can't get rid of trojan horse downloader

jasont · 06-15-2009, 12:16 PM

Trying to fix family laptop which appears to have a trojan. AVG repeatedly reports findng trojan horse downloader.generic8.anhq. Multiple threats then found by avg which appear to be random letter sequences for an .exe file which is located on C:\ (example is ttmxc or CaFg). There are also txt files and ms-dos applications created in same location. Firewall is also repeatedly disabled but can't seem to find way to keep it activated.

Running AVG, MBAM, SuperAntiSpyware and SpyBot finds issues but fixing via these doesn't stop the problem from reappearing when I next access internet connection and process starts over again. Have tried running in safe mode to fix with above programmes but issue always returns.

Now lost and would appreciate some help. Have removed torrent software and any cracked software I could find but let me know if anything else needs to be done in this area.

DDS as below:

DDS (Ver_09-05-14.01) - FAT32x86
Run by Jason at 18:28:05.86 on 15/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.156 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
SVCHOST.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Documents and Settings\Jason\Desktop\trojan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.pricerunner.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b56a7d7d-6927-48c8-a975-17df180c71ac} - PCTools Browser Monitor
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - c:\program files\kwyshell\midpx\jadinvoker\MidpInvoker.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - c:\program files\kwyshell\midpx\jadinvoker\MidpInvoker.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [µTorrent] "c:\program files\utorrent\utorrent.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LaunchApp] Alaunch
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dExplorerRun: [Msn] c:\Twpp21Xv.exe
dExplorerRun: [MsnHost] c:\Twpp21Xv.exe
dExplorerRun: [MsnLoad] c:\Twpp21Xv.exe
dExplorerRun: [MsnConvert] c:\Twpp21Xv.exe
dExplorerRun: [MsnMessendger] c:\Twpp21Xv.exe
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\autobahn.lnk - c:\documents and settings\jason\local settings\application data\autobahn\autobahn.exe
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM
IE: Link to &MidpX - c:\program files\kwyshell\midpx\jadinvoker\extent\jad_wrap.htm
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365mpp\MPPoker.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: myfreepaysite.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155714722522
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://hgtv.view22.com/view22/app/view22rte.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: awtrSkKd - awtrSkKd.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\pakiguwu.dll,c:\windows\system32\waluyelo.dll,c:\windows\system32\nazoduse.dll,c:\windows\system32\diduwada.dll,c:\windows\system32\jeruvote.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\pakiguwu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\nl46hcjp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2004-8-30 6784]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-9 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2004-10-27 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2004-10-27 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2004-6-1 10594]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2004-6-1 4054]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2004-8-30 16000]
S2 gupdate1c9ad8dd2e90380;Google Update Service (gupdate1c9ad8dd2e90380);c:\program files\google\update\GoogleUpdate.exe [2009-3-25 133104]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\mediacoder\SysInfo.sys [2007-9-25 15152]

=============== Created Last 30 ================

2009-06-15 18:04 6,998 a------- C:\aepibKe.bat
2009-06-15 18:04 272 a------- C:\gKPAcP.bat
2009-06-15 18:01 6,998 a------- C:\rXELsfX.bat
2009-06-15 18:01 244 a------- C:\qR1Tjr.bat
2009-06-15 17:09 6,998 a------- C:\CAfG.bat
2009-06-15 17:09 245 a------- C:\soP935T.bat
2009-06-15 16:57 6,998 a------- C:\FJ5.bat
2009-06-15 16:57 233 a------- C:\ziPgo9bF.bat
2009-06-15 16:41 6,998 a------- C:\ttmxc.bat
2009-06-15 16:41 231 a------- C:\qtRiWBX0.bat
2009-06-10 05:40 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 05:40 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 20:58 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-09 20:49 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-09 20:49 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 20:49 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 20:48 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-09 20:19 25,022 a------- c:\windows\RGI19.tmp
2009-06-09 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-06 10:49 <DIR> --dsh--- c:\documents and settings\jason\IETldCache
2009-06-06 10:03 <DIR> --d----- c:\windows\ie8updates
2009-06-06 09:56 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 09:27 <DIR> --d-h--- c:\windows\ie8
2009-05-30 06:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-25 22:50 <DIR> --d----- c:\docume~1\jason\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 08:15 81,920 a------- c:\windows\LGMobileDL.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2006-12-02 14:34 92,064 a------- c:\documents and settings\jason\mqdmmdm.sys
2006-12-02 14:34 79,328 a------- c:\documents and settings\jason\mqdmserd.sys
2006-12-02 14:34 66,656 a------- c:\documents and settings\jason\mqdmbus.sys
2006-12-02 14:34 25,600 a------- c:\documents and settings\jason\usbsermptxp.sys
2006-12-02 14:34 22,768 a------- c:\documents and settings\jason\usbsermpt.sys
2006-12-02 14:34 9,232 a------- c:\documents and settings\jason\mqdmmdfl.sys
2006-12-02 14:34 6,208 a------- c:\documents and settings\jason\mqdmcmnt.sys
2006-12-02 14:34 5,936 a------- c:\documents and settings\jason\mqdmwhnt.sys
2006-12-02 14:34 4,048 a------- c:\documents and settings\jason\mqdmcr.sys
2006-10-24 09:15 278,528 a------- c:\program files\common files\FDEUnInstaller.exe
2009-01-03 12:07 109 a--sh--- c:\windows\system32\839718926.dat
2006-05-03 10:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-09-30 20:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 18:29:13.92 ===============

sjb007 · 06-15-2009, 05:20 PM

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users please make sure you all run commands with administrator rights (right click icon - run as administrator)

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

jasont · 06-16-2009, 01:55 PM

Steve,

Thanks for the help. Seem to have followed the instructions and combofix log included as text below. Not sure if you wanted text here or file attached?

