
svchost trojan -- Please help.



.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/14/2008 4:59:06 PM

System Uptime: 3/1/2012 3:01:15 PM (0 hours ago)

.

Motherboard: Hewlett-Packard | | 0024

Processor: mobile AMD Athlon XP 2200+ | mPGA462B | 1788/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 6.258 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: LAN-Express IEEE 802.11 PCI Adapter

Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_02001468&REV_01\3&61AAA01&0&48

Manufacturer: LAN-Express

Name: LAN-Express IEEE 802.11 PCI Adapter

PNP Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_02001468&REV_01\3&61AAA01&0&48

Service: PRISM

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: IDE\CDROMQSI_CDRW/DVD_SBW-241____________________VH07____\5&2A87669&0&0.0.0

Manufacturer: (Standard CD-ROM drives)

Name: QSI CDRW/DVD SBW-241

PNP Device ID: IDE\CDROMQSI_CDRW/DVD_SBW-241____________________VH07____\5&2A87669&0&0.0.0

Service: cdrom

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

7-Zip 4.57

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.1.3

Adobe Shockwave Player 11

Advanced Windows Optimizer 5.11

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI Display Driver

avast! Free Antivirus

AVG 2012

Avidemux 2.4

BitTorrent

Bonjour

Broadcom 802.11 Driver

Canon Utilities EOS Utility

CCleaner (remove only)

Conexant 56K ACLink Modem

Conexant AC-Link Audio

Critical Update for Windows Media Player 11 (KB959772)

DivX Converter

DivX Setup

DivX Version Checker

DNA

DTS+AC3 Filter

Exterminate It!

Flash Video Capture 4.5.5 build 4900

FlashGet 3.7

Free FLV Converter V 6.32

GOM Player

Google Chrome

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB981793)

HP Wireless LAN Driver

Image Grabber II

INISafeWeb 5.0

INISafeWeb 6.0

INISafeWeb 7.0 (SFilter v1.0)

iTunes

Java Auto Updater

Java 6 Update 22

Java 6 Update 3

Java 6 Update 7

K-Lite Codec Pack 3.6.5 Basic

Lexmark 640 Series

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Windows Journal Viewer

MobileMe Control Panel

Mozilla Firefox 10.0.2 (x86 en-US)

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

NirSoft WebVideoCap

OpenOffice.org 3.3

Paint.NET v3.22

QuickTime

Replay Media Catcher 3.01

Replay Media Catcher 4

Safari

Seagate Manager Installer

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 8 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976323)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Segoe UI

SignGATE EWS v2.9.2

Skype™ 4.2

SoftCamp Secure KeyStroke 4.0

Sony Vegas Pro 8.0

Spybot - Search & Destroy

SpywareBlaster 4.1

SUPER © Version 2007.bld.23 (July 4, 2007)

SUPERAntiSpyware

Synaptics Pointing Device Driver

TBS WMP Plug-in

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

USB Storage Driver

VC80CRTRedist - 8.0.50727.4053

VLC media player 1.1.11

Voxox 2.5.3

WebFldrs XP

Winamp

Windows Essentials Media Codec Pack 1.0

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows Presentation Foundation

Windows XP Service Pack 3

Wise PC Doctor version 3.8.6

XecureExpressII

XML Paper Specification Shared Components Pack 1.0

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

3/1/2012 3:04:16 PM, error: Service Control Manager [7024] - The Workstation service terminated with service-specific error 2250 (0x8CA).

3/1/2012 3:04:16 PM, error: Service Control Manager [7001] - The Alerter service depends on the Workstation service which failed to start because of the following error: The service has returned a service-specific error code.

3/1/2012 3:02:25 PM, error: Workstation [5727] - Could not load RDR device driver.

3/1/2012 2:53:45 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

3/1/2012 2:51:37 PM, error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

3/1/2012 2:51:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SAS Core Service service to connect.

3/1/2012 2:51:37 PM, error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/1/2012 2:39:33 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 80563bdc, parameter3 f7352c74, parameter4 00000000.

3/1/2012 2:34:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.

3/1/2012 2:34:33 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/1/2012 2:23:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/1/2012 2:22:31 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Avgldx86 Avgmfx86 Fips SASDIFSV SASKUTIL sptd

3/1/2012 2:17:47 AM, error: Service Control Manager [7023] - The Thkeys service terminated with the following error: The specified module could not be found.

3/1/2012 1:23:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

2/29/2012 8:42:59 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The system cannot find the file specified.

2/29/2012 8:42:58 AM, error: Service Control Manager [7023] - The Ibmasrex service terminated with the following error: The specified module could not be found.

2/29/2012 8:42:58 AM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.

2/29/2012 8:42:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the dzdgzhbhzg service to connect.

2/29/2012 8:42:58 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.

2/29/2012 8:42:58 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The system cannot find the file specified.

2/29/2012 8:33:28 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

2/29/2012 8:31:28 AM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}

2/29/2012 8:30:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd

2/29/2012 8:30:34 AM, error: Service Control Manager [7023] - The Synaptics TouchPad Support service terminated with the following error: The specified module could not be found.

2/29/2012 8:30:34 AM, error: Service Control Manager [7023] - The NICSer_WPC300N service terminated with the following error: The specified module could not be found.

2/29/2012 8:30:34 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The system cannot find the file specified.

2/29/2012 8:27:34 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

2/29/2012 12:42:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

2/29/2012 12:25:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Avgldx86 Avgmfx86 Fips ohci1394 SASDIFSV SASKUTIL sptd

2/29/2012 12:25:42 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

2/29/2012 12:25:42 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.

2/28/2012 11:52:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Avgldx86 Avgmfx86 Fips sptd

2/28/2012 11:36:30 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s).

2/28/2012 10:01:10 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

2/23/2012 8:54:14 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

.

==== End Of File ===========================

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Kyle at 15:48:45 on 2012-03-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.104 [GMT 9:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\DrvMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Safari\Safari.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\kyle\application data\flashgetbho\FlashGetBHO3.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

IE: Download all by FlashGet3 - c:\documents and settings\kyle\application data\flashgetbho\GetAllUrl.htm

IE: Download by FlashGet3 - c:\documents and settings\kyle\application data\flashgetbho\GetUrl.htm

LSP: mswsock.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {2022EE84-1E1F-45B0-8D35-FF9DA75366BC} - hxxp://download.softforum.co.kr/XecureExpressI/xei_install2.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} - hxxp://www.congnamul.com/ActiveX/Release/CongnamulMap4Asp_V2_0_0_19.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 121.254.25.230 121.254.25.220 210.94.0.73

TCP: Interfaces\{68291D52-DB43-4C62-897F-7FA85F00CB48} : DhcpNameServer = 121.254.25.230 121.254.25.220 210.94.0.73

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - c:\program files\initech\shttp\InitechSHTTPInterface.10113.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\kyle\application data\mozilla\firefox\profiles\xmvq0tob.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\kyle\application data\mozilla\firefox\profiles\xmvq0tob.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll

FF - plugin: c:\documents and settings\kyle\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npampx3.0.84.2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npINISAFEWeb60.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-03-01 06:31:13 -------- d-----w- c:\documents and settings\all users\application data\InstallMate

2012-03-01 03:50:07 -------- d-----w- c:\documents and settings\kyle\application data\SUPERAntiSpyware.com

2012-03-01 03:48:27 -------- d-----w- c:\program files\Spybot - Search & Destroy2

2012-03-01 03:47:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-03-01 03:47:59 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-03-01 03:43:38 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-01 03:43:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-01 03:36:24 -------- d-----w- c:\program files\Wise PC Doctor

2012-03-01 00:22:19 -------- d-----w- c:\windows\WinUpdaterstd

2012-02-29 17:38:42 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-02-29 17:37:47 41184 ----a-w- c:\windows\avastSS.scr

2012-02-29 17:37:12 -------- d-----w- c:\program files\AVAST Software

2012-02-29 17:37:12 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2012-02-28 14:56:23 -------- d-----w- c:\documents and settings\kyle\application data\Malwarebytes

2012-02-28 14:55:21 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-02-28 13:01:49 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-28 13:00:19 -------- d-----w- C:\spoolerlogs

2012-02-16 16:38:04 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-16 16:38:04 3072 ------w- c:\windows\system32\iacenc.dll

.

==================== Find3M ====================

.

2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec

2011-12-10 01:08:32 1409 ----a-w- c:\windows\QTFont.for

2011-12-03 13:25:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

.

============= FINISH: 15:53:48.64 ===============

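A small triage script for a DDS log like the one posted above, added here as an example and not part of the thread, of DDS, or of any of the tools it mentions. It splits the log into its banner-delimited sections and flags the three things a helper looks at first in this log: svchost.exe entries listed with no path (or outside system32), a hosts-file line that redirects a real domain to 127.0.0.1, and Service Control Manager errors naming a random-looking service such as the dzdgzhbhzg one in the Event Viewer section. The sample input is a constructed excerpt of the posted log; the "random name" heuristic and the section-name regexes are this example's own assumptions.

```python
"""Triage helpers for a DDS log like the one posted above (example code, not DDS's own).

Sample input is a constructed excerpt of the posted log; the heuristics are assumptions."""
import re
from collections import defaultdict

# Constructed excerpt of the DDS log posted above (a few lines per section).
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
Hosts: 127.0.0.1 www.spywareinfo.com
.
==== Event Viewer Messages From Past Week ========
.
2/29/2012 8:42:58 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the dzdgzhbhzg service to connect.
2/29/2012 8:42:58 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
3/1/2012 2:34:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to connect.
.
============= FINISH: 15:53:48.64 ===============
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # "==== Title ====" section banners
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
SCM_RE = re.compile(r"Service Control Manager \[(\d+)\] - .*?"
                    r"(?:waiting for the|The) (.+?) service (?:to connect|failed|terminated)")
LEGIT_SVCHOST_DIR = r"c:\windows\system32"  # the only place the real service host lives


def split_sections(text):
    """Map each DDS section title to its content lines ('.' spacer lines dropped)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def suspicious_svchost(process_lines):
    """svchost.exe entries with no path at all, or a path outside system32.

    The posted log lists several bare 'svchost.exe' entries next to the
    normal 'C:\\WINDOWS\\system32\\svchost.exe -k ...' ones; those are the hits."""
    hits = []
    for line in process_lines:
        image = line.split(" -k ")[0].strip()  # drop the service-group argument
        if not image.lower().endswith("svchost.exe"):
            continue
        directory = image[:-len("svchost.exe")].rstrip("\\").lower()
        if directory != LEGIT_SVCHOST_DIR:
            hits.append(line)
    return hits


def hosts_redirects(hjt_lines):
    """Hosts-file lines sending a real domain to loopback, the usual way malware
    blocks security sites (www.spywareinfo.com in the posted log)."""
    hits = []
    for line in hjt_lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1).startswith("127.") and m.group(2).lower() != "localhost":
            hits.append((m.group(1), m.group(2)))
    return hits


def looks_random(name):
    """Heuristic (assumption): all-lowercase, 8+ letters, under 20% vowels."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and sum(c in "aeiou" for c in name) / len(name) < 0.2)


def random_named_services(event_lines):
    """Service Control Manager errors whose service name looks generated."""
    hits = []
    for line in event_lines:
        m = SCM_RE.search(line)
        if m and looks_random(m.group(2)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def triage(text):
    """Run all three checks over a DDS log and return the findings per check."""
    s = split_sections(text)
    return {
        "svchost": suspicious_svchost(s.get("Running Processes", [])),
        "hosts": hosts_redirects(s.get("Pseudo HJT Report", [])),
        "services": random_named_services(s.get("Event Viewer Messages From Past Week", [])),
    }
```

Calling `triage(open("dds.txt").read())` on a full log works the same way; on the excerpt above it reports the two bare svchost.exe entries, the spywareinfo.com hosts entry and the dzdgzhbhzg service.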

Hello Willian and :welcome:

Unfortunately you have a nasty rootkit on your computer. Before starting the cleaning process, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Elise,

Thank you for your time and precautions, I understand the risks and would like to proceed:

I downloaded and ran ComboFix as directed. It notified me that I had rootkit.zeroaccess in my Tcp/ip, and then said it would need to restart my computer to complete the scan.

After restarting, ComboFix ran until stage 3, where it remained for 30 minutes until I rebooted. Afterwards ComboFix would always hang at the initial "this process usually takes 10 minutes" screen with no progress.

I restarted my computer, and now it boots with "argon pxe boot agent" and says "no operating system found".


In that case I suspect we're dealing with another rootkit as well. To confirm this, let's first get a dump of your disk's master boot record.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.
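As an added example (not part of this thread, and not a tool from the xPUD or ComboFix projects), here is a small Python script that reads an mbr.bin produced by the dd command above, splits the 512-byte sector into boot code, partition table and boot signature, and lists the things a helper would look at first: whether the 55 AA signature is present, whether exactly one partition is marked active, and whether the entries are well formed. The sample sector it builds for testing is constructed (one active NTFS partition of 75 GiB starting at LBA 63, matching the disk size in the DDS log), and the file path is an assumption.

```python
"""Inspect an MBR dump such as the mbr.bin produced by
`dd if=/dev/sda of=mbr.bin bs=512 count=1`.  Added example, not thread code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PARTITION_ENTRY_SIZE = 16      # four 16-byte entries follow at offset 446
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 must be 55 AA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one classic MBR partition entry (little-endian; CHS fields skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        off = BOOTCODE_SIZE + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(data[off:off + PARTITION_ENTRY_SIZE]))
    return {
        # hash of the boot code so it can be compared with a dump from a known-good machine
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_SIZE]).hexdigest(),
        "bootcode_is_zero": not any(data[:BOOTCODE_SIZE]),
        "partitions": [e for e in entries if e["type"] != 0],
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
    }


def sanity_check(mbr: dict) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55 AA boot signature: the BIOS will not boot this disk")
    if mbr["bootcode_is_zero"]:
        findings.append("boot code area is all zeros")
    parts = mbr["partitions"]
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition with zero start or zero length")
    # overlapping entries in the primary table are never legitimate
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end1), (start2, _) in zip(ranges, ranges[1:]):
        if start2 < end1:
            findings.append("overlapping partition entries")
    return findings


def build_sample_mbr(signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed sample: one active NTFS partition of 75 GiB starting at LBA 63."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_SIZE - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 75 * 1024 * 1024 * 2)   # 157286400 sectors
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return bootcode + table + signature


def inspect_file(path: str) -> dict:
    """Parse an mbr.bin from disk and attach the sanity findings."""
    with open(path, "rb") as fh:
        mbr = parse_mbr(fh.read(SECTOR_SIZE))
    mbr["findings"] = sanity_check(mbr)
    return mbr


if __name__ == "__main__":
    import sys
    # Assumed usage: python inspect_mbr.py mbr.bin (falls back to the sample sector)
    result = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else parse_mbr(build_sample_mbr())
    result.setdefault("findings", sanity_check(result))
    print("boot code sha256:", result["bootcode_sha256"])
    for p in result["partitions"]:
        print(f"type 0x{p['type']:02x} active={p['bootable']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    print("findings:", result["findings"] or "none")
```

The script only reports structural problems and a hash of the boot code; it does not claim to identify a particular rootkit. Comparing the boot code hash against a dump taken from a clean machine with the same Windows version is the quickest way to see whether the first 446 bytes have been replaced.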


Yes, you can do the same from USB.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer

From this point on the instructions are the same, except that, instead of choosing to boot from CD, you boot from USB.


Pressing argonpxe boo pxe e61 media test failure

Pressing F2 takes me to my BIOS setup where the order is:

  • Removable Devices
  • CD-ROM Drive
  • Hard Drive
  • Built-In LAN

and pressing F12 takes me to the Argon PXE Boot screen where it says:

PXE E61 media test failure

Then proceeds to a normal boot.


If it still doesn't work, try to boot from the USB on a working computer (just booting from it will not change anything on the computer so it is safe to try that). If that doesn't work it means most likely something went wrong when you prepared the USB drive.


Try again, but this time do not take out the USB stick. Make sure you see the mbr.bin file in xPUD on the USB drive, but now instead first click the Home tab > Power Off and select Shut Down. Only after the computer shuts down take out the USB drive; the file should now be there.


I needed a functional laptop for work, so I installed Windows XP.

Now I have a functional computer, and I can see all my old files and programs under Program Files, but they're not installed. Furthermore I now have a Windows and a Windows.0 folder.

When I boot the computer, I'm given the option of which Windows XP to load, one being the new functional cp and the other being the XP in which my mouse and keyboard don't function.

So now, would you still like me to continue with your latest suggestion or given my current access, would you like to try something else?

I appreciate all of your help with my problem so far, and I apologize for swaying from your guideline, work called. :)


No, the instructions from my last post no longer apply.

Instead, boot into the new XP installation and look for the following files, and let me know which one exists:

c:\windows\system32\drivers\i8042prt.sys

c:\windows.0\system32\driver\i8042prt.sys

One thing though, you can choose which installation to use (with preference for the old one as it contains your programs and such), but there is no easy way to undo the second XP installation.
