys
2008-08-28 12:00 . 2008-08-28 12:00 3 --a------ C:\temp.tmp
2008-08-27 23:47 . 2008-08-27 23:51 <DIR> d-------- C:\fixwareout
2008-08-27 23:30 . 2008-08-27 23:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 13:17 . 2008-08-27 13:20 <DIR> d-------- C:\Program Files\XoftSpySE
2008-08-27 01:50 . 2008-08-27 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-26 15:41 . 2008-08-26 15:41 <DIR> d-------- C:\Program Files\Symantec
2008-08-26 15:41 . 2008-08-26 15:43 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-26 15:41 . 2008-08-26 15:41 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-26 15:41 . 2008-08-26 15:41 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-26 15:41 . 2008-08-26 15:41 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-08-26 15:41 . 2008-08-26 15:41 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-26 15:41 . 2008-08-26 15:41 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-26 15:40 . 2008-08-26 15:40 <DIR> d-------- C:\WINDOWS\system32\drivers\NIS
2008-08-26 15:40 . 2008-08-26 15:40 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-26 15:40 . 2008-08-26 15:40 <DIR> d-------- C:\Program Files\NortonInstaller
2008-08-26 15:40 . 2008-08-26 15:40 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-08-26 15:40 . 2008-08-26 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-26 15:40 . 2008-08-26 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-08-26 15:40 . 2008-08-26 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-08-26 01:24 . 2008-08-27 23:48 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\COMCASTTOOLBAR
2008-08-26 01:24 . 2008-08-28 23:28 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-07 11:36 . 2008-08-07 11:36 <DIR> d-------- C:\My Music
2008-07-21 16:03 . 2008-07-21 16:15 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-04 12:43 . 2008-07-04 12:43 <DIR> d-------- C:\Documents and Settings\Madame Rotary\Application Data\Amazon
2008-07-04 12:38 . 2008-07-04 12:38 <DIR> d-------- C:\Program Files\Amazon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 06:52 --------- d-----w C:\Program Files\Trillian
2008-08-29 05:03 --------- d-----w C:\Program Files\Java
2008-08-23 15:25 --------- d-----w C:\Documents and Settings\Madame Rotary\Application Data\uTorrent
2008-07-20 04:20 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-06-13 06:49 3,532 ----a-w C:\drmHeader.bin
.
------- Sigcheck -------
2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-08-26 01:24 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 20:28 212992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11 925696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-28 00:01 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 08:00 158208]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 13:22 86016 C:\WINDOWS\system32\nvmctray.dll]
C:\Documents and Settings\Madame Rotary\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\z2yhfmbkp2z.sys]
@="\??\C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\utorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Documents and Settings\\Madame Rotary\\My Documents\\my games\\Nintendo Games\\EMULATOR1 - NESTICLE.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\services.exe"=
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.078\SYMEFA.SYS [2008-08-26 15:41]
S1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NIS\1000000.078\BHDrvx86.sys [2008-08-26 15:41]
S1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NIS\1000000.078\ccHPx86.sys [2008-08-26 15:41]
S1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080822.001\IDSxpx86.sys [2008-08-26 15:41]
S2 Norton Internet Security;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\16.0.0.120\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.120\diMaster.dll []
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S2 z2yhfmbkp2z.sys;z2yhfmbkp2z.sys;C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys [2008-08-29 23:32]
S3 MRVW225;D-Link AirPlus G DWL-G122 Wireless USB Dirver for Windows XP;C:\WINDOWS\system32\DRIVERS\MRVW225.sys [2005-09-30 21:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f8ef482-bee2-11db-963f-0018f39d11f4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-08-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-08-30 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-19 18:37]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com
R0 -: HKLM-Main,Start Page = www.google.com
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O16 -: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
C:\WINDOWS\Downloaded Program Files\PTGameLauncher.inf
C:\WINDOWS\Downloaded Program Files\PTGameLauncher.dll

Notably, I don't appear to have a rdssrv.exe or hdfkt.dll. I double-checked my logs, the files you listed, and my folder multiple times to ensure I wasn't making any errors. Would that possibly be the error?
KillAll::
File::
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\rdssrv.exe
C:\WINDOWS\system32\rdshost.dll
C:\WINDOWS\system32\hdfkt.dll
Folder::
C:\Program Files\Viewpoint
Driver::
C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\z2yhfmbkp2z.sys]
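As an added triage example (not part of the original post, and not code from ComboFix, SDFix or the DaniWeb helpers), the following Python pulls the four indicators that the CFScript above acts on out of a ComboFix log: a service whose name, display name and binary are all the same file (the `S2 z2yhfmbkp2z.sys;z2yhfmbkp2z.sys;...` line), a non-default SafeBoot\Minimal key that makes a driver load even in Safe Mode, Windows Firewall exceptions for core Windows binaries or with a throwaway description such as "enable", and a system32 file whose size matches its dllcache copy but whose MD5 does not (the winlogon.exe Sigcheck lines). The sample log is excerpted from the ComboFix log above; the rule names, the `CORE_BINARIES` and `GENERIC_DESCRIPTIONS` sets and the regular expressions are my own assumptions about the log format, not something ComboFix documents.

```python
"""Triage helpers for ComboFix-style logs (added example, not part of the
original post or of ComboFix/SDFix).  Each check reads one section of the
log text and returns (rule, subject) tuples for an analyst to confirm."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the ComboFix log above.  The
# SymEFA service and the Opera firewall entry are benign and should pass.
SAMPLE_LOG = r"""
------- Sigcheck -------
2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-08-26 01:24 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\z2yhfmbkp2z.sys]
@="\??\C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\services.exe"=
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.078\SYMEFA.SYS [2008-08-26 15:41]
S2 z2yhfmbkp2z.sys;z2yhfmbkp2z.sys;C:\WINDOWS\system32\drivers\z2yhfmbkp2z.sys [2008-08-29 23:32]
"""

# Assumed line shapes, derived from the log above rather than from any
# ComboFix documentation.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[", re.M)
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]]+)\]\r?\n@=\"([^\"]*)\"", re.M)
FIREWALL_RE = re.compile(r'^"([^"]+)"=(?:"[^"]*?:\*:(\w+):([^"]*)")?$', re.M)
SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (\d+) ([0-9a-f]{32}) (.+)$", re.M)

# Core Windows processes never need an inbound exception of their own; an
# entry for one of these is a classic sign that malware opened the firewall.
CORE_BINARIES = {"services.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
                 "svchost.exe", "csrss.exe", "smss.exe"}
GENERIC_DESCRIPTIONS = {"enable", "enabled", "allow"}


def basename(path):
    """Last path component, lower-cased; collapses the doubled backslashes
    that the registry export uses."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def self_named_services(text):
    """Service whose name, display name and binary are all the same file name."""
    out = []
    for _start, name, display, image in SERVICE_RE.findall(text):
        if name.lower() == display.lower() == basename(image):
            out.append(("self-named service", basename(image)))
    return out


def safeboot_drivers(text):
    """ComboFix hides default SafeBoot entries, so any it prints is non-default."""
    return [("loads in Safe Mode", basename(path))
            for _profile, _key, path in SAFEBOOT_RE.findall(text)]


def firewall_oddities(text):
    out = []
    for path, _state, desc in FIREWALL_RE.findall(text):
        name = basename(path)
        if name in CORE_BINARIES:
            out.append(("firewall exception for core binary", name))
        elif desc.lower() in GENERIC_DESCRIPTIONS:
            out.append(("firewall exception with generic description", name))
    return out


def patched_system_files(text):
    """Same size but different MD5 between system32 and its dllcache copy."""
    seen = defaultdict(dict)
    for size, md5, path in SIGCHECK_RE.findall(text):
        low = path.lower()
        if "\\dllcache\\" in low:
            seen[basename(path)]["dllcache"] = (size, md5)
        elif "\\system32\\" in low:
            seen[basename(path)]["live"] = (size, md5)
    out = []
    for name, copies in seen.items():
        if "live" in copies and "dllcache" in copies:
            (lsize, lmd5), (csize, cmd5) = copies["live"], copies["dllcache"]
            if lsize == csize and lmd5 != cmd5:
                out.append(("patched in place", name))
    return out


def triage(text):
    return (self_named_services(text) + safeboot_drivers(text)
            + firewall_oddities(text) + patched_system_files(text))


if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LOG):
        print(f"{rule:45} {subject}")
```

Run against the sample it reports five findings: z2yhfmbkp2z.sys twice (self-named service, Safe Mode entry), sysrest32.exe and services.exe from the firewall list, and winlogon.exe as patched in place. That last one is worth a look in the log above on its own: the live winlogon.exe has the same size as the 2004 dllcache copy but a different hash, and its timestamp (2008-08-26 01:24) is the same minute tdssserf.dll appeared. The script deliberately uses no "random-looking filename" heuristic; the structural evidence ComboFix already prints (a service named after its own binary, a SafeBoot key ComboFix would otherwise suppress) is far less prone to false positives, and every hit is a lead for the analyst to confirm, not a verdict.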