computer still infected?

[ChaSiuBao]

hi there
posted a thread a few days ago and was told to make a new one following the steps in the sticky so here it is
Deckard's System Scanner v20071014.68
Run by James Tran on 2008-07-31 18:32:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as James Tran.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:24 PM, on 31/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Tran\Desktop\dss.exe
C:\DOCUME~1\JAMEST~1\Desktop\SYSTEM~1\JAMEST~1.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFEF81E5-4F5D-4D5D-9A76-EE5AF674C9E8}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 3559 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 18:21:47 0 d-------- C:\ie-spyad_zo
2008-07-31 17:15:55 0 d-------- C:\WINDOWS\LastGood
2008-07-31 17:15:40 0 d-------- C:\Program Files\Panda Security
2008-07-28 17:23:23 3532 --a------ C:\drmHeader.bin
2008-07-27 09:09:12 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 09:09:09 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-07-27 09:09:08 0 d-------- C:\Program Files\SpywareBlaster
2008-07-26 12:02:53 0 dr-h----- C:\Documents and Settings\James Tran\Recent
2008-07-25 22:51:21 0 d-------- C:\Program Files\uTorrent
2008-07-25 22:51:15 0 d-------- C:\Documents and Settings\James Tran\Application Data\uTorrent
2008-07-25 19:49:10 0 d-------- C:\Program Files\Logitech
2008-07-25 19:49:10 0 d-------- C:\Program Files\Common Files\Logitech
2008-07-23 23:34:25 1424 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 23:33:53 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 23:33:53 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-23 23:33:53 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-23 23:33:53 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-23 23:33:53 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-23 23:33:53 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-23 23:33:53 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 23:33:53 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-23 22:28:02 557988 --ahs---- C:\WINDOWS\system32\eLRBefii.ini2
2008-07-23 20:58:07 557589 --ahs---- C:\WINDOWS\system32\GPpponmp.ini2
2008-07-22 21:04:53 0 d-------- C:\WINDOWS\system32\4832
2008-07-22 20:05:41 0 d-------- C:\Documents and Settings\James Tran\Application Data\TmpRecentIcons
2008-07-22 20:05:17 94208 --a------ C:\WINDOWS\grswptdl.exe
2008-07-22 20:04:41 0 --a------ C:\WINDOWS\yoursearchnet_com.exe
2008-07-09 20:48:53 0 d-------- C:\WINDOWS\Prefetch
2008-07-09 20:30:00 0 d-------- C:\WINDOWS\system32\scripting
2008-07-09 20:29:57 0 d-------- C:\WINDOWS\system32\en
2008-07-09 20:29:57 0 d-------- C:\WINDOWS\system32\bits
2008-07-09 20:29:57 0 d-------- C:\WINDOWS\l2schemas
2008-07-09 20:27:26 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 17:59:45 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-09 17:59:41 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-09 17:59:41 0 d-------- C:\Documents and Settings\James Tran\Application Data\SUPERAntiSpyware.com
2008-07-09 17:52:27 0 d-------- C:\Documents and Settings\James Tran\Application Data\Malwarebytes
2008-07-09 17:52:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 17:52:21 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 17:52:10 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-09 16:52:49 0 d-------- C:\Documents and Settings\James Tran\.housecall6.6
2008-07-08 22:50:33 0 d-------- C:\Program Files\Alwil Software
2008-07-05 13:00:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 19:09:16 0 d-------- C:\Documents and Settings\James Tran\Application Data\Apple Computer


-- Find3M Report ---------------------------------------------------------------

2008-07-25 19:49:10 0 d-------- C:\Program Files\Common Files
2008-07-24 20:42:03 0 d-------- C:\Program Files\FrostWire
2008-07-09 20:30:18 0 d-------- C:\Program Files\Messenger
2008-07-09 20:29:57 0 d-------- C:\Program Files\Movie Maker
2008-07-09 20:27:02 0 d-------- C:\Program Files\Windows NT
2008-07-06 20:56:30 256 --a----c- C:\WINDOWS\system32\pool.bin
2008-07-05 13:03:11 0 d-------- C:\Program Files\Lavasoft
2008-07-03 21:37:59 0 d-------- C:\Program Files\Winamp
2008-06-30 19:41:18 68787 --a------ C:\WINDOWS\War3Unin.dat
2008-06-18 1614 0 d-------- C:\Documents and Settings\James Tran\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/10/2007 06:14 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 10:38 AM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [04/04/2008 11:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [13/04/2008 08:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-31 18:33:45 ------------

there was no extras.txt so i'm not sure what happened


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:05 PM, on 31/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Tran\Desktop\System Tools\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFEF81E5-4F5D-4D5D-9A76-EE5AF674C9E8}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 3527 bytes

[ChaSiuBao]

Bump!

[ChaSiuBao]

Bump..