Look forward to hearing from you.
Jase

ComboFix 09-06-15.07 - Jason 16/06/2009 19:17.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.128 [GMT 1:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\afiburiw.ini
c:\windows\system32\erowiped.ini
c:\windows\system32\uhupulud.ini
c:\windows\system32\uyijegiy.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At76.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At80.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At84.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At88.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At92.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At95.job
c:\windows\Tasks\At96.job

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 18:06 . 2009-06-16 18:06 260608 ----a-w- C:\QZ6oIcO.exe
2009-06-16 18:06 . 2009-06-16 18:06 6998 ----a-w- C:\X8OyYhZB.bat
2009-06-16 18:06 . 2009-06-16 18:06 265 ----a-w- C:\N1NP5Q.bat
2009-06-16 17:56 . 2009-06-16 17:56 260608 ----a-w- C:\pvNWoKyx.exe
2009-06-16 17:56 . 2009-06-16 17:56 6998 ----a-w- C:\z8q.bat
2009-06-16 17:56 . 2009-06-16 17:56 269 ----a-w- C:\xLvEnh.bat
2009-06-13 19:51 . 2009-06-13 19:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 19:51 . 2009-06-13 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-13 17:45 . 2009-06-13 17:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-13 17:44 . 2009-06-13 17:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-10 04:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 04:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:00 . 2009-06-09 20:00 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 19:58 . 2009-06-09 19:58 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-09 19:49 . 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-09 19:49 . 2009-06-09 19:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 19:49 . 2009-06-09 19:49 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 19:49 . 2009-06-09 19:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 19:48 . 2009-06-09 19:48 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-09 19:11 . 2009-06-09 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-07 08:02 . 2009-06-07 08:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-06-07 08:00 . 2009-06-07 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-06-06 09:53 . 2009-06-06 09:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-06 09:50 . 2009-06-06 09:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-06 09:49 . 2009-06-06 09:49 -------- d-sh--w- c:\documents and settings\Jason\IETldCache
2009-06-06 09:03 . 2009-06-06 09:03 -------- d-----w- c:\windows\ie8updates
2009-06-06 08:56 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 08:27 . 2009-06-06 08:27 -------- d--h--w- c:\windows\ie8
2009-05-30 05:55 . 2009-06-16 19:23 117760 ----a-w- c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-30 05:53 . 2009-05-30 05:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 06:33 . 2009-05-28 06:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\documents and settings\Jason\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-25 21:50 . 2009-05-25 21:48 38208 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-22 19:42 . 2009-05-22 19:42 390664 ----a-w- c:\documents and settings\Jason\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 18:29 . 2006-05-10 09:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-09 19:20 . 2009-06-09 19:19 25022 ----a-w- c:\windows\RGI19.tmp
2009-05-26 12:20 . 2009-01-18 19:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2009-01-18 19:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 10:33 . 2008-12-14 12:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 08:07 . 2009-05-15 08:07 -------- d-----w- c:\documents and settings\Jason\Application Data\Broad Intelligence
2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 06:30 . 2009-05-10 06:30 -------- d-----w- c:\documents and settings\Jason\Application Data\Red Kawa
2009-05-09 17:16 . 2009-05-09 17:16 -------- d-----w- c:\program files\MediaCoder
2009-05-09 17:15 . 2009-05-09 17:15 -------- d-----w- c:\program files\Red Kawa
2009-05-09 17:14 . 2009-05-09 17:14 -------- d-----w- c:\program files\H.264 Encoder
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\documents and settings\Jason\Application Data\Any Video Converter Professional
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-09 11:40 . 2009-05-09 11:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-08 19:49 . 2009-05-08 19:49 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 15:53 . 2009-05-06 15:53 -------- d-----w- c:\documents and settings\Jason\Application Data\LG Electronics
2009-05-06 15:50 . 2009-05-06 15:50 -------- d-----w- c:\documents and settings\Jason\Application Data\InstallShield
2009-05-06 15:44 . 2009-05-06 15:44 -------- d-----w- c:\program files\LG Electronics
2009-04-28 07:15 . 2009-05-09 16:18 81920 ----a-w- c:\windows\LGMobileDL.dll
2009-04-18 13:59 . 2009-04-18 13:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 1979-12-31 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-24 08:15 . 2006-10-24 08:15 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-03 11:07 . 2009-01-03 11:00 109 --sha-w- c:\windows\system32\839718926.dat
2006-05-03 09:06 . 2007-10-07 17:45 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-10-07 17:45 31232 --sh--r- c:\windows\system32\msfDX.dll
.

