Old 04-29-2009, 01:06 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Trojan infection

Hello,
My XP pc has been attacked by trojans; it had the following damage as a result:

a) Could not connect to the internet.
b) A flashing WARNING message appeared on my desktop saying that the PC had been corrupted and to run a virus cleaning application.

I downloaded and ran Malwarebytes and removed the trojans. I then rebooted. This removed the Warning message from my desktop. I also downloaded and ran Winsock fix VB_Winfix 1.2, this reconnected me to the internet. However, I am now finding that when I do a search on Google, it says redirecting and it downloads the infections again. I had tried to restore to a day before the infection but Windows is unable to restore to that day or other days (you press the button and nothing happens).

Could you please help me with this problem, as I don't know what else to do.

Thanks and regards,

David

DDS (Ver_09-03-16.01) - NTFSx86
Run by David Jones at 19:05:54.70 on 30/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.409 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\David Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\David Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Tiscali Internet Access
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AccuWeather.com Toolbar: {b0fdbb8e-5c2c-41ed-a18c-228f9b2f598c} - mscoree.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress]
uRun: [PowerBar]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [A00F17447B.exe] c:\docume~1\davidj~1\locals~1\temp\_A00F17447B.exe
uRun: [Google Update] "c:\documents and settings\david jones\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [autochk] rundll32.exe c:\docume~1\davidj~1\protect.dll,_IWMPEvents@16
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [EZNETDNS] c:\program files\solid oak software\ezdnswatch\EZDNSWatch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\davidj~1\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\documents and settings\david jones\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\davidj~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bbc.co.uk\www
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidj~1\applic~1\mozilla\firefox\profiles\pgdg09rs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\david jones\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-28 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-28 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-28 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-28 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-26 55640]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 bfastfao;bfastfao;\??\c:\docume~1\davidj~1\locals~1\temp\bfastfao.sys --> c:\docume~1\davidj~1\locals~1\temp\bfastfao.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-11-25 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-11-25 51840]

=============== Created Last 30 ================

2009-04-30 19:02 61,440 a------- c:\windows\system32\drivers\nahoaxh.sys
2009-04-30 07:52 24,064 a--sh--- c:\documents and settings\david jones\protect.dll
2009-04-30 07:52 24,064 -------- c:\windows\system32\autochk.dll
2009-04-28 20:51 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-04-28 20:51 <DIR> --d----- c:\program files\Zone Labs
2009-04-28 20:51 350,192 a------- c:\windows\system32\vsconfig.xml
2009-04-28 20:39 <DIR> --d----- c:\program files\Avira
2009-04-28 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-27 21:11 <DIR> --d----- c:\docume~1\davidj~1\applic~1\Malwarebytes
2009-04-27 21:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 21:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 21:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 21:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 15:29 1 a------- c:\windows\system32\uniq.tll
2009-04-26 16:00 <DIR> --d----- c:\program files\iPod
2009-04-26 16:00 <DIR> --d----- c:\program files\iTunes
2009-04-26 16:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-26 08:41 28,624 a---h--- c:\windows\system32\mlfcache.dat
2009-04-26 08:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-15 08:54 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:54 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:54 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:54 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:54 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 08:54 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:54 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:54 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:54 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:53 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 08:53 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 08:53 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-09 15:09 <DIR> --dsh--- c:\documents and settings\david jones\IECompatCache
2009-04-09 15:09 <DIR> --dsh--- c:\documents and settings\david jones\PrivacIE
2009-04-09 15:08 <DIR> --dsh--- c:\documents and settings\david jones\IETldCache
2009-04-09 15:04 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-04-30 19:02 2,080 a------- c:\program files\almeze.txt
2009-04-28 20:51 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-27 15:30 104,960 a------- c:\windows\system32\userinit.exe
2009-04-06 08:30 150,922 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 1907.50 ===============
Attached Files
File Type: zip Attach.zip.zip (4.4 KB, 5 views)
File Type: zip ark.txt.zip (5.3 KB, 4 views)
seagulldlj is offline  
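The DDS "Pseudo HJT Report" above is the kind of autostart listing a helper reads by hand before deciding what to ask for next. As an added example, not code from the thread, from DDS or from the forum helpers, here is a small Python triager that parses the line shapes in that report and flags the entries a defender would review first: programs launched from a Temp folder or from a profile root, startup-folder items that are a bare DLL or a shortcut to rundll32.exe, policies that disable Task Manager, and a Run value name present in both the user and machine hives pointing at different files. The sample lines are a subset copied from the log above; the flag names, the heuristics and the u/m/d prefix meanings (current user, local machine, .DEFAULT hive) are assumptions of this example, and a flag is a prompt to look closer, not a verdict.

```python
"""Heuristic triage of autostart entries from a DDS 'Pseudo HJT Report'.

Added example: not code from the thread, from DDS or from HijackThis. It parses
the line shapes seen in the posted log and flags entries worth a closer look.
Assumed prefix convention: u = current-user hive, m = local-machine hive,
d = .DEFAULT hive. A flag is a review prompt, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the DDS log in the thread (a constructed subset of it).
SAMPLE_LOG = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [A00F17447B.exe] c:\docume~1\davidj~1\locals~1\temp\_A00F17447B.exe
uRun: [autochk] rundll32.exe c:\docume~1\davidj~1\protect.dll,_IWMPEvents@16
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
StartupFolder: c:\documents and settings\david jones\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\davidj~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
S3 bfastfao;bfastfao;\??\c:\docume~1\davidj~1\locals~1\temp\bfastfao.sys --> c:\docume~1\davidj~1\locals~1\temp\bfastfao.sys [?]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-28 11608]
"""

RUN_RE = re.compile(r'^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^StartupFolder: (?P<item>.*?)(?: - (?P<target>.*))?$')
POLICY_RE = re.compile(r'^(?P<kind>[umd]Policies-\w+): (?P<name>\w+) = (?P<value>\S+)')
SERVICE_RE = re.compile(r'^(?P<kind>[RS][0-4]) (?P<name>[^;]+);[^;]*;(?P<path>.*)$')
# A file sitting directly in a user's profile root rather than in a subfolder.
PROFILE_ROOT_RE = re.compile(r'^c:\\(?:docume~1|documents and settings)\\[^\\]+\\[^\\]+$')
# Policies that hamper clean-up by locking the user out of their own tools.
REMEDIATION_POLICIES = {"disabletaskmgr", "disableregistrytools"}


@dataclass
class Entry:
    kind: str        # uRun, mRun, StartupFolder, dPolicies-system, S3, ...
    name: str        # value name, shortcut/file name, policy name or service name
    target: str      # lower-cased path the entry loads ("" if none)
    raw: str
    value: str = ""  # policy value, policy entries only
    flags: list = field(default_factory=list)


def extract_target(cmd: str) -> str:
    """Path an autorun command launches; for rundll32 entries, the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path, arguments after the quote
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    tokens = cmd.split(None, 1) or [""]
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0].strip().lower()   # rundll32.exe <dll>,<export>
    return tokens[0].lower()


def service_path(field_text: str) -> str:
    """Strip DDS decorations ('--> ...', '[date size]') and the \\??\\ prefix."""
    path = field_text.split(" --> ")[0].split(" [")[0].strip()
    return path[4:].lower() if path.startswith("\\??\\") else path.lower()


def parse_log(text: str) -> list:
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := RUN_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], extract_target(m["cmd"]), line))
        elif m := STARTUP_RE.match(line):
            item, target = m["item"], m["target"]   # no ' - ' means the item itself is the file
            entries.append(Entry("StartupFolder", item.rsplit("\\", 1)[-1],
                                 (target or item).strip().lower(), line))
        elif m := POLICY_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], "", line, value=m["value"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], service_path(m["path"]), line))
    return entries


def triage(text: str) -> list:
    """Return only the entries that earned at least one review flag, in log order."""
    entries = parse_log(text)
    for e in entries:
        if "\\temp\\" in e.target:
            e.flags.append("launches-from-temp")
        if PROFILE_ROOT_RE.match(e.target):
            e.flags.append("file-in-profile-root")
        if e.kind == "StartupFolder" and e.target.endswith(".dll"):
            e.flags.append("dll-in-startup-folder")
        if e.kind == "StartupFolder" and e.target.endswith("\\rundll32.exe"):
            e.flags.append("shortcut-to-rundll32")   # DDS shows no arguments; open the .lnk
        if e.kind.endswith("Policies-system") and e.name.lower() in REMEDIATION_POLICIES and e.value != "0":
            e.flags.append("remediation-tool-disabled")
    # Cross-entry check: one Run value name in both HKCU and HKLM, pointing at
    # different files, is unusual for legitimately installed software.
    by_name = {}
    for e in entries:
        if e.kind in ("uRun", "mRun"):
            by_name.setdefault(e.name.lower(), []).append(e)
    for group in by_name.values():
        if len({e.kind for e in group}) > 1 and len({e.target for e in group}) > 1:
            for e in group:
                e.flags.append("same-name-in-hkcu-and-hklm")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<18} {e.name:<18} {', '.join(e.flags)}")
```

Running it lists seven flagged entries, while the CTFMON, avgnt, Ptipbmf and avgio lines pass untouched: the heuristics key on where a file lives and how it is wired into startup, not on the name it was given, which is also why the two `autochk` values are only caught by comparing the hives against each other.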

Old 04-30-2009, 08:23 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Download RootRepeal.zip to your Desktop and click 'Extract all files' to extract the compressed file to its own folder.
  • Double-click on RootRepeal.exe to run it.
  • Click on the 'Report' tab, and then click on 'Scan'.
  • A window opens asking what to include in the scan.
  • Check the following boxes then click 'OK':
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C:)
  • Click 'OK' once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
  • When the scan finishes, click on 'Save Report'.
  • Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Post the log in your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-01-2009, 10:56 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hello Guys,
Please find attached the RootRepeal file as requested,

many thanks,
David
Attached Files
File Type: txt RootRepeal.txt (26.5 KB, 5 views)
seagulldlj is offline  
Old 05-01-2009, 11:36 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hi Guys,
Please find attached logs from Malwarebytes, I thought it might be useful,
regards,
David
Attached Files
File Type: zip Malwarebytes Logs.zip (7.4 KB, 1 views)
seagulldlj is offline  
Old 05-01-2009, 11:53 AM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello David. Please do not attach unrequested logs.

Did you read the first sentence here > NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF.
------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-02-2009, 04:30 AM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hi, apologies for sending logs. Here is the Combofix log as requested,
many thanks,
David

ComboFix 09-05-02.4 - David Jones 02/05/2009 11:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.589 [GMT 1:00]
Running from: c:\documents and settings\David Jones\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *disabled*
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lmppcsetup.exe
c:\windows\system32\uniq.tll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 16:40 . 2009-05-01 16:40 0 ----a-w C:\settings.dat
2009-04-28 19:51 . 2009-02-15 23:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-28 19:51 . 2009-04-28 19:51 -------- d-----w c:\program files\Zone Labs
2009-04-28 19:39 . 2009-04-28 19:39 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-28 19:39 . 2009-04-28 19:39 -------- d-----w c:\program files\Avira
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\documents and settings\David Jones\Application Data\Malwarebytes
2009-04-27 20:11 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 20:11 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\iPod
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\iTunes
2009-04-26 07:41 . 2009-04-26 07:41 28624 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-26 07:41 . 2009-04-26 07:41 -------- d-----w c:\program files\Safari
2009-04-26 07:14 . 2009-04-28 19:59 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-15 07:54 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 07:54 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 07:54 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 07:54 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 07:54 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 07:54 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 07:54 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 07:54 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 07:54 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 07:53 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 07:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 15:30 . 2009-04-09 15:30 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-09 14:09 . 2009-04-09 14:09 -------- d-sh--w c:\documents and settings\David Jones\IECompatCache
2009-04-09 14:09 . 2009-04-09 14:09 -------- d-sh--w c:\documents and settings\David Jones\PrivacIE
2009-04-09 14:08 . 2009-04-09 14:08 -------- d-sh--w c:\documents and settings\David Jones\IETldCache
2009-04-09 14:04 . 2009-04-09 14:06 -------- dc-h--w c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 10:05 . 2005-11-25 09:02 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 09:06 . 2008-12-29 19:37 950 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054868573-2390593884-1353833358-1006.job
2009-05-02 07:31 . 2007-12-08 13:44 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-28 19:51 . 2006-10-24 12:11 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-28 17:58 . 2008-02-23 10:38 -------- d-----w c:\program files\Solid Oak Software
2009-04-27 19:12 . 2008-05-18 08:49 -------- d-----w c:\program files\a-squared HiJackFree
2009-04-26 15:00 . 2007-07-01 08:38 -------- d-----w c:\program files\Common Files\Apple
2009-04-25 18:17 . 2007-07-01 08:38 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-06 07:30 . 2009-04-27 19:00 150922 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-03-21 21:39 . 2007-07-01 08:38 -------- d-----w c:\program files\QuickTime
2009-03-21 21:34 . 2009-03-21 21:34 -------- d-----w c:\program files\Bonjour
2009-03-21 10:16 . 2008-09-21 08:17 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 03:34 . 2005-09-09 22:03 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2005-09-09 22:03 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2005-09-09 22:03 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2005-09-09 22:03 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2005-09-09 22:03 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2005-09-09 22:03 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2005-09-09 22:03 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2005-09-09 22:03 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2005-09-09 22:03 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2005-09-09 22:03 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-09-09 22:03 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-21 21:38 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 . 2008-12-31 15:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-09 12:10 . 2005-09-09 22:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-09 22:03 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-09-09 22:03 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-09-09 22:03 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-09-09 22:03 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-09-09 22:03 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 23:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-09-09 22:03 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-09-09 22:03 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 151597]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 bfastfao;bfastfao; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R4 m5287;m5287;c:\windows\system32\DRIVERS\m5287.sys [2005-02-05 85888]
R4 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys [2004-12-01 51840]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-28 108289]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fdbe143-b6eb-11dc-b9d0-001731f64f1a}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054868573-2390593884-1353833358-1006.job
- c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:06]

2009-01-17 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-17 13:15]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)
HKCU-Run-PowerBar - (no file)
HKLM-Run-EZNETDNS - c:\program files\Solid Oak Software\EZDNSWatch\EZDNSWatch.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bbc.co.uk\www
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\David Jones\Application Data\Mozilla\Firefox\Profiles\pgdg09rs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthltovwrcormijlrrxdcbrwrkncuvyecqk.sys 83968 bytes executable
c:\docume~1\DAVIDJ~1\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthiqxtfptfmqibchqwxusirypmwbcopabd.dll 18432 bytes executable
c:\windows\system32\ovfsthjxvbjoufnidecqkosetrpwtpqxuocwuc.dat 171517 bytes
c:\windows\system32\ovfsthnbqhemnynfpclbpuevcvpvpidivaljki.dll 18944 bytes executable
c:\windows\system32\ovfsthtekljerxysepktslurgqyusixwqtjxoy.dll 60928 bytes executable
c:\windows\system32\ovfsthxrxpnyeregcpbpsibjbptnpkfdwxbrfx.dat 43 bytes

scan completed successfully
hidden files: 7

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,45,6e,20,f5,5b,0b,41,b5,a6,6b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,45,6e,20,f5,5b,0b,41,b5,a6,6b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3160)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-02 11:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 10:08

Pre-Run: 214,611,484,672 bytes free
Post-Run: 215,239,057,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
253 --- E O F --- 2009-04-15 20:53
seagulldlj is offline  
Old 05-02-2009, 05:39 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Cry Re: Trojan infection

Hi,
I was just wondering, should I stop accessing the internet now with my infected PC, as I am concerned about reinfection. I think I made a mistake by running a Malwarebytes scan and it still shows trojans after I was redirected from Google to a page I did not want to connect to. Unfortunately, this was after running ComboFix; sincere apologies, as you did say not to run any scans, I just forgot. Should I run a deep scan using Malwarebytes, which may uncover more infections, to get all trojans removed once more?

thanks and regards,

David.
seagulldlj is offline  
Old 05-02-2009, 07:24 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello again, David.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Quote:
* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF.
Quote:
Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.
What part of the above do you not understand?

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c Vfind -ltf "%systemdrive%\ChkDisk.dll" >log.txt&log.txt&del log.txt

A Notepad file will open. Post the contents of log.txt in your next reply.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/372009-trojan-infection.html#post2113089

Collect::
C:\WINDOWS\system32\ovfsthiqxtfptfmqibchqwxusirypmwbcopabd.dll
C:\WINDOWS\system32\ovfsthjxvbjoufnidecqkosetrpwtpqxuocwuc.dat
C:\WINDOWS\system32\ovfsthnbqhemnynfpclbpuevcvpvpidivaljki.dll
C:\WINDOWS\system32\ovfsthtekljerxysepktslurgqyusixwqtjxoy.dll
C:\WINDOWS\system32\ovfsthxrxpnyeregcpbpsibjbptnpkfdwxbrfx.dat
C:\WINDOWS\system32\drivers\ovfsthltovwrcormijlrrxdcbrwrkncuvyecqk.sys

FixCSet::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Driver::
ovfsthmpkkosplhbgojviqjrwtpnoelulwbhmn
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
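An added example, not code from the thread, from ComboFix or from its author: a Python script that reads the catchme "hidden files" block of a ComboFix log like the one posted above, cross-checks catchme's own "hidden files: N" total, clusters the entries by a shared filename prefix (every file in that block starts with "ovfsth"), and drafts the Collect:: and Driver:: sections in the CFScript form the helper wrote by hand. The sample lines are copied from the log above and the Driver:: service name from the CFScript above; the shared-prefix check is a triage heuristic of this example, not a ComboFix feature.

```python
import re
from collections import Counter

# Sample input: the catchme hidden-files section copied from the ComboFix
# log posted above, reduced to the lines this parser reads.
SAMPLE_LOG = """\
scanning hidden files ...

c:\\windows\\system32\\drivers\\ovfsthltovwrcormijlrrxdcbrwrkncuvyecqk.sys 83968 bytes executable
c:\\docume~1\\DAVIDJ~1\\LOCALS~1\\Temp\\ovfsthx000 0 bytes
c:\\windows\\system32\\ovfsthiqxtfptfmqibchqwxusirypmwbcopabd.dll 18432 bytes executable
c:\\windows\\system32\\ovfsthjxvbjoufnidecqkosetrpwtpqxuocwuc.dat 171517 bytes
c:\\windows\\system32\\ovfsthnbqhemnynfpclbpuevcvpvpidivaljki.dll 18944 bytes executable
c:\\windows\\system32\\ovfsthtekljerxysepktslurgqyusixwqtjxoy.dll 60928 bytes executable
c:\\windows\\system32\\ovfsthxrxpnyeregcpbpsibjbptnpkfdwxbrfx.dat 43 bytes

scan completed successfully
hidden files: 7
"""

# One catchme entry: "<path> <size> bytes" with an optional " executable" tag.
HIDDEN_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes(?P<exe> executable)?$"
)
COUNT_LINE = re.compile(r"^hidden files:\s*(\d+)\s*$", re.M)


def parse_hidden_files(log):
    """Return the entries between 'scanning hidden files ...' and 'scan completed'."""
    entries, in_section = [], False
    for line in log.splitlines():
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if line.startswith("scan completed"):
            break
        m = HIDDEN_LINE.match(line.strip()) if in_section else None
        if m:
            path = m.group("path")
            entries.append({
                "path": path,
                "name": path.rsplit("\\", 1)[-1].lower(),
                "size": int(m.group("size")),
                "executable": m.group("exe") is not None,
            })
    return entries


def reported_count(log):
    """catchme's own 'hidden files: N' total, or None if that line is missing."""
    m = COUNT_LINE.search(log)
    return int(m.group(1)) if m else None


def find_shared_prefix(names, min_prefix=6, min_members=3):
    """Longest filename prefix shared by at least min_members of the names.

    Triage heuristic: a dropper that stamps one random-looking prefix on every
    file it writes (here 'ovfsth') stands out, because legitimate hidden files
    rarely cluster like that. Returns (prefix, matching_names) or ("", []).
    """
    names = [n.lower() for n in names]
    for length in range(max(map(len, names), default=0), min_prefix - 1, -1):
        counts = Counter(n[:length] for n in names if len(n) >= length)
        if counts:
            prefix, hits = counts.most_common(1)[0]
            if hits >= min_members:
                return prefix, [n for n in names if n.startswith(prefix)]
    return "", []


def render_cfscript(entries, prefix, driver_names=()):
    """Draft Collect:: and Driver:: sections in the CFScript form used above.

    Only clustered, non-empty files are listed: a zero-byte file (the Temp
    entry in the sample) has nothing to submit for analysis. Driver names are
    supplied by the caller; they come from other evidence, not this section.
    """
    lines = ["Collect::"]
    lines += [e["path"] for e in entries if e["name"].startswith(prefix) and e["size"] > 0]
    if driver_names:
        lines += ["", "Driver::", *driver_names]
    return "\n".join(lines) + "\n"


def triage(log, driver_names=()):
    """Parse the section, cross-check the count, cluster, and draft the script."""
    entries = parse_hidden_files(log)
    prefix, members = find_shared_prefix([e["name"] for e in entries])
    return {
        "entries": entries,
        "count_matches": reported_count(log) == len(entries),
        "prefix": prefix,
        "clustered": len(members),
        "executables": sum(e["executable"] for e in entries),
        "script": render_cfscript(entries, prefix, driver_names),
    }
```

Calling `triage(SAMPLE_LOG, ["ovfsthmpkkosplhbgojviqjrwtpnoelulwbhmn"])` reports the "ovfsth" prefix on all 7 hidden files and drafts a Collect:: section of the six non-empty ones, matching the script the helper posted.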
Old 05-02-2009, 08:34 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hello again,
All went okay and requested files produced except I could not find the file named [4]-Submit_date@time.zip at:
c:\QooBox\Quarantine\[4]-Submit_date@time.zip. Here are the 2 requested file contents for log.txt and CFScript.txt

log.txt

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

CFScript.txt

ComboFix 09-05-02.4 - David Jones 02/05/2009 15:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.570 [GMT 1:00]
Running from: c:\documents and settings\David Jones\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David Jones\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *disabled*
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthmpkkosplhbgojviqjrwtpnoelulwbhmn


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 16:40 . 2009-05-01 16:40 0 ----a-w C:\settings.dat
2009-04-28 19:51 . 2009-02-15 23:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-28 19:51 . 2009-04-28 19:51 -------- d-----w c:\program files\Zone Labs
2009-04-28 19:39 . 2009-04-28 19:39 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-28 19:39 . 2009-04-28 19:39 -------- d-----w c:\program files\Avira
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\documents and settings\David Jones\Application Data\Malwarebytes
2009-04-27 20:11 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 20:11 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 20:11 . 2009-04-27 20:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-27 14:45 . 2009-04-27 14:45 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\iPod
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\iTunes
2009-04-26 07:41 . 2009-04-26 07:41 28624 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-26 07:41 . 2009-04-26 07:41 -------- d-----w c:\program files\Safari
2009-04-26 07:14 . 2009-04-28 19:59 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-15 07:54 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 07:54 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 07:54 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 07:54 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 07:54 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 07:54 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 07:54 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 07:54 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 07:54 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 07:53 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 07:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 15:30 . 2009-04-09 15:30 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-09 14:09 . 2009-04-09 14:09 -------- d-sh--w c:\documents and settings\David Jones\IECompatCache
2009-04-09 14:09 . 2009-04-09 14:09 -------- d-sh--w c:\documents and settings\David Jones\PrivacIE
2009-04-09 14:08 . 2009-04-09 14:08 -------- d-sh--w c:\documents and settings\David Jones\IETldCache
2009-04-09 14:04 . 2009-04-09 14:06 -------- dc-h--w c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 14:17 . 2005-11-25 09:02 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 14:10 . 2007-12-08 13:44 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-02 13:18 . 2008-12-29 19:37 950 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054868573-2390593884-1353833358-1006.job
2009-04-28 19:51 . 2006-10-24 12:11 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-28 17:58 . 2008-02-23 10:38 -------- d-----w c:\program files\Solid Oak Software
2009-04-27 19:12 . 2008-05-18 08:49 -------- d-----w c:\program files\a-squared HiJackFree
2009-04-26 15:00 . 2007-07-01 08:38 -------- d-----w c:\program files\Common Files\Apple
2009-04-25 18:17 . 2007-07-01 08:38 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-06 07:30 . 2009-04-27 19:00 150922 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-03-21 21:39 . 2007-07-01 08:38 -------- d-----w c:\program files\QuickTime
2009-03-21 21:34 . 2009-03-21 21:34 -------- d-----w c:\program files\Bonjour
2009-03-21 10:16 . 2008-09-21 08:17 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 03:34 . 2005-09-09 22:03 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2005-09-09 22:03 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2005-09-09 22:03 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2005-09-09 22:03 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2005-09-09 22:03 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2005-09-09 22:03 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2005-09-09 22:03 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2005-09-09 22:03 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2005-09-09 22:03 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2005-09-09 22:03 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-09-09 22:03 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-21 21:38 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 . 2008-12-31 15:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-09 12:10 . 2005-09-09 22:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-09 22:03 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-09-09 22:03 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-09-09 22:03 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-09-09 22:03 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-09-09 22:03 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 23:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-09-09 22:03 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-09-09 22:03 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 151597]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 bfastfao;bfastfao; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R4 m5287;m5287;c:\windows\system32\DRIVERS\m5287.sys [2005-02-05 85888]
R4 m5289;m5289;c:\windows\system32\DRIVERS\m5289.sys [2004-12-01 51840]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-28 108289]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fdbe143-b6eb-11dc-b9d0-001731f64f1a}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2054868573-2390593884-1353833358-1006.job
- c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:06]

2009-01-17 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-17 13:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bbc.co.uk\www
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\David Jones\Application Data\Mozilla\Firefox\Profiles\pgdg09rs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\David Jones\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-02 15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 14:20
ComboFix2.txt 2009-05-02 10:08

Pre-Run: 215,415,332,864 bytes free
Post-Run: 215,342,510,080 bytes free

227 --- E O F --- 2009-04-15 20:53
seagulldlj is offline  
Old 05-02-2009, 12:29 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello again, David.
  • Double-click on RootRepeal.exe to run it.
  • Click on the 'Report' tab, and then click on 'Scan'.
  • A window opens asking what to include in the scan.
  • Check the following boxes then click 'OK':
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C:)
  • Click 'OK' once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
  • When the scan finishes, click on 'Save Report'.
  • Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Post the log in your next reply.
------------------------------------------------------
chemist is offline  
Old 05-02-2009, 01:08 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hello,
Is it okay that I could not find the file named [4]-Submit_date@time.zip at:
c:\QooBox\Quarantine\[4]-Submit_date@time.zip. Here are the 2 requested file contents for log.txt and CFScript.txt,

regards,
David
seagulldlj is offline  
Old 05-02-2009, 02:36 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Yes, it's OK. Please follow my instructions.
chemist is offline  
Old 05-03-2009, 02:03 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hi Chemist,
Here's RootRepeal.txt as requested,
regards,
David
Attached file: RootRepeal.txt (30.1 KB)
seagulldlj is offline  
Old 05-03-2009, 05:33 AM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello again, David. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

It appears you had COMODO Firewall installed previously. It is still registered with your WMI:

Quote:
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
FW: COMODO Firewall Pro *disabled*
Please follow these instructions for de-registering COMODO Firewall Pro:

**Note: Make sure you only delete COMODO products.
  • Go Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
  • Click 'Connect'.
  • Copy/paste root/securitycenter into the box and click 'Connect'.
  • Click 'Query'.
  • Copy/paste SELECT * FROM FirewallProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Firewall program registered.
  • Double-click on each result to view the properties for that Firewall product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Firewall software that is no longer installed.
  • Click 'Close', then 'Exit' and let me know if it worked.
------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc stop bfastfao

A DOS window will open and close again, this is normal.

Repeat for this command:

sc delete bfastfao

------------------------------------------------------

We need to install Java on your machine in order to run an online scan with Kaspersky.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u13-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-03-2009, 08:26 AM   #15 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hello again,
I followed your instructions and was also able to delete the old Comodo Firewall entry as requested. Please find attached the Kaspersky report.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 14:31:53
Records in database: 2124110
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 67038
Threat name: 2
Infected objects: 1
Suspicious objects: 3
Duration of the scan: 01:29:37


File name / Threat name / Threats count
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

The selected area was scanned.
Old 05-03-2009, 09:37 AM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Hello again, David.

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c del /a/f/q "C:\Program Files\Common Files\Real\Toolbar\RealBar.dll"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Kaspersky has detected infected emails in the following Folders:

C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Inbox
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Junk

Unfortunately, it only tells us where the emails are, and not their names. You will have to find the emails and delete them. They are likely emails with an attachment. If you are not sure what they are, you will have to delete emails until a scan of those folders comes up clean. You can configure Kaspersky to scan only those folders. Let me know when you find and delete them.

------------------------------------------------------
Old 05-03-2009, 10:58 AM   #17 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hi Chemist,
I have deleted all suspicious mails from Thunderbird, but I cannot see the infected ones. I have also looked for them using Start > Explorer, but I cannot find them.

regards,
David
Old 05-03-2009, 11:04 AM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

Do those folders scan clean with Kaspersky?
Old 05-03-2009, 11:06 AM   #19 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: xp


Re: Trojan infection

Hi Chemist,
No, down to 2 now, see attached:-
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 18:45:25
Records in database: 2124583
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders

Scan statistics:
Files scanned: 59
Threat name: 1
Infected objects: 0
Suspicious objects: 3
Duration of the scan: 00:01:57


File name / Threat name / Threats count
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\David Jones\Application Data\Thunderbird\Profiles\ut7gmpe5.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
Old 05-03-2009, 11:14 AM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,639
OS: XP SP3


Re: Trojan infection

There are 2 emails in the Inbox, and one email in the Junk.

You will just have to delete emails until they scan clean.
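Added example (not part of the original posts): the helper's advice in posts #16 and #20 is to delete messages until the folder scans clean, because Kaspersky names only the mailbox file. A Thunderbird folder such as "Local Folders\Inbox" is a single mbox file, and Trojan-Spy.HTML.Fraud.gen is a generic detection for HTML that imitates a login or payment form, so the message can be found by walking the mbox and looking for HTML parts with forms, password fields, scripts or .html attachments. One further caveat worth knowing: deleting a message in Thunderbird only sets the "expunged" bit (0x0008) in its X-Mozilla-Status header; the bytes stay in the mbox until the folder is compacted (right-click the folder > Compact), which is a plausible reason a scan keeps reporting messages that appear to have been deleted already. The script below reports the expunged flag for each hit so you can tell "still in the UI" from "deleted but not yet compacted". The phishing indicators are our own heuristics, not Kaspersky's signature logic; the sample mailbox is constructed for the demonstration.

```python
"""Triage a Thunderbird mbox folder for phishing-style HTML content.

Added example for this thread, not code from the original posts.
Kaspersky reports only the mbox file (e.g. ...\\Local Folders\\Inbox),
not which message inside it triggered Trojan-Spy.HTML.Fraud.gen. This
walks every message in the mbox and lists the ones whose HTML parts
carry typical phishing features, so you know what to delete.

Assumption: the indicators below (forms, password inputs, inline
script, .htm/.html attachments) are our own heuristics, not the
scanner's actual signature.
"""
import mailbox
import os
import re
import tempfile

# X-Mozilla-Status bit Thunderbird sets when a message has been deleted
# but the folder has not been compacted yet; the bytes stay in the file.
MOZILLA_EXPUNGED = 0x0008

FORM_RE = re.compile(r"<form\b", re.I)
PASSWORD_RE = re.compile(r"<input\b[^>]*type\s*=\s*['\"]?password", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)
HTML_ATTACH_RE = re.compile(r"\.html?$", re.I)


def mozilla_status(msg):
    """Parse the 4-hex-digit X-Mozilla-Status header (0 if absent)."""
    try:
        return int(msg.get("X-Mozilla-Status", "0000").strip(), 16)
    except ValueError:
        return 0


def classify_message(msg):
    """Return the list of reasons this message looks like HTML fraud."""
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and HTML_ATTACH_RE.search(filename):
            reasons.append("html attachment: %s" % filename)
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "latin-1", "replace")
        if FORM_RE.search(html):
            reasons.append("html form")
        if PASSWORD_RE.search(html):
            reasons.append("password input")
        if SCRIPT_RE.search(html):
            reasons.append("inline script")
    return reasons


def triage_mbox(path):
    """Return one dict per suspicious message: index, subject, sender,
    whether Thunderbird already flagged it deleted, and the reasons."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for idx, msg in enumerate(box):
            reasons = classify_message(msg)
            if not reasons:
                continue
            hits.append({
                "index": idx,
                "subject": msg.get("Subject", "(no subject)"),
                "from": msg.get("From", "?"),
                "expunged": bool(mozilla_status(msg) & MOZILLA_EXPUNGED),
                "reasons": reasons,
            })
    finally:
        box.close()
    return hits


# Constructed sample mailbox: one benign mail, one phishing form that is
# still visible in Thunderbird (status 0001), and one deleted-but-not-
# compacted mail (status 0009) carrying an .html attachment with a form.
SAMPLE_MBOX = b"""From - Sun May 03 10:00:00 2009
X-Mozilla-Status: 0001
From: friend@example.org
Subject: lunch
Content-Type: text/plain

See you at noon.

From - Sun May 03 10:05:00 2009
X-Mozilla-Status: 0001
From: "Your Bank" <security@example.net>
Subject: Account verification required
Content-Type: text/html; charset=us-ascii

<html><body><form action="http://example.net/verify" method="post">
User: <input name="u"> Password: <input type="password" name="p">
</form></body></html>

From - Sun May 03 10:09:00 2009
X-Mozilla-Status: 0009
From: "PayPal" <service@example.com>
Subject: Statement attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached statement.
--b1
Content-Type: text/html; name="statement.html"
Content-Disposition: attachment; filename="statement.html"

<html><body><form action="http://example.com/x"></form></body></html>
--b1--

"""


def run_on_sample():
    """Write the constructed sample to a temp file and triage it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_MBOX)
        return triage_mbox(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Real use: triage_mbox(r"C:\...\Thunderbird\Profiles\<profile>\Mail\Local Folders\Inbox")
    for hit in run_on_sample():
        state = "deleted, not compacted" if hit["expunged"] else "still in folder"
        print("#%d %s <%s> [%s]: %s" % (hit["index"], hit["subject"],
                                        hit["from"], state, ", ".join(hit["reasons"])))
```

Run it against the Inbox and Junk files named in the Kaspersky report (close Thunderbird first so the file is not being written). For a hit that is "still in folder", delete that message in Thunderbird; for one that is "deleted, not compacted", compacting the folder removes the bytes the scanner is still finding. Re-run the Kaspersky folder scan afterwards to confirm.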
Copyright 2001 - 2009, Tech Support Forum