Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 (permalink), 05-18-2009, 07:10 AM
cadge, Registered User
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)

Recurring problems

Hey, my first hint of a problem was last night when I was browsing the internet and I was suddenly confronted with a program called Win PC Antivirus that was running a "firewall" that kept detecting attacks.

Instantly I knew this was malware, so I killed the process in process explorer (which I run instead of task manager), then I read this guide http://www.bleepingcomputer.com/viru...inpc-antivirus although I opted for manual removal of the files and registry keys rather than downloading the program.

Once I had removed them all seemed well, until I decided to install malwarebytes, the .exe file would not run, so after renaming it and changing the file name I was able to get it to run but it kept hanging on the last part of the installation.

After several attempts to get it to run, both in normal and safe mode I gave up and decided to install SuperAntiSpyware, which surprise surprise wouldn't install.

Going into safe mode I managed to get it to install and run from its alternate start, however it did not find anything.

I also ran AVG which found six items in normal mode, 3 of which could be removed, 3 of which couldn't.

Running it in safe mode I was able to remove all of the items, most of them were named either 'Win/32 Cryptor' or 'Trojan horse PSW.Generic6.BFFW'.

Going into normal mode I was confronted with an occasional message telling me there was a problem with updclient which is Zone Alarm's updater, when I tried running the manual update I was simply told there was no new update.

Despite removing all of these I was still unable to run Malware Bytes so I changed into safe mode with networking, made sure SuperAntiSpyware was up to date and ran it again, this time it found six tracking cookies, although this may be more to do with the fact that I also tried googling for information about the infections I'd found.

I then ran BitDefender's online scanner, which found several infections, noticing that not all of them were removed, and that they had infected a VMWare image I no longer needed I decided to remove the entire folder that the image resided in.

I have attached this log as a .doc file called bitdefender.doc.

I then ran Microsoft's online scanner which found seven infections, 6 of which were treated and one of which 'Trojan: win32/Alurecn.gen!c' residing in 'C:\Windows\System32\vaclxvbnhsivmyryvl.dll' couldn't be cured but was deleted.

I no longer get the warning message regarding the updclient but am still unable to run malwarebytes and I am continually prompted by AVG that there is a tracking cookie in my Opera browser despite me constantly running the clear private data option and only accessing this site.

Below is the output of my DDS scan:


DDS (Ver_09-05-14.01) - NTFSx86
Run by pcuser at 11:40:44.95 on 18/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.411 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Elantech\Ktp.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Kontiki\KService.exe
C:\Documents and Settings\pcuser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
uURLSearchHooks: mySyncCell Toolbar: {d46d0a6c-fab1-45a4-997e-030450e41de5} - c:\program files\mysynccell\tbmySy.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {ca4eedb3-5719-4e27-a478-8d13f761c28d} - No File
TB: mySyncCell Toolbar: {d46d0a6c-fab1-45a4-997e-030450e41de5} - c:\program files\mysynccell\tbmySy.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\pcuser\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KTPWare] c:\program files\elantech\Ktp.exe
mRun: [CHotkey] mHotkey.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NWEReboot]
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\pcuser\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125845110031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-23 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-23 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-23 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-11-7 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-23 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-23 298264]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [2005-9-4 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2005-9-4 25984]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-2-5 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-2-5 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-2-5 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-2-5 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-2-5 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-2-5 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-2-5 117672]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-05-18 11:34 <DIR> --d----- C:\HJKT
2009-05-18 07:27 50,571 a------- C:\bitdefenderscsan.html
2009-05-18 01:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-18 01:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-18 01:29 <DIR> --d----- c:\docume~1\pcuser\applic~1\SUPERAntiSpyware.com
2009-05-18 01:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-18 01:29 6,367,264 a------- C:\saa.exe
2009-05-17 23:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-17 23:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 23:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-17 23:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-17 22:52 2,967,800 a------- C:\asa.scr.exe
2009-05-17 22:28 <DIR> --d----- c:\windows\pss
2009-05-17 21:56 5,584 a------- c:\windows\system32\uacinit.dll
2009-05-17 21:56 19,968 -------- c:\windows\system32\UACjwivppqgnxyjrrt.dll
2009-05-17 21:56 224 a------- c:\windows\system32\UACaivakfhoumxfutu.dat
2009-05-17 21:56 24,064 -------- c:\windows\system32\UACtyqqtvvcgsaomkd.dll
2009-05-17 21:56 52,224 -------- c:\windows\system32\drivers\UACbrprumoqoehhlnq.sys
2009-05-01 00:15 31,280 a----r-- c:\windows\system32\drivers\vmusb.sys
2009-04-29 00:32 55,856 a----r-- c:\windows\system32\vnetinst.dll
2009-04-29 00:32 16,560 a----r-- c:\windows\system32\drivers\vmnetadapter.sys
2009-04-29 00:32 326,192 a------- c:\windows\system32\vmnetdhcp.exe
2009-04-29 00:32 399,920 a------- c:\windows\system32\vmnat.exe
2009-04-29 00:32 26,288 a------- c:\windows\system32\drivers\vmnetuserif.sys
2009-04-29 00:32 50,736 a----r-- c:\windows\system32\vmnetbridge.dll
2009-04-29 00:32 31,280 a----r-- c:\windows\system32\drivers\vmnetbridge.sys
2009-04-29 00:32 18,736 a----r-- c:\windows\system32\drivers\vmnet.sys
2009-04-29 00:31 723,504 a------- c:\windows\system32\vnetlib.dll
2009-04-29 00:31 23,216 a------- c:\windows\system32\drivers\VMkbd.sys
2009-04-28 21:53 1,324 a------- c:\windows\system32\d3d9caps.dat
2009-04-28 18:06 <DIR> --d----- c:\program files\VMware
2009-04-24 00:07 1,024 a------- C:\.rnd

==================== Find3M ====================

2009-03-31 15:29 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-26 22:58 54,960 a------- c:\windows\system32\drivers\vmci.sys
2009-03-26 22:58 857,520 a------- c:\windows\system32\drivers\vmx86.sys
2009-03-26 22:58 32,304 a------- c:\windows\system32\drivers\hcmon.sys
2009-03-26 19:11 248,368 a------- c:\windows\system32\vmnc.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-01-06 22:56 87,608 a------- c:\docume~1\pcuser\applic~1\inst.exe
2009-01-06 22:56 47,360 a------- c:\docume~1\pcuser\applic~1\pcouffin.sys
2007-11-05 08:54 3,564,584 a------- c:\program files\procexp.exe

============= FINISH: 11:41:41.50 ===============


Also attached is the attach.txt file from DDS and the ark.txt file from gmer archived in the file attach.zip.

Thank you
Attached Files
File Type: doc bitdefender.doc.doc (198.0 KB, 1 views)
File Type: zip attach.zip (4.6 KB, 1 views)

#2 (permalink), 05-20-2009, 02:22 PM
chemist, Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

  • Download ResetTeaTimer and Save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again, this is normal.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
chemist is offline  
#3 (permalink), 05-20-2009, 07:29 PM
cadge, Registered User
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Recurring problems

Hi, first let me thank you for taking the time to respond to my post, your help is much appreciated.

In the time span between me posting the original thread and your reply, I foolishly got impatient and was able to run a Malwarebytes scan which found six infections which were all placed in quarantine, when I tried deleting them I was told I needed to restart, however every time I tried to boot up I'd get the BSOD flashing quickly as soon as Windows started loading, even if I tried safe mode.

I was able to load up from my last safe configuration, and when I opened up Malware Bytes I noticed all of the infections were in quarantine.

Below is the output from it:

Malwarebytes' Anti-Malware 1.36
Database version: 2147
Windows 5.1.2600 Service Pack 3

18/05/2009 17:48:02
mbam-log-2009-05-18 (17-48-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153767
Time elapsed: 1 hour(s), 18 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{18CA9AA6-6BCA-4694-B302-F7262CF8A99F}\RP290\A0201598.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18CA9AA6-6BCA-4694-B302-F7262CF8A99F}\RP290\A0201599.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18CA9AA6-6BCA-4694-B302-F7262CF8A99F}\RP290\A0201600.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjwivppqgnxyjrrt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtyqqtvvcgsaomkd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACbrprumoqoehhlnq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
------------------------------------------------------------------------------

After reading your post I carried out all of the steps, however after loading up from the ComboFix restart for some reason Tea Timer kept closing no matter how many times I opened it, and for some reason I couldn't open Spyware Guard, however when I logged off and logged back in again both were fine, but I thought it would be best to mention them.

Attached to this post is the ComboFix log, thanks once again for your help.

ComboFix 09-05-20.09 - pcuser 21/05/2009 2:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.496 [GMT 1:00]
Running from: c:\documents and settings\pcuser\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\pcuser\Application Data\inst.exe
c:\windows\system32\drivers\etc\lmhosts

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-19 07:09 . 2009-05-19 07:09 -------- d-----w c:\windows\system32\HouseCall 6.6
2009-05-18 16:48 . 2009-05-18 16:48 61440 ----a-w c:\windows\system32\drivers\frvntdnt.sys
2009-05-18 15:27 . 2009-05-18 15:27 -------- d-----w c:\documents and settings\pcuser\Application Data\Malwarebytes
2009-05-18 15:27 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-18 15:27 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 15:27 . 2009-05-18 15:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 15:27 . 2009-05-18 16:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-18 15:26 . 2009-05-18 15:26 2967800 ----a-w C:\abcdefg.exe
2009-05-18 15:19 . 2009-05-18 15:19 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-05-18 15:09 . 2009-05-18 15:09 45056 ----a-w c:\windows\SnoopFreeDll.dll
2009-05-18 15:09 . 2009-05-18 15:09 221184 ----a-w c:\windows\SnoopFreeUI.exe
2009-05-18 15:09 . 2009-05-18 15:09 9472 ----a-w c:\windows\system32\drivers\SnopFree.sys
2009-05-18 15:09 . 2009-05-18 15:09 90112 ----a-w c:\windows\system32\SnoopFreeSvc.exe
2009-05-18 13:10 . 2009-05-18 13:08 4684 ----a-w C:\attach.zip
2009-05-18 10:34 . 2009-05-18 10:35 -------- d-----w C:\HJKT
2009-05-18 07:03 . 2009-05-18 07:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-18 07:00 . 2009-05-18 07:00 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\.housecall6.6
2009-05-18 06:55 . 2009-05-18 06:56 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Local Settings\Application Data\Adobe
2009-05-18 02:08 . 2009-05-18 04:24 -------- d-----w c:\windows\BDOSCAN8
2009-05-18 01:58 . 2009-05-18 01:58 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Local Settings\Application Data\Opera
2009-05-18 00:34 . 2009-05-18 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 00:34 . 2009-05-18 00:34 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Application Data\SUPERAntiSpyware.com
2009-05-18 00:29 . 2009-05-18 01:59 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-18 00:29 . 2009-05-18 00:29 -------- d-----w c:\documents and settings\pcuser\Application Data\SUPERAntiSpyware.com
2009-05-18 00:29 . 2009-05-18 00:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-18 00:29 . 2009-05-18 00:27 6367264 ----a-w C:\saa.exe
2009-05-17 21:52 . 2009-05-17 21:47 2967800 ----a-w C:\asa.scr.exe
2009-04-30 23:15 . 2009-03-26 16:31 31280 ----a-r c:\windows\system32\drivers\vmusb.sys
2009-04-28 23:32 . 2009-03-26 16:31 55856 ----a-r c:\windows\system32\vnetinst.dll
2009-04-28 23:32 . 2009-03-26 16:31 16560 ----a-r c:\windows\system32\drivers\vmnetadapter.sys
2009-04-28 23:32 . 2009-03-26 21:57 326192 ----a-w c:\windows\system32\vmnetdhcp.exe
2009-04-28 23:32 . 2009-03-26 21:57 399920 ----a-w c:\windows\system32\vmnat.exe
2009-04-28 23:32 . 2009-03-26 21:58 26288 ----a-w c:\windows\system32\drivers\vmnetuserif.sys
2009-04-28 23:32 . 2009-03-26 16:31 31280 ----a-r c:\windows\system32\drivers\vmnetbridge.sys
2009-04-28 23:32 . 2009-03-26 16:31 18736 ----a-r c:\windows\system32\drivers\vmnet.sys
2009-04-28 23:32 . 2009-03-26 16:31 50736 ----a-r c:\windows\system32\vmnetbridge.dll
2009-04-28 23:31 . 2009-03-26 21:57 723504 ----a-w c:\windows\system32\vnetlib.dll
2009-04-28 23:31 . 2009-03-26 21:58 23216 ----a-w c:\windows\system32\drivers\VMkbd.sys
2009-04-28 20:53 . 2009-05-18 06:59 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-28 17:06 . 2009-04-28 23:30 -------- d-----w c:\program files\VMware
2009-04-27 00:20 . 2009-04-30 23:10 -------- d-----w c:\documents and settings\pcuser\Application Data\VMware
2009-04-23 23:11 . 2009-05-21 01:07 -------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2009-04-23 23:08 . 2009-04-28 23:33 -------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-04-23 23:06 . 2009-05-21 01:07 -------- d-----w c:\documents and settings\All Users\Application Data\VMware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 08:29 . 2008-12-04 14:51 8049801 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-05-18 15:20 . 2006-11-07 21:19 -------- d-----w c:\program files\SpywareBlaster
2009-05-17 23:47 . 2009-05-18 00:20 2052608 ----a-w c:\windows\Internet Logs\xDB26.tmp
2009-05-17 00:32 . 2009-05-17 13:37 2047488 ----a-w c:\windows\Internet Logs\xDB25.tmp
2009-05-15 01:54 . 2009-05-15 12:54 2044928 ----a-w c:\windows\Internet Logs\xDB24.tmp
2009-05-14 11:09 . 2009-05-14 13:36 2044416 ----a-w c:\windows\Internet Logs\xDB23.tmp
2009-05-13 08:19 . 2006-10-31 17:55 -------- d-----w c:\program files\Java
2009-05-11 15:04 . 2009-05-12 08:06 2030592 ----a-w c:\windows\Internet Logs\xDB22.tmp
2009-05-05 00:43 . 2009-05-05 16:48 2020352 ----a-w c:\windows\Internet Logs\xDB21.tmp
2009-05-04 02:33 . 2009-05-04 02:49 2019840 ----a-w c:\windows\Internet Logs\xDB20.tmp
2009-05-03 02:49 . 2009-05-03 11:47 2019328 ----a-w c:\windows\Internet Logs\xDB1F.tmp
2009-04-21 02:01 . 2009-04-21 13:41 1974272 ----a-w c:\windows\Internet Logs\xDB1E.tmp
2009-04-20 00:54 . 2009-04-20 09:50 1973760 ----a-w c:\windows\Internet Logs\xDB1D.tmp
2009-04-19 01:17 . 2009-04-19 12:15 1972736 ----a-w c:\windows\Internet Logs\xDB1C.tmp
2009-04-18 23:41 . 2009-04-18 23:42 1972224 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2009-04-18 23:41 . 2009-04-18 23:42 846848 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2009-04-18 02:46 . 2009-04-18 11:38 1971712 ----a-w c:\windows\Internet Logs\xDB19.tmp
2009-04-13 02:16 . 2009-04-13 13:00 1957376 ----a-w c:\windows\Internet Logs\xDB18.tmp
2009-04-12 01:48 . 2009-04-12 18:13 1956864 ----a-w c:\windows\Internet Logs\xDB17.tmp
2009-04-05 21:39 . 2009-04-05 21:39 -------- d-----w c:\program files\QCC
2009-04-04 02:50 . 2009-04-04 11:58 1945600 ----a-w c:\windows\Internet Logs\xDB16.tmp
2009-03-31 14:43 . 2006-11-07 21:16 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 14:29 . 2006-11-07 21:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-30 00:00 . 2009-03-30 00:01 2124288 ----a-w c:\windows\Internet Logs\xDB15.tmp
2009-03-26 21:58 . 2009-03-26 21:58 54960 ----a-w c:\windows\system32\drivers\vmci.sys
2009-03-26 21:58 . 2009-03-26 21:58 857520 ----a-w c:\windows\system32\drivers\vmx86.sys
2009-03-26 21:58 . 2009-03-26 21:58 32304 ----a-w c:\windows\system32\drivers\hcmon.sys
2009-03-26 18:11 . 2009-03-26 18:11 248368 ----a-w c:\windows\system32\vmnc.dll
2009-03-09 04:19 . 2009-01-09 23:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 06:16 . 2009-02-20 15:37 1819136 ----a-w c:\windows\Internet Logs\xDB14.tmp
2007-11-05 07:54 . 2007-12-06 22:40 3564584 ----a-w c:\program files\procexp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KTPWare"="c:\program files\Elantech\Ktp.exe" [2005-04-04 253952]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-07 1601304]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-01-06 98304]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-03-26 64048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-01-10 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2001-12-26 472576]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2009-05-18 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\pcuser\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 15:09 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/08/2008 04:20 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/08/2008 04:20 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/08/2008 04:20 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/08/2008 04:20 298264]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 22:58 54960]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [04/09/2005 15:38 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [04/09/2005 15:40 25984]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [05/02/2009 00:22 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [05/02/2009 00:22 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [05/02/2009 00:22 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [05/02/2009 00:22 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [05/02/2009 00:22 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [05/02/2009 00:22 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [05/02/2009 00:22 117672]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]

2009-05-20 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-11-07 14:31]

2009-05-20 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-24 14:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 02:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1284)
c:\windows\SnoopFreeDll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\SnoopFreeSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Kontiki\KService.exe
.
**************************************************************************
.
Completion time: 2009-05-21 2:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 01:12

Pre-Run: 66,738,192,384 bytes free
Post-Run: 66,700,947,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2009-05-16 09:32
Attached Files
File Type: txt ComboFix.txt (17.1 KB, 2 views)

Last edited by chemist; 05-21-2009 at 05:17 AM.
cadge is offline  
Old 05-20-2009, 08:05 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

Hello cadge.

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\system32\drivers\frvntdnt.sys

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following file:

    C:\abcdefg.exe
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 05-21-2009, 04:23 AM   #5 (permalink)
Registered User
 
cadge's Avatar
 


Re: Recurring problems

First file:

File frvntdnt.sys received on 05.21.2009 12:13:45 (CET)
Current status: finished
Result: 8/40 (20%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.21 -
AhnLab-V3 5.0.0.2 2009.05.21 Win-Trojan/Avenger.61440
AntiVir 7.9.0.168 2009.05.20 -
Antiy-AVL 2.0.3.1 2009.05.21 -
Authentium 5.1.2.4 2009.05.20 -
Avast 4.8.1335.0 2009.05.20 -
AVG 8.5.0.339 2009.05.21 -
BitDefender 7.2 2009.05.21 -
CAT-QuickHeal 10.00 2009.05.21 -
ClamAV 0.94.1 2009.05.21 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.21 -
eSafe 7.0.17.0 2009.05.19 Win32.Banker
eTrust-Vet 31.6.6514 2009.05.21 -
F-Prot 4.4.4.56 2009.05.20 -
F-Secure 8.0.14470.0 2009.05.21 -
Fortinet 3.117.0.0 2009.05.21 -
GData 19 2009.05.21 -
Ikarus T3.1.1.49.0 2009.05.21 -
K7AntiVirus 7.10.739 2009.05.19 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.05.21 -
McAfee 5621 2009.05.20 -
McAfee+Artemis 5621 2009.05.20 -
McAfee-GW-Edition 6.7.6 2009.05.21 -
Microsoft 1.4701 2009.05.21 -
NOD32 4093 2009.05.21 -
Norman 6.01.05 2009.05.20 W32/Renos.CNZ
nProtect 2009.1.8.0 2009.05.21 -
Panda 10.0.0.14 2009.05.20 Rootkit/Agent.LNB
PCTools 4.4.2.0 2009.05.20 Trojan-PWS.Bancos.PWN
Prevx 3.0 2009.05.21 -
Rising 21.30.32.00 2009.05.21 -
Sophos 4.42.0 2009.05.21 -
Sunbelt 3.2.1858.2 2009.05.20 Trojan-PWS.Bancos.PWN
Symantec 1.4.4.12 2009.05.21 -
TheHacker 6.3.4.1.328 2009.05.20 -
TrendMicro 8.950.0.1092 2009.05.21 -
VBA32 3.12.10.5 2009.05.21 -
ViRobot 2009.5.21.1744 2009.05.21 Hoax..Agent.61440
VirusBuster 4.6.5.0 2009.05.20 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
ssdeep: 768:UzNrXvTHr4DU6K5H5VLvDcLugwoMcq5+x7J1uQ9VP:QTG2VrOuN+lJpP
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=589312a3b46721c5a751e4d5222a89be
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=589312a3b46721c5a751e4d5222a89be
-------------------------------------------------------------------------------------

Second file:

File abcdefg.exe received on 05.21.2009 12:19:15 (CET)
Current status: finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.21 -
AhnLab-V3 5.0.0.2 2009.05.21 -
AntiVir 7.9.0.168 2009.05.20 -
Antiy-AVL 2.0.3.1 2009.05.21 -
Authentium 5.1.2.4 2009.05.20 -
Avast 4.8.1335.0 2009.05.20 -
AVG 8.5.0.339 2009.05.21 -
BitDefender 7.2 2009.05.21 -
CAT-QuickHeal 10.00 2009.05.21 -
ClamAV 0.94.1 2009.05.21 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.21 -
eSafe 7.0.17.0 2009.05.19 -
eTrust-Vet 31.6.6514 2009.05.21 -
F-Prot 4.4.4.56 2009.05.20 -
F-Secure 8.0.14470.0 2009.05.21 -
Fortinet 3.117.0.0 2009.05.21 -
GData 19 2009.05.21 -
Ikarus T3.1.1.49.0 2009.05.21 -
K7AntiVirus 7.10.739 2009.05.19 -
Kaspersky 7.0.0.125 2009.05.21 -
McAfee 5621 2009.05.20 -
McAfee+Artemis 5621 2009.05.20 -
McAfee-GW-Edition 6.7.6 2009.05.21 -
Microsoft 1.4701 2009.05.21 -
NOD32 4093 2009.05.21 -
Norman 6.01.05 2009.05.20 -
nProtect 2009.1.8.0 2009.05.21 -
Panda 10.0.0.14 2009.05.20 -
PCTools 4.4.2.0 2009.05.20 -
Prevx 3.0 2009.05.21 -
Rising 21.30.32.00 2009.05.21 -
Sophos 4.42.0 2009.05.21 -
Sunbelt 3.2.1858.2 2009.05.20 -
Symantec 1.4.4.12 2009.05.21 -
TheHacker 6.3.4.1.328 2009.05.20 -
TrendMicro 8.950.0.1092 2009.05.21 -
VBA32 3.12.10.5 2009.05.21 -
ViRobot 2009.5.21.1744 2009.05.21 -
Additional information
File size: 2967800 bytes
MD5...: 9f606477d7fb45dc14fdcc4de81ef3e9
SHA1..: 120f16a5acd98932530f380ac88c1ec1a7f58fc3
SHA256: fe10dd388a9830979ccb68634dcd2f7aba81e050fb15ffd39a87ce45bf53204e
SHA512: 4c1751cc1de669ef7ca30f65b4f24b16111c8f1ca72e4a7e539382fc8c655bc0
f6ead5761b908b25b289add633c1c099c566563995ad9a816508ffc32e321453
ssdeep: 49152:62Ut+RPUFpUnrmMEa0uhThAwkoIuRj/K1anfxC86JbqQNdTZZFvuUKQNyX
3+QoaH:bU4hr7jKwkyMafxCJkQnZLWUKQ8HnH
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x9a94
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x91b0 0x9200 6.57 0480920c89cdcb6ba631bc723feca2d6
DATA 0xb000 0x24c 0x400 2.73 063a9c1bd334f148bdc8a0648882a3a7
BSS 0xc000 0xe48 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x950 0xa00 4.43 bb5485bf968b970e5ea81292af2acdba
.tls 0xe000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xf000 0x18 0x200 0.20 9ba824905bf9c7922b6fc87a38b74366
.reloc 0x10000 0x8b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x2a00 0x2a00 4.50 c0afb87cfa47c9de0f903bfde0ae5e9d

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=9f606477d7fb45dc14fdcc4de81ef3e9
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=9f606477d7fb45dc14fdcc4de81ef3e9

--------------------------------------------------------------------------------------

I should probably point out that abcdefg was the name of another copy of the Malwarebytes installer that I renamed to try to get it to run.
cadge is offline  
Old 05-21-2009, 05:27 AM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 


Re: Recurring problems

Hello cadge.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall HijackThis 1.99.1 in the Add or Remove Programs section of your Control Panel and delete your current version.

------------------------------------------------------

Please disable TeaTimer and keep it disabled until we are done.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/377087-recurring-problems.html#post2146962

Collect::
c:\windows\system32\drivers\frvntdnt.sys

SecCenter::
{990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

Folder::
c:\documents and settings\Administrator.UNKNOWN-514EFED.000\.housecall6.6\quarantine

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
chemist is offline  
Old 05-21-2009, 11:56 AM   #7 (permalink)
Registered User
 
cadge's Avatar
 


Re: Recurring problems

Hey, followed the instructions, I got the popup box and it got sent fine.

Here's the log it produced:

ComboFix 09-05-20.09 - pcuser 21/05/2009 18:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.532 [GMT 1:00]
Running from: c:\documents and settings\pcuser\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pcuser\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\windows\system32\drivers\frvntdnt.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\frvntdnt.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-19 07:09 . 2009-05-19 07:09 -------- d-----w c:\windows\system32\HouseCall 6.6
2009-05-18 15:27 . 2009-05-18 15:27 -------- d-----w c:\documents and settings\pcuser\Application Data\Malwarebytes
2009-05-18 15:27 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-18 15:27 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 15:27 . 2009-05-18 15:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 15:27 . 2009-05-18 16:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-18 15:26 . 2009-05-18 15:26 2967800 ----a-w C:\abcdefg.exe
2009-05-18 15:19 . 2009-05-18 15:19 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-05-18 15:09 . 2009-05-18 15:09 45056 ----a-w c:\windows\SnoopFreeDll.dll
2009-05-18 15:09 . 2009-05-18 15:09 221184 ----a-w c:\windows\SnoopFreeUI.exe
2009-05-18 15:09 . 2009-05-18 15:09 9472 ----a-w c:\windows\system32\drivers\SnopFree.sys
2009-05-18 15:09 . 2009-05-18 15:09 90112 ----a-w c:\windows\system32\SnoopFreeSvc.exe
2009-05-18 13:10 . 2009-05-18 13:08 4684 ----a-w C:\attach.zip
2009-05-18 10:34 . 2009-05-18 10:35 -------- d-----w C:\HJKT
2009-05-18 07:03 . 2009-05-18 07:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-18 07:00 . 2009-05-18 07:00 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\.housecall6.6
2009-05-18 06:55 . 2009-05-18 06:56 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Local Settings\Application Data\Adobe
2009-05-18 02:08 . 2009-05-18 04:24 -------- d-----w c:\windows\BDOSCAN8
2009-05-18 01:58 . 2009-05-18 01:58 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Local Settings\Application Data\Opera
2009-05-18 00:34 . 2009-05-18 00:34 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 00:34 . 2009-05-18 00:34 -------- d-----w c:\documents and settings\Administrator.UNKNOWN-514EFED.000\Application Data\SUPERAntiSpyware.com
2009-05-18 00:29 . 2009-05-18 01:59 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-18 00:29 . 2009-05-18 00:29 -------- d-----w c:\documents and settings\pcuser\Application Data\SUPERAntiSpyware.com
2009-05-18 00:29 . 2009-05-18 00:29 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-18 00:29 . 2009-05-18 00:27 6367264 ----a-w C:\saa.exe
2009-05-17 21:52 . 2009-05-17 21:47 2967800 ----a-w C:\asa.scr.exe
2009-04-30 23:15 . 2009-03-26 16:31 31280 ----a-r c:\windows\system32\drivers\vmusb.sys
2009-04-28 23:32 . 2009-03-26 16:31 55856 ----a-r c:\windows\system32\vnetinst.dll
2009-04-28 23:32 . 2009-03-26 16:31 16560 ----a-r c:\windows\system32\drivers\vmnetadapter.sys
2009-04-28 23:32 . 2009-03-26 21:57 326192 ----a-w c:\windows\system32\vmnetdhcp.exe
2009-04-28 23:32 . 2009-03-26 21:57 399920 ----a-w c:\windows\system32\vmnat.exe
2009-04-28 23:32 . 2009-03-26 21:58 26288 ----a-w c:\windows\system32\drivers\vmnetuserif.sys
2009-04-28 23:32 . 2009-03-26 16:31 31280 ----a-r c:\windows\system32\drivers\vmnetbridge.sys
2009-04-28 23:32 . 2009-03-26 16:31 18736 ----a-r c:\windows\system32\drivers\vmnet.sys
2009-04-28 23:32 . 2009-03-26 16:31 50736 ----a-r c:\windows\system32\vmnetbridge.dll
2009-04-28 23:31 . 2009-03-26 21:57 723504 ----a-w c:\windows\system32\vnetlib.dll
2009-04-28 23:31 . 2009-03-26 21:58 23216 ----a-w c:\windows\system32\drivers\VMkbd.sys
2009-04-28 20:53 . 2009-05-18 06:59 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-28 17:06 . 2009-04-28 23:30 -------- d-----w c:\program files\VMware
2009-04-27 00:20 . 2009-04-30 23:10 -------- d-----w c:\documents and settings\pcuser\Application Data\VMware
2009-04-23 23:11 . 2009-05-21 09:50 -------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2009-04-23 23:08 . 2009-04-28 23:33 -------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-04-23 23:06 . 2009-05-21 09:50 -------- d-----w c:\documents and settings\All Users\Application Data\VMware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 01:16 . 2006-11-07 21:07 -------- d-----w c:\program files\SpywareGuard
2009-05-20 08:29 . 2008-12-04 14:51 8049801 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-05-18 15:20 . 2006-11-07 21:19 -------- d-----w c:\program files\SpywareBlaster
2009-05-17 23:47 . 2009-05-18 00:20 2052608 ----a-w c:\windows\Internet Logs\xDB26.tmp
2009-05-17 00:32 . 2009-05-17 13:37 2047488 ----a-w c:\windows\Internet Logs\xDB25.tmp
2009-05-15 01:54 . 2009-05-15 12:54 2044928 ----a-w c:\windows\Internet Logs\xDB24.tmp
2009-05-14 11:09 . 2009-05-14 13:36 2044416 ----a-w c:\windows\Internet Logs\xDB23.tmp
2009-05-13 08:19 . 2006-10-31 17:55 -------- d-----w c:\program files\Java
2009-05-11 15:04 . 2009-05-12 08:06 2030592 ----a-w c:\windows\Internet Logs\xDB22.tmp
2009-05-05 00:43 . 2009-05-05 16:48 2020352 ----a-w c:\windows\Internet Logs\xDB21.tmp
2009-05-04 02:33 . 2009-05-04 02:49 2019840 ----a-w c:\windows\Internet Logs\xDB20.tmp
2009-05-03 02:49 . 2009-05-03 11:47 2019328 ----a-w c:\windows\Internet Logs\xDB1F.tmp
2009-04-21 02:01 . 2009-04-21 13:41 1974272 ----a-w c:\windows\Internet Logs\xDB1E.tmp
2009-04-20 00:54 . 2009-04-20 09:50 1973760 ----a-w c:\windows\Internet Logs\xDB1D.tmp
2009-04-19 01:17 . 2009-04-19 12:15 1972736 ----a-w c:\windows\Internet Logs\xDB1C.tmp
2009-04-18 23:41 . 2009-04-18 23:42 1972224 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2009-04-18 23:41 . 2009-04-18 23:42 846848 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2009-04-18 02:46 . 2009-04-18 11:38 1971712 ----a-w c:\windows\Internet Logs\xDB19.tmp
2009-04-13 02:16 . 2009-04-13 13:00 1957376 ----a-w c:\windows\Internet Logs\xDB18.tmp
2009-04-12 01:48 . 2009-04-12 18:13 1956864 ----a-w c:\windows\Internet Logs\xDB17.tmp
2009-04-05 21:39 . 2009-04-05 21:39 -------- d-----w c:\program files\QCC
2009-04-04 02:50 . 2009-04-04 11:58 1945600 ----a-w c:\windows\Internet Logs\xDB16.tmp
2009-03-31 14:43 . 2006-11-07 21:16 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 14:29 . 2006-11-07 21:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-30 00:00 . 2009-03-30 00:01 2124288 ----a-w c:\windows\Internet Logs\xDB15.tmp
2009-03-26 21:58 . 2009-03-26 21:58 54960 ----a-w c:\windows\system32\drivers\vmci.sys
2009-03-26 21:58 . 2009-03-26 21:58 857520 ----a-w c:\windows\system32\drivers\vmx86.sys
2009-03-26 21:58 . 2009-03-26 21:58 32304 ----a-w c:\windows\system32\drivers\hcmon.sys
2009-03-26 18:11 . 2009-03-26 18:11 248368 ----a-w c:\windows\system32\vmnc.dll
2009-03-09 04:19 . 2009-01-09 23:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2007-11-05 07:54 . 2007-12-06 22:40 3564584 ----a-w c:\program files\procexp.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-21_01.08.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 09:50 . 2009-05-21 09:50 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
+ 2009-05-21 10:11 . 2009-05-21 10:11 16384 c:\windows\Temp\Perflib_Perfdata_4fc.dat
+ 2009-05-21 09:50 . 2009-05-21 09:50 16384 c:\windows\Temp\Perflib_Perfdata_27c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KTPWare"="c:\program files\Elantech\Ktp.exe" [2005-04-04 253952]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-07 1601304]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-01-06 98304]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-03-26 64048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-01-10 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-23 77824]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2001-12-26 472576]
"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2009-05-18 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\pcuser\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 15:09 10520 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/08/2008 04:20 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/08/2008 04:20 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/08/2008 04:20 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/08/2008 04:20 298264]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 22:58 54960]
R3 HSFHWVIA;HSFHWVIA;c:\windows\system32\drivers\HSFHWVIA.sys [04/09/2005 15:38 218752]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [04/09/2005 15:40 25984]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [05/02/2009 00:22 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [05/02/2009 00:22 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [05/02/2009 00:22 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [05/02/2009 00:22 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [05/02/2009 00:22 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [05/02/2009 00:22 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [05/02/2009 00:22 117672]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-840674332-3347718586-3918493275-1006.job
- c:\documents and settings\pcuser\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-10 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rangers.co.uk/
uInternet Settings,ProxyServer = 193.1.160.183:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-21 18:47
ComboFix-quarantined-files.txt 2009-05-21 17:47
ComboFix2.txt 2009-05-21 01:12

Pre-Run: 66,682,527,744 bytes free
Post-Run: 66,667,290,624 bytes free

205 --- E O F --- 2009-05-16 09:32
Upload was successful
Old 05-21-2009, 12:20 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

Hello again, cadge. Thanks for submitting the file. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 8

These are all outdated, and having them still installed is a security risk.

Leave this one as it has the latest definitions:

Java(TM) 6 Update 13

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

When updating in the future, make sure you untick the box next to Yahoo Toolbar for Firefox/Mozilla or MSN Toolbar unless you want it.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-22-2009, 02:23 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Recurring problems

Hey, just to let you know, I followed your exact instructions, and Kaspersky scan didn't find a single thing.

Regarding suspicious behaviour I can think of nothing remotely suspicious, except that Spybot's scheduled scan and update have both been removed, however both of them were running fine last night, and I haven't done anything that could change them, so I don't know why that happened.
Old 05-22-2009, 03:34 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

Never heard of that happening before. Update Spybot again and schedule a scan. Let me know what happens.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-23-2009, 05:47 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Recurring problems

Ran Spybot's update but it said I had the latest version, however tonight both the update and scheduled scan ran without any problems.
Old 05-23-2009, 06:00 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Please re-enable TeaTimer:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Check the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
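
As an added example (not part of the thread or of the MVPS package), the Python sketch below audits a HOSTS file of the kind described in the post above: it lists the names sinkholed to a loopback address and flags any name mapped to another address, since a HOSTS entry overrides DNS for that name. The sample file contents and the function name `audit_hosts` are constructed for illustration, and treating 0.0.0.0 as a blocking address is an assumption beyond the 127.0.0.1 mentioned in the post.

```python
import ipaddress
import os

# Constructed sample for illustration; not the MVPS file and not from the thread.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1    localhost
::1          localhost
127.0.0.1    ads.example.com tracker.example.net   # two names, one line
0.0.0.0      banner.example.org
203.0.113.7  update.example-av.test                # points off-box
not-an-ip    broken.example.com
"""

# Names that legitimately resolve to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Classify HOSTS entries as blocked, redirected or malformed."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, line))
            continue
        if len(fields) < 2:
            report["malformed"].append((lineno, line))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES:
                continue
            # 127.0.0.1/::1 sinkhole the name; 0.0.0.0 is assumed to as well.
            if addr.is_loopback or addr.is_unspecified:
                report["blocked"].append(name)
            else:
                # Any other address silently overrides DNS: review it.
                report["redirected"].append((name, str(addr)))
    return report


if __name__ == "__main__":
    # Standard Windows location; falls back to the sample when absent.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit_hosts(text)
    print(f"{len(result['blocked'])} names blocked")
    for name, addr in result["redirected"]:
        print(f"REVIEW: {name} -> {addr}")
    for lineno, line in result["malformed"]:
        print(f"malformed line {lineno}: {line}")
```
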
Old 05-25-2009, 11:07 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2006
Location: Scotland
Posts: 151
OS: Ubuntu 9.04 (Jaunty Jackalope)


Re: Recurring problems

I've followed the instructions in your post, thanks again for the help.
Old 05-25-2009, 12:45 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,609
OS: XP SP3


Re: Recurring problems

You're very welcome, cadge! Glad to have helped.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
All times are GMT -7. The time now is 08:21 PM.



Copyright 2001 - 2009, Tech Support Forum