------- Sigcheck -------

[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2005-05-25 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 04:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 15:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2005-05-25 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2006-01-12 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2007-04-28 13:42 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2007-10-30 16:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 253952]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=c_120905.nls
"wave2"=c_120905.nls
"mixer2"=c_120905.nls
"midi2"=c_120905.nls
"wave1"=c_120905.nls
"mixer1"=c_120905.nls
"midi1"=c_120905.nls
"aux1"=c_120905.nls

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/06/2009 20:49 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/06/2009 20:49 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 13:34 6784]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 13:34 16000]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 20:05]

2009-06-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 20:07]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-µTorrent - c:\program files\uTorrent\utorrent.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
Notify-awtrSkKd - awtrSkKd.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pricerunner.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM
IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: **{B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365MPP\MPPoker.exe
Trusted Zone: myfreepaysite.com\www
TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 20:22
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WINDOWS DEFENDER\MSMPENG.EXE
c:\acer\EMANAGER\ANBMSERV.EXE
c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\program files\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICE.EXE
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-06-16 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 19:29

Pre-Run: 6,723,977,216 bytes free
Post-Run: 8,229,224,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
395 --- E O F --- 2009-06-15 15:39

sjb007 · 06-17-2009, 01:04 AM

Hi there Jase

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Quote:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\QZ6oIcO.exe"
"C:\X8OyYhZB.bat"
"C:\N1NP5Q.bat"
"C:\pvNWoKyx.exe"
"C:\z8q.bat"
"C:\xLvEnh.bat"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Online Scan
Perform an online scan with Panda ActiveScan

Click on Scan Your PC Now
A "pop up" window will appear, or a new tab will open.
Click on Register
Choose the option you like most, but we recommend the Free Registration.
Click on Register
Enter your e-mail address, and create a password.
Select "I do not want to receive any type of information". (unless you want to receive such information)
Click on Send
Confirm registration, and continue by entering your user name and password, then click on Enter
Select Full Scan, then Click on Scan Now
Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
Please ignore the offer to buy the program. Click on Export To
Export the log and save it to your desktop.
Please post the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

Post back with the resutls in your next reply, also update me on how things are running

jasont · 06-17-2009, 11:58 AM

Have run fix.bat and received message of successfully deleted and then it deletes itself. Assume this is intended. Will carry on with rest of tasks now.

Jase

jasont · 06-17-2009, 02:50 PM

ATF Cleaner run successfully.

Panda ActiveScan completed and log below.

With regard to question on how things are running I have avoided using Laptop whilst you are helping me. Would you rather I use as normal? When I have been using to complete tasks requested by you I didn't receive any errors or AVG warnings last night but encountered one earlier this evening. However, not as frequent as before when it was happening every 5 minutes.

Continuing thanks,
Jase

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-06-17 21:34:23
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7535D2.EXE
00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6463E4.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000534.SYS
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0001633.EXE
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000375.EXE
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0001632.EXE
04199562 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000446.EXE
05140035 Adware/WebSearch Adware No 0 Yes No C:\Program Files\Orange\SETUP\Orange_icons.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location �K
;===================================================================================================================================================================================
No C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\HXW88A5A\╨***vk#
No C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\HXW88A5A\╨***vk#
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description �K
;===================================================================================================================================================================================
;===================================================================================================================================================================================

sjb007 · 06-18-2009, 12:55 AM

Hi Jase....

Quote:

Would you rather I use as normal?

Yes, run it as normal.

I notice that you have a few items in quatantine by Symantec.

1. Close any open browsers.

2.Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:

Skipfix::

File::
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7535D2.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6463E4.EXE

Registry::
-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Keep me updated on your how your system is running

jasont · 06-18-2009, 01:53 PM

Done as requested and combo fix log as below. Seems to be running OK and nothing highlighted by AVG.

;+}

ComboFix 09-06-18.02 - Jason 18/06/2009 20:39.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.241 [GMT 1:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6463E4.EXE"
"c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7535D2.EXE"
.

((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-17 18:37 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-17 18:36 . 2009-06-17 18:36 -------- d-----w- c:\program files\Panda Security
2009-06-17 17:29 . 2009-06-17 17:29 -------- d-sh--w- C:\FOUND.000
2009-06-13 19:51 . 2009-06-13 19:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-13 19:51 . 2009-06-13 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-13 17:45 . 2009-06-13 17:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-13 17:44 . 2009-06-13 17:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-10 04:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 04:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 20:00 . 2009-06-09 20:00 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 19:58 . 2009-06-09 19:58 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-09 19:49 . 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-09 19:49 . 2009-06-09 19:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 19:49 . 2009-06-09 19:49 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 19:49 . 2009-06-09 19:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 19:48 . 2009-06-09 19:48 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-09 19:11 . 2009-06-09 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-07 08:02 . 2009-06-07 08:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-06-07 08:00 . 2009-06-07 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-06-06 09:53 . 2009-06-06 09:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-06 09:50 . 2009-06-06 09:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-06 09:49 . 2009-06-06 09:49 -------- d-sh--w- c:\documents and settings\Jason\IETldCache
2009-06-06 09:03 . 2009-06-06 09:03 -------- d-----w- c:\windows\ie8updates
2009-06-06 08:56 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-06 08:27 . 2009-06-06 08:27 -------- d--h--w- c:\windows\ie8
2009-05-30 05:55 . 2009-06-18 06:14 117760 ----a-w- c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-30 05:53 . 2009-05-30 05:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 06:33 . 2009-05-28 06:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\documents and settings\Jason\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-25 21:50 . 2009-05-25 21:48 38208 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-22 19:42 . 2009-05-22 19:42 390664 ----a-w- c:\documents and settings\Jason\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 06:06 . 2006-05-10 09:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-09 19:20 . 2009-06-09 19:19 25022 ----a-w- c:\windows\RGI19.tmp
2009-05-26 12:20 . 2009-01-18 19:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2009-01-18 19:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-21 10:33 . 2008-12-14 12:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-15 08:07 . 2009-05-15 08:07 -------- d-----w- c:\documents and settings\Jason\Application Data\Broad Intelligence
2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 06:30 . 2009-05-10 06:30 -------- d-----w- c:\documents and settings\Jason\Application Data\Red Kawa
2009-05-09 17:16 . 2009-05-09 17:16 -------- d-----w- c:\program files\MediaCoder
2009-05-09 17:15 . 2009-05-09 17:15 -------- d-----w- c:\program files\Red Kawa
2009-05-09 17:14 . 2009-05-09 17:14 -------- d-----w- c:\program files\H.264 Encoder
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\documents and settings\Jason\Application Data\Any Video Converter Professional
2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-09 11:40 . 2009-05-09 11:40 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-08 19:49 . 2009-05-08 19:49 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 15:53 . 2009-05-06 15:53 -------- d-----w- c:\documents and settings\Jason\Application Data\LG Electronics
2009-05-06 15:50 . 2009-05-06 15:50 -------- d-----w- c:\documents and settings\Jason\Application Data\InstallShield
2009-05-06 15:44 . 2009-05-06 15:44 -------- d-----w- c:\program files\LG Electronics
2009-04-28 07:15 . 2009-05-09 16:18 81920 ----a-w- c:\windows\LGMobileDL.dll
2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 1979-12-31 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-10-24 08:15 . 2006-10-24 08:15 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-03 11:07 . 2009-01-03 11:00 109 --sha-w- c:\windows\system32\839718926.dat
2006-05-03 09:06 . 2007-10-07 17:45 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-10-07 17:45 31232 --sh--r- c:\windows\system32\msfDX.dll
.

