XP Total Security 2011 possibly still lingering somewhere..



madPC
2011-05-21, 19:09
Hi,

After 2 years, I'm back again :rolleyes:

Was just surfing on Thu evening (if I recall correctly) and I think I inadvertently visited a rogue website and suddenly this XP Total Security 2011 app window popped up and started scanning my PC for viruses. A modified Windows Security Center appeared, too. I've been using computers for the last 16 years so I could tell it was not legit almost immediately. I initially (momentarily) thought it was a very cleverly and cunningly designed online advert, but was shocked when I found the app icon beside my clock. :spider:

What follows were the actions I took to try to remedy the problem to the best of my memory, in chronological order:

1. Couldn't run a Malwarebytes scan as the virus seemed to have blocked the app entirely (couldn't even start it)

2. Spybot scan in safe mode showed sys was clean (obviously wasn't!)

3. Bit of googling and I found a suggestion in a comment to try using a 'TDSS rootkit removing tool' by Kaspersky, which I downloaded off the Kaspersky website. That seemingly found the virus and said I'd need to restart the PC to finish the removal. If I remember correctly, after restarting after this scan was when I noticed my Start Menu was almost empty and that my desktop icons had disappeared. I found that my Start Menu folders were simply 'hidden', but strangely all icons both inside and outside each App folder were deleted. Desktop items were simply hidden, though.

4. Ran Malwarebytes full scan in Safe mode, showed sys was clean.

5. I then tried a spybot scan in normal mode, again showed sys was clean. Set it up to run a scan on next system start up.

6. This time it found the virus but after the scan it said it'd need to run again after a restart to fully remove it. Interestingly, about 20 secs or so after the scan had started, Spybot said something along the lines of 'it'd be better to run it once again on next sys start up', so I selected OK there and the scan continued. But as I said, after the scan, when it was trying to 'fix the selected problems', it asked for my permission to 'fix' the problem after another restart and I selected OK. The reason I mention this is because after I restarted, Spybot didn't just open up and re-try to tackle the issue; it actually ran a whole scan again, but found nothing.

The icon has disappeared from my sys tray and Windows Security Center looks normal again. My Start Menu items are still missing, however. All 3 attempts to run a System Restore to a point before the virus entered were unsuccessful.

Now, I have a slight feeling that this virus hasn't been fully eradicated as, A. my Start Menu is still in its post-hacked state, B. 3 failed attempts at System Restore using 3 different dates, and C. the Quick Launch toolbar is set to 'show' but it's totally invisible, exactly as if it's been set to not show.

