Old 08-16-2009, 05:29 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


virus killing spyware n antivirus programs

My computer was infected with several viruses that run a bunch of .tmp files. My antivirus was able to kill some of the infections. I tried to run my antivirus on boot and in safe mode and it said there are no infections. However, when I tried to run HJT, Spybot SD, AVG or Avast programs normally, I keep getting messages saying I have no permission to access those programs and/or that the files are read only and can't be executed. Also, my Internet Explorer keeps getting redirected to advertisement pages.

Thank you for your time and help!!!

Below are the requested files:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Le Thi at 4:08:54.82 on Sun 08/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1577 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090815-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
svchost
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Le Thi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GPCK_enUS293
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\documents and settings\le thi\start menu\programs\startup\ikowin32.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXOhHBQ
LSA: Notification Packages = scecli c:\windows\system32\fawaputu.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-16 138680]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-8-16 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-16 352920]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-12-25 55840]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]

=============== Created Last 30 ================

2009-08-15 21:50 20,992 a------- c:\windows\system32\kbiwkmsgfufqhn.dll
2009-08-15 21:49 85 a------- c:\windows\system32\kbiwkmvustbvdo.dat
2009-08-15 21:49 71,168 a------- c:\windows\system32\drivers\kbiwkmfmnpafbt.sys
2009-08-15 21:49 45,056 a------- c:\windows\system32\kbiwkmpxoukphk.dll
2009-08-15 21:40 0 a--sh--- C:\1885308426
2009-07-23 12:07 1 ----h--- c:\windows\bf23567.dat
2009-07-23 12:06 2 a------- c:\windows\0535251103110107106.xvb
2009-07-23 12:06 2 a------- c:\windows\0101120101465752.dat
2009-07-23 11:06 210 a------- c:\windows\prxid93ps.dat

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 07:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-11-10 10:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081110\index.dat
2008-11-10 10:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111020081111\index.dat

============= FINISH: 4:09:17.92 ===============
Attached Files
File Type: zip Attach.zip (2.9 KB, 1 views)

Last edited by lethigena; 08-16-2009 at 05:33 PM.
lethigena is offline  
Old 08-18-2009, 03:13 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location:

    Link 1

    * IMPORTANT !!! Place it on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here


    How to disable Avast:

    Right Click on the Avast icon in the system tray
    Click on Program Settings...
    Click on Troubleshooting
    Place a tick next to Disable avast! self-defense module
    Click OK
    At the prompt that appears, click Yes
    Right Click on the Avast icon in the system tray and click Stop On-Access protection
    At the prompt that appears, click Yes
  3. Double click on the file you downloaded & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-18-2009, 03:19 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

Thank you for taking the time to look at my problems!

Here is the combofix log you requested:

ComboFix Beta_09-08-17.03 - Le Thi 08/18/2009 5:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1547 [GMT -4:00]
Running from: c:\documents and settings\Le Thi\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090817-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
c:\documents and settings\Le Thi\Application Data\Adobe\crc.dat
c:\documents and settings\Le Thi\Application Data\wiaserva.log
c:\documents and settings\Le Thi\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\Le Thi\XP Deluxe Protector
c:\recycler\S-1-5-21-0496285438-6101708395-146980900-0151
c:\recycler\S-1-5-21-1343024091-573735546-839522115-1003
C:\resycled
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465752.dat
c:\windows\bf23567.dat
c:\windows\ro122381.dat
c:\windows\run_1244535354.exe
c:\windows\run_1244553817.exe
c:\windows\system32\afumadif.ini
c:\windows\system32\amurihuj.ini
c:\windows\system32\bacuwwgh.ini
c:\windows\system32\Cache
c:\windows\system32\Cache\Cache
c:\windows\system32\ebakawir.ini
c:\windows\system32\kbqddmwy.ini
c:\windows\system32\lowsec
c:\windows\system32\lowsec\lowsec
c:\windows\system32\qnlgrgkl.ini
c:\windows\system32\uhogisiz.ini

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 09:42 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2009-08-16 07:28 . 2009-08-16 07:28 -------- d-----w- c:\documents and settings\Le Thi\Local Settings\Application Data\The Weather Channel
2009-08-16 06:21 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 06:21 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 06:21 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-16 06:21 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 06:21 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-16 06:21 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-16 06:21 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 06:21 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 06:21 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 06:21 . 2009-08-16 06:21 -------- d-----w- c:\program files\Alwil Software
2009-08-16 01:50 . 2009-08-16 01:50 20992 ----a-w- c:\windows\system32\kbiwkmsgfufqhn.dll
2009-08-16 01:49 . 2009-08-16 01:49 85 ----a-w- c:\windows\system32\kbiwkmvustbvdo.dat
2009-08-16 01:49 . 2009-08-16 01:49 71168 ----a-w- c:\windows\system32\drivers\kbiwkmfmnpafbt.sys
2009-08-16 01:49 . 2009-08-16 01:49 45056 ----a-w- c:\windows\system32\kbiwkmpxoukphk.dll
2009-08-04 21:30 . 2009-08-04 21:30 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-23 15:06 . 2009-07-23 15:06 210 ----a-w- c:\windows\prxid93ps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 07:28 . 2009-04-27 19:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 05:54 . 2008-09-20 19:28 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-16 05:54 . 2009-06-18 03:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-16 05:05 . 2009-04-27 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-15 17:36 . 2009-06-21 23:13 14 ----a-w- c:\windows\popcinfo.dat
2009-08-12 00:50 . 2008-10-01 18:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-11 23:35 . 2008-12-07 02:49 -------- d-----w- c:\program files\mIRC
2009-08-05 09:01 . 2008-09-18 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:31 . 2008-05-19 18:12 -------- d-----w- c:\program files\Java
2009-07-31 14:40 . 2008-08-21 03:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2008-12-27 21:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-09-18 04:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-09-18 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:08 . 2009-06-23 02:50 -------- d-----w- c:\documents and settings\Le Thi\Application Data\dvdcss
2009-07-03 17:09 . 2008-09-18 04:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-09-18 04:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-09-18 04:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-09-18 04:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-09-18 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-09-18 04:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-09-18 04:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-09-18 04:41 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 20:25 . 2009-06-21 22:53 -------- d-----w- c:\program files\BookWorm Deluxe
2009-06-21 23:15 . 2009-06-21 23:15 -------- d-----w- c:\program files\Games
2009-06-21 16:44 . 2009-06-21 16:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
2009-06-16 14:36 . 2008-09-18 04:44 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-09-18 04:40 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-09-18 04:44 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-09-18 04:44 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-09-18 04:37 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-09-18 05:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-09-18 04:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:02 . 2009-06-10 03:02 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2008-09-18 04:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 21:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"ose"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/16/2009 2:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2009 2:21 AM 20560]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [12/25/2008 6:32 PM 55840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-27 19:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GPCK_enUS293
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 05:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1275210071-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2392)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\netdde.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\snmp.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-18 5:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 09:49

Pre-Run: 28,803,465,216 bytes free
Post-Run: 28,652,568,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 1

223 --- E O F --- 2009-08-12 00:51
lethigena is offline  
Old 08-19-2009, 03:16 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hi,

Looking much better, but not done yet.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/405389-virus-killing-spyware-n-antivirus-programs.html#post2299746

Collect::
c:\windows\system32\kbiwkmsgfufqhn.dll
c:\windows\system32\kbiwkmvustbvdo.dat
c:\windows\system32\drivers\kbiwkmfmnpafbt.sys
c:\windows\system32\kbiwkmpxoukphk.dll

File::
c:\windows\popcinfo.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=-
"SPBBCSvc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Driver::
TfFsMon
TfSysMon
TfNetMon

Save this as CFScript.txt on your desktop.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:



Clicking OK will begin the auto-upload of the zipped file.




-----------

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

=========================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

====================

Please post back with the Combofix.txt, the Kaspersky report, and let me know how the system is behaving now.

Last edited by amateur; 08-19-2009 at 03:53 AM.
Old 08-19-2009, 08:09 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

I tried to run the Kasper online scan but keep getting an error. I downloaded and ran the programs. But I keep getting an 'Updates has failed. Program failed to start. Please go online to use Kaspersky Online Scanner 7.0 [Error: Key is expired]' sign when updating the database. I checked my internet and retried several times but keep getting the same error.

I submitted the [4]-Submit_date@time.zip to the directed site.

Combofix log as requested:

ComboFix Beta_09-08-17.03 - Le Thi 08/19/2009 18:37.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1574 [GMT -4:00]
Running from: c:\documents and settings\Le Thi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Le Thi\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090819-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\popcinfo.dat"

file zipped: c:\windows\system32\kbiwkmpxoukphk.dll
file zipped: c:\windows\system32\kbiwkmsgfufqhn.dll
file zipped: c:\windows\system32\kbiwkmvustbvdo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfo.dat
c:\windows\system32\kbiwkmpxoukphk.dll
c:\windows\system32\kbiwkmsgfufqhn.dll
c:\windows\system32\kbiwkmvustbvdo.dat

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TFFSMON
-------\Legacy_TFNETMON
-------\Legacy_TFSYSMON
-------\Service_TfFsMon
-------\Service_TfNetMon
-------\Service_TfSysMon


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-18 09:42 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2009-08-16 07:28 . 2009-08-16 07:28 -------- d-----w- c:\documents and settings\Le Thi\Local Settings\Application Data\The Weather Channel
2009-08-16 06:21 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 06:21 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 06:21 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-16 06:21 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 06:21 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-16 06:21 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-16 06:21 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 06:21 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 06:21 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 06:21 . 2009-08-16 06:21 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:30 . 2009-08-04 21:30 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-23 15:06 . 2009-07-23 15:06 210 ----a-w- c:\windows\prxid93ps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 06:50 . 2008-10-01 18:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-16 07:28 . 2009-04-27 19:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-16 05:54 . 2008-09-20 19:28 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-16 05:54 . 2009-06-18 03:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-16 05:05 . 2009-04-27 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-11 23:35 . 2008-12-07 02:49 -------- d-----w- c:\program files\mIRC
2009-08-05 09:01 . 2008-09-18 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:31 . 2008-05-19 18:12 -------- d-----w- c:\program files\Java
2009-07-31 14:40 . 2008-08-21 03:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2008-12-27 21:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-09-18 04:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-09-18 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:08 . 2009-06-23 02:50 -------- d-----w- c:\documents and settings\Le Thi\Application Data\dvdcss
2009-07-03 17:09 . 2008-09-18 04:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-09-18 04:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-09-18 04:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-09-18 04:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-09-18 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-09-18 04:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-09-18 04:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-09-18 04:41 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 20:25 . 2009-06-21 22:53 -------- d-----w- c:\program files\BookWorm Deluxe
2009-06-21 23:15 . 2009-06-21 23:15 -------- d-----w- c:\program files\Games
2009-06-21 16:44 . 2009-06-21 16:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
2009-06-16 14:36 . 2008-09-18 04:44 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-09-18 04:40 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-09-18 04:44 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-09-18 04:44 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-09-18 04:37 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-09-18 05:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-09-18 04:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:02 . 2009-06-10 03:02 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2008-09-18 04:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_09.44.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 19:18 . 2009-08-19 19:18 16384 c:\windows\TEMP\Perflib_Perfdata_bc.dat
+ 2009-08-19 22:43 . 2009-08-19 22:43 16384 c:\windows\TEMP\Perflib_Perfdata_7f8.dat
+ 2009-08-19 22:43 . 2009-08-19 22:43 16384 c:\windows\TEMP\Perflib_Perfdata_5b0.dat
+ 2009-08-19 22:43 . 2009-08-19 22:43 16384 c:\windows\TEMP\Perflib_Perfdata_21c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 21:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/16/2009 2:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2009 2:21 AM 20560]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [12/25/2008 6:32 PM 55840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-27 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GPCK_enUS293
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 18:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1275210071-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\netdde.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\snmp.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\igfxext.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-08-19 18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 22:48
ComboFix2.txt 2009-08-18 09:49

Pre-Run: 28,808,048,640 bytes free
Post-Run: 28,748,701,696 bytes free

189 --- E O F --- 2009-08-12 00:51

Last edited by lethigena; 08-19-2009 at 08:36 PM.
Old 08-20-2009, 04:00 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hi,

How is the system running now?
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Folder::
c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_14\lzma.dll


DDS::
uInternet Connection Wizard,ShellNext = iexplore

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


===============================

Please run GMER again with the same instructions and post the new log.

===============================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

=======================

Please post back with the new Combofix.txt, GMER's ark.txt, and the Kaspersky report.
Old 08-20-2009, 02:05 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

Hi

When the computer starts up, the folder C:\Program Files\Spybot - Search & Destroy keeps popping up. This is the old Spybot SD folder and only contains the spybot.exe files that was changed to a read-only file by infection. I tried to delete the file and keep getting an access denied message.
Aside from that, the computer seems to be running normally now; antivirus and re-installed spyware programs are working fine now.
Internet Explorer is no longer being redirected to advertisement pages.

Tried the Kasper scan again; still not working. The download and updates worked but it failed to start, with the popup 'ERROR: Antivirus datatbase was updated after key expiration'. Retried and keep getting 'key is expired' errors again.

These are the CF and gmer logs as requested:

ComboFix Beta_09-08-17.03 - Le Thi 08/20/2009 12:34.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1600 [GMT -4:00]
Running from: c:\documents and settings\Le Thi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Le Thi\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090819-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-20 02:18 . 2009-08-20 02:32 -------- d-----w- c:\program files\Spybot - Search & Destroy 162
2009-08-20 02:14 . 2009-08-20 02:14 -------- d-----w- c:\program files\Trend Micro
2009-08-19 23:16 . 2009-08-20 16:08 14 ----a-w- c:\windows\popcinfo.dat
2009-08-18 09:42 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2009-08-16 07:28 . 2009-08-16 07:28 -------- d-----w- c:\documents and settings\Le Thi\Local Settings\Application Data\The Weather Channel
2009-08-16 06:21 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 06:21 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 06:21 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-16 06:21 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 06:21 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-16 06:21 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-16 06:21 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 06:21 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 06:21 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 06:21 . 2009-08-16 06:21 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:30 . 2009-08-04 21:30 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-23 15:06 . 2009-07-23 15:06 210 ----a-w- c:\windows\prxid93ps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 05:44 . 2008-09-20 19:28 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-20 05:44 . 2009-06-18 03:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-20 05:39 . 2009-04-27 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-20 02:13 . 2009-04-27 19:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-19 06:50 . 2008-10-01 18:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-11 23:35 . 2008-12-07 02:49 -------- d-----w- c:\program files\mIRC
2009-08-05 09:01 . 2008-09-18 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:31 . 2008-05-19 18:12 -------- d-----w- c:\program files\Java
2009-07-31 14:40 . 2008-08-21 03:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2008-12-27 21:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-09-18 04:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-09-18 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:08 . 2009-06-23 02:50 -------- d-----w- c:\documents and settings\Le Thi\Application Data\dvdcss
2009-07-03 17:09 . 2008-09-18 04:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-09-18 04:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-09-18 04:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-09-18 04:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-09-18 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-09-18 04:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-09-18 04:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-09-18 04:41 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 20:25 . 2009-06-21 22:53 -------- d-----w- c:\program files\BookWorm Deluxe
2009-06-21 23:15 . 2009-06-21 23:15 -------- d-----w- c:\program files\Games
2009-06-21 16:44 . 2009-06-21 16:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
2009-06-16 14:36 . 2008-09-18 04:44 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-09-18 04:40 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-09-18 04:44 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-09-18 04:44 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-09-18 04:37 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-09-18 05:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-09-18 04:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:02 . 2009-06-10 03:02 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2008-09-18 04:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_09.44.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 15:45 . 2009-08-20 15:45 16384 c:\windows\TEMP\Perflib_Perfdata_c4.dat
+ 2009-08-20 16:40 . 2009-08-20 16:40 16384 c:\windows\TEMP\Perflib_Perfdata_728.dat
+ 2009-08-20 16:40 . 2009-08-20 16:40 16384 c:\windows\TEMP\Perflib_Perfdata_6e4.dat
+ 2009-08-20 16:40 . 2009-08-20 16:40 16384 c:\windows\TEMP\Perflib_Perfdata_4fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy 162\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 21:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/16/2009 2:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2009 2:21 AM 20560]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [12/25/2008 6:32 PM 55840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-27 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GPCK_enUS293
mStart Page = hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1275210071-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\netdde.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\snmp.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-08-20 12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-20 16:46
ComboFix2.txt 2009-08-19 22:48
ComboFix3.txt 2009-08-18 09:49

Pre-Run: 28,655,849,472 bytes free
Post-Run: 28,600,811,520 bytes free

176 --- E O F --- 2009-08-12 00:51


Thanks again for your help!!!!
Attached Files
File Type: zip ark.zip (719 Bytes, 1 views)

Last edited by lethigena; 08-20-2009 at 02:07 PM.
Old 08-20-2009, 03:30 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hi,

Quote:
Antivirus and re-installed spyware programs are working fine now.
Internet Explorer is no longer being redirected to advertisement pages.
That's good.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\windows\system32\dllcache\mspmsnsv.dll


  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the Reanalyse file now button.
  • Wait until the file is analyzed.
  • Once scanned, copy and paste the results in your next reply.

Do the same for:

c:\windows\system32\mspmsnsv.dll

========================

Open Notepad and copy/paste the contents in the code box below, into Notepad.

Code:
if exist log.txt del log.txt
PEV -l "%system%\mspmsnsv.dll" >log.txt
start notepad log.txt

Save this as look.bat. Choose to "Save type as - All Files".
It should look like this:

Double click on look.bat & allow it to run. It may take several minutes, please be patient. Then post the log which it produces

========================

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.bleepingcomputer.com...Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents in your next reply.

========================

Quote:
When the computer starts up, the folder C:\Program Files\Spybot - Search & Destroy keeps popping up. This is the old Spybot SD folder and only contains the spybot.exe files that was changed to a read-only file by infection. I tried to delete the file and keep getting an access denied message.
Has this old Spybot SD already been uninstalled via Add or Remove Programs in Control Panel?

==========================

Quote:
Tried the Kasper scan again; still not working. The download and updates worked but it failed to start, with the popup 'ERROR: Antivirus datatbase was updated after key expiration'. Retried and keep getting 'key is expired' errors again.
It's a problem with the website which was fixed yesterday, but must be back again.

Please run this alternative:

Using Internet Explorer browser only, go to ESET Online Scanner website:
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed. At this time, the scanner does not produce a detailed report. That is a planned, future feature. If needed, you should be able to find a file named log.txt in your folder C:\Program Files\EsetOnlineScanner
    Copy the contents of this file using Notepad or Wordpad and post it here.
After running the scan, you may uninstall ESET Online Scanner via Add/Remove Programs, if desired.

================================

Please post back with the results from the VirusTotal, the contents of the look.txt and the Win32kDiag.txt, and the ESET report.
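The look.bat step in the post above lists every copy of mspmsnsv.dll on disk so the copies can be compared. As an added example (not part of the original post, and not a PEV or ComboFix feature), this parses a listing in the attributes/size/date/time/path layout that PEV -l output uses in this thread and reports which copies share the size and timestamp of a chosen reference copy. The sample lines, folder names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One listing line: 8 attribute flags, size with thousands separators,
# date, time, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{8})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)

# Constructed sample in the same layout (not copied from a real system).
SAMPLE = r"""
-c----w- 25,088 2004-08-11 05:45:04 \WINDOWS\$NtUninstallExample$\mspmsnsv.dll
----a-w- 52,224 2008-04-14 03:42:02 \WINDOWS\Backup Example\MsPMSNSv.dll
----a-w- 27,136 2006-10-19 02:47:16 \WINDOWS\system32\mspmsnsv.dll
-c----w- 27,136 2006-10-19 02:47:16 \WINDOWS\system32\dllcache\mspmsnsv.dll

Entries: 4 (4)
"""


def parse_listing(text):
    """Return one dict per file line; summary and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
            "stamp": datetime.strptime(
                m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "path": m.group("path").strip(),
        })
    return entries


def group_copies(entries):
    """Group paths by (size, timestamp); each group is one apparent version."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["stamp"])].append(e["path"])
    return dict(groups)


def compare_to_reference(entries, reference_path):
    """Split the other copies into those matching the reference and the rest.

    Paths are compared case-insensitively, as on Windows. A size/timestamp
    match is only a triage hint: both values can be forged, so copies that
    matter still need a hash comparison or a scan.
    """
    wanted = reference_path.lower()
    ref = next((e for e in entries if e["path"].lower() == wanted), None)
    if ref is None:
        raise ValueError("reference path not present in listing")
    key = (ref["size"], ref["stamp"])
    same, different = [], []
    for e in entries:
        if e is ref:
            continue
        (same if (e["size"], e["stamp"]) == key else different).append(e["path"])
    return same, different


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    same, different = compare_to_reference(parsed, r"\windows\system32\mspmsnsv.dll")
    print("same size/timestamp as reference:", same)
    print("differs from reference:", different)
```
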
Old 08-20-2009, 10:59 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

Hi again!
Thank you for your patience!

I have zipped and attached the two results from VirusTotal below!

========================
Quote:
["When the computer starts up, the folder C:\Program Files\Spybot - Search & Destroy keeps popping up. This is the old Spybot SD folder and only contains the spybot.exe file that was changed to a read-only file by the infection. I tried to delete the file and keep getting an access denied message."

Has this old Spybot SD already been uninstalled via Add or Remove Programs in Control Panel?]

==========================
Yes, the old Spybot SD had been uninstalled via Remove Programs and a new one was re-installed in a different folder.

**********************************************************

I ran the Win32kDiag.exe file but there was an error. Log below:

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log


**************************************************************

Here is the log produced by the look.bat file:

-c----w- 25,088 2004-08-11 05:45:04 \WINDOWS\$NtUninstallWMFDist11$\mspmsnsv.dll
----a-w- 25,088 2004-08-11 05:45:04 \WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
----a-w- 52,224 2008-04-14 03:42:02 \WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
----a-w- 27,136 2006-10-19 02:47:16 \WINDOWS\system32\mspmsnsv.dll
-c----w- 27,136 2006-10-19 02:47:16 \WINDOWS\system32\dllcache\mspmsnsv.dll
-c--a-w- 27,136 2006-10-19 02:47:16 \WINDOWS\system32\dllcache\cache\mspmsnsv.dll

Entries: 6 (6)
Directories: 0 Files: 6
Bytes: 183,808 Blocks: 359

***************************************************************

Results from the ESET online scan: it found and cleaned 18 infections, but there was no log file in the C:\Program Files\EsetOnlineScanner folder. There are only the ActiveX and uninstaller files.



********************************************************
Attached Files
File Type: zip mspmsnsv.zip (5.3 KB, 1 views)
Old 08-21-2009, 12:32 AM   #10 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

HI !

About the ESET scan: I did not know the log.txt file would disappear after I closed the program. My mistake, sorry!!!

Of the 18 infections found as stated above, 16 of them were in the C:\Qoobox quarantine folders!

On a positive note, a re-scan shows no more infections.

Below is the log.txt of the second scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=471e4b75ff32164c8bcc76155a5facbe
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-21 06:25:30
# local_time=2009-08-21 02:25:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 21 100 100 395272031250
# scanned=94959
# found=0
# cleaned=0
# scan_time=4975
Old 08-21-2009, 03:33 AM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hi,

You have two different folders for Spybot.

1. c:\program files\Spybot - Search & Destroy <======= This seems to be the older one, installed on April 27, 2009
2. c:\program files\Spybot - Search & Destroy 162<===== This must be the new one as it seems to have been installed on August 20, 2009

If the above information is correct, please proceed with the following instructions:

Please delete the Combofix from your desktop and download a fresh copy from one of these links:

Link 1
Link 2
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Folder::
c:\program files\Spybot - Search & Destroy

File::
c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply and let me know how things are now.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Old 08-21-2009, 06:06 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

Hi!

I ran the CF and it got rid of the old Spybot folder. The computer is working fine now. There are no more problems with antivirus or the internet.

Below is the CF log:

ComboFix 09-08-20.07 - Le Thi 08/21/2009 17:12.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1594 [GMT -4:00]
Running from: c:\documents and settings\Le Thi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Le Thi\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090821-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\SpybotSD.exe
c:\windows\prxid93ps.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 03:57 . 2009-08-21 03:57 -------- d-----w- c:\program files\ESET
2009-08-20 02:18 . 2009-08-20 02:32 -------- d-----w- c:\program files\Spybot - Search & Destroy 162
2009-08-20 02:14 . 2009-08-20 02:14 -------- d-----w- c:\program files\Trend Micro
2009-08-19 23:16 . 2009-08-20 16:08 14 ----a-w- c:\windows\popcinfo.dat
2009-08-18 09:42 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2009-08-16 07:44 . 2009-08-16 07:44 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2009-08-16 07:28 . 2009-08-16 07:28 -------- d-----w- c:\documents and settings\Le Thi\Local Settings\Application Data\The Weather Channel
2009-08-16 06:21 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 06:21 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 06:21 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-16 06:21 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 06:21 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-16 06:21 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-16 06:21 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 06:21 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 06:21 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 06:21 . 2009-08-16 06:21 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:30 . 2009-08-04 21:30 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 05:44 . 2008-09-20 19:28 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-20 05:44 . 2009-06-18 03:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-20 05:39 . 2009-04-27 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-19 06:50 . 2008-10-01 18:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-11 23:35 . 2008-12-07 02:49 -------- d-----w- c:\program files\mIRC
2009-08-05 09:01 . 2008-09-18 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:31 . 2008-05-19 18:12 -------- d-----w- c:\program files\Java
2009-07-31 14:40 . 2008-08-21 03:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2008-12-27 21:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-09-18 04:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-09-18 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:08 . 2009-06-23 02:50 -------- d-----w- c:\documents and settings\Le Thi\Application Data\dvdcss
2009-07-03 17:09 . 2008-09-18 04:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-09-18 04:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-09-18 04:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-09-18 04:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-09-18 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-09-18 04:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-09-18 04:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-09-18 04:41 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-09-18 04:44 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-09-18 04:40 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-09-18 04:44 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-09-18 04:44 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-09-18 04:37 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-09-18 05:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-09-18 04:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:02 . 2009-06-10 03:02 152576 ----a-w- c:\documents and settings\Le Thi\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2008-09-18 04:43 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_09.44.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 20:07 . 2009-08-21 20:07 16384 c:\windows\TEMP\Perflib_Perfdata_5bc.dat
+ 2009-08-21 20:07 . 2009-08-21 20:07 16384 c:\windows\TEMP\Perflib_Perfdata_228.dat
+ 2009-08-21 20:07 . 2009-08-21 20:07 16384 c:\windows\TEMP\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy 162\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 21:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"odserv"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/16/2009 2:21 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2009 2:21 AM 20560]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [12/25/2008 6:32 PM 55840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7GPCK_enUS293
mStart Page = hxxp://www.google.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 17:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1275210071-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-08-21 17:20
ComboFix-quarantined-files.txt 2009-08-21 21:20
ComboFix2.txt 2009-08-20 16:46
ComboFix3.txt 2009-08-19 22:48
ComboFix4.txt 2009-08-18 09:49

Pre-Run: 28,028,317,696 bytes free
Post-Run: 28,048,371,712 bytes free

150 --- E O F --- 2009-08-12 00:51



Thank you for your help!!!
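The folder deleted in the log above ("Spybot - Search & Destroy") is a string prefix of the folder holding the new install ("Spybot - Search & Destroy 162"), so a check for leftover autostart entries has to compare whole path components. The following Python script is an added example, not part of the original thread or of ComboFix; it assumes the section titles and line shapes seen in the log above, and its "ConstructedStaleEntry" line is a constructed sample value.

```python
import ntpath
import re

# Constructed sample in the shape of the ComboFix log above. The first two Run
# values are from that log; "ConstructedStaleEntry" is made up to show a hit.
SAMPLE_LOG = r'''
((((((((( Other Deletions )))))))))
.
c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\SpybotSD.exe
c:\windows\prxid93ps.dat
.
((((((((( Reg Loading Points )))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy 162\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"ConstructedStaleEntry"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
'''

HEADER = re.compile(r'^\(+\s*(.+?)\s*\)+\s*$')   # "((( Title )))"
VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')       # "name"="target" ...
PATH = re.compile(r'^[A-Za-z]:\\')


def norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse(log_text):
    """Return (deleted_paths, autostart_entries) from a ComboFix-style log."""
    section, key, deleted, entries = None, None, [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            section, key = m.group(1), None
        elif section == 'Other Deletions' and PATH.match(line):
            deleted.append(norm(line))
        elif section == 'Reg Loading Points':
            if line.startswith('[') and line.endswith(']'):
                key = line[1:-1]
            else:
                v = VALUE.match(line)
                if v and key:
                    entries.append((key, v.group(1), norm(v.group(2))))
    return deleted, entries


def is_under(target, removed):
    # Compare whole path components, so "...Destroy 162\" is not "...Destroy\".
    return target == removed or target.startswith(removed + '\\')


def stale_autostarts(log_text):
    deleted, entries = parse(log_text)
    return [(k, n, t) for k, n, t in entries
            if any(is_under(t, d) for d in deleted)]


def naive_prefix_hits(log_text):
    # Plain string-prefix test, kept only to show the false positive it gives.
    deleted, entries = parse(log_text)
    return [n for _, n, t in entries if any(t.startswith(d) for d in deleted)]
```

Entries written with 8.3 short names (such as the c:\progra~1\ALWILS~1 value above) cannot be expanded from the log alone, so those still need to be checked on the machine itself.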
Old 08-22-2009, 05:18 AM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

Hi,

Quote:
I ran the CF and it got rid of the old Spybot folder. The computer is working fine now. There are no more problems with antivirus or the internet.
Glad to hear that.

If you have no further malware issues, you're all set to go. The logs are clean.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

SpywareBlaster, a real time scanner to help prevent spyware from installing in the first place. A tutorial on installing & using this product can be found here.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing and Think Prevention!
Old 08-22-2009, 04:40 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 8
OS: winxp


Re: virus killing spyware n antivirus programs

HI

This site is a great help! With very clear and easy to follow instructions!! You have been a great help!!
Thank you, Amateur, very much for all your time and patience with my problems!

Once again Thank you !!!!
Old 08-23-2009, 01:45 AM   #15 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: virus killing spyware n antivirus programs

You're very welcome. Glad to have been able to help. Stay safe!
All times are GMT -7. The time now is 05:54 PM.



Copyright 2001 - 2009, Tech Support Forum