Defender-Review/ Trojan.Zlob

Hi I need help. I got infected with a nasty that hi-jacked the browser to defender-review.com repeatedly telling me i was infected with a trojan and that i needed to buy there fake anti-virus software. Anyway after a while that stopped and now i can't access the internet at all i am not sure but i think maybe one of the anti-virus or anti-spyware programs i have used found and deleted only part of the problem and has left me with no internet access and no visible sign of the infection anymore. Also would be appreciated if you could suggest which anti-spyware programs to keep and which aren't worth bothering with.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:19, on 07/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WUSB54GPv4] C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 6621 bytes


Thanks,

Pyroduggs

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

---

Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

Hi Panda,

I've not made any changes since last post symptoms are simply that the internet is completely blocked there are no signs of the infection as far as i can see so hopefully thats where you come in. See log below and attached.

Thanks,

Pyroduggs


DDS (Ver_09-01-07.01) - NTFSx86
Run by family at 17:29:45.37 on 12/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.591 [GMT 0:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
E:\dds.com

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
mStart Page = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [WUSB54GPv4] c:\program files\wireless-g portable usb adapter wireless network monitor\InvokeSvc3.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\i85ousbt.default\
FF - prefs.js: browser.search.selectedEngine - eBay.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 4096]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-5-24 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-5-24 27776]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-5-24 3968]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-5-24 10760]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 204800]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-5-24 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-5-24 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-5-24 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-5-24 4960]
R4 WUSB54GPv4SVC;WUSB54GPv4SVC;c:\program files\wireless-g portable usb adapter wireless network monitor\WLService.exe [2008-5-7 41025]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-21 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-21 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-21 81288]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-21 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-21 1073544]

=============== Created Last 30 ================

2009-01-07 17:26 161,792 a------- c:\windows\SWREG.exe
2009-01-07 17:26 98,816 a------- c:\windows\sed.exe
2009-01-02 15:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-02 15:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-02 15:10 <DIR> --d----- c:\docume~1\family\applic~1\SUPERAntiSpyware.com
2009-01-02 14:56 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-01-02 14:56 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-01-02 14:56 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-01-02 14:56 75,264 a------- c:\windows\system32\unacev2.dll
2009-01-02 14:56 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-01-02 14:56 <DIR> --d----- c:\program files\Trojan Remover
2009-01-02 14:56 <DIR> --d----- c:\docume~1\family\applic~1\Simply Super Software
2009-01-02 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-01-02 11:29 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-21 20:00 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-21 20:00 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-21 20:00 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 20:00 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-21 20:00 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-21 20:00 <DIR> --d----- c:\docume~1\family\applic~1\PC Tools

==================== Find3M ====================

2008-11-17 20:22 737,280 a------- c:\windows\iun6002.exe
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll

============= FINISH: 17:30:02.17 ===============

Hello pyroduggs.

Please uninstall AVG7 using Add/Remove Programs because it is outdated. We will install a new antivirus later.

Download and Run ComboFix
If the computer cannot download the file directly, transfer it.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
• Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
• If you did not have it installed, you will see the prompt below. Choose YES.
  
  
  
• When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  
• When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

---

With Regards,
The Panda

Recovery console is not installed so what do i do without an active internet connection?
Also do i remove user settings and objects in virus vault when removing avg?

Edited by pyroduggs, 18 January 2009 - 05:36 PM.

Hello.

Go ahead without the Recovery Console.

The vault and settings don't matter. Might as well remove them.

With Regards,
The Panda

Hi Panda,

Here is the combofix report, sorry bout the delay between posts i have limited access to this laptop.

