#1
Registered User
Join Date: Apr 2009
Posts: 1
OS: Windows XP Pro
Spy-Agent.bw!.mem
I am helping my wife track down a trojan that is preventing her from opening IE. She ran the diagnostics and came up with the following logs:
From DDS.TXT:

DDS (Ver_09-03-16.01) - NTFSx86
Run by MLeClair at 21:48.45 on Wed 04/29/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uStart Page = hxxp://smithlink.smith.com/default.aspx
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://smithlink.smith.com/default.aspx
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: : {6c145e73-5596-4d3d-a605-f98cfca79915} - c:\windows\system32\hhvswup.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [DL32] DL32
uRunOnce: [SpybotDeletingB9206] command.com /c del "c:\windows\system32\796525\796525.dll_old"
uRunOnce: [SpybotDeletingD3529] cmd.exe /c del "c:\windows\system32\796525\796525.dll_old"
uRunOnce: [SpybotDeletingB7961] command.com /c del "c:\windows\system32\sdra64.exe"
uRunOnce: [SpybotDeletingD9573] cmd.exe /c del "c:\windows\system32\sdra64.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Device Detector] DevDetect.exe -autorun
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ScanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
mRun: [sysLDtray] c:\windows\ld08.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [SpybotDeletingA1395] command.com /c del "c:\windows\system32\796525\796525.dll_old"
mRunOnce: [SpybotDeletingC876] cmd.exe /c del "c:\windows\system32\796525\796525.dll_old"
mRunOnce: [SpybotDeletingA8398] command.com /c del "c:\windows\system32\sdra64.exe"
mRunOnce: [SpybotDeletingC3700] cmd.exe /c del "c:\windows\system32\sdra64.exe"
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: miswaco.com\*.prod
Trusted Zone: miswaco.com\*.web
Trusted Zone: miswaco.com\*.prod
Trusted Zone: miswaco.com\*.web
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {59D8A93A-CA6A-4F2B-9398-2E620678726F} - hxxp://siihardydev19.net.smith.com/osoft/installation/OSoftDiag.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FB1A5DF-578D-4302-BDD7-9E92BE61CA30} - hxxp://siihardydev19.net.smith.com/osoft/installation/OSoftInst.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF}
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} - hxxp://sii.apps.smith.com:8000/jinitiator/oajinit.exe
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FD0A97F4-914F-4EB2-A43B-4371137D73CE} - hxxp://siihardydev17.net.smith.com/viewer507_ETAX/ee/MVEEPlugin.exe
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Notify: igfxcui - igfxdev.dll
Notify: xsuhqhfm - hhvswup.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-04-29 21:07 <DIR> --d----- c:\docume~1\mleclair\applic~1\diybtsou
2009-04-29 19:42 14,848 a------- c:\windows\system32\DL32.exe
2009-04-29 19:42 <DIR> --d----- c:\windows\system32\796525
2009-04-29 19:41 14,336 ----h--- c:\windows\ld08.exe
2009-04-29 18:20 <DIR> --dsh--- C:\found.002
2009-04-29 15:25 <DIR> --d----- c:\windows\system32\%%DATA_DIR%%
2009-04-27 11:11 <DIR> --d----- C:\BPC Database
2009-04-27 11:10 <DIR> --d----- C:\BPC
2009-04-22 21:05 <DIR> --d----- c:\program files\iPod
2009-04-22 21:05 <DIR> --d----- c:\program files\iTunes
2009-04-22 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 08:10 <DIR> --d----- c:\program files\MasteryNet
2009-04-13 08:09 <DIR> --d----- c:\documents and settings\mleclair\Tracing

==================== Find3M ====================

2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-11-14 15:14 60,744 a------- c:\documents and settings\mleclair\g2mdlhlpx.exe
2006-03-30 16:02 18,376 -c------ c:\docume~1\mleclair\applic~1\GDIPFONTCACHEV1.DAT
1999-12-22 19:28 540,203 ac------ c:\program files\_SETUP.1
1999-12-22 19:28 5 ac------ c:\program files\DISK1.ID
1999-12-22 19:28 103 ac------ c:\program files\SETUP.PKG
1999-12-22 19:28 35 ac------ c:\program files\SETUP.INI
1999-12-22 19:28 194,234 ac------ c:\program files\_SETUP.LIB
1999-12-22 18:34 6,242 ac------ c:\program files\ReadMe.txt
1998-06-18 13:43 70,711 ac------ c:\program files\SETUP.INS
1997-01-18 13:04 320,411 ac------ c:\program files\_INST32I.EX_
1997-01-18 12:53 45,312 a------- c:\program files\SETUP.EXE
1996-12-19 17:03 6,128 ac------ c:\program files\_SETUP.DLL
1995-09-07 21:22 8,192 a------- c:\program files\_ISDEL.EXE

============= FINISH: 21:10:05.07 ===============

ARK.TXT and ATTACH.TXT are attached as ATTACH.ZIP.

She says she was playing a game on Facebook when this happened. It started out as a false virus protection alert. She ran SpyBot, but it left Spy-Agent.bw!.mem on her machine. It is her work laptop, so we're sort of in a bind. Any help would be much appreciated.
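Added example (not from this thread or from the DDS tool): a small triage script that reads "Pseudo HJT Report" and "Created Last 30" lines in the format DDS printed above and flags the entries a helper would ask about first. The rule names, the scoring logic and the `SAMPLE_LOG` are mine; the sample lines are copied from the log posted above, with benign entries left in so the rules have something to ignore. The four checks are the ones that stand out in this log: an IE proxy pointing at localhost (all browser traffic routed through a local listener), a BHO with no display name loading a DLL from system32, a Winlogon Notify package loading that same DLL, and Run entries that either have no path (resolved by PATH search) or launch straight from the root of c:\windows, cross-referenced against files created in the last 30 days.

```python
import re

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {6c145e73-5596-4d3d-a605-f98cfca79915} - c:\windows\system32\hhvswup.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DL32] DL32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [sysLDtray] c:\windows\ld08.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
Notify: igfxcui - igfxdev.dll
Notify: xsuhqhfm - hhvswup.dll
2009-04-29 19:42 14,848 a------- c:\windows\system32\DL32.exe
2009-04-29 19:41 14,336 ----h--- c:\windows\ld08.exe
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
"""

# Line shapes as DDS prints them (u = per-user hive, m = machine hive).
PROXY_RE   = re.compile(r'^[um]Internet Settings,ProxyServer = (?P<proxy>.+)$')
BHO_RE     = re.compile(r'^BHO: (?P<name>.*?): \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
NOTIFY_RE  = re.compile(r'^Notify: (?P<key>\S+) - (?P<dll>\S+)$')
RUN_RE     = re.compile(r'^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:<DIR>|[\d,]+) \S+ (?P<path>.+)$')


def _stem(path):
    """Lower-cased file name without directory or extension: 'c:\\x\\DL32.exe' -> 'dl32'."""
    name = path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return name.rsplit('.', 1)[0] if '.' in name else name


def _executable(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage(log_text):
    """Return [(rule, offending line), ...] in log order. Heuristic, not a verdict."""
    findings = []
    flagged_dlls = set()   # stems of DLLs behind nameless BHOs
    autostarts = {}        # stem -> suspicious Run line that references it

    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if (m := PROXY_RE.match(line)):
            # IE proxy on the loopback interface: something local sees every request.
            if re.search(r'localhost|127\.0\.0\.1', m['proxy'], re.I):
                findings.append(('local-proxy', line))
        elif (m := BHO_RE.match(line)):
            # Legitimate BHOs register a display name; an empty one is worth a look.
            if not m['name'].strip():
                flagged_dlls.add(_stem(m['path']))
                findings.append(('nameless-bho', line))
        elif (m := NOTIFY_RE.match(line)):
            # Winlogon Notify DLLs load into winlogon.exe at logon; same DLL as a
            # flagged BHO means one component persisting two ways.
            if _stem(m['dll']) in flagged_dlls:
                findings.append(('notify-loads-flagged-dll', line))
        elif (m := RUN_RE.match(line)):
            exe = _executable(m['cmd'])
            if '\\' not in exe:
                # Bare name: resolved through the PATH search order at logon.
                findings.append(('run-bare-name', line))
                autostarts[_stem(exe)] = line
            elif exe.replace('/', '\\').rsplit('\\', 1)[0].lower() == r'c:\windows':
                # Vendors install under system32 or Program Files, rarely c:\windows itself.
                findings.append(('run-from-windows-root', line))
                autostarts[_stem(exe)] = line
        elif (m := CREATED_RE.match(line)):
            # A recently created file that is also an autostart target ties the
            # "Created Last 30" section back to the persistence entries.
            stem = _stem(m['path'])
            if stem in autostarts or stem in flagged_dlls:
                findings.append(('recent-file-behind-autostart', line))
    return findings


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'{rule:30} {line}')
```

Run against the full log above, the bare-name rule also fires on stsystra.exe, DevDetect.exe and the rundll32.exe Bluetooth entry, and the windows-root rule fires on vVX6000.exe; that is expected for a triage list, which exists to shorten the set of entries a helper has to look up, not to declare anything malicious. The cross-reference between sections is the part worth keeping: a Run entry, a nameless BHO and a Notify package that all point at files created within a minute of each other is a much stronger signal than any one line alone.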
#2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,228
OS: XP SP3
Re: Spy-Agent.bw!.mem
Hello and Welcome to TSF.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan. This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
#3
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,228
OS: XP SP3
Re: Spy-Agent.bw!.mem
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------