WinPC Antivirus and uacinit.dll nagging issues


  • This topic is locked
14 replies to this topic

#1 dagrunster

dagrunster

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:51 AM

Posted 30 May 2009 - 10:33 AM

Good Morning.

A few days ago, another user was accessing MySpace on my PC and it somehow wound up with WinPC Antivirus installed on it. I do not use IE, only Firefox, but apparently I forgot to install the NOSCRIPT plugin for Firefox on the login that was used. I recognized WinPC AV immediately as some sort of spyware on my PC. I did some research on it and wound up using MBAM and Super Anti Spyware, only after renaming them because they wouldn't run normally. Eventually I was able to get rid of most of it. The uacinit.dll is giving me a problem, though. The software says it will remove it after reboot (which I have done in Normal AND Safe mode for Windows) but it is still there. I cannot open SUPERAntiSpyware on my PC now in normal mode. I also notice that iexplore.exe is running in my task manager with no application open, and it even comes back when I end the process (in normal mode). Currently the PC is running in Safe mode without networking, and I am posting this from a clean PC and using a thumb drive to transfer the needed files to it.

Any help is extremely appreciated! I am attaching all the logs I have to give more info, and eagerly await a reply.



DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by Administrator at 11:24:52.40 on Sat 05/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1776 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\Tricky_time.exe" /runcleanupscript
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]
S2 adpgha;adpgha;c:\windows\system32\drivers\fwnjmxi.sys --> c:\windows\system32\drivers\fwnjmxi.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S2 ndghi;ndghi;c:\windows\system32\drivers\nvyftadl.sys [2009-5-29 61440]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 xctiqphm;xctiqphm;c:\windows\system32\drivers\cbawxfk.sys [2009-5-30 61440]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]

=============== Created Last 30 ================

2009-05-30 10:52 61,440 a------- c:\windows\system32\drivers\cbawxfk.sys
2009-05-29 23:18 61,440 a------- c:\windows\system32\drivers\nvyftadl.sys
2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-29 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-05-28 14:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP
2009-05-28 10:58 164 a------- c:\windows\install.dat
2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini
2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2009-05-29 22:52 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-26 15:48 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-26 15:47 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 17:19 41,808 a------- c:\windows\system32\xfcodec.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-01 14:09 75,064 a------- c:\windows\system32\PnkBstrA.exe

============= FINISH: 11:25:26.39 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/17/2006 1:21:58 PM
System Uptime: 5/30/2009 10:53:01 AM (1 hours ago)

Motherboard: Intel Corporation | | D945PVS
Processor: Intel® Pentium® D CPU 3.20GHz | J3E1 | 3200/200mhz
Processor: Intel® Pentium® D CPU 3.20GHz | J3E1 | 3200/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 73.53 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 256.623 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 466 GiB total, 417.781 GiB free.
G: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


µTorrent
ABBYY FineReader 5.0 Sprint
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
APC PowerChute Personal Edition
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
AVG Free 8.5
Battlefield 2™
Battlefield 2: Special Forces
Battlestar Galactica
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Patch
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
ConvertXtoDVD 3.3.2.100
Creative Audio Control Panel
Creative Console Launcher
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
Crysis®
Data Lifeguard Tools
Diskeeper Professional Edition
DivX Codec
DivX Converter
DivX Player
DivX Web Player
dMC AccurateRip
dvdSanta 4.00
Elite Force Engine Patch
Elite Force Map Search
Enemy Territory - QUAKE Wars™
Exact Audio Copy 0.95b4
FEAR
FLAC 1.2.0a (remove only)
FMS
Foxit Reader
Fraps
Free M4a to MP3 Converter 5.9
GIMP 2.4.5
Google Earth
Google Update
GTK+ 2.10.6-1 runtime environment
GTK+ Runtime 2.10.11 rev b (remove only)
Half-Life 2: Lost Coast
Half-Life® 2
HijackThis 2.0.2
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
ImageEditor
Intel® Integrator Toolkit
Intel® PRO Network Connections 11.2.0.69
ioUrbanTerror 1.0
J2SE Runtime Environment 5.0 Update 6
Lexmark 3100 Series
Logitech Harmony Remote Software 7
Magic ISO Maker v5.5 (build 0274)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Premium
neroxml
OpenAL
PartitionMagic
PlexTools Professional V2.20
PowerQuest PartitionMagic 8.0
PunkBuster Services
Quake 4™
Quake 4™ 1.3 Patch
RCA Detective™ 2.0.0.98
RCA easyRip™ 1.4.6.0
RCA easyRip™ 2.0.8.0
Real Alternative 1.52
Remote Control USB Driver
Roxio DVDMax Player
Samsung PC Studio PIM & File Manager 1.0
Sansa Updater
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Skins
Software Update for Web Folders
Sound Blaster X-Fi
Spybot - Search & Destroy
Star Trek Voyager Elite Force
Steam™
SUPERAntiSpyware Free Edition
TeamSpeak 2 RC2
Trepidation
Unix Utilities for Yahoo! Widgets
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Urban Terror 4.0
VC 9.0 Runtime
Ventrilo Client
VideoLAN VLC media player 0.8.6a
Volume Panel
WD Diagnostics
WinAVI MP4 Converter
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB885884
WinRAR archiver
World of Padman
Xfire (remove only)
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Widgets
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

5/29/2009 5:30:33 PM, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
5/29/2009 12:36:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant
5/29/2009 11:10:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/29/2009 11:10:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/28/2009 4:10:45 PM, error: Service Control Manager [7000] - The adpgha service failed to start due to the following error: The system cannot find the file specified.
5/28/2009 2:40:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
5/28/2009 11:27:08 AM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
5/28/2009 1:17:28 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
5/28/2009 1:10:20 PM, error: Service Control Manager [7031] - The ASKService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/28/2009 1:07:56 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SSIDRV\0000 disappeared from the system without first being prepared for removal.
5/28/2009 1:07:56 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
5/28/2009 1:07:56 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BBC\0000 disappeared from the system without first being prepared for removal.
5/27/2009 6:47:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1c9898942ef6a62) service to connect.
5/27/2009 6:47:47 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1c9898942ef6a62) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/27/2009 6:05:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/27/2009 5:10:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/27/2009 5:06:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/27/2009 5:03:04 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
5/27/2009 5:03:04 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 5:03:04 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 5:03:04 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 5:03:04 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 5:03:04 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/27/2009 4:36:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
5/27/2009 4:30:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
5/25/2009 11:26:38 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

==== End Of File ===========================

Malwarebytes' Anti-Malware 1.37
Database version: 2192
Windows 5.1.2600 Service Pack 2

5/30/2009 10:50:50 AM
mbam-log-2009-05-30 (10-50-50).txt

Scan type: Quick Scan
Objects scanned: 107689
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
=============================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:40 AM, on 5/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Tricky_time.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Update Service (gupdate1c9898942ef6a62) (gupdate1c9898942ef6a62) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6279 bytes

#2 dagrunster

dagrunster
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Florida

Posted 30 May 2009 - 11:57 AM

Screen shot of the end result

Attached Files

  • Attached File: MBAM.JPG (82.67KB)


#3 Net_Surfer

Net_Surfer
  • Banned
  • 2,154 posts
  • Gender:Male

Posted 30 May 2009 - 04:02 PM

Hello dagrunster, and :) to Bleeping Computer Forums. My nick is Net_Surfer and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so I can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Please note that whatever repairs we make are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS and HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.


Ok.. dagrunster, please observe these rules while we work:
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.
  • Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time so I can review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks for waiting.
Kind regards
Net_Surfer

:thumbup2:

#4 dagrunster

dagrunster
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Florida

Posted 30 May 2009 - 04:28 PM

Excellent, Thank You.

#5 Net_Surfer

Net_Surfer
  • Banned
  • 2,154 posts
  • Gender:Male

Posted 02 June 2009 - 06:35 PM

Hello dagrunster.

Thanks for waiting and for taking my advice not to try anything on your own! :thumbup2:

Ok.. dagrunster, please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.
  • Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
If you can do these things, everything should go smoothly. :)

:cool: <-- P2P Warning --> :)

Going over your logs I noticed that you have: <--> uTorrent <--> installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall: <--> uTorrent <-->, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please follow these instructions carefully.

If you cannot download and run the following tools, then I would like for you to try another approach.

If you have the use of another computer, please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

Step #1.

Please download ComboFix by sUBs from one of these locations:
WARNING: This tool is not a toy and not for everyday use!!!

Link 1
Link 2
Link 3

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your DESKTOP**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • *Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Please insert all usb-drives before running Combofix
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click the ComboFix icon on your desktop & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message; image not reproduced]


Click on Yes, to continue scanning for malware.
  • Leave your computer alone while ComboFix is running. Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    ComboFix will restart your computer if malware is found; allow it to do so.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
Notes:
ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

-----------------------------------------------------------

A word of warning: *If you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.

Combofix is a very complex and dangerous tool. It is not a one-size-fits-all tool and it does not automatically remove what needs to be removed by itself. It is like a scalpel in the hands of a surgeon. A surgeon can remove exactly what is needed and no more, while an untrained person would either cut too much or not enough.

Combofix is powerful enough to be able to render your computer unbootable if used wrongly, or to leave your computer infected if you do not know what you are doing.

ComboFix SHOULD NOT be used unless requested by a forum helper

-----------------------------------------------------------

Step #2.

Please re-scan with DDS and post the log.

Summary of the logs I will need in your next reply:
  • The ComboFix log, located at: "C:\ComboFix.txt"
  • The DDS log.
And a description of remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)

#6 dagrunster

dagrunster
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Florida

Posted 03 June 2009 - 09:41 AM

As requested:
ComboFix log
ComboFix 09-06-01.03 - Administrator 06/03/2009 10:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1582 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joey\Application Data\inst.exe
c:\windows\system32\drivers\UACkpurwlwjqsjkfnu.sys
c:\windows\system32\drivers\UACmuwqpucfqxexnkf.sys
c:\windows\system32\UACgvqvqemxuiajkia.dll
c:\windows\system32\UACjpyputabtxevhop.dll
c:\windows\system32\UACkhnbxkodpcwfqdb.log
c:\windows\system32\UACmchutyqjbdfcekx.dll
c:\windows\system32\UACnxixlsnuungsorr.log
c:\windows\system32\UACrmwjamfesderoxw.log
c:\windows\system32\uacsr.dat
c:\windows\system32\UACufwcmokxfmnyxgv.dat
c:\windows\system32\UACuulusipvebdmsxw.dll
c:\windows\system32\UACvakdnkfgotacnky.dll
c:\windows\system32\UACvxoascnutmtnftu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- C:\rsit
2009-06-02 00:36 . 2009-06-02 00:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PunkBuster
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-05-30 02:52 . 2009-05-30 02:52 -------- d-----w- c:\program files\Trend Micro
2009-05-30 00:23 . 2009-03-02 15:24 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 14:43 . 2009-06-01 22:53 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-28 19:34 . 2009-05-28 19:34 -------- d-----w- c:\documents and settings\Tammy\Application Data\Malwarebytes
2009-05-28 18:58 . 2009-05-28 18:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-28 18:40 . 2009-05-28 18:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-05-28 18:37 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 18:37 . 2009-05-28 18:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 18:37 . 2009-05-28 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 18:37 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\program files\MSSOAP
2009-05-28 14:58 . 2009-05-28 14:58 164 ----a-w- c:\windows\install.dat
2009-05-28 14:40 . 2009-05-28 14:40 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-28 14:39 . 2009-05-28 14:40 -------- d-----w- c:\documents and settings\Tammy\.housecall6.6
2009-05-23 17:16 . 2009-05-23 17:16 -------- d-----w- c:\documents and settings\Tammy\Application Data\Ahead
2009-05-23 17:15 . 2009-05-28 13:16 -------- d-----w- c:\documents and settings\Tammy\Local Settings\Application Data\Ahead
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-19 13:56 . 2009-05-07 21:31 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 13:56 . 2009-05-07 21:31 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 13:56 . 2009-05-07 21:31 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 13:56 . 2009-05-07 21:31 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 13:56 . 2009-05-07 21:31 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 13:56 . 2009-05-07 21:31 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 13:56 . 2009-05-07 21:31 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 13:55 . 2009-05-07 16:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 13:55 . 2009-05-07 16:36 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-18 01:10 . 2009-05-18 01:10 -------- d-----w- c:\documents and settings\Joey\Local Settings\Application Data\Ahead
2009-05-18 01:08 . 2009-05-18 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-05-18 01:07 . 2009-05-18 01:08 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-18 01:07 . 2009-05-18 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-17 13:55 . 2009-05-07 21:31 3399960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 13:55 . 2009-05-07 21:31 2302232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-10 16:50 . 2009-05-10 16:59 107832 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrB.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 03:01 . 2007-11-18 23:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-03 03:01 . 2006-10-22 04:18 -------- d-----w- c:\program files\Lavasoft
2009-06-03 02:55 . 2006-10-22 04:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-02 13:55 . 2009-01-12 18:04 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-02 13:55 . 2007-08-26 14:31 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-02 13:54 . 2007-09-28 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-06-02 13:45 . 2007-01-15 22:44 -------- d-s---w- c:\program files\Xfire
2009-05-30 01:15 . 2008-07-23 17:22 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2009-05-30 01:05 . 2007-07-02 00:17 -------- d-----w- c:\program files\Pidgin
2009-05-29 14:06 . 2006-10-22 04:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-29 01:56 . 2006-10-22 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 17:19 . 2009-05-28 17:19 60616 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_05_28_13_12_47_small.dmp.zip
2009-05-27 02:08 . 2008-03-15 22:47 -------- d-----w- c:\documents and settings\Tammy\Application Data\Move Networks
2009-05-27 02:00 . 2008-01-28 17:49 17849522 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-26 22:02 . 2007-11-07 18:01 169936 ----a-w- c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\vzayxgni.default\FlashGot.exe
2009-05-26 21:23 . 2006-10-22 04:17 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-26 21:00 . 2007-06-25 22:53 -------- d-----w- c:\documents and settings\Tammy\Application Data\Xfire
2009-05-22 18:49 . 2007-06-01 17:03 -------- d-----w- c:\documents and settings\Joey\Application Data\Xfire
2009-05-19 13:06 . 2006-12-31 03:46 -------- d-----w- c:\documents and settings\Joey\Application Data\uTorrent
2009-05-18 15:02 . 2007-02-20 00:10 -------- d-----w- c:\documents and settings\Joey\Application Data\Ahead
2009-05-18 00:34 . 2009-01-02 01:56 -------- d-----w- c:\documents and settings\Joey\Application Data\Vso
2009-05-14 15:20 . 2009-05-14 15:21 542720 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-07 21:31 . 2008-06-17 17:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 21:31 . 2007-10-31 22:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 14:03 . 2009-05-03 14:05 637440 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-05-03 14:03 . 2009-05-03 14:05 2433536 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-04-30 01:07 . 2009-04-30 01:56 2433024 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-04-25 13:39 . 2009-04-25 13:39 -------- d-----w- c:\documents and settings\Tammy\Application Data\WeatherBug
2009-04-20 18:41 . 2009-04-20 21:22 2643968 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-04-20 18:41 . 2009-04-20 21:22 2401280 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-04-17 12:01 . 2008-06-17 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-04-06 01:30 . 2009-04-06 01:29 -------- d-----w- c:\program files\MagicISO
2009-04-06 01:23 . 2009-04-06 01:23 -------- d-----w- c:\program files\MagicDisc
2009-04-06 01:11 . 2007-03-03 01:58 -------- d-----w- c:\program files\dvdSanta
2009-04-02 19:15 . 2008-08-15 02:10 34 ----a-w- c:\documents and settings\Guest\jagex_runescape_preferences.dat
2009-03-09 15:34 . 2009-03-30 23:26 971776 ----a-w- c:\documents and settings\Tammy\Application Data\Mozilla\Firefox\Profiles\4j9kjw4y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-03-06 14:00 . 2004-08-04 04:56 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-17 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]

c:\documents and settings\Joey\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-5 576000]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-4-5 221247]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 21:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk.disabled
backup=c:\windows\pss\PlexTools Professional.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joey^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Joey\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"RemoteControl"=c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe"
"LXBRKsk"=c:\progra~1\LEXMAR~1\LXBRKsk.exe
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" /logon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\World of Padman\\wop.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 1:05 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2008 1:05 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 1:05 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 1:05 PM 298776]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S2 adpgha;adpgha;c:\windows\system32\drivers\fwnjmxi.sys --> c:\windows\system32\drivers\fwnjmxi.sys [?]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2009 9:04 PM 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 1:11 PM 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/25/2008 3:06 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [5/29/2009 8:23 PM 30136]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\Ufasoft\Sniffer\usft_sn4.sys --> c:\program files\Ufasoft\Sniffer\usft_sn4.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 01:04]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 10:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 10:11
ComboFix-quarantined-files.txt 2009-06-03 14:11

Pre-Run: 76,785,184,768 bytes free
Post-Run: 77,152,145,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

270 --- E O F --- 2009-05-18 15:16
========================================

DDS log

DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 10:32:30.28 on Wed 06/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1503 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
RUnknown ecemfx;ecemfx; [x]
S2 adpgha;adpgha;c:\windows\system32\drivers\fwnjmxi.sys --> c:\windows\system32\drivers\fwnjmxi.sys [?]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]

=============== Created Last 30 ================

2009-06-03 09:32 <DIR> a-dshr-- C:\cmdcons
2009-06-02 23:16 161,792 a------- c:\windows\SWREG.exe
2009-06-02 23:16 154,624 a------- c:\windows\PEV.exe
2009-06-02 23:16 98,816 a------- c:\windows\sed.exe
2009-06-02 23:16 <DIR> --ds---- C:\ComboFix
2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-29 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-05-28 14:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP
2009-05-28 10:58 164 a------- c:\windows\install.dat
2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:51 41,808 a------- c:\windows\system32\xfcodec.dll
2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini
2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2009-06-02 22:55 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-02 09:55 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-02 09:55 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 10:32:51.34 ===============

Did you also need the attach log from DDS?

After posting the logs, I tested the PC and it seemed a bit laggy. I was playing COD4. Not sure if it is malware again or if it was updating since being disconnected for days. I also noticed that Google Installer kept asking for access in ZoneAlarm. Maybe I am paranoid, but it seems a bit twitchy still. Should I disconnect the ethernet cable until we are done? I had to connect it for combofix to install the Recovery Console.

Question: what about my external drives? Do I need to worry about those or does the infection I have (had) concentrate itself on the C: drive? The only thing that wasn't connected when I ran combofix was my 500GB external. There is also a D: drive on the system that WAS connected.

:thumbup2: Thanks again for the help! :)

Edited by dagrunster, 03 June 2009 - 10:27 AM.


#7 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 03 June 2009 - 06:29 PM

After posting the logs, I tested the PC and it seemed a bit laggy. I was playing COD4. Not sure if it is malware again or if it was updating since being disconnected for days. I also noticed that Google Installer kept asking for access in ZoneAlarm. Maybe I am paranoid, but it seems a bit twitchy still. Should I disconnect the ethernet cable until we are done? I had to connect it for combofix to install the Recovery Console.

Question: what about my external drives? Do I need to worry about those or does the infection I have (had) concentrate itself on the C: drive? The only thing that wasn't connected when I ran combofix was my 500GB external. There is also a D: drive on the system that WAS connected.


Hello dagrunster. :)

Well done, :thumbup2: glad to see that ComboFix cleared up some of the malware, but we still have a bit of work to do.

Nope, I do not need you to post the other file from DDS.
You may have to give access to google updater.
And about your other drive: please connect it to your system before you run ComboFix AGAIN***


WeatherBug Warning
I recommend you uninstall "WeatherBug Installer", as WeatherBug has been associated with minor malware.

Please follow these instructions carefully.

If you can not download and run the following tools, then I would like for you to try another approach.

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

Step #1.

I see you are running TeaTimer. I suggest you disable it.
Ok...Firstly, we need to disable SpyBot's TeaTimer which can interfere with the fixes.


TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Step #2.

We need to run a CFScript by using ComboFix again

Please disable any running anti-virus or anti-malware programs.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
  • Close any open browsers.
  • Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it (Do not include the word: "CODE"):

    KILLALL::
    
    Driver::
    ecemfx
    adpgha
    fwnjmxi
    
    File::
    c:\windows\system32\drivers\fwnjmxi.sys
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    Posted Image

  • Now referring to the picture above, use your mouse to drag CFScript.txt on top of ComboFix.exe
  • This will start ComboFix again. Please follow the prompts.
  • When finished, after reboot (in case it asks to reboot), it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

* CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Step #3.

Your Java is out of date!!!
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step #4.

Please download Posted Image ATF Cleaner-3 by Atribune.
(Good temp file cleaner that could do the job safely and without removing files that are crucial to windows).
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTES: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NOTE: It's normal after running ATF cleaner that the PC will be slower to boot the first time.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_...refetch-XP.html

Step #5.

Kaspersky Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using Kaspersky online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

Please go to the Kaspersky website and perform an online antivirus scan.

Note: Kaspersky doesn't fix anything, it just reports what it finds.
If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Please re-scan with DDS and post the log.

Summary of the logs I will need in your next reply:
  • The ComboFix log. at C:\ComboFix.txt.
  • The DDS log.
  • The Kaspersky log.
And any description of remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)
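The CFScript above targets the two service entries in the DDS "SERVICES / DRIVERS" section that do not check out (a driver with no file on disk, and a service whose display name merely repeats its service name while pointing at an unverified file with a different name). The following is an added example, not code from the thread or from the DDS/ComboFix tools: it parses DDS driver lines (the sample lines are copied from the log above), scores each entry with a simple heuristic of my own, and renders the flagged ones in the CFScript layout shown in Step #2 so a helper can review them. The function names, the scoring weights and the threshold are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: driver/service lines copied from the DDS log posted above.
SAMPLE_DDS_LINES = [
    r"R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]",
    r"R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]",
    r"RUnknown ecemfx;ecemfx; [x]",
    r"S2 adpgha;adpgha;c:\windows\system32\drivers\fwnjmxi.sys --> c:\windows\system32\drivers\fwnjmxi.sys [?]",
    r"S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]",
    r"S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]",
]

# Trailing bracket: "[date size]" when DDS verified the file, "[?]" unverified, "[x]" missing.
_TRAILER = re.compile(r"\s*\[([^\]]*)\]\s*$")
FLAG_THRESHOLD = 2  # assumption: score at or above this gets reviewed


@dataclass
class DriverEntry:
    start: str      # R1/R2/R3/S2/S3 or RUnknown
    name: str       # service name
    display: str    # display name
    path: str       # resolved image path ("" if DDS had none)
    trailer: str    # content of the trailing [...] bracket
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_dds_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one '<start> <name>;<display>;<path> [trailer]' line; None if it is not one."""
    line = line.strip()
    if " " not in line:
        return None
    start, rest = line.split(" ", 1)
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, tail = parts
    m = _TRAILER.search(tail)
    trailer = m.group(1).strip() if m else ""
    body = tail[: m.start()] if m else tail
    # DDS prints "image path --> resolved path" when it had to resolve; keep the resolved one.
    if " --> " in body:
        body = body.rsplit(" --> ", 1)[1]
    path = body.strip()
    if path.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
        path = path[4:]
    return DriverEntry(start, name, display, path, trailer)


def file_stem(path: str) -> str:
    """Lower-case file name without extension or command-line arguments."""
    if not path:
        return ""
    base = path.split("\\")[-1]
    return base.split(" ")[0].rsplit(".", 1)[0].lower()


def assess(entry: DriverEntry) -> DriverEntry:
    """Attach review reasons and a score; weights are my assumption, not a DDS rule."""
    reasons, score = [], 0
    if entry.trailer == "x":
        reasons.append("file missing on disk ([x])"); score += 2
    if not entry.path:
        reasons.append("no image path recorded"); score += 2
    if entry.start.lower() == "runknown":
        reasons.append("unknown start type"); score += 1
    if entry.trailer == "?":
        # Weak on its own: legitimate services with arguments or \??\ paths also show [?].
        reasons.append("file not verified by DDS ([?])"); score += 1
    stem = file_stem(entry.path)
    if entry.path and entry.display == entry.name and stem != entry.name.lower():
        reasons.append(f"display name repeats service name but file is '{stem}'"); score += 1
    entry.reasons, entry.score = reasons, score
    return entry


def triage(lines) -> List[DriverEntry]:
    """Return the entries whose score reaches FLAG_THRESHOLD, in log order."""
    flagged = []
    for line in lines:
        entry = parse_dds_driver_line(line)
        if entry is not None and assess(entry).score >= FLAG_THRESHOLD:
            flagged.append(entry)
    return flagged


def to_cfscript(flagged: List[DriverEntry]) -> str:
    """Render flagged entries in the CFScript layout from Step #2 (Driver:: names, File:: paths)."""
    names = []
    for e in flagged:
        names.append(e.name)
        stem = file_stem(e.path)
        if stem and stem != e.name.lower():
            names.append(stem)  # the driver file registered under a different name
    out = ["KILLALL::", "", "Driver::"] + names
    paths = [e.path for e in flagged if e.path]
    if paths:
        out += ["", "File::"] + paths
    return "\n".join(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS_LINES)
    for e in hits:
        print(f"{e.name}: score {e.score}; " + "; ".join(e.reasons))
    print(to_cfscript(hits))
```

The legitimate vsmon and Ufasoft entries also carry `[?]`, which is why the heuristic needs a second signal before flagging; the output is a review list for the helper, not something to run unread.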

#8 dagrunster

dagrunster
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:51 AM

Posted 05 June 2009 - 07:39 AM

Hi Net Surfer,

FYI I looked for WeatherBug Installer in Add/Remove programs plus a Windows search, but couldn't locate it. I think it may already be uninstalled. I know that program can be a pain from past experience.
I also reconnected the External drive before scanning.

I followed all the steps in order. For some reason I had issues getting the Kaspersky online scan to work the first few times. I resolved it by running it from IE instead of Firefox.
Here are the logs you requested:

ComboFix 09-06-01.03 - Administrator 06/04/2009 11:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1544 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\fwnjmxi.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADPGHA
-------\Service_adpgha


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-03 15:16 . 2009-06-03 15:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- C:\rsit
2009-06-02 00:36 . 2009-06-02 00:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PunkBuster
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2009-06-01 15:17 . 2009-06-01 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-05-30 02:52 . 2009-05-30 02:52 -------- d-----w- c:\program files\Trend Micro
2009-05-30 00:23 . 2009-03-02 15:24 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 14:43 . 2009-06-01 22:53 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-28 19:34 . 2009-05-28 19:34 -------- d-----w- c:\documents and settings\Tammy\Application Data\Malwarebytes
2009-05-28 18:58 . 2009-05-28 18:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-28 18:40 . 2009-05-28 18:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-05-28 18:37 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 18:37 . 2009-05-28 18:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 18:37 . 2009-05-28 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 18:37 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:59 . 2009-05-28 14:59 -------- d-----w- c:\program files\MSSOAP
2009-05-28 14:58 . 2009-05-28 14:58 164 ----a-w- c:\windows\install.dat
2009-05-28 14:40 . 2009-05-28 14:40 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-28 14:39 . 2009-05-28 14:40 -------- d-----w- c:\documents and settings\Tammy\.housecall6.6
2009-05-23 17:16 . 2009-05-23 17:16 -------- d-----w- c:\documents and settings\Tammy\Application Data\Ahead
2009-05-23 17:15 . 2009-05-28 13:16 -------- d-----w- c:\documents and settings\Tammy\Local Settings\Application Data\Ahead
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-19 13:56 . 2009-05-07 21:31 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 13:56 . 2009-05-07 21:31 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 13:56 . 2009-05-07 21:31 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 13:56 . 2009-05-07 21:31 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 13:56 . 2009-05-07 21:31 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 13:56 . 2009-05-07 21:31 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 13:56 . 2009-05-07 21:31 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 13:55 . 2009-05-07 16:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 13:55 . 2009-05-07 16:36 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-18 01:10 . 2009-05-18 01:10 -------- d-----w- c:\documents and settings\Joey\Local Settings\Application Data\Ahead
2009-05-18 01:08 . 2009-05-18 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-05-18 01:07 . 2009-05-18 01:08 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-18 01:07 . 2009-05-18 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-17 13:55 . 2009-05-07 21:31 3399960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 13:55 . 2009-05-07 21:31 2302232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-10 16:50 . 2009-05-10 16:59 107832 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrB.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 15:10 . 2006-10-22 04:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-04 14:28 . 2006-10-22 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-03 19:56 . 2007-06-01 17:03 -------- d-----w- c:\documents and settings\Joey\Application Data\Xfire
2009-06-03 19:49 . 2009-01-12 18:04 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-03 19:49 . 2007-08-26 14:31 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-03 19:46 . 2007-11-07 18:01 169936 ----a-w- c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\vzayxgni.default\FlashGot.exe
2009-06-03 15:16 . 2007-09-28 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-06-03 15:16 . 2007-01-15 22:44 -------- d-s---w- c:\program files\Xfire
2009-06-03 03:01 . 2007-11-18 23:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-03 03:01 . 2006-10-22 04:18 -------- d-----w- c:\program files\Lavasoft
2009-05-30 01:15 . 2008-07-23 17:22 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
2009-05-30 01:05 . 2007-07-02 00:17 -------- d-----w- c:\program files\Pidgin
2009-05-29 14:06 . 2006-10-22 04:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 17:19 . 2009-05-28 17:19 60616 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_05_28_13_12_47_small.dmp.zip
2009-05-27 02:08 . 2008-03-15 22:47 -------- d-----w- c:\documents and settings\Tammy\Application Data\Move Networks
2009-05-27 02:00 . 2008-01-28 17:49 17849522 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-26 21:23 . 2006-10-22 04:17 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-26 21:00 . 2007-06-25 22:53 -------- d-----w- c:\documents and settings\Tammy\Application Data\Xfire
2009-05-19 13:06 . 2006-12-31 03:46 -------- d-----w- c:\documents and settings\Joey\Application Data\uTorrent
2009-05-18 15:02 . 2007-02-20 00:10 -------- d-----w- c:\documents and settings\Joey\Application Data\Ahead
2009-05-18 00:34 . 2009-01-02 01:56 -------- d-----w- c:\documents and settings\Joey\Application Data\Vso
2009-05-14 15:20 . 2009-05-14 15:21 542720 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-10 17:01 . 2008-07-01 17:00 22328 ----a-w- c:\documents and settings\Tammy\Application Data\PnkBstrK.sys
2009-05-07 21:31 . 2008-06-17 17:05 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 21:31 . 2007-10-31 22:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-07 21:31 . 2008-06-17 17:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-03 14:03 . 2009-05-03 14:05 637440 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-05-03 14:03 . 2009-05-03 14:05 2433536 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-04-30 01:07 . 2009-04-30 01:56 2433024 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-04-25 13:39 . 2009-04-25 13:39 -------- d-----w- c:\documents and settings\Tammy\Application Data\WeatherBug
2009-04-20 18:41 . 2009-04-20 21:22 2643968 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-04-20 18:41 . 2009-04-20 21:22 2401280 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-04-17 12:01 . 2008-06-17 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-04-06 01:30 . 2009-04-06 01:29 -------- d-----w- c:\program files\MagicISO
2009-04-06 01:23 . 2009-04-06 01:23 -------- d-----w- c:\program files\MagicDisc
2009-04-06 01:11 . 2007-03-03 01:58 -------- d-----w- c:\program files\dvdSanta
2009-04-02 19:15 . 2008-08-15 02:10 34 ----a-w- c:\documents and settings\Guest\jagex_runescape_preferences.dat
2009-03-09 15:34 . 2009-03-30 23:26 971776 ----a-w- c:\documents and settings\Tammy\Application Data\Mozilla\Firefox\Profiles\4j9kjw4y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

------- Sigcheck -------

[-] 2006-10-17 15:55 1580544 6E266AAF4168B3569A330C61AB01F6B4 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-03_14.08.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 15:06 . 2009-06-04 15:06 16384 c:\windows\temp\Perflib_Perfdata_6c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-17 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]

c:\documents and settings\Joey\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-5 576000]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-5-4 2913840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-4-5 221247]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 21:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PlexTools Professional.lnk.disabled
backup=c:\windows\pss\PlexTools Professional.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joey^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Joey\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tammy^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tammy\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"RemoteControl"=c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe"
"LXBRKsk"=c:\progra~1\LEXMAR~1\LXBRKsk.exe
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" /logon
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\World of Padman\\wop.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 1:05 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2008 1:05 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 1:05 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 1:05 PM 298776]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2009 9:04 PM 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 1:11 PM 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/25/2008 3:06 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 2:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 2:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 2:21 AM 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [5/29/2009 8:23 PM 30136]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\Ufasoft\Sniffer\usft_sn4.sys --> c:\program files\Ufasoft\Sniffer\usft_sn4.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 01:04]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 11:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTxfispi.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-06-04 11:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 15:14
ComboFix2.txt 2009-06-03 14:11

Pre-Run: 77,028,655,104 bytes free
Post-Run: 76,924,084,224 bytes free

283 --- E O F --- 2009-05-18 15:16
-----------------------------------------------------------------


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 8:09:27.37 on Fri 06/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1254 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\l5kskhmr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]

=============== Created Last 30 ================

2009-06-04 11:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-04 11:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-04 11:00 <DIR> --ds---- C:\ComboFix
2009-06-03 09:32 <DIR> a-dshr-- C:\cmdcons
2009-06-02 23:16 161,792 a------- c:\windows\SWREG.exe
2009-06-02 23:16 154,624 a------- c:\windows\PEV.exe
2009-06-02 23:16 98,816 a------- c:\windows\sed.exe
2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-29 10:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-05-28 14:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP
2009-05-28 10:58 164 a------- c:\windows\install.dat
2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:51 41,808 a------- c:\windows\system32\xfcodec.dll
2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini
2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2009-06-05 08:04 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-03 15:49 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-03 15:49 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

============= FINISH: 8:09:54.62 ===============

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 04, 2009 18:20:49
Records in database: 2306762
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 132406
Threat name: 12
Infected objects: 24
Suspicious objects: 17
Duration of the scan: 08:44:03


File name / Threat name / Threats count
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.re 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ra 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ri 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rz 1
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkpurwlwjqsjkfnu.sys.vir Infected: Rootkit.Win32.Agent.lae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACmuwqpucfqxexnkf.sys.vir Infected: Rootkit.Win32.Agent.lae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvqvqemxuiajkia.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjpyputabtxevhop.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmchutyqjbdfcekx.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuulusipvebdmsxw.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvakdnkfgotacnky.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxoascnutmtnftu.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.lae 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000002.sys Infected: Rootkit.Win32.Agent.lae 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000003.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000004.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000005.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000006.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000007.dll Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000056.dll Infected: Packed.Win32.Tdss.m 1
F:\Pedro stuff\Wireless Security\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1

The selected area was scanned.

Thanks for all your help!

#9 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 05 June 2009 - 06:17 PM

Hi dagrunster, :cool:

:) You got some bad mail !!! :)

There are some bad active infected email files in your Thunderbird Mail program. :thumbup2:

And there are some bad files in the system restore and other ones already quarantined by the Combofix Tool at C:\Qoobox\Quarantine.
Those will be gone when we flush System Restore and create a new one with the ComboFix uninstall switch later on.
So for now do not do anything about those.

Now let's take care of the ones that are still active in your system.


This is what Kaspersky found:
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.re 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ra 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.ri 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rz 1
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1

yk0x8k8n.default
and
8y2hdk28.default
NOTICE:
These are 2 different profiles (two different user accounts), so you will need to empty the trash box and junk box from both profiles.

To do this do the following:

Step #1.
Go to your Thunderbird Mail Program and delete any bad mail that looks suspicious in your inbox.
Then.. delete all email in your junk box and trash box.
Then.... Empty your deleted email box.

yk0x8k8n.default
and
8y2hdk28.default
are 2 different profiles; PLEASE also do the same for all profiles.
Empty the junk folder and trash on this profile as well.

Step #2.

And about this one from your Kaspersky log:

F:\Pedro stuff\Wireless Security\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1

Use Windows Explorer to find and Delete the following File: (IF PRESENT)

Go to your F:\ drive and delete:

F:\Pedro stuff\Wireless Security\ca_setup.exe <--- This File

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

Reboot when done.

Step #3.

ESET Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan just to be sure that nothing got left behind.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Posted Image
Credit: Billy Oneal for the canned instructions. You can refer to this animation by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Step #4.

Your Microsoft Windows installation is out of date!
Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please re-scan with DDS and post the log.

Summary of the logs I will need in your next reply:
  • The ESET Online scan report.
  • The DDS log.
And any description of remaining problems in your next post.

How is your Computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.

Kind regards
Net_Surfer

:)

Edited by Net_Surfer, 06 June 2009 - 05:34 AM.
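The triage Net_Surfer performs by hand above (detections already sitting in ComboFix's C:\Qoobox\Quarantine or in System Restore points are inert and will be flushed later; detections inside live Thunderbird profiles are active mail that must be cleaned per user profile) can be automated over a Kaspersky Online Scanner report. The script below is an added example written for this thread, not code from the forum, Kaspersky or ComboFix. The location heuristics (Qoobox path, "System Volume Information\_restore" for XP restore points, "Thunderbird\Profiles\<name>" for mail profiles) and the sample lines, which are a constructed subset of the report posted above, are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example for this thread (not Kaspersky's or ComboFix's own code).
Detections in ComboFix's quarantine or in System Restore points are inert and
disappear when those stores are flushed; detections inside Thunderbird profiles
are live mail and have to be handled per profile, as the helper explains.
"""
import re
from collections import defaultdict

# One report line: "<path> <Infected|Suspicious>: <threat name> <count>"
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
# Thunderbird profile folder inside a path, e.g. "...\Profiles\yk0x8k8n.default\..."
PROFILE_RE = re.compile(r"\\Profiles\\(?P<profile>[^\\]+)\\", re.IGNORECASE)

# Constructed sample: a subset of the lines from the report posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.re 2
C:\Documents and Settings\Joey\Application Data\Thunderbird\Profiles\yk0x8k8n.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tammy\Application Data\Thunderbird\Profiles\8y2hdk28.default\Mail\pop3.knology.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkpurwlwjqsjkfnu.sys.vir Infected: Rootkit.Win32.Agent.lae 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvqvqemxuiajkia.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.lae 1
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000003.dll Infected: Packed.Win32.Tdss.m 1
F:\Pedro stuff\Wireless Security\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
"""


def classify(path):
    """Return 'quarantine', 'system_restore', 'mail' or 'other' for a detection path."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:          # ComboFix quarantine (inert, flushed on uninstall)
        return "quarantine"
    if "\\system volume information\\_restore" in p:  # XP System Restore point (flushed later)
        return "system_restore"
    if "\\thunderbird\\profiles\\" in p:       # live mail store, one per user profile
        return "mail"
    return "other"


def parse_report(text):
    """Yield a dict per detection line; header and blank lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            d["location"] = classify(d["path"])
            yield d


def triage(text):
    """Return (threat counts per location, mail counts per profile, detections still active)."""
    by_location = defaultdict(int)
    mail_by_profile = defaultdict(int)
    active = []  # items that still need a human decision (mail and anything unclassified)
    for d in parse_report(text):
        by_location[d["location"]] += d["count"]
        if d["location"] == "mail":
            m = PROFILE_RE.search(d["path"])
            mail_by_profile[m.group("profile") if m else "unknown"] += d["count"]
        if d["location"] in ("mail", "other"):
            active.append(d)
    return dict(by_location), dict(mail_by_profile), active


if __name__ == "__main__":
    by_loc, by_prof, active = triage(SAMPLE_REPORT)
    print("threats per location:", by_loc)
    print("mail threats per Thunderbird profile:", by_prof)
    for d in active:
        print(f"ACTIVE  {d['status']:<10} {d['threat']:<40} {d['path']}")
```

Run against the sample, the per-profile counts are what tell you that two separate Thunderbird profiles (two user accounts) need their Inbox, Junk and Trash cleaned, while the quarantine and restore-point hits can wait for the flush; the "other" bucket surfaces the one loose file on F:\ that the helper asks to delete.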


#10 dagrunster

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Florida

Posted 06 June 2009 - 02:29 PM

Hi again,
Here are the logs you requested:
ESET LOG
-----------
C:\Documents and Settings\Joey\My Documents\Programs\zlsSetup_70_462_000_en.exe a variant of Win32/AdInstaller application deleted - quarantined
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvqvqemxuiajkia.dll.vir a variant of Win32/Kryptik.PS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjpyputabtxevhop.dll.vir Win32/Olmarik.IC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmchutyqjbdfcekx.dll.vir Win32/Olmarik.IA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuulusipvebdmsxw.dll.vir Win32/Olmarik.IC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvakdnkfgotacnky.dll.vir Win32/Olmarik.HZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxoascnutmtnftu.dll.vir Win32/Olmarik.HY trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACkpurwlwjqsjkfnu.sys.vir Win32/Olmarik.ID trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACmuwqpucfqxexnkf.sys.vir Win32/Olmarik.ID trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000001.sys Win32/Olmarik.ID trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000002.sys Win32/Olmarik.ID trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000003.dll Win32/Olmarik.IC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000004.dll Win32/Olmarik.HY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000005.dll Win32/Olmarik.HZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000006.dll a variant of Win32/Kryptik.PS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000007.dll Win32/Olmarik.IA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP0\A0000056.dll Win32/Olmarik.IC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP4\A0000770.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8B0954E4-2EC0-44B8-9871-2B6FBEC7A6DC}\RP4\A0000771.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
==============================================
DDS3


DDS (Ver_09-05-14.01) - NTFSx86
Run by Joey at 15:15:27.84 on Sat 06/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1428 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Creative\MEDIAS~1\MtdAcqu.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Joey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [MtdAcqu] "c:\progra~1\creative\medias~1\MtdAcqu.exe" /s
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource5\go\CTCMSGoU.exe" /SCB
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\joey\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\joey\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joey\applic~1\mozilla\firefox\profiles\vzayxgni.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-31 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-10-31 353672]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 298776]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S2 gupdate1c9898942ef6a62;Google Update Service (gupdate1c9898942ef6a62);c:\program files\google\update\GoogleUpdate.exe [2009-2-7 133104]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-25 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-5-29 30136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\ufasoft\sniffer\usft_sn4.sys --> c:\program files\ufasoft\sniffer\usft_sn4.sys [?]

=============== Created Last 30 ================

2009-06-06 12:04 <DIR> --d----- c:\program files\Messenger
2009-06-06 12:04 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll
2009-06-06 12:04 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2009-06-06 12:04 102,912 -c------ c:\windows\system32\dllcache\dpcdll.dll
2009-06-06 12:03 3,990 -------- c:\windows\system32\wbem\napclientschema.mof
2009-06-06 12:03 638 -------- c:\windows\system32\wbem\napclientprov.mof
2009-06-06 12:03 46,592 -------- c:\windows\system32\drivers\irbus.sys
2009-06-06 12:03 9,728 -------- c:\windows\system32\comsdupd.exe
2009-06-06 12:03 10,752 -------- c:\windows\system32\smtpapi.dll
2009-06-06 12:03 9,728 -------- c:\windows\system32\rwnh.dll
2009-06-06 11:55 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-06 11:50 19,569 a------- c:\windows\003150_.tmp
2009-06-05 21:31 <DIR> --d----- c:\program files\ESET
2009-06-04 11:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-04 11:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-04 11:00 <DIR> --ds---- C:\ComboFix
2009-06-03 09:32 <DIR> a-dshr-- C:\cmdcons
2009-06-02 23:16 161,792 a------- c:\windows\SWREG.exe
2009-06-02 23:16 154,624 a------- c:\windows\PEV.exe
2009-06-02 23:16 98,816 a------- c:\windows\sed.exe
2009-05-29 22:52 <DIR> --d----- c:\program files\Trend Micro
2009-05-29 20:23 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-05-29 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-29 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-28 14:37 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 14:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-28 14:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 10:59 <DIR> --d----- c:\program files\MSSOAP
2009-05-28 10:58 164 a------- c:\windows\install.dat
2009-05-28 10:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-21 18:51 41,808 a------- c:\windows\system32\xfcodec.dll
2009-05-17 21:13 69 a------- c:\windows\NeroDigital.ini
2009-05-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2009-06-06 15:02 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-06 12:06 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-05 21:00 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-05 21:00 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-07 17:31 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 17:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 17:31 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-10 17:23 22,328 a------- c:\docume~1\joey\applic~1\PnkBstrK.sys
2009-01-10 17:21 107,832 a------- c:\docume~1\joey\applic~1\PnkBstrB.exe
2009-01-01 21:56 47,360 a------- c:\docume~1\joey\applic~1\pcouffin.sys
2008-10-25 10:52 30 a------- c:\documents and settings\joey\jagex_runescape_preferences.dat
2008-05-12 21:26 62,080 a------- c:\docume~1\joey\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 15:16:10.23 ===============

I did all the steps in the order you asked. The PC seems quite a bit zippier now. I am no longer getting the error messages on startup I was getting before.
I was curious about something though. In the pic I uploaded there is a window near the top I can't get rid of or resize. When I hover the mouse near the red arrow in the pic, the circled text shows up. I am assuming that this is Google trying to get me to install the Chrome browser, and that NoScript is doing its job. Do you know how I can remove this frame from my browser?

Thanks yet again,
DaGrunster

Attached Files



#11 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 06 June 2009 - 04:50 PM



I did all the steps in the order you asked. The PC seems quite a bit zippier now. I am no longer getting the error messages on startup I was getting before.
I was curious about something though. In the pic I uploaded there is a window near the top I can't get rid of or resize. When I hover the mouse near the red arrow in the pic, the circled text shows up. I am assuming that this is Google trying to get me to install the Chrome browser, and that NoScript is doing its job. Do you know how I can remove this frame from my browser?

Thanks yet again,
DaGrunster

Please see if you can post the full browser window; I will be able to tell more if I can see a bigger picture.
You're welcome, glad that I can help.

Hi DaGrunster, :)

Good Job, we got all the baddies. :thumbup2:

Your logs are clean except for a few files that we need to take care of.
:)

Step #1.

You have an Orphan Toolbar entry that we can fix with HijackThis:

TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File


*Open HijackThis. Click on Do a system scan only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Please check the following entry:

O3 - Toolbar: TB - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File

Ensure you have closed all windows except HijackThis and click Fix Checked.
Exit Hijackthis program.

Step #2.

ESET online scan report:
We need to clean up all those quarantined baddies, so please follow my instructions to help do that:


For the ones that ESET found and has already quarantined, just delete anything related to ESET, and all of those files will be gone from your computer.


The other ones are in the quarantine folder of the ComboFix tool, and they should be gone as well when we use the uninstall switch of ComboFix at the end.

To get rid of the ones in system restore please do the following:


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Step #3.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Delete ComboFix and Clean Up

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of the next step. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.


Click Start > Run, type combofix /u and click OK (note the "space" between combofix and /u) <--- It needs to be there.
Please advise if this step is missed for any reason as it performs some important actions:

"This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore".


Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

If you don't plan to use Kaspersky again, then uninstall it through Add/Remove Programs.

You may delete DDS and any logs that any of the tools produced. Please delete DDS.exe and the DDS folder (C:\DDS).
I recommend keeping ATF, and using Malwarebytes' Anti-Malware to scan your computer regularly.



If you have done all of the above, Your Computer should be Clean of Malware. :)
:) CONGRATULATIONS.
:cool:


OK, DaGrunster, I'm not skilled at mincing words, but I believe that by now you have already figured out how you got infected (using P2P file-sharing programs, maybe?). So, especially for you, I will use the long version of my "All Clean Canned Speech".

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again:

Please take the time to read below to secure your machine and take the necessary steps to keep it clean. Some of the following you may already have, so just disregard those.
  • Make sure that you keep your anti-virus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your anti-virus program to provide you with the best possible protection from malicious software.
    Note: You should only have one anti-virus installed at a time. Having more than one anti-virus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer; therefore, please read and follow the recommendations at this SITE.
Recommended Programs

To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • McAfee Site Advisor --free version.
    To give you an indication of which sites may contain bad links or suspect downloads. It loads an icon into the toolbar of your browser (versions for IE and Firefox). As you browse, a small button on your browser toolbar changes color based on SiteAdvisor's safety results, indicating the trustworthiness of the site you are on: green for safe and red for suspicious. Click on the icon to access the details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad. Safety ratings from McAfee SiteAdvisor appear next to search results. Works with Google, Yahoo!, Live Search, AOL or ASK.
    This utility can be downloaded and installed from HERE.
  • ATF Cleaner
    Good temp file cleaner that does the job safely and without removing files that are crucial to Windows.
    Cleans temporary files from IE and Windows, empties the recycle bin and more.
    Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    This utility can be downloaded and installed from HERE.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware or SuperAntiSpyware
    These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
    You can download SuperAntiSpyware from HERE.
  • Hosts File - A custom Hosts file can replace the Hosts file on your computer and help you avoid accidentally visiting known nasty web sites.
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-click on the DNS Client service. Choose Properties.
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK

    Prevention:
    The Hosts file can be made read only and monitored for changes, or attempted changes. Programs such as >WinPatrol< do this very well.

    Cure:
    If your Hosts file becomes infected, it can be reset by installing >HostsXpert<.
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Backup regularly.
    You never know when your PC will become unstable or get infected so badly that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.
    Alternatively, you can use 3rd-party programs to back up your data. They can be found at Bleeping Computer.

  • To stay secure is to stay updated.
    Calendar of Updates.

  • Practice Safe Internet
    One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program, be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message the person back asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if it is legitimate, you can use McAfee SiteAdvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

To find out more about how you got infected in the first place, and for some great guidelines to follow to prevent future infections, you can read this article by Tony Klein and this one by Miekiemoes.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

That's it, happy surfing!

Cheers,
Net_Surfer


***If the ComboFix tool helped you***, please kindly consider a donation to its author.

Stay clean and be safe :)

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!


:)

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.

#12 dagrunster
Posted 09 June 2009 - 10:49 AM

Hi Net_Surfer,

Regarding Step #1, I could not find that entry, even on different logins for the PC. Weird?
All the other steps were done successfully. :thumbup2:
Now that I am clear of infestation, is my PC safe to use for banking and paying bills? I plan to go to another hard drive within a week, which is my current D: drive. I will then copy everything over to the new one and wipe and reformat the current one.


I want to thank you again for all of your help! I sincerely hope that the staff here is appreciated, I know I sure do!

I will take your advice to heart, and will be making a few security changes on my PC because of it. At least I learned something out of all of this mess! lol

Thanks again and keep up the good work!
:) :) :cool:

#13 Net_Surfer
Posted 09 June 2009 - 08:26 PM

Hi dagrunster. :)

Good job following all those steps. :thumbup2:

I am positive that you will be fine to do any type of activity on this computer.

Just be careful and use common sense and you will be fine. :)

I had a good coach doing this fix with me; his name is :) Kahdah. He ensures that all my posts are well advised before I post them here for you.

So, he takes part of the credit also.

Psss.... I never got another pic of the full browser window; if you attach a bigger picture I will be able to tell more from it.


I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

If that's it ???

happy surfing!

Cheers,
Net_Surfer


:cool:

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.


#14 dagrunster
Posted 10 June 2009 - 12:50 PM

Got that browser issue handled. It was one of the toolbars I didn't need, so I ditched it.

Thanks again to you and Kahdah!!

:) :) :thumbup2: :cool: :) :) :)

Edited by dagrunster, 10 June 2009 - 12:51 PM.


#15 kahdah
Posted 10 June 2009 - 05:57 PM

You are welcome :thumbup2:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.