7. Here's my DDS log:

############DDS STARTS############

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by madPC at 1:20:20.15 on Sun 05/22/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3318.2143 [GMT 9.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Clarus\Samsung SecretZone\MSSvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\TelstraUCM.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\SwiApiMuxX.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\BI WinXP BU Data (4Dec09)\Documents\Virus 2011-05-18\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.telstra.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Settings,ProxyServer = www-proxy.unisa.edu.au:8080
uInternet Settings,ProxyOverride = 127.0.0.1; localhost;;*.local; unisa.edu.au
BHO: AutorunsDisabled - No File
BHO: link filter bho - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: BigPond Mobile Broadband Auto Dial: {db92ec3f-697d-4c3b-9a3b-3abbd23d4a85} - c:\program files\telstra\bigpond wireless broadband\bpwbb2ad.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [Tray Pilot Lite] "c:\program files\invention pilot\tray pilot lite\TrayPlt.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Download All with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_all.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_link.htm
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260277567218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: PSUTY - PSUWNP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\madPC\applic~1\mozilla\firefox\profiles\8cyuvg60.default\
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\madPC\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-20 218688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 MSR Service;Virtual Disk Service Manager;c:\program files\clarus\samsung secretzone\MSSvc.exe [2010-8-13 114688]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2010-9-2 230768]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2004-1-18 4864]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-2-19 10688]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-12-8 47448]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-12-8 44064]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2011-4-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-4-21 201088]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2011-4-21 156544]
RUnknown mdf15;mdf15; [x]
RUnknown mvd20;mvd20; [x]
S2 LvIBTSvr;Logitech IBT Service;c:\program files\common files\logishrd\lvibtsvr\LvIBTSvr.exe [2007-4-3 76576]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-3-14 7680]
S3 MODRC;Ultima Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2010-8-13 13440]
S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-1-23 6609920]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-2-8 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-2-8 11104]
S3 Uplink;Uplink;c:\windows\system32\drivers\Uplink.sys [2010-8-4 31232]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2010-1-2 30368]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2011-3-14 114688]
S4 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2009-12-8 7168]
.
=============== Created Last 30 ================
.
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-21 05:10:02 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-05-21 03:15:12 -------- d-----w- C:\TDSSKiller reports
2011-05-19 18:18:55 -------- d-----w- c:\program files\BootLog XP
2011-05-19 15:44:57 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2011-05-19 15:43:56 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2011-05-19 15:42:59 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-19 15:41:58 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-05-19 15:40:59 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2011-05-19 15:39:58 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2011-05-19 15:38:58 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2011-05-19 15:38:57 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-05-19 15:38:28 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2011-05-19 15:38:24 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-05-19 15:38:24 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-05-19 15:38:21 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-05-19 15:38:21 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-05-19 15:38:14 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2011-05-19 15:38:12 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-05-19 15:38:09 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-05-19 15:38:06 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2011-05-19 15:38:05 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-05-19 15:38:02 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2011-05-19 15:36:54 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2011-05-19 15:35:57 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-05-19 15:34:58 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2011-05-19 15:33:57 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-05-19 15:32:59 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-05-19 15:31:59 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-05-19 15:30:59 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
2011-05-19 15:29:58 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2011-05-19 15:28:58 320384 -c--a-w- c:\windows\system32\dllcache\g200m.sys
2011-05-19 15:27:58 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2011-05-19 15:26:59 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2011-05-19 15:25:59 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2011-05-19 15:24:59 377984 -c--a-w- c:\windows\system32\dllcache\ati2dvaa.dll
2011-05-19 15:20:50 8192 -c--a-w- c:\windows\system32\dllcache\staxmem.dll
2011-05-19 15:14:36 20538 -c--a-w- c:\windows\system32\dllcache\fpremadm.exe
2011-05-19 15:13:59 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-05-19 15:13:58 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-05-19 15:13:56 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-05-19 15:13:56 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-05-19 15:13:54 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-05-19 15:13:53 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-05-19 15:13:52 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-05-19 15:13:52 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-05-19 15:13:52 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-05-19 15:13:47 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-05-19 15:04:23 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-05-19 15:03:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-05-17 02:50:29 7071056 ---ha-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4413dfc2-0d6d-41e9-ace5-9606719c4b1b}\mpengine.dll
2011-05-15 23:18:33 -------- d-----w- c:\program files\Invention Pilot
2011-05-12 22:46:11 -------- d--h--w- c:\docume~1\madPC\applic~1\Rovio
2011-05-11 13:13:31 -------- d-----w- c:\documents and settings\madPC\fastvoip
2011-05-11 13:11:05 -------- d-----w- c:\program files\FastVoip
2011-05-04 13:19:42 -------- d-----w- c:\docume~1\madPC\locals~1\applic~1\WMTools Downloaded Files
2011-05-04 11:02:49 -------- d-----w- c:\docume~1\madPC\locals~1\applic~1\SKIDROW
2011-05-04 11:02:44 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-04 11:02:44 -------- d-----w- c:\program files\OpenAL
2011-05-04 11:02:43 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-04-28 15:46:26 -------- d--h--w- c:\docume~1\madPC\applic~1\Nymgo4.0
2011-04-28 15:45:13 -------- d-----w- c:\program files\Nymgo4.0
.
==================== Find3M ====================
.
.
============= FINISH: 1:21:31.59 ===============


############DDS ENDS############

8. Attach.txt is zipped and attached

Few things:

i. ERUNT: As per forum instructions, I've backed up my registry

ii. Windows Updates: I've always tried to live by a very common rule in IT: "If it ain't broken, don't fix it". That is to say I've disabled Windows Updates and I don't think I've downloaded even one, but I do have SP3 (and all that came with it). But other than that, I highly doubt so, not even IE7. After reading the sticky on this though, I plan to download all the 'critical' ones ONLY after we've rectified the current situation, however I am happy to do so immediately should you request so.

iii. Registry Cleaners: To be honest, before I read this on your forum yesterday, I used to use these apps quite regularly. A component of my copy of AVG PC utilities is such an app, so is CCleaner. My plan of action with these apps is the same as (ii) above.