[Ried]

Hello ChaSiuBao,


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

[ChaSiuBao]

ok both are done

ComboFix 08-08-07.01 - James Tran 2008-08-07 17:10:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.707 [GMT -4:00]
Running from: C:\Documents and Settings\James Tran\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Tran\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James Tran\Application Data\inst.exe
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\#SharedObjects\LPDUDA8N\interclick.com
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\#SharedObjects\LPDUDA8N\interclick.com\ud.sol
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BM4f871d3a.txt
C:\WINDOWS\BM4f871d3a.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\eLRBefii.ini
C:\WINDOWS\system32\eLRBefii.ini2
C:\WINDOWS\system32\GPpponmp.ini
C:\WINDOWS\system32\GPpponmp.ini2
C:\WINDOWS\system32\yqgqddtt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mssecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-04 02:11 . 2008-08-04 02:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-28 17:23 . 2008-07-28 17:23 38 --a------ C:\WINDOWS\avisplitter.INI
2008-07-27 09:09 . 2008-08-04 02:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-27 09:09 . 2008-08-04 02:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 09:09 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-25 22:51 . 2008-07-25 22:51 <DIR> d-------- C:\Program Files\uTorrent
2008-07-25 22:51 . 2008-08-06 19:17 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\uTorrent
2008-07-25 19:52 . 2008-04-13 14:39 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-25 19:52 . 2008-04-13 14:39 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-07-25 19:49 . 2008-08-04 02:15 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-23 23:34 . 2008-07-23 23:34 1,424 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 23:33 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-23 23:33 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-23 23:33 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-23 23:33 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-23 23:33 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-23 23:33 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 23:33 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-23 23:33 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 23:33 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 21:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-22 21:04 . 2008-07-25 15:48 <DIR> d-------- C:\WINDOWS\system32\4832
2008-07-22 20:17 . 2008-07-23 00:16 43,865 ---hs---- C:\WINDOWS\system32\fuwaeetu.ini
2008-07-09 20:30 . 2008-07-09 20:30 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-09 20:27 . 2008-07-09 20:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 20:10 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-07-09 20:09 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-09 20:08 . 2008-04-13 20:11 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2008-07-09 17:59 . 2008-07-25 17:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-09 17:59 . 2008-07-09 17:59 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\SUPERAntiSpyware.com
2008-07-09 17:59 . 2008-07-09 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\Malwarebytes
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 17:52 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-09 17:52 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-09 16:52 . 2008-07-26 21:43 <DIR> d-------- C:\Documents and Settings\James Tran\.housecall6.6
2008-07-08 22:50 . 2008-07-08 22:50 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 00:42 --------- d-----w C:\Program Files\FrostWire
2008-07-09 21:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 17:03 --------- d-----w C:\Program Files\Lavasoft
2008-07-05 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 01:37 --------- d-----w C:\Program Files\Winamp
2008-06-30 23:09 --------- d-----w C:\Documents and Settings\James Tran\Application Data\Apple Computer
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-09 19:39 47,360 ----a-w C:\Documents and Settings\James Tran\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-07-19 10:35]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James Tran\Application Data\Mozilla\Firefox\Profiles\zhve8f58.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 17:14:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-08-07 17:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 21:17:49

Pre-Run: 17,692,368,896 bytes free
Post-Run: 17,596,518,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

160 --- E O F --- 2008-07-10 20:04:37




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:26 PM, on 07/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\James Tran\Desktop\System Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFEF81E5-4F5D-4D5D-9A76-EE5AF674C9E8}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 3650 bytes

[Ried]

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/secu...ml#post1636536

Suspect::
C:\WINDOWS\system32\fuwaeetu.ini

DirLook::
C:\WINDOWS\system32\4832

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
• A browser will open.
• Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------

Please run a new online scan at Panda:

Perform an online scan with Panda ActiveScan

* Turn off Avast real time protection

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log in your next reply.

[ChaSiuBao]

ok after doing the combo fix and windows recovery the icon for my anti virus in the system tray is gone

[Ried]

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

***************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

Save the file as "avast.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the avast.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Clear your Firefox cookies:

Launch Mozilla Firefox>Tools>Options

• Click the Privacy tab
  Under 'Private Data', click 'Clear Now'
  in the ensuing dialog box, ensure 'Cookies' is checked
  Click 'Clear Private Data Now'

--------------------------------------------------------------------

The remainder of Panda's findings are tools that you'be used to try to clean your system, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Delete SmitfraudFix.exe as it's no longer needed and the tool is updated quite frequently.

------------------------------------------------------------------

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

• It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

[ChaSiuBao]

everything's working good

i wasn't able to do the avast.reg because it said it wasn't a binary value so i just reinstalled the antivirus and now the system tray icon is back

thanks alot for your help!

[Ried]

I am glad you worked it out, but for my info - Did you try to merge it from Safe Mode as instructed?

[ChaSiuBao]

yes i tried in safe mode
didn't work
then also tried in normal boot and same thing so i uninstalled then reinstalled