------- Sigcheck -------

[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2005-05-25 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 04:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 15:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2005-05-25 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2006-01-12 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2007-04-28 13:42 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2007-10-30 16:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-16_19.24.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 06:08 . 2009-06-18 06:08 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 253952]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=c_120905.nls
"wave2"=c_120905.nls
"mixer2"=c_120905.nls
"midi2"=c_120905.nls
"wave1"=c_120905.nls
"mixer1"=c_120905.nls
"midi1"=c_120905.nls
"aux1"=c_120905.nls

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [17/06/2009 19:37 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/06/2009 20:49 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/06/2009 20:49 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 13:34 6784]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/06/2009 20:48 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/06/2009 20:48 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 13:34 16000]
S2 gupdate1c9ad8dd2e90380;Google Update Service (gupdate1c9ad8dd2e90380);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2009 21:08 133104]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 20:05]

2009-06-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 20:07]
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-IPC Configuration Utility - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pricerunner.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;localhost;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM
IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: **{B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365MPP\MPPoker.exe
Trusted Zone: myfreepaysite.com\www
TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 20:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-06-18 20:43
ComboFix-quarantined-files.txt 2009-06-18 19:43
ComboFix2.txt 2009-06-16 19:29

Pre-Run: 8,105,263,104 bytes free
Post-Run: 8,073,887,744 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
258 --- E O F --- 2009-06-18 15:14

sjb007 · 06-18-2009, 04:29 PM

Hi there

All is looking good from here. Just a spot of updating to do

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link
Click Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

You have Java versions that are out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java.

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Leave this one in -> Java(TM) 6 Update 14

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. check what it wants to allow, do not simply allow everything, If there is any processes that you are unsure of then dont be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of active x objects, active x objects can be used by spyware as an infection point on your computer. Safer non active x browsers include Opera browser and, more recently, Firefox browser.

NB: Please note that although your browser may be more secure without active x it will not throw a ring of steel around your computer. If you purposly visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licience and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware- Please note that these products can also be run as free without a licience as a scan on demand scanner.

Secure your router
Change your routers default username and password, do not leave it at factory preset, doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preveting malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.

jasont · 06-19-2009, 09:26 AM

I have completed all actions per your last post.

Thx for all your help,
Jase

sjb007 · 06-19-2009, 04:38 PM

Not a problem, only too glad to lend a hand

As this issue is now resolved I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forums

Good luck and happy safe surfing Jase!

06-15-2009, 05:20 PM	#2 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,235 OS: Windows 7 Premium x64 My System	Re: can't get rid of trojan horse downloader Howdy there and welcome to TSF Forums I'm Steve and I will be helping you throughout this fix. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence. Vista users please make sure you all run commands with administrator rights (right click icon - run as administrator) Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed. We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. __________________ If we have helped you then please consider donating Proud Member of ASAP & UNITE Since 2007