Few Qs:

1. Would you know why Spybot takes only 30 mins to scan normally vs 3 hours when it does so on start-up?

2. For the last 5-6 months or so, Safe Boot takes literally 15 mins to start: I see all the drivers it's loading, the last being mup.sys and after that it looks frozen but there's a lot of HDD activity. Also when I choose to leave safe mode (shutdown/restart), again it takes 15 mins to exit Windows. Any ideas?

Tried sfc /scannow yesterday but didn't help.

Enabled boot logging and viewed the ntbtlog.txt, and after showing 'Loaded driver' lines with a few 'Did not load' in between, I then see a bunch of 20 or so 'Did not load' lines repeat themselves 38 times! :mad:

Any suggestions? I ask cuz anything you'd ask me to do in Safe mode would mean I'd have to go through this. Please don't misunderstand, it's not that I don't/wouldn't appreciate your assistance. :nono: In the often unpredictable world of IT, any sharing of past experience with a similar situation, or guidance are acts I always genuinely value. :ninja: It's just that if you happen to know anything, or think of something that just happens to fix this, it'd make for a more efficient resolution for both yourself and I. :bigthumb:


8. Attach.txt is zipped and attached



Now it is. Sorry about that! :clown:

Blade81
2011-05-27, 08:01
Hi,

Hopefully you haven't run any temp cleaners since that would render your start menu issue unrecoverable.

Download this (http://download.bleepingcomputer.com/grinler/unhide.exe) tool and run it.

Post back fresh dds logs.

madPC
2011-05-27, 08:52
Hello blade81, nice to see you're still around :cool:

Thanks for taking the time to read that post - I realise it is a bit long, I was just trying to be as informative as possible.


Hopefully you haven't run any temp cleaners since that would render your start menu issue unrecoverable.


I don't believe I have run any.

Unhide.exe worked pretty well - it restored my Desktop and Quick Launch toolbar icons. Folders in 'All Programs' in the Start Menu, however, are still blank. Even Accessories looks fairly empty, e.g. under Entertainment, there's only Windows Media Player; under System Tools, nothing at all.


