Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-09-2009, 08:49 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Help! Virus/Trojan Password stealer?

Hello TSF,

My problems are in Internet Explorer and Firefox: when I type a search, the search opens but so does another window, or multiple windows, with a long URL with ASCII characters in it. Also in Firefox I get numerous tabs opening with directory lists on my computer, such as "file://c:\windows....."! Combine these with other strange crashes and glitches I cannot recall at the moment and I am at your mercy! I did delete several registry entries and suspicious files on my computer, but that was before I came to this site.

DDS.txt

DDS (Ver_09-09-29.01) - NTFSx86
Run by Darryll at 9:59:24.00 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.581 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Darryll\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = www.google.com
uStart Page = hxxp://extreme.rogers.yahoo.com/
uInternet Settings,ProxyServer = 120.28.64.69:8080
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MSN helper: {85ce3383-ee2e-4c76-a038-286b273e16c4} - nsr01.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [DisplayFusion] "c:\program files\displayfusion\DisplayFusion.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: msn.com
Trusted Zone: msn.com\runonce
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1234374162515
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234365158674
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234373323218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1235838993249&h=16850860e0987abb9c22ba9cd7bac750/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-11 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-11 297752]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-8-19 10384]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2009-6-16 137344]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2009-6-16 12032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\printer\center\ekdiscovery.exe --> c:\program files\kodak\printer\center\EKDiscovery.exe [?]
S2 KodakSvc;Kodak AiO Device Service;"c:\program files\kodak\printer\center\kodaksvc.exe" --> c:\program files\kodak\printer\center\KodakSvc.exe [?]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\mediacoder\sysinfo.sys --> c:\program files\mediacoder\SysInfo.sys [?]
S3 iANSMiniport;Intel(R) Advanced Network Services Virtual Adapter;c:\windows\system32\drivers\ianswxp.sys [2008-11-12 115848]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-10-4 33792]
S3 VKeyboard;Virtual Keyboard Device;c:\windows\system32\drivers\VKeyboard.sys [2009-10-4 302080]
S3 VMouse;Virtual Mouse;c:\windows\system32\drivers\VMouse.sys [2009-10-4 303104]
S3 VPS3Joy;Virtual Playstation(3) Joystick;c:\windows\system32\drivers\VPS3Joy.sys [2009-10-4 304128]

=============== Created Last 30 ================

2009-10-08 17:18 1 a------- c:\windows\system32\idm.dat
2009-10-08 17:18 1 a------- c:\windows\system32\c2d.dat
2009-10-08 17:06 45,056 a------- c:\windows\system32\WNASPI2K.BAK
2009-10-08 17:06 25,244 a------- c:\windows\system32\drivers\ASPI2K.BAK
2009-10-08 17:06 5,600 a------- c:\windows\system\WINASPI.BAK
2009-10-08 17:06 4,672 a------- c:\windows\system\WOWPOST.BAK
2009-10-04 17:57 12,800 a------- c:\windows\system32\EKDeviceServices.dll
2009-10-04 17:55 <DIR> --d----- c:\windows\system32\kodak
2009-10-04 17:55 397,312 a------- c:\windows\system32\EKIJ5000MON.dll
2009-10-04 17:53 <DIR> --d----- c:\program files\common files\Kodak
2009-10-04 17:22 46,592 a------- c:\windows\system32\libusb0.dll
2009-10-04 17:22 33,792 a------- c:\windows\system32\drivers\libusb0.sys
2009-10-04 17:20 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-10-04 17:20 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-10-04 17:20 304,128 a------- c:\windows\system32\vps3joy.sys
2009-10-04 17:20 304,128 a------- c:\windows\system32\drivers\VPS3Joy.sys
2009-10-04 17:20 303,104 a------- c:\windows\system32\vmouse.sys
2009-10-04 17:20 303,104 a------- c:\windows\system32\drivers\VMouse.sys
2009-10-04 17:20 302,080 a------- c:\windows\system32\vkeyboard.sys
2009-10-04 17:20 302,080 a------- c:\windows\system32\drivers\VKeyboard.sys
2009-10-04 17:20 5,336 a------- c:\windows\system32\vps3joy.inf
2009-10-04 17:20 4,542 a------- c:\windows\system32\vkeyboard.inf
2009-10-04 17:20 4,295 a------- c:\windows\system32\vmouse.inf
2009-10-04 17:20 <DIR> --d----- c:\program files\The Force Studio
2009-10-04 16:20 17 a------- c:\windows\system32\WINSPOOL.WIN
2009-10-04 13:44 196,608 a------- c:\windows\system32\NCTWMAFile2.dll
2009-10-04 13:44 1,843,200 a------- c:\windows\system32\NCTAudioFile2.dll
2009-10-04 13:44 315,392 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-10-03 17:42 66 a------- c:\windows\MP3 WAV to CD Burner.INI
2009-10-02 09:16 34,304 a------- c:\windows\system32\nsr01.dll
2009-10-02 09:16 4,232 a------- c:\windows\system32\plom
2009-09-26 09:10 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-26 09:10 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2009-09-21 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-21 15:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-21 15:25 <DIR> --d----- c:\docume~1\darryll\applic~1\SUPERAntiSpyware.com
2009-09-21 15:25 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-21 14:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-21 14:46 <DIR> --d----- c:\windows\ERUNT
2009-09-20 17:40 <DIR> --d----- c:\program files\Real Alternative
2009-09-20 17:14 23,392 a------- c:\windows\system32\nscompat.tlb
2009-09-20 17:14 16,832 a------- c:\windows\system32\amcompat.tlb
2009-09-20 12:32 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-09-20 12:32 16,877 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-09-20 12:32 5,600 a------- c:\windows\system\WINASPI.DLL
2009-09-20 12:32 4,672 a------- c:\windows\system\WOWPOST.EXE
2009-09-20 12:28 <DIR> --d----- C:\adaptec
2009-09-20 12:18 <DIR> --d----- c:\docume~1\darryll\applic~1\Video DVD Maker FREE
2009-09-20 10:13 <DIR> --d----- c:\docume~1\darryll\applic~1\AVS4YOU
2009-09-20 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-09-10 10:22 <DIR> --d----- c:\program files\iPod
2009-09-10 10:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 10:22 <DIR> --d----- c:\program files\iTunes
2009-09-10 09:46 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-09-10 09:46 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-09-10 09:46 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-09-10 09:46 21,504 a------- c:\windows\system32\hidserv.dll

==================== Find3M ====================

2009-09-11 12:00 499,712 a------- c:\windows\system32\msvcp71.dll
2009-09-11 12:00 348,160 a------- c:\windows\system32\msvcr71.dll
2009-09-04 13:15 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-09-02 09:40 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-09-02 09:40 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-08-20 15:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-18 13:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-18 13:52 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-20 12:26 84,496 a------- c:\windows\system32\KemXML.dll
2009-07-20 12:26 117,264 a------- c:\windows\system32\KemWnd.dll
2009-07-20 12:26 145,936 a------- c:\windows\system32\KemUtil.dll
2009-07-20 12:26 170,512 a------- c:\windows\system32\kemutb.dll
2009-07-20 12:25 301,656 a------- c:\windows\system32\BtCoreIf.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 20:15 90,112 a------- c:\windows\system32\dpl100.dll
2009-07-13 20:15 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-07-13 20:15 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-07-13 20:15 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-07-13 20:15 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-07-13 20:15 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-07-13 20:15 685,056 a------- c:\windows\system32\DivX.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-11 16:35 47,360 a------- c:\docume~1\darryll\applic~1\pcouffin.sys
2009-06-17 12:07 23 a--sh--- c:\windows\system32\edacded0.dat
2009-04-22 11:57 543,008 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-22 11:57 17,952 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 10:00:21.79 ===============



One other issue I thought you should see was a file called "meong.txt" located in my Windows directory. Here is the info from that file.
============================
Password Stealer
============================
Firefox Password
============================
PK11_Authenticate Failed!
PK11_Authenticate Failed!
PK11_Authenticate Failed!

==========================
MSN Password
============================

============================
NOIP Password
============================
USERNAME: Password:


============================
STEAM ACCOUNT
============================

============================
AIM PASSWORD
============================
USERNAME: Password:

============================
File Zilla
============================

============================
Pidgin Stealer
============================

============================
Paltalk Password
============================
USERNAME: Password:

============================
CDKEY
============================
Microsoft
ProductName: Microsoft Windows XP
CSDVersion: Service Pack 3
RegisteredOwner: ***************
RegisteredOrganization: *************

--------------------
CALL OF DUTY
Serial:
United Offensive:
Call of Duty 2:
Call of Duty 4:
Call of Duty 5:
Call of Duty WAW:
--------------------
ZoneAlarm
Serial:
Username:
Company:

--------------------
WS FTP
Serial:

--------------------
Winamp
regname:
Serial:

--------------------
Westwood Alarmstufe Rot 2
Serial:

--------------------
VMware
VMware Workstation 5.0:
VMware Workstation 6.5.1:
VMware Server:

--------------------
Unreal Tournament
Unreal Tournament 2004:
Unreal Tournament 2003:

--------------------
Tuneup
TuneUP 2009:
TuneUP Company:
TuneUP UserName:

TuneUP 2008:
TuneUP Company:
TuneUP UserName:

TuneUP 2007:
TuneUP Company:
TuneUP UserName:

TuneUP 2006:
TuneUP Company:
TuneUP UserName:

--------------------
@Stake L0pht CrackLC5
¬@Stake Serial:

--------------------
3D Mark
Username:
Key:

--------------------
Acronis True Image
Serial:

--------------------
ACDSee
Username:
licency:

Username:
licency:

Username:
licency:

--------------------
Adobe Acrobat
Adobe Acrobat 6:

Adobe Acrobat 7:

Adobe Acrobat 8:

Adobe Acrobat 9:

--------------------
Borland
Delphi 6:
Delphi 6:

Delphi 7:
Delphi 7:

--------------------
Photoshop 7.0
Serial:

--------------------
Adobe Premiere
Serial:

--------------------
Advanced Direct Remailer
2.20:
2.18:

--------------------
After Effects
Username:
Company:
Serial:

--------------------
Alcohol
Username:
Password
Company:
Serial:

--------------------
Anno1701
Serial:

--------------------
Autocad
serial 2000:
serial 2002:
serial LT 2000:
serial LT 2005:
serial LT 2002:
serial 2008:
serial LT 2008:
serial 2007:
serial LT 2007:
serial LT 2006:
serial Electrical 2007:
serial Electrical 2006:
serial Electrical 2005:
serial Mechanical 2007:
serial Mechanical 2006:
serial Mechanical 2005:
3ds Max 8:
3ds Max 7:
serial Architectural Desktop 2007:
serial Architectural Desktop 2006:
serial Architectural Desktop 2005:
Building Systems 2007:

--------------------
Axailis IconWorkshop 6.0
Serial:

--------------------
Battle Field
Serial 1942:
Serial 1942 The Road to Rome:
Serial Battlefield 2:
Serial Battlefield 2142:
Serial 1942 Secret Weapons of WWII:
Serial Vietnam:

--------------------
SnapStream
Serial Beyond TV:
Serial Beyond Media:

--------------------
BitComet Acceleration Patch
Serial:

--------------------
Black and White
Serial:

--------------------
Chrome
Serial:

--------------------
Generals
Serial:
ZeroHour:
Command and Conquer:

--------------------
tiberian sun
Serial:

--------------------
Red Allert
Serial :
Serial red allert 2:
Serial Yuri's Revenge:

--------------------
Company of Heroes
Version:
Serial:

--------------------
Act Of War High Treason
Serial:
Serial:

--------------------
Splinter Cell
Chaos Theory:
Pandora Tomorrow:

--------------------
AnyDVD
Serial:

--------------------
Dawn of War
Dawn of War:
Dawn of War II Beta:
Dawn of War - Dark Crusade:
Dawn of War Soulstorm:
Dawn of War Winter Assault:

--------------------
Medieval Total War
Serial:

--------------------
Nero
Nero 8:
Nero 7:
Nero 9:

--------------------



Hope this helps you with your work!
Oddly, when I tried to attach my zip file, explorer.exe gave me an error and everything closed!


Windows XP SP3 Professional 2002
Intel Pentium 4 3GHz
1 GB RAM

Just ran AVG and SUPERAntiSpyware and the results are:
AVG: "C:\Documents and Settings\Darryll\Local Settings\temp\itune.exe";"Trojan horse Generic14.BJCT";"Infected"

SUPERAntiSpyware: Trojan.Agent/Gen-Downloader[Packed] [11 items]
"C:\windows\system32\nsro1.dll"
and several registry keys which I cannot copy/paste here!
Attached Files
File Type: zip Attach.zip (33.9 KB, 11 views)

Last edited by tetonbob; 10-10-2009 at 08:26 AM. Reason: to retain 0 reply status
dmath1n is offline  
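The Pseudo HJT Report in the DDS log above already contains the three kinds of entry a helper looks at first: a browser proxy pointing at an outside address, a BHO loaded by bare filename with no path, and toolbar entries marked "No File". The Python below is an added example, not part of this thread and not code from the DDS tool: it applies those three checks to report lines and lists the hits highest-severity first. The sample lines are a constructed subset of the report posted above; the heuristic names, the severity labels and the functions `triage`, `proxy_is_external` and `is_bare_filename` are this example's own assumptions. Legitimate software that registers itself by bare filename (the Logitech and AVG entries here) is listed for review as well, which is intended: the script ranks entries for a human to verify, it does not decide.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example: this is not part of the forum thread and not code from the
DDS tool. It scores report lines with three heuristics so that the entries
a helper would look at first are listed first. Heuristic names, severities
and the sample subset below are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = r"""
uSearch Page = www.google.com
uStart Page = hxxp://extreme.rogers.yahoo.com/
uInternet Settings,ProxyServer = 120.28.64.69:8080
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MSN helper: {85ce3383-ee2e-4c76-a038-286b273e16c4} - nsr01.dll
TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
"""

SEVERITY_RANK = {"high": 0, "review": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "review" or "low"
    entry: str     # the report line the finding refers to
    reason: str


PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)")
LOAD_RE = re.compile(r"^(BHO|TB|Notify|SEH|[um]Run):\s*(.*)$")


def proxy_is_external(value: str) -> bool:
    """True when the ProxyServer value points outside loopback/private space.

    DDS prints the raw registry value; it may be "host:port" or a
    per-protocol list such as "http=host:port;https=host:port".
    """
    first = value.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    host = first.rsplit(":", 1)[0] if ":" in first else first
    if host.lower() == "localhost":
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: cannot be vouched for, so surface it
    return not (addr.is_private or addr.is_loopback)


def _load_target(kind: str, rest: str) -> str:
    """Extract the loaded component from the remainder of a report line."""
    if kind in ("uRun", "mRun"):
        m = re.match(r"^\[[^\]]*\]\s*(.*)$", rest)
        return m.group(1).strip() if m else rest.strip()
    # BHO/TB/Notify/SEH lines end with " - <path or filename>"
    return rest.rsplit(" - ", 1)[-1].strip()


def is_bare_filename(target: str) -> bool:
    """True for a target with no directory part, e.g. 'nsr01.dll'.

    Such an entry is resolved through the loader's search path, so the log
    alone does not say which file on disk actually gets loaded.
    """
    t = target.strip().strip('"')
    return bool(t) and "\\" not in t and not t.startswith("%")


def triage(report: str) -> List[Finding]:
    """Run the heuristics over every line and return findings, highest first."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if proxy_is_external(m.group(1)):
                findings.append(Finding(
                    "high", line,
                    "browser proxy points at a non-local address; all web traffic is relayed through it"))
            continue
        m = LOAD_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        target = _load_target(kind, rest)
        if target == "No File":
            findings.append(Finding(
                "low", line, "orphaned entry: the registry still references a component that is gone"))
        elif is_bare_filename(target):
            findings.append(Finding(
                "review", line,
                f"{kind} entry loads '{target}' by bare filename; verify the file's location, publisher and creation date"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
```

Run on the sample, the proxy line comes out on top, the `nsr01.dll` BHO is the first review item, and the Adobe, AVG tray and Logitech Bluetooth entries with full paths are not reported. A bare-filename hit is confirmed or dismissed by cross-checking the "Created Last 30" section of the same log: a file created days ago in system32 with no installer activity around it, as nsr01.dll is here, deserves more attention than a vendor DLL that has been there since the driver was installed.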

Old 10-10-2009, 03:50 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojan Password stealer?

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

As you've noted, the machine has also been infected with a password stealer. Though from the log you've posted it doesn't appear any data was harvested, if you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware. Please note: If the Recovery Console does NOT get installed, click on NO, do not continue, and let me know.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-11-2009, 09:27 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojan Password stealer?

I was running ComboFix and it rebooted, after which it was at stage 6 or 7 of fixing when I got the dreaded BSOD and it dumped physical memory. Should I run ComboFix again?
dmath1n is offline  
Old 10-11-2009, 09:50 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojan Password stealer?

Was AVG disabled? Did you receive any notification from ComboFix that it was still active?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-11-2009, 09:56 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojan Password stealer?

I did get a notification, but I thought I had disabled it! It must have come back in the systray.
dmath1n is offline  
Old 10-11-2009, 10:39 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojan Password stealer?

Please use this set of instructions to disable AVG.

AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.

Then run ComboFix again.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-11-2009, 12:24 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojan Password stealer?

Combofix log as requested:

ComboFix 09-10-10.02 - Darryll 10/11/2009 13:43.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.564 [GMT -4:00]
Running from: c:\documents and settings\Darryll\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\24d2bd.msi
c:\windows\system32\c2d.dat
c:\windows\system32\idm.dat
c:\windows\system32\nk.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-04 21:57 . 2008-09-10 17:44 12800 ----a-w- c:\windows\system32\EKDeviceServices.dll
2009-10-04 21:55 . 2009-10-04 21:55 -------- d-----w- c:\windows\system32\kodak
2009-10-04 21:55 . 2008-08-21 20:54 397312 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2009-10-04 21:53 . 2009-10-04 21:53 -------- d-----w- c:\program files\Common Files\Kodak
2009-10-04 21:22 . 2005-03-10 00:50 33792 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-04 21:22 . 2005-03-10 00:50 46592 ----a-w- c:\windows\system32\libusb0.dll
2009-10-04 21:20 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-04 21:20 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-04 21:20 . 2009-04-23 00:42 304128 ----a-w- c:\windows\system32\vps3joy.sys
2009-10-04 21:20 . 2009-04-23 00:42 304128 ----a-w- c:\windows\system32\drivers\VPS3Joy.sys
2009-10-04 21:20 . 2009-04-23 00:42 303104 ----a-w- c:\windows\system32\vmouse.sys
2009-10-04 21:20 . 2009-04-23 00:42 303104 ----a-w- c:\windows\system32\drivers\VMouse.sys
2009-10-04 21:20 . 2009-04-23 00:41 302080 ----a-w- c:\windows\system32\vkeyboard.sys
2009-10-04 21:20 . 2009-04-23 00:41 302080 ----a-w- c:\windows\system32\drivers\VKeyboard.sys
2009-10-04 21:20 . 2009-10-04 21:20 -------- d-----w- c:\program files\The Force Studio
2009-10-04 17:44 . 2004-05-20 19:24 196608 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-10-04 17:44 . 2004-12-02 22:20 1843200 ----a-w- c:\windows\system32\NCTAudioFile2.dll
2009-10-04 17:44 . 2004-12-02 22:11 315392 ----a-w- c:\windows\system32\NCTAudioPlayer2.dll
2009-09-26 13:10 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-26 13:10 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-09-21 19:25 . 2009-09-21 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-21 19:25 . 2009-09-21 19:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-21 19:25 . 2009-09-21 19:25 -------- d-----w- c:\documents and settings\Darryll\Application Data\SUPERAntiSpyware.com
2009-09-21 19:25 . 2009-09-21 19:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-21 18:50 . 2009-09-21 18:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-09-21 18:46 . 2009-09-21 18:46 -------- d-----w- c:\windows\ERUNT
2009-09-20 21:40 . 2009-09-20 21:40 -------- d-----w- c:\program files\Real Alternative
2009-09-20 16:32 . 2002-07-17 20:22 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2009-09-20 16:32 . 2002-07-17 20:22 5600 ----a-w- c:\windows\system\WINASPI.DLL
2009-09-20 16:32 . 2002-07-17 13:20 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-09-20 16:32 . 2002-07-17 12:53 16877 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-09-20 16:28 . 2009-09-20 16:28 -------- d-----w- C:\adaptec
2009-09-20 16:18 . 2009-09-20 16:18 -------- d-----w- c:\documents and settings\Darryll\Application Data\Video DVD Maker FREE
2009-09-20 14:13 . 2009-09-20 14:13 -------- d-----w- c:\documents and settings\Darryll\Application Data\AVS4YOU
2009-09-20 14:13 . 2009-09-20 14:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 15:57 . 2009-02-12 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-09 21:47 . 2009-05-07 20:50 -------- d-----w- c:\program files\Jdownloader
2009-10-08 21:02 . 2009-05-03 23:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 21:57 . 2009-02-12 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-10-04 21:55 . 2009-05-27 14:16 -------- d-----w- c:\program files\Kodak
2009-09-20 23:28 . 2009-06-17 23:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-20 23:26 . 2009-05-22 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-20 20:37 . 2009-02-13 00:53 69848 ----a-w- c:\documents and settings\Sheila\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 16:00 . 2003-10-17 16:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-11 16:00 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-10 14:35 . 2009-05-11 15:34 -------- d-----w- c:\documents and settings\Darryll\Application Data\Apple Computer
2009-09-10 14:22 . 2009-09-10 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 14:22 . 2009-09-10 14:22 -------- d-----w- c:\program files\iTunes
2009-09-10 14:22 . 2009-09-10 14:22 -------- d-----w- c:\program files\iPod
2009-09-10 14:22 . 2009-07-19 15:08 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 14:20 . 2009-09-10 14:19 -------- d-----w- c:\program files\QuickTime
2009-09-10 14:18 . 2009-09-10 14:18 -------- d-----w- c:\program files\Apple Software Update
2009-09-05 13:20 . 2009-02-12 21:07 69848 ----a-w- c:\documents and settings\Darryll\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 01:59 . 2009-09-05 01:59 -------- d-----w- c:\program files\MSBuild
2009-09-05 01:59 . 2009-09-05 01:59 -------- d-----w- c:\program files\Reference Assemblies
2009-09-04 21:27 . 2009-08-07 16:45 -------- d-----w- c:\program files\MediaInfo
2009-09-04 19:30 . 2009-06-20 16:19 -------- d-----w- c:\program files\VirtualDub-1.9.2
2009-09-04 17:15 . 2009-09-04 17:15 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-09-03 22:53 . 2009-09-03 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-09-02 13:40 . 2009-09-02 13:40 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-02 13:40 . 2009-09-02 13:40 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-02 13:40 . 2009-09-02 13:40 -------- d-----w- c:\program files\OpenAL
2009-09-02 13:39 . 2009-09-02 13:39 -------- d-----w- c:\program files\AssaultCube_v1.0
2009-08-31 14:15 . 2009-08-31 14:15 -------- d-----w- c:\program files\DisplayFusion
2009-08-31 13:36 . 2009-08-31 13:36 -------- d-----w- c:\documents and settings\Darryll\Application Data\Binary Fortress Software
2009-08-24 11:50 . 2009-07-29 17:17 -------- d-----w- c:\program files\DivX
2009-08-24 11:49 . 2009-08-24 11:49 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-22 20:18 . 2009-08-22 20:18 -------- d-----w- c:\documents and settings\Sheila\Application Data\Logitech
2009-08-21 15:51 . 2009-08-19 20:32 -------- d-----w- c:\documents and settings\Darryll\Application Data\GARMIN
2009-08-21 15:35 . 2009-08-21 15:35 -------- d-----w- c:\documents and settings\Darryll\Application Data\Subversion
2009-08-21 14:52 . 2009-08-21 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2009-08-20 22:45 . 2009-08-20 19:16 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-08-20 19:19 . 2009-08-20 19:13 -------- d-----w- c:\documents and settings\Darryll\Application Data\DAEMON Tools Lite
2009-08-20 19:13 . 2009-03-15 14:45 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-20 18:58 . 2009-08-19 15:07 -------- d-----w- c:\documents and settings\Darryll\Application Data\Temp
2009-08-19 15:54 . 2009-08-19 15:54 -------- d-----w- c:\documents and settings\Darryll\Application Data\Logitech
2009-08-19 15:43 . 2009-08-19 15:43 -------- d-----w- c:\documents and settings\Darryll\Application Data\Leadertech
2009-08-19 15:43 . 2009-08-19 15:41 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-19 15:42 . 2009-04-16 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-06-17 16:07 . 2009-06-17 16:07 23 --sha-w- c:\windows\system32\edacded0.dat
2009-04-22 15:57 . 2009-04-21 22:40 543008 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-04-22 15:57 . 2009-04-21 22:40 17952 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2009-05-30 768688]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-08-21 1306624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Darryll\My Documents\My Pictures\Wallpapers\Costa_Maritima_by_brunofiorani.jpg
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 17:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Darryll^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Darryll\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Documents and Settings\\Darryll\\Desktop\\mplayerc.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9323:TCP"= 9323:TCP:EKDiscovery
"9322:TCP"= 9322:TCP:EKDiscovery

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/11/2009 11:50 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/11/2009 11:50 AM 297752]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/19/2009 11:42 AM 10384]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [6/16/2009 2:44 PM 137344]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [6/16/2009 2:44 PM 12032]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 KodakSvc;Kodak AiO Device Service;"c:\program files\Kodak\printer\center\KodakSvc.exe" --> c:\program files\Kodak\printer\center\KodakSvc.exe [?]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 iANSMiniport;Intel(R) Advanced Network Services Virtual Adapter;c:\windows\system32\drivers\ianswxp.sys [11/12/2008 4:28 AM 115848]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [10/4/2009 5:22 PM 33792]
S3 VKeyboard;Virtual Keyboard Device;c:\windows\system32\drivers\VKeyboard.sys [10/4/2009 5:20 PM 302080]
S3 VMouse;Virtual Mouse;c:\windows\system32\drivers\VMouse.sys [10/4/2009 5:20 PM 303104]
S3 VPS3Joy;Virtual Playstation(3) Joystick;c:\windows\system32\drivers\VPS3Joy.sys [10/4/2009 5:20 PM 304128]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://extreme.rogers.yahoo.com/
uInternet Settings,ProxyServer = 120.28.64.69:8080
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: msn.com
Trusted Zone: msn.com\runonce
FF - ProfilePath - c:\documents and settings\Darryll\Application Data\Mozilla\Firefox\Profiles\rgk5jv7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://extreme.rogers.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 13:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-10-11 13:49
ComboFix-quarantined-files.txt 2009-10-11 17:49

Pre-Run: 39,131,656,192 bytes free
Post-Run: 39,169,015,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
218 --- E O F --- 2009-10-01 15:46
dmath1n is offline  
Old 10-11-2009, 12:30 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

Please run GMER rootkit scanner once again, using the same settings as before. Attach that log to your next reply, no need to zip it, thanks.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-11-2009, 03:11 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

Here is the most recent log from gmer.exe! Hope all is cleaned!
Attached Files
File Type: txt ark.txt (18.4 KB, 8 views)
dmath1n is offline  
Old 10-11-2009, 03:51 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

I'm looking into the logs, as what I see doesn't necessarily agree with what I might have expected.

Is the machine still being redirected?

Also, please do this....

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\atapi.sys" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.
tetonbob is offline  
Old 10-12-2009, 09:16 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

The system doesn't seem to be being redirected so far. Also, here is the log you requested!

-c----w- 95,360 2004-08-04 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
------w- 96,512 2008-04-14 04:10:32 C:\WINDOWS\ServicePackFiles\i386\atapi.sys
----a-w- 96,512 2008-04-14 04:10:32 C:\WINDOWS\system32\drivers\atapi.sys

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 288,384 Blocks: 565
dmath1n is offline  
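An added example, not part of this thread and not ComboFix's or PEV's own code. The PEV listing above compares the copies of atapi.sys by size and date: the live driver in system32\drivers and the ServicePackFiles\i386 reference copy agree exactly (96,512 bytes, 2008-04-14 04:10:32), while the $NtServicePackUninstall$ copy is the older pre-SP3 build (95,360 bytes, 2004). Equal size and date are not proof that the file is unmodified: a driver patched in place keeps its size, and a timestamp is trivially set. The Python below does the same walk over the copies and adds a SHA-256 comparison, classifying the live driver as matching a reference, matching on size only (the case that deserves the hands-on look the helper asks for next), or not matching at all. The Windows paths are the standard XP locations and are an assumption about this machine; demo() runs the check on constructed sample files in a temporary directory so it runs anywhere.

```python
"""Compare the on-disk copies of a Windows driver by size and SHA-256.
Added example; not the thread's, ComboFix's or PEV's code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Assumption: standard XP SP3 layout with %SystemRoot% = C:\WINDOWS. The live
# driver comes first; the others are reference copies left by Service Pack setup.
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"
REFERENCE_COPIES = [
    r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",     # SP3 build, should equal the live file
    r"C:\WINDOWS\system32\dllcache\atapi.sys",          # WFP cache; PEV found none on this machine
    r"C:\WINDOWS\$NtServicePackUninstall$\atapi.sys",   # pre-SP3 build, expected to differ
]


@dataclass
class CopyInfo:
    path: str
    size: int
    sha256: str


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    return CopyInfo(path, os.path.getsize(path), sha256_of(path))


def classify(live, refs):
    """'match'        live hash equals at least one reference copy
       'size_only'    a reference has the same size but a different hash:
                      what an in-place patch of the driver looks like
       'mismatch'     no reference agrees even on size
       'no_reference' nothing to compare against"""
    if not refs:
        return "no_reference"
    if any(r.sha256 == live.sha256 for r in refs):
        return "match"
    if any(r.size == live.size for r in refs):
        return "size_only"
    return "mismatch"


def compare_driver_copies(live_path, reference_paths):
    """Hash every copy that exists and classify the live driver."""
    live = describe(live_path)
    refs = [describe(p) for p in reference_paths if os.path.isfile(p)]
    return classify(live, refs), live, refs


def demo():
    """Constructed sample: three fake atapi.sys copies in a temp dir, sized like
    the ones in the PEV listing (96,512 and 95,360 bytes) but with dummy content.
    Flips one byte in the live copy and returns the verdict before and after."""
    with tempfile.TemporaryDirectory() as d:
        body = b"MZ" + b"\x00" * 96510                # 96,512 bytes of filler, not a real driver
        live = os.path.join(d, "drivers_atapi.sys")
        sp = os.path.join(d, "spfiles_atapi.sys")
        old = os.path.join(d, "uninstall_atapi.sys")
        for p, data in ((live, body), (sp, body), (old, body[:95360])):
            with open(p, "wb") as f:
                f.write(data)
        before = compare_driver_copies(live, [sp, old])[0]
        patched = bytearray(body)
        patched[0x400] ^= 0xFF                         # one byte changed: same name, same size
        with open(live, "wb") as f:
            f.write(patched)
        after = compare_driver_copies(live, [sp, old])[0]
    return before, after


if __name__ == "__main__":
    print(demo())   # ('match', 'size_only')
```

On the affected machine you would call compare_driver_copies(LIVE_DRIVER, REFERENCE_COPIES) instead of demo(); paths that do not exist are skipped, and a "size_only" verdict is the signal that the file itself, not just its directory entry, needs to be looked at.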
Old 10-12-2009, 10:16 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

I'd like to get a look at a file. I may be wrong to suspect it, but better to look and be wrong than to ignore it.

To do so, we'll use the Microsoft Windows Recovery Console, which should be a boot menu option when you start the machine.



Select the Recovery Console option. You'll see a screen like this:




Press the number 1 on your keyboard and hit Enter.

If there's a password on the Administrator account, type it now, and press Enter.

At the C:\Windows prompt, type the following, and press Enter:

copy C:\Windows\system32\drivers\atapi.sys C:\atapi.bak


You should see a message indicating one file copied.

Next, type exit at the prompt, and Windows will reboot.

Once back in normal Windows, please do this


  • Please visit this site:


    http://www.bleepingcomputer.com/subm....php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/420870-help-virus-trojen-password-stealer.html#post2386978

  • In the Browse to the file you want to submit: area, copy and paste this


    C:\atapi.bak

  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and let me know
tetonbob is offline  
Old 10-12-2009, 10:35 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

File sent successfully. I await further instructions. Thank you!!
dmath1n is offline  
Old 10-12-2009, 10:42 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

Thank you for uploading the file. It may take a little while to review it properly.

In the meantime, we can take care of a couple of things.

Your Java is out of date.

Java(TM) 6 Update 12 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.


---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------


Let me know if system behavior changes, please.
tetonbob is offline  
Old 10-12-2009, 03:25 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

In addition to the instruction in my previous post, please do this:

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
tetonbob is offline  
Old 10-13-2009, 10:14 AM   #16 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

Below is the ComboFix log and attached is the Kaspersky log. As you can see, I stopped the virus scanner because it started to scan other drives, but it had finished scanning the main drive C.
The computer seems to be running fine. Can you let me know how it is looking?

2009-10-11 14:58:58 . 2009-10-11 17:46:09 7,175 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-10-11 14:17:27 . 2009-10-11 14:17:27 1,653 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_gasfkypxradpet.reg.dat
2009-10-11 14:16:02 . 2009-10-11 17:42:07 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-10-09 21:43:19 . 2009-10-09 21:58:18 2,528 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nk.dat.vir
2009-10-09 21:35:58 . 2009-10-09 21:35:58 13,312 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkylhdlhcno.dll.vir
2009-10-09 17:35:56 . 2009-10-09 17:35:57 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynxntgqqa.dll.vir
2009-10-09 13:35:54 . 2009-10-09 13:35:54 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybqhxijoq.dll.vir
2009-10-08 21:18:43 . 2009-10-08 21:18:43 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\idm.dat.vir
2009-10-08 21:18:43 . 2009-10-08 21:18:43 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\c2d.dat.vir
2009-10-08 17:55:28 . 2009-10-08 17:55:28 13,312 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyfaabsiee.dll.vir
2009-10-04 21:53:06 . 2009-10-04 21:53:06 1,400,320 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\24d2bd.msi.vir
2009-09-19 09:14:14 . 2009-10-11 14:02:59 43 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyuvbbtrgt.dat.vir
2009-09-19 09:14:14 . 2009-09-21 14:44:04 21,504 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyaiaqaeby.dll.vir
2009-09-19 09:09:11 . 2009-09-19 09:09:12 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkystxcuipv.dll.vir
2009-09-19 09:09:11 . 2009-10-11 14:02:59 71,753 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkycjkxabwk.dat.vir
2009-09-19 09:09:10 . 2009-09-19 09:09:10 45,568 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkywsrdsfot.dll.vir
2009-09-19 09:09:10 . 2009-09-19 09:09:10 71,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyirfcukfu.sys.vir
2008-01-09 19:01:48 . 2008-01-09 19:01:48 32 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\bdcore.dll.vir
2008-01-09 19:01:48 . 2008-01-09 19:01:48 32 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\libfn.dll.vir
Attached Files
File Type: txt Kaspersky.txt (2.0 KB, 3 views)
dmath1n is offline  
Old 10-13-2009, 10:32 AM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

Hi -

Scanning an external drive from time to time is not a bad idea, though of course it can add quite a bit of time to the scan. The items Kaspersky found are in ComboFix quarantine, or System Restore's cache, and will be addressed before we're done, which should be shortly.

As you're telling me the machine is running fine, that's a good thing. If you don't mind, I'd like you to run one more tool, to help us further understand some of the information we're seeing in the previous logs. It may help other users in the future. It should only take a few minutes. Thanks.

Please download mbr.exe from here to your desktop.


Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Service name as given by the helper; if it is not installed, sc reports
REM "OpenService FAILED 1060" and the batch simply carries on to the scan.
sc config spcz.sys start= disabled
REM Needs nircmd.exe next to this file (or on PATH); waits 700 ms.
nircmd wait 700
REM Gmer's MBR / disk-stack check; writes mbr.log in the current folder.
mbr.exe -t
start mbr.log
REM Remove this batch file after it has run.
del %0
Save this as peek.bat. Choose "Save type as - All Files".
It should look like this:
Place peek.bat next to mbr.exe & then double click to run it. A log file should open

Please post the contents of that logfile.
tetonbob is offline  
Old 10-13-2009, 10:48 AM   #18 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

Here are the results of peek.bat

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I had noticed an error, so I ran the file in cmd mode and got the info below!

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
dmath1n is offline  
Old 10-13-2009, 02:47 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


Re: Help! Virus/Trojen Password stealer?

The log does not appear to have produced expected results.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Gmer's MBR / disk-stack check, run on its own this time; writes mbr.log.
mbr.exe -t
start mbr.log
REM Remove this batch file after it has run.
del %0
Save this as look.bat. Choose "Save type as - All Files".
It should look like this:
Place look.bat next to mbr.exe & then double click to run it.

Post back to tell me what it says.

Also, did you formerly have DAEMON Tools installed on this machine? I don't see it in the installed programs list.
tetonbob is offline  
Old 10-13-2009, 06:08 PM   #20 (permalink)
Registered User
 
Join Date: Aug 2003
Location: Toronto ontario canada
Posts: 25
OS: winxp


Re: Help! Virus/Trojen Password stealer?

Here is the log as requested! Hope this clears it all up! Yes, I did have DAEMON Tools installed.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxf.sys >>UNKNOWN [0x86F8A938]<<
kernel: MBR read successfully
user & kernel MBR OK

Last edited by dmath1n; 10-13-2009 at 06:14 PM.
dmath1n is offline  
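An added example, not from the thread and not Gmer's code. The two mbr.exe logs above differ in one line. The first run (peek.bat) has no "called modules" line at all, which is what the helper meant by the log not producing the expected results. The second run lists the drivers in the disk I/O path and ends with >>UNKNOWN [0x86F8A938]<<, code in the disk stack that mbr.exe cannot attribute to a named module, with spxf.sys, which is not part of a stock XP IDE stack, immediately before it. An entry like that needs an explanation before the machine is called clean, and legitimately installed low-level software is the first thing to rule out; the ComboFix log earlier lists DAEMON Tools Lite and sptd.sys, and the thread's next question is whether DAEMON Tools was installed. The Python below parses mbr.exe output and turns it into a list of findings: MBR read failures, user/kernel MBR disagreement, a missing module chain, unnamed hooks, and any module outside a baseline. The baseline set is my assumption about a clean XP IDE/ATAPI stack, not something mbr.exe defines; the sample logs are the two pasted above.

```python
"""Parse Gmer mbr.exe output (as pasted in this thread) and list the
conditions a responder checks for. Added example; not Gmer's code."""
import re

# Assumption: what a stock XP IDE/ATAPI disk stack calls. Anything else in
# the chain (a third-party filter, an oddly named driver, an unnamed hook)
# needs an explanation before the machine is called clean.
BASELINE_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "acpi.sys", "atapi.sys", "pciide.sys", "pciidex.sys", "partmgr.sys",
}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Sample input: the two logs posted in the thread, reproduced here verbatim.
LOG_CLEAN = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_WITH_HOOK = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxf.sys >>UNKNOWN [0x86F8A938]<<
kernel: MBR read successfully
user & kernel MBR OK
"""


def parse_mbr_log(text):
    """Return a dict of the facts the log states."""
    r = {"device_ok": False, "user_mbr_ok": False, "kernel_mbr_ok": False,
         "mbr_consistent": False, "chain_present": False,
         "called_modules": [], "unknown_hooks": [], "unexpected_modules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("device:"):
            r["device_ok"] = "opened successfully" in line
        elif line.startswith("user:"):
            r["user_mbr_ok"] = "read successfully" in line
        elif line.startswith("kernel:"):
            r["kernel_mbr_ok"] = "read successfully" in line
        elif line.startswith("called modules:"):
            chain = line[len("called modules:"):]
            r["chain_present"] = True
            r["unknown_hooks"] = UNKNOWN_RE.findall(chain)          # unnamed code, by address
            r["called_modules"] = UNKNOWN_RE.sub(" ", chain).split()  # named drivers only
            r["unexpected_modules"] = [m for m in r["called_modules"]
                                       if m.lower() not in BASELINE_MODULES]
        elif line == "user & kernel MBR OK":
            r["mbr_consistent"] = True
    return r


def findings(text):
    """Human-readable list of things to follow up; empty means nothing flagged."""
    r = parse_mbr_log(text)
    out = []
    if not (r["device_ok"] and r["user_mbr_ok"] and r["kernel_mbr_ok"]):
        out.append("MBR could not be read from both user and kernel mode")
    elif not r["mbr_consistent"]:
        out.append("user-mode and kernel-mode views of the MBR differ")
    if not r["chain_present"]:
        out.append("no 'called modules' line: the disk-stack chain was not reported")
    for addr in r["unknown_hooks"]:
        out.append(f"unnamed code in the disk stack at {addr}")
    for mod in r["unexpected_modules"]:
        out.append(f"module outside the baseline disk stack: {mod}")
    return out


if __name__ == "__main__":
    for name, log in (("first run", LOG_CLEAN), ("second run", LOG_WITH_HOOK)):
        print(name, "->", findings(log) or ["nothing flagged"])
```

A "module outside the baseline" finding is a prompt to identify the driver, not a verdict; an unnamed hook address, on the other hand, is something mbr.exe itself could not attribute, and is the entry to chase down first.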
 


All times are GMT -7. The time now is 05:11 PM.



Copyright 2001 - 2009, Tech Support Forum