06-16-2009, 01:55 PM	#3 (permalink)
jasont Registered User Join Date: Jun 2009 Posts: 6 OS: xp home edition ver2002 service pack 3	Re: can't get rid of trojan horse downloader Steve, Thanks for the help. Seem to have followed the instructions and combofix log included as text below. Not sure if you wanted text here or file attached? Look forward to hearing from you. Jase ComboFix 09-06-15.07 - Jason 16/06/2009 19:17.1 - FAT32x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.128 [GMT 1:00] Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: Norton Internet Worm Protection disabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Jason\Local Settings\Temporary Internet Files\fbk.sts c:\windows\system32\afiburiw.ini c:\windows\system32\erowiped.ini c:\windows\system32\uhupulud.ini c:\windows\system32\uyijegiy.ini c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At3.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job c:\windows\Tasks\At4.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At49.job c:\windows\Tasks\At5.job c:\windows\Tasks\At50.job c:\windows\Tasks\At51.job c:\windows\Tasks\At52.job c:\windows\Tasks\At53.job c:\windows\Tasks\At54.job c:\windows\Tasks\At55.job c:\windows\Tasks\At56.job c:\windows\Tasks\At57.job c:\windows\Tasks\At58.job c:\windows\Tasks\At59.job c:\windows\Tasks\At6.job c:\windows\Tasks\At60.job c:\windows\Tasks\At61.job c:\windows\Tasks\At62.job c:\windows\Tasks\At63.job c:\windows\Tasks\At64.job c:\windows\Tasks\At65.job c:\windows\Tasks\At66.job c:\windows\Tasks\At67.job c:\windows\Tasks\At68.job c:\windows\Tasks\At69.job c:\windows\Tasks\At7.job c:\windows\Tasks\At70.job c:\windows\Tasks\At71.job c:\windows\Tasks\At72.job c:\windows\Tasks\At73.job c:\windows\Tasks\At74.job c:\windows\Tasks\At75.job c:\windows\Tasks\At76.job c:\windows\Tasks\At77.job c:\windows\Tasks\At78.job c:\windows\Tasks\At79.job c:\windows\Tasks\At8.job c:\windows\Tasks\At80.job c:\windows\Tasks\At81.job c:\windows\Tasks\At82.job c:\windows\Tasks\At83.job c:\windows\Tasks\At84.job c:\windows\Tasks\At85.job c:\windows\Tasks\At86.job c:\windows\Tasks\At87.job c:\windows\Tasks\At88.job c:\windows\Tasks\At89.job c:\windows\Tasks\At9.job c:\windows\Tasks\At90.job c:\windows\Tasks\At91.job c:\windows\Tasks\At92.job c:\windows\Tasks\At93.job c:\windows\Tasks\At94.job c:\windows\Tasks\At95.job c:\windows\Tasks\At96.job ----- BITS: Possible infected sites ----- hxxp://updates.swarmcast.net . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_TDSSserv.sys ((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 ))))))))))))))))))))))))))))))) . 2009-06-16 18:06 . 2009-06-16 18:06 260608 ----a-w- C:\QZ6oIcO.exe 2009-06-16 18:06 . 2009-06-16 18:06 6998 ----a-w- C:\X8OyYhZB.bat 2009-06-16 18:06 . 2009-06-16 18:06 265 ----a-w- C:\N1NP5Q.bat 2009-06-16 17:56 . 2009-06-16 17:56 260608 ----a-w- C:\pvNWoKyx.exe 2009-06-16 17:56 . 2009-06-16 17:56 6998 ----a-w- C:\z8q.bat 2009-06-16 17:56 . 2009-06-16 17:56 269 ----a-w- C:\xLvEnh.bat 2009-06-13 19:51 . 2009-06-13 19:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-06-13 19:51 . 2009-06-13 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2009-06-13 17:45 . 2009-06-13 17:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-06-13 17:44 . 2009-06-13 17:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-06-10 04:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 04:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-09 20:00 . 2009-06-09 20:00 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-09 19:58 . 2009-06-09 19:58 -------- d--h--w- C:\$AVG8.VAULT$ 2009-06-09 19:49 . 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-09 19:49 . 2009-06-09 19:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-06-09 19:49 . 2009-06-09 19:49 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-09 19:49 . 2009-06-09 19:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-09 19:48 . 2009-06-09 19:48 -------- d-----w- c:\windows\system32\drivers\Avg 2009-06-09 19:11 . 2009-06-09 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-07 08:02 . 2009-06-07 08:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2009-06-07 08:00 . 2009-06-07 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2009-06-06 09:53 . 2009-06-06 09:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-06-06 09:50 . 2009-06-06 09:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-06 09:49 . 2009-06-06 09:49 -------- d-sh--w- c:\documents and settings\Jason\IETldCache 2009-06-06 09:03 . 2009-06-06 09:03 -------- d-----w- c:\windows\ie8updates 2009-06-06 08:56 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll 2009-06-06 08:27 . 2009-06-06 08:27 -------- d--h--w- c:\windows\ie8 2009-05-30 05:55 . 2009-06-16 19:23 117760 ----a-w- c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-05-30 05:53 . 2009-05-30 05:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-05-28 06:33 . 2009-05-28 06:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla 2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\documents and settings\Jason\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1 2009-05-25 21:50 . 2009-05-25 21:48 38208 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe 2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\program files\Common Files\Adobe AIR 2009-05-22 19:42 . 2009-05-22 19:42 390664 ----a-w- c:\documents and settings\Jason\Application Data\Real\RealPlayer\Update\RealPlayer11.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-16 18:29 . 2006-05-10 09:52 12 ----a-w- c:\windows\bthservsdp.dat 2009-06-09 19:20 . 2009-06-09 19:19 25022 ----a-w- c:\windows\RGI19.tmp 2009-05-26 12:20 . 2009-01-18 19:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-26 12:19 . 2009-01-18 19:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-05-21 10:33 . 2008-12-14 12:47 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-15 08:07 . 2009-05-15 08:07 -------- d-----w- c:\documents and settings\Jason\Application Data\Broad Intelligence 2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-10 06:30 . 2009-05-10 06:30 -------- d-----w- c:\documents and settings\Jason\Application Data\Red Kawa 2009-05-09 17:16 . 2009-05-09 17:16 -------- d-----w- c:\program files\MediaCoder 2009-05-09 17:15 . 2009-05-09 17:15 -------- d-----w- c:\program files\Red Kawa 2009-05-09 17:14 . 2009-05-09 17:14 -------- d-----w- c:\program files\H.264 Encoder 2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\documents and settings\Jason\Application Data\Any Video Converter Professional 2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\program files\Any Video Converter Professional 2009-05-09 11:40 . 2009-05-09 11:40 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-05-08 19:49 . 2009-05-08 19:49 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-06 15:53 . 2009-05-06 15:53 -------- d-----w- c:\documents and settings\Jason\Application Data\LG Electronics 2009-05-06 15:50 . 2009-05-06 15:50 -------- d-----w- c:\documents and settings\Jason\Application Data\InstallShield 2009-05-06 15:44 . 2009-05-06 15:44 -------- d-----w- c:\program files\LG Electronics 2009-04-28 07:15 . 2009-05-09 16:18 81920 ----a-w- c:\windows\LGMobileDL.dll 2009-04-18 13:59 . 2009-04-18 13:59 -------- d-----w- c:\program files\Microsoft Silverlight 2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 1979-12-31 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2006-10-24 08:15 . 2006-10-24 08:15 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe 2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2009-01-03 11:07 . 2009-01-03 11:00 109 --sha-w- c:\windows\system32\839718926.dat 2006-05-03 09:06 . 2007-10-07 17:45 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 10:47 . 2007-10-07 17:45 31232 --sh--r- c:\windows\system32\msfDX.dll . ------- Sigcheck ------- [-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys [-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys [-] 2005-05-25 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys [-] 2006-01-13 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys [-] 2006-04-20 04:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [-] 2007-10-30 15:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [-] 2005-05-25 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys [7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys [-] 2006-01-12 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys [-] 2007-04-28 13:42 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2007-10-30 16:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys [7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys [-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [X] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784] "EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552] "ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416] "LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488] "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696] "NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648] "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632] "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760] "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 253952] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux2"=c_120905.nls "wave2"=c_120905.nls "mixer2"=c_120905.nls "midi2"=c_120905.nls "wave1"=c_120905.nls "mixer1"=c_120905.nls "midi1"=c_120905.nls "aux1"=c_120905.nls [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\PPLive\\PPLive.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\QuickTime\\QTTask.exe"= "c:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/06/2009 20:49 325896] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/06/2009 20:49 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944] R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 13:34 6784] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408] R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 13:34 16000] S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-16 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20] 2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-06-16 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 20:05] 2009-06-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 20:07] . - - - - ORPHANS REMOVED - - - - HKCU-Run-µTorrent - c:\program files\uTorrent\utorrent.exe SharedTaskScheduler-IPC Configuration Utility - (no file) Notify-awtrSkKd - awtrSkKd.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.pricerunner.co.uk/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = ;localhost;<local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365MPP\MPPoker.exe Trusted Zone: myfreepaysite.com\www TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - . ********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-16 20:22 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(944) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(4032) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\WINDOWS DEFENDER\MSMPENG.EXE c:\acer\EMANAGER\ANBMSERV.EXE c:\program files\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE c:\program files\AVG\AVG8\AVGWDSVC.EXE c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE c:\program files\JAVA\JRE6\BIN\JQS.EXE c:\program files\AVG\AVG8\AVGRSX.EXE c:\program files\AVG\AVG8\AVGNSX.EXE c:\program files\ALCOHOL SOFT\ALCOHOL 120\STARWIND\STARWINDSERVICE.EXE c:\progra~1\AVG\AVG8\avgemc.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\rundll32.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe . ************************************************************************ . Completion time: 2009-06-16 20:29 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-16 19:29 Pre-Run: 6,723,977,216 bytes free Post-Run: 8,229,224,448 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 395 --- E O F --- 2009-06-15 15:39