############DDS STARTS############

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by madPC at 15:04:10.67 on Fri 05/27/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3318.2796 [GMT 9.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
D:\BI WinXP BU Data (4Dec09)\Documents\Virus 2011-05-18\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.telstra.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Settings,ProxyServer = www-proxy.unisa.edu.au:8080
uInternet Settings,ProxyOverride = 127.0.0.1; localhost;;*.local; unisa.edu.au
BHO: AutorunsDisabled - No File
BHO: link filter bho - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: BigPond Mobile Broadband Auto Dial: {db92ec3f-697d-4c3b-9a3b-3abbd23d4a85} - c:\program files\telstra\bigpond wireless broadband\bpwbb2ad.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [Tray Pilot Lite] "c:\program files\invention pilot\tray pilot lite\TrayPlt.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\madPC\startm~1\programs\startup\tosbtmng.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: &Download All with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_all.htm
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Download with FlashGet - h:\et 120gb 3.77gb\c\program files\flashget\jc_link.htm
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\update
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306435773343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: PSUTY - PSUWNP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\madPC\applic~1\mozilla\firefox\profiles\8cyuvg60.default\
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\madPC\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-20 218688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2010-9-2 230768]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2004-1-18 4864]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-2-19 10688]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-12-8 47448]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-12-8 44064]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2011-4-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2011-4-21 201088]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2011-4-21 156544]
S2 LvIBTSvr;Logitech IBT Service;c:\program files\common files\logishrd\lvibtsvr\LvIBTSvr.exe [2007-4-3 76576]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-3-14 7680]
S3 MODRC;Ultima Infrared Receiver;c:\windows\system32\drivers\modrc.sys [2010-8-13 13440]
S3 MSR Service;Virtual Disk Service Manager;c:\program files\clarus\samsung secretzone\MSSvc.exe [2010-8-13 114688]
S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-1-23 6609920]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-2-8 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-2-8 11104]
S3 Uplink;Uplink;c:\windows\system32\drivers\Uplink.sys [2010-8-4 31232]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2010-1-2 30368]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2011-3-14 114688]
S4 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2009-12-8 7168]
.
=============== Created Last 30 ================
.
2011-05-27 05:32:46 6962000 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8f5c7c75-13f2-44fd-925c-c4fd88dfdbed}\mpengine.dll
2011-05-26 18:38:49 -------- d-----w- c:\docume~1\madPC\applic~1\DAEMON Tools Lite
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-21 05:17:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-21 05:10:02 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-05-21 03:15:12 -------- d-----w- C:\TDSSKiller reports
2011-05-19 18:18:55 -------- d-----w- c:\program files\BootLog XP
2011-05-19 15:44:57 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2011-05-19 15:43:56 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2011-05-19 15:42:59 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-19 15:41:58 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-05-19 15:40:59 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2011-05-19 15:39:58 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2011-05-19 15:38:58 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2011-05-19 15:38:57 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-05-19 15:38:28 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2011-05-19 15:38:24 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys


Attach.txt is zipped and attached.

Cheers

Blade81
2011-05-27, 19:51
Hi,

Since Unhide couldn't restore all items, there's no other option than to start from scratch and reinstall. With the whole Start Menu crippled, using the system would be a pain.

madPC
2011-05-31, 20:55
Hi blade81,

Yes, using the system has been a bit cumbersome, although my Desktop shortcuts that were restored using Unhide.exe are still functional, so it's not been too bad.

As I currently have numerous ongoing professional commitments, do you think it would be OK if I just did a 'repair' of Windows instead of backing up everything, formatting and reinstalling?

Also, would the repair option guarantee the eradication of any possible remnants of the rogue XP Security 2011 application/suite?

Cheers

Blade81
2011-05-31, 21:17
Hi,

If this were my system, I'd back up important stuff and reformat then. I know it's more work, but that way I can be sure the system is clean for sure.

Also, a repair install likely won't wipe possible infection remnants.

madPC
2011-06-02, 17:45
Hi blade81,

Thanks for the suggestion - I think I might just be able to back up and format this weekend :)

To minimise the chance of a (similar) recurrence, I kindly seek your advice on the following:

1. Currently, I have very few (if any) Windows updates installed. As I mentioned previously, I held this practice with a 'don't-fix-it-if-it's-not-broken' mentality. From now on, do you recommend that I install all Windows updates? Or just (certain) critical ones? Would you suggest I do this immediately after installing the OS and drivers, or does it not matter?

2. From your vast experience in Consumer Security, what's been a highly effective (if not the best) combo of anti-virus/spyware/malware apps? I currently have Spybot, Malwarebytes and MS Security Essentials.

3. In regards to the 'Few Qs' I wrote in my first post, I think a format should fix the 2nd one. But with the 1st Q - running Spybot at start-up - any ideas?

If you would be so kind as to spend a few moments to guide me on the above, I'm confident we can minimize the chance of a recurrence which in turn would mean less removal requests for you and your team :)

Blade81
2011-06-02, 19:27
Hi,

1. One of the biggest infection magnets is a system that isn't fully up-to-date. That said, I recommend installing all important updates offered via Windows Update. To help keep 3rd party software up-to-date, I recommend installing Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/).
2. If the system is kept up-to-date, then with careful usage that combination of protection software is a good choice. The biggest thing that matters is how the system is used. I recommend reading this (http://forums.spybot.info/showthread.php?t=279) topic to get some understanding about possible reasons for a system getting infected.

Hope that helps :)