06-16-2009, 01:55 PM   #3
jasont
Registered User
 
Join Date: Jun 2009
Posts: 6
OS: xp home edition ver2002 service pack 3


Re: can't get rid of trojan horse downloader

Steve,

Thanks for the help. I seem to have followed the instructions, and the ComboFix log is included as text below. Not sure if you wanted the text here or a file attached?

Look forward to hearing from you.
Jase

ComboFix 09-06-15.07 - Jason 16/06/2009 19:17.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.128 [GMT 1:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\afiburiw.ini
c:\windows\system32\erowiped.ini
c:\windows\system32\uhupulud.ini
c:\windows\system32\uyijegiy.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At76.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At80.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At84.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At88.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At92.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At95.job
c:\windows\Tasks\At96.job

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 18:06 . 2009-06-16 18:06 260608 ----a-w- C:\QZ6oIcO.exe
2009-06-16 18:06 . 2009-06-16 18:06 6998 ----a-w- C:\X8OyYhZB.bat
2009-06-16 18:06 . 2009-06-16 18:06 265 ----a-w- C:\N1NP5Q.bat
2009-06-16 17:56 . 2009-06-16 17:56 260608 ----a-w- C:\pvNWoKyx.exe
2009-06-16 17:56 . 2009-06-16 17:56 6998 ----a-w- C:\z8q.bat
2009-06-16 17:56 . 2009-06-16 17:56 269 ----a-w- C:\xLvEnh.bat
2009-06-13 19:51 . 2009-06-13 19:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 19:51 . 2009-06-13 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-13 17:45 . 2009-06-13 17:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-13 17:44 . 2009-06-13 17:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-10 04:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 04:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:00 . 2009-06-09 20:00 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 19:58 . 2009-06-09 19:58 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-09 19:49 . 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-09 19:49 . 2009-06-09 19:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 19:49 . 2009-06-09 19:49 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 19:49 . 2009-06-09 19:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 19:48 . 2009-06-09 19:48 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-09 19:11 . 2009-06-09 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-07 08:02 . 2009-06-07 08:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-06-07 08:00 . 2009-06-07 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-06-06 09:53 . 2009-06-06 09:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-06 09:50 . 2009-06-06 09:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-06 09:49 . 2009-06-06 09:49 -------- d-sh--w- c:\documents and settings\Jason\IETldCache
2009-06-06 09:03 . 2009-06-06 09:03 -------- d-----w- c:\windows\ie8updates
2009-06-06 08:56 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 08:27 . 2009-06-06 08:27 -------- d--h--w- c:\windows\ie8
2009-05-30 05:55 . 2009-06-16 19:23 117760 ----a-w- c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-30 05:53 . 2009-05-30 05:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 06:33 . 2009-05-28 06:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\documents and settings\Jason\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-25 21:50 . 2009-05-25 21:48 38208 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-22 19:42 . 2009-05-22 19:42 390664 ----a-w- c:\documents and settings\Jason\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 18:29 . 2006-05-10 09:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-09 19:20 . 2009-06-09 19:19 25022 ----a-w- c:\windows\RGI19.tmp
2009-05-26 12:20 . 2009-01-18 19:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2009-01-18 19:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 10:33 . 2008-12-14 12:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 08:07 . 2009-05-15 08:07 -------- d-----w- c:\documents and settings\Jason\Application Data\Broad Intelligence
2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 06:30 . 2009-05-10 06:30 -------- d-----w- c:\documents and settings\Jason\Application Data\Red Kawa
2009-05-09 17:16 . 2009-05-09 17:16 -------- d-----w- c:\program files\MediaCoder
2009-05-09 17:15 . 2009-05-09 17:15 -------- d-----w- c:\program files\Red Kawa
2009-05-09 17:14 . 2009-05-09 17:14 -------- d-----w- c:\program files\H.264 Encoder
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\documents and settings\Jason\Application Data\Any Video Converter Professional
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-09 11:40 . 2009-05-09 11:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-08 19:49 . 2009-05-08 19:49 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 15:53 . 2009-05-06 15:53 -------- d-----w- c:\documents and settings\Jason\Application Data\LG Electronics
2009-05-06 15:50 . 2009-05-06 15:50 -------- d-----w- c:\documents and settings\Jason\Application Data\InstallShield
2009-05-06 15:44 . 2009-05-06 15:44 -------- d-----w- c:\program files\LG Electronics
2009-04-28 07:15 . 2009-05-09 16:18 81920 ----a-w- c:\windows\LGMobileDL.dll
2009-04-18 13:59 . 2009-04-18 13:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 1979-12-31 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-24 08:15 . 2006-10-24 08:15 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-03 11:07 . 2009-01-03 11:00 109 --sha-w- c:\windows\system32\839718926.dat
2006-05-03 09:06 . 2007-10-07 17:45 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-10-07 17:45 31232 --sh--r- c:\windows\system32\msfDX.dll
.

------- Sigcheck -------

[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2005-05-25 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 04:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 15:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2005-05-25 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2006-01-12 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2007-04-28 13:42 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2007-10-30 16:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 253952]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=c_120905.nls
"wave2"=c_120905.nls
"mixer2"=c_120905.nls
"midi2"=c_120905.nls
"wave1"=c_120905.nls
"mixer1"=c_120905.nls
"midi1"=c_120905.nls
"aux1"=c_120905.nls

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/06/2009 20:49 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/06/2009 20:49 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 13:34 6784]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 13:34 16000]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 20:05]

2009-06-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 20:07]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-µTorrent - c:\program files\uTorrent\utorrent.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
Notify-awtrSkKd - awtrSkKd.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pricerunner.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM
IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: **{B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365MPP\MPPoker.exe
Trusted Zone: myfreepaysite.com\www
TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 20:22
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WINDOWS DEFENDER\MSMPENG.EXE
c:\acer\EMANAGER\ANBMSERV.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\program files\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICE.EXE
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-06-16 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 19:29

Pre-Run: 6,723,977,216 bytes free
Post-Run: 8,229,224,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
395 --- E O F --- 2009-06-15 15:39