06-17-2009, 11:58 AM	#5 (permalink)
jasont Registered User Join Date: Jun 2009 Posts: 6 OS: xp home edition ver2002 service pack 3	Re: can't get rid of trojan horse downloader Have run fix.bat and received message of successfully deleted and then it deletes itself. Assume this is intended. Will carry on with rest of tasks now. Jase

06-17-2009, 02:50 PM	#6 (permalink)
jasont Registered User Join Date: Jun 2009 Posts: 6 OS: xp home edition ver2002 service pack 3	Re: can't get rid of trojan horse downloader ATF Cleaner run successfully. Panda ActiveScan completed and log below. With regard to question on how things are running I have avoided using Laptop whilst you are helping me. Would you rather I use as normal? When I have been using to complete tasks requested by you I didn't receive any errors or AVG warnings last night but encountered one earlier this evening. However, not as frequent as before when it was happening every 5 minutes. Continuing thanks, Jase ;********************************************************************************************************************************************************************************* ANALYSIS: 2009-06-17 21:34:23 PROTECTIONS: 1 MALWARE: 6 SUSPECTS: 2 ;******************************************************************************************************************************************************************************* PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== AVG Anti-Virus Free 8.5 No Yes ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0AC49246-419B-4EE0-8917-8818DAAD6A4E} 00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287} 00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7535D2.EXE 00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6463E4.EXE 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000534.SYS 03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0001633.EXE 03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000375.EXE 03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP5\A0001632.EXE 04199562 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9B7BB700-9269-4E60-AD1A-F3FF79A0262A}\RP4\A0000446.EXE 05140035 Adware/WebSearch Adware No 0 Yes No C:\Program Files\Orange\SETUP\Orange_icons.EXE ;=================================================================================================================================================================================== SUSPECTS Sent Location �K ;=================================================================================================================================================================================== No C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\HXW88A5A\╨vk# No C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\HXW88A5A\╨**vk# ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description �K ;=================================================================================================================================================================================== ;===================================================================================================================================================================================