Regards,

Pyroduggs


ComboFix 09-01-06.02 - family 2009-01-20 22:14:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.677 [GMT 0:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-18 22:49 . 2009-01-18 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-02 15:10 . 2009-01-02 15:10 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 15:10 . 2009-01-02 15:10 <DIR> d-------- c:\documents and settings\family\Application Data\SUPERAntiSpyware.com
2009-01-02 15:10 . 2009-01-02 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-02 14:56 . 2009-01-02 14:56 <DIR> d-------- c:\program files\Trojan Remover
2009-01-02 14:56 . 2009-01-02 14:56 <DIR> d-------- c:\documents and settings\family\Application Data\Simply Super Software
2009-01-02 14:56 . 2009-01-02 14:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-01-02 14:56 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-01-02 14:56 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-01-02 14:56 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-01-02 14:56 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-01-02 14:56 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-01-02 11:29 . 2009-01-02 11:29 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-21 20:00 . 2008-12-21 20:02 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-21 20:00 . 2008-12-21 20:00 <DIR> d-------- c:\documents and settings\family\Application Data\PC Tools
2008-12-21 20:00 . 2009-01-02 15:02 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 20:00 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-21 20:00 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-21 20:00 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 20:00 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 22:12 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-02 16:05 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-02 15:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-12 21:02 --------- d-----w c:\documents and settings\family\Application Data\dvdcss
2008-12-10 21:47 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-10 21:46 --------- d-----w c:\program files\Lavasoft
2008-12-10 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 21:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-10 19:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-09 02:07 --------- d-----w c:\documents and settings\family\Application Data\Ahead
2008-12-08 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-08 23:24 --------- d-----w c:\program files\DVD Shrink
2008-12-08 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-08 22:59 --------- d-----w c:\program files\Common Files\Ahead
2008-12-08 22:57 --------- d-----w c:\program files\Nero
2008-12-08 22:57 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-24 19:47 --------- d-----w c:\program files\Avi2Dvd
2008-11-24 19:42 --------- d-----w c:\program files\AviSynth 2.5
2008-11-24 19:27 --------- d-----w c:\program files\DVD Decrypter
2008-11-24 17:59 --------- d-----w c:\documents and settings\family\Application Data\vlc
2008-11-23 21:39 --------- d-----w c:\program files\VideoLAN
2008-11-23 19:33 --------- d-----w c:\documents and settings\family\Application Data\LimeWire
2008-11-23 19:00 --------- d-----w c:\program files\BitComet
2008-11-23 18:56 --------- d-----w c:\program files\LimeWire
2008-11-17 20:22 737,280 ----a-w c:\windows\iun6002.exe
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-11-14 19:09 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-14 19:09 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-14 19:09 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-14 19:09 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-14 19:09 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_17.36.59.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-18 22:50:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_768.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"WUSB54GPv4"="c:\program files\Wireless-G Portable USB Adapter Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-14 86016]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-12-10 1230728]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-05-24 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2007-02-14 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background
"kdx"=c:\program files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"4oD"="c:\program files\Kontiki\KHost.exe" -all
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26212:TCP"= 26212:TCP:BitComet 26212 TCP
"26212:UDP"= 26212:UDP:BitComet 26212 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 WUSB54GPv4SVC;WUSB54GPv4SVC;c:\program files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe [2008-05-07 41025]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-21 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-07 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\family\Application Data\Mozilla\Firefox\Profiles\i85ousbt.default\
FF - prefs.js: browser.search.selectedEngine - eBay.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 22:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-20 22:15:53
ComboFix-quarantined-files.txt 2009-01-20 22:15:47
ComboFix2.txt 2009-01-07 17:37:45

Pre-Run: 115,478,888,448 bytes free
Post-Run: 115,468,328,960 bytes free

164 --- E O F --- 2008-12-10 03:03:11

Hello.

Please delete your copy of ComboFix and download a new copy. Save ComboFix to the Desktop before running it. Run GMER after ComboFix.

Before running ComboFix again, make sure TeaTimer is disabled.
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.

• Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select Advanced Mode.
• On the left hand side, Click on Tools.
• Click on the Resident icon in the list.
• Uncheck Resident TeaTimer and OK any prompts.
• Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
  The file should take only a second to finish. Delete this file after use.

Restart your computer for the changes to take affect.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2

• Right click on GMER.zip and select "Extract All".
• Close all other open programs as there is a slight chance your computer will crash.
• Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
• You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
• Leaving the settings at default, click Scan.
• When the scan is complete, click Save and save the log onto your desktop.

Please include the log in your next reply.

With Regards,
The Panda

Not sure whether you needed the new combolog so i've attached it just in case.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-21 00:09:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7F488AC]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4B49F20]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- EOF - GMER 1.0.14 ----

Hello.

Let's try to repair the Internet connection.

Click on the Start button.
Click on the Settings menu option.
Click on the Control Panel option.
When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it. Click on the Repair menu option.
Let the repair process perform its tasks.
---
If this does not repair the connection..
---
This tool should only be used on Windows NT4, 2000, and XP (and variants). Use on any other operating system may cause serious damage.

• Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
• Copy the file to the desktop on the damaged computer.
• Double click on [b] on your desktop.
• Push the button.
• Allow your system to reboot.

Please let me know if your connection is restored in your next reply
---
Tell me how it goes.

With Regards,
The Panda

Brilliant the winsock fix has done just that. So is that it for fixes? Just the anti-virus and firewall to sort?

Hello pyroduggs.

Glad we got connnection back.

Since you were infected before, let's get an online scan off to make sure everything is gone.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.

• It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
• Go to F-Secure Online Scanner
• Follow the instructions here for installation.
• Accept the License Agreement.
• Once the ActiveX installs, click Full System Scan
• Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and copy the entire report in your next reply.
• Be sure to re-enable any security programs.

---

With Regards,
The Panda

Scanning Report
Wednesday, January 21, 2009 21:11:12 - 22:01:20

Computer name: HOMEXP
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 2 malware found
RemoteAdmin.Win32.WinVNC (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

Statistics
Scanned:

* Files: 52361
* System: 3125
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\FAMILY\APPLICATION DATA\AHEAD\XEROS.EXE

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 2.8.8110, 2009-01-21
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure AVP: 7.0.171, 2009-01-21

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Hello.

Looks good. Unless you have any problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.

• Click on your Start Menu, then Run....
• Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  

Uninstalling ComboFix will do the following:

• Delete ComboFix and its components from your computer.
• Delete other tools commonly used during the malware removal process.
• Reset clock settings to standard format.
• Hide file extensions and hidden/system files.
• Clear the System Restore cache and create new a restore point.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections:

• So How did I get infected?
• Microsoft - 'Security at home'

For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

---

Do you have any further questions or concerns?

With Regards,
The Panda

No thats brilliant thank you very much you guys do a great job here. Only other question would be what would you recommend as the best free anti-virus, firewall and anti-spyware.

Thanks again,

Pyroduggs