06-18-2009, 01:53 PM	#8 (permalink)
jasont Registered User Join Date: Jun 2009 Posts: 6 OS: xp home edition ver2002 service pack 3	Re: can't get rid of trojan horse downloader Done as requested and combo fix log as below. Seems to be running OK and nothing highlighted by AVG. ;+} ComboFix 09-06-18.02 - Jason 18/06/2009 20:39.2 - FAT32x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.494.241 [GMT 1:00] Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Jason\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: Norton Internet Worm Protection disabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . - REDUCED FUNCTIONALITY MODE - FILE :: "c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A6463E4.EXE" "c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A7535D2.EXE" . ((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 ))))))))))))))))))))))))))))))) . 2009-06-17 18:37 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys 2009-06-17 18:36 . 2009-06-17 18:36 -------- d-----w- c:\program files\Panda Security 2009-06-17 17:29 . 2009-06-17 17:29 -------- d-sh--w- C:\FOUND.000 2009-06-13 19:51 . 2009-06-13 19:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-06-13 19:51 . 2009-06-13 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2009-06-13 17:45 . 2009-06-13 17:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-06-13 17:44 . 2009-06-13 17:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-06-10 04:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 04:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-09 20:00 . 2009-06-09 20:00 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-09 19:58 . 2009-06-09 19:58 -------- d--h--w- C:\$AVG8.VAULT$ 2009-06-09 19:49 . 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-09 19:49 . 2009-06-09 19:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-06-09 19:49 . 2009-06-09 19:49 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-09 19:49 . 2009-06-09 19:49 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-09 19:48 . 2009-06-09 19:48 -------- d-----w- c:\windows\system32\drivers\Avg 2009-06-09 19:11 . 2009-06-09 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-07 08:02 . 2009-06-07 08:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2009-06-07 08:00 . 2009-06-07 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2009-06-06 09:53 . 2009-06-06 09:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2009-06-06 09:50 . 2009-06-06 09:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-06 09:49 . 2009-06-06 09:49 -------- d-sh--w- c:\documents and settings\Jason\IETldCache 2009-06-06 09:03 . 2009-06-06 09:03 -------- d-----w- c:\windows\ie8updates 2009-06-06 08:56 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll 2009-06-06 08:27 . 2009-06-06 08:27 -------- d--h--w- c:\windows\ie8 2009-05-30 05:55 . 2009-06-18 06:14 117760 ----a-w- c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-05-30 05:53 . 2009-05-30 05:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-05-28 06:33 . 2009-05-28 06:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla 2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\documents and settings\Jason\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1 2009-05-25 21:50 . 2009-05-25 21:48 38208 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe 2009-05-25 21:50 . 2009-05-25 21:50 -------- d-----w- c:\program files\Common Files\Adobe AIR 2009-05-22 19:42 . 2009-05-22 19:42 390664 ----a-w- c:\documents and settings\Jason\Application Data\Real\RealPlayer\Update\RealPlayer11.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-18 06:06 . 2006-05-10 09:52 12 ----a-w- c:\windows\bthservsdp.dat 2009-06-09 19:20 . 2009-06-09 19:19 25022 ----a-w- c:\windows\RGI19.tmp 2009-05-26 12:20 . 2009-01-18 19:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-26 12:19 . 2009-01-18 19:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-05-21 10:33 . 2008-12-14 12:47 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-15 08:07 . 2009-05-15 08:07 -------- d-----w- c:\documents and settings\Jason\Application Data\Broad Intelligence 2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-10 06:30 . 2009-05-10 06:30 -------- d-----w- c:\documents and settings\Jason\Application Data\Red Kawa 2009-05-09 17:16 . 2009-05-09 17:16 -------- d-----w- c:\program files\MediaCoder 2009-05-09 17:15 . 2009-05-09 17:15 -------- d-----w- c:\program files\Red Kawa 2009-05-09 17:14 . 2009-05-09 17:14 -------- d-----w- c:\program files\H.264 Encoder 2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\documents and settings\Jason\Application Data\Any Video Converter Professional 2009-05-09 17:12 . 2009-05-09 17:12 -------- d-----w- c:\program files\Any Video Converter Professional 2009-05-09 11:40 . 2009-05-09 11:40 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-05-08 19:49 . 2009-05-08 19:49 152576 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-06 15:53 . 2009-05-06 15:53 -------- d-----w- c:\documents and settings\Jason\Application Data\LG Electronics 2009-05-06 15:50 . 2009-05-06 15:50 -------- d-----w- c:\documents and settings\Jason\Application Data\InstallShield 2009-05-06 15:44 . 2009-05-06 15:44 -------- d-----w- c:\program files\LG Electronics 2009-04-28 07:15 . 2009-05-09 16:18 81920 ----a-w- c:\windows\LGMobileDL.dll 2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 1979-12-31 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2006-10-24 08:15 . 2006-10-24 08:15 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe 2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2009-01-03 11:07 . 2009-01-03 11:00 109 --sha-w- c:\windows\system32\839718926.dat 2006-05-03 09:06 . 2007-10-07 17:45 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 10:47 . 2007-10-07 17:45 31232 --sh--r- c:\windows\system32\msfDX.dll . ------- Sigcheck ------- [-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys [-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys [-] 2005-05-25 10:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys [-] 2006-01-13 08:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys [-] 2006-04-20 04:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [-] 2007-10-30 15:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [-] 2005-05-25 10:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys [7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys [-] 2006-01-12 17:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys [-] 2007-04-28 13:42 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2007-10-30 16:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys [7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys [-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys . ((((((((((((((((((((((((((((( SnapShot@2009-06-16_19.24.12 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-18 06:08 . 2009-06-18 06:08 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [X] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 98304] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 532480] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784] "EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 151552] "ePowerManagement"="c:\acer\ePM\ePM.exe" [2004-09-01 2876416] "LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2004-07-30 319488] "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696] "NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648] "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 69632] "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 757760] "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 253952] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-26 185896] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-06-09 19:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux2"=c_120905.nls "wave2"=c_120905.nls "mixer2"=c_120905.nls "midi2"=c_120905.nls "wave1"=c_120905.nls "mixer1"=c_120905.nls "midi1"=c_120905.nls "aux1"=c_120905.nls [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\PPLive\\PPLive.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\QuickTime\\QTTask.exe"= "c:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [17/06/2009 19:37 28544] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/06/2009 20:49 325896] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/06/2009 20:49 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944] R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [30/08/2004 13:34 6784] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/06/2009 20:48 908568] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/06/2009 20:48 298776] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408] R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [30/08/2004 13:34 16000] S2 gupdate1c9ad8dd2e90380;Google Update Service (gupdate1c9ad8dd2e90380);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2009 21:08 133104] S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152] --- Other Services/Drivers In Memory --- NewlyCreated - PAVBOOT [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-18 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20] 2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-06-18 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 20:05] 2009-06-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 20:07] . - - - - ORPHANS REMOVED - - - - SharedTaskScheduler-IPC Configuration Utility - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.pricerunner.co.uk/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = ;localhost;<local> uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Test1 - c:\windows\system32\icq6s.dll/MENUSEARCH.HTM IE: Link to &MidpX - c:\program files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - c:\program files\bet365MPP\MPPoker.exe Trusted Zone: myfreepaysite.com\www TCP: {3CEFB118-FDCA-45DD-B168-30A28FD47432} = 192.168.1.1 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - . ********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-18 20:40 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(972) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll . Completion time: 2009-06-18 20:43 ComboFix-quarantined-files.txt 2009-06-18 19:43 ComboFix2.txt 2009-06-16 19:29 Pre-Run: 8,105,263,104 bytes free Post-Run: 8,073,887,744 bytes free Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 258 --- E O F --- 2009-06-18 15:14

06-18-2009, 04:29 PM	#9 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,235 OS: Windows 7 Premium x64 My System	Re: can't get rid of trojan horse downloader Hi there All is looking good from here. Just a spot of updating to do Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system. There is a newer version of Adobe Acrobat Reader available. Please go to this link Adobe Acrobat Reader Download Link Click Download On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation. Click the Continue button Click Run, and click Run again Next click the Install Now button and follow the on screen prompts When the installation is complete go to Add/Remove Programs and uninstall all previous versions. You have Java versions that are out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove the following versions of Java. J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 9 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 Java(TM) SE Runtime Environment 6 Update 1 Leave this one in -> Java(TM) 6 Update 14 IMPORTANT The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points: Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /u Now that you appear to be free from malware lets help you stay that way! Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there. Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions. Keep an eye on your firewall. check what it wants to allow, do not simply allow everything, If there is any processes that you are unsure of then dont be afraid to ask for advice. For more information on firewalls read this article here Safer Browsing Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes. Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects) Use an alternative browser Other browsers tend to be more secure than IE as they do not make use of active x objects, active x objects can be used by spyware as an infection point on your computer. Safer non active x browsers include Opera browser and, more recently, Firefox browser. NB: Please note that although your browser may be more secure without active x it will not throw a ring of steel around your computer. If you purposly visit sites that are dubious in nature then infection will prevail. Computer Maintenance Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files your computer on a regular basis. Scan your computer regularly for malware Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licience and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware- Please note that these products can also be run as *free without a licience* as a scan on demand scanner. Secure your router Change your routers default username and password, do not leave it at factory preset, doing so makes it easy for unauthorised access. Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for. I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preveting malware, and how to stay safe whilst browsing the internet. -> So How Did I Get Infected In First Place - By TonyKlein -> How to prevent Malware - By miekiemoes -> I'm not pulling your leg, honest - By Sandi Hardmeie Kindly respond one more time and let me know if we may consider this thread resolved. __________________ If we have helped you then please consider donating** Proud Member of ASAP & UNITE Since 2007

06-19-2009, 09:26 AM	#10 (permalink)
jasont Registered User Join Date: Jun 2009 Posts: 6 OS: xp home edition ver2002 service pack 3	Re: can't get rid of trojan horse downloader I have completed all actions per your last post. Thx for all your help, Jase

06-19-2009, 04:38 PM	#11 (permalink)
sjb007 Analyst, Security Team Join Date: Dec 2007 Location: Lincoln UK Posts: 2,235 OS: Windows 7 Premium x64 My System	Re: can't get rid of trojan horse downloader Not a problem, only too glad to lend a hand As this issue is now resolved I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forums Good luck and happy safe surfing Jase! __________________ If we have helped you then please consider donating Proud Member of ASAP & UNITE Since 2007