
Help! Problem with suspicious file!!



Hi,

I have been told to post my logs and details on here for help. I have been having trouble deleting a suspicious file called C:\WINDOWS\System32\Drivers\swgsdq.sys, and when I used Malwarebytes' Anti-Malware to scan my computer, an error message with the error code 731(0,6) appears when the scan reaches this file. Please help me to solve the problem as I am worried that my computer is infected!! As instructed, I have downloaded the defogger programme and ran the programme once; everything went OK except that at the end the defogger did not prompt me to reboot the computer (hence, I did not select "Re-enable" just in case). I have also completed the instructions detailed in the same post. Below is the text from my DDS.txt.

"

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP at 16:04:14.14 on 09/01/2010 Sat

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.950.852.1028.18.758.305 [GMT 0:00]

AV: avast! antivirus 4.8.1368 [VPS 100109-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Tudou\滄厒Tudou\TudouVa.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\conime.exe

C:\Documents and Settings\HP\桌面\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.hk

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: WebDetectorBHO Class: {43beafd9-e005-483d-a367-146ba6c8a32e} - c:\program files\tudou\滄厒tudou\tudouDetector.dll

BHO: Windows Live 登入小幫手: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

dRun: [ctfmon.exe] ctfmon.exe

StartupFolder: c:\docume~1\hp\「開始~1\程式集\啟動\雄滄~1.lnk - c:\program files\tudou\滄厒tudou\TudouVa.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://myspeciallittlecorner.spaces.live.com//PhotoUpload/MsnPUpld.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp\applic~1\mozilla\firefox\profiles\p5x3fbnb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 2

FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-6 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-6 138680]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-6 254040]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-6 352920]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

S2 dqnbuzsiz;Image Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2010-01-09 16:01:25 0 ----a-w- c:\documents and settings\hp\defogger_reenable

2010-01-07 03:47:41 96512 ----a-w- c:\windows\system32\drivers\OLD19.tmp

2010-01-07 03:47:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-07 02:55:57 96512 ----a-w- c:\windows\system32\drivers\SET9F.tmp

2010-01-06 15:45:06 0 d-----w- c:\docume~1\hp\applic~1\AVG8

2010-01-05 22:18:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-05 22:18:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 22:18:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-04 17:32:50 0 d--h--w- c:\windows\PIF

2010-01-04 17:21:02 0 d-----w- c:\docume~1\hp\applic~1\Malwarebytes

2010-01-04 16:41:36 0 d-----w- C:\dialafix

2010-01-04 16:34:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-01-04 16:34:06 0 d-----w- c:\program files\SUPERAntiSpyware

2010-01-04 16:34:06 0 d-----w- c:\docume~1\hp\applic~1\SUPERAntiSpyware.com

2010-01-04 16:05:40 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-01-04 16:04:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-03 18:00:31 0 ----a-w- c:\windows\system32\18467-virusperhaps.exe

2010-01-03 03:15:43 0 ----a-w- c:\windows\system32\AVR10-virusperhaps.exe

2010-01-03 03:12:46 767488 ----a-w- c:\windows\system32\drivers\swgsdq.sys

2010-01-03 03:11:34 1 ----a-w- C:\s

2009-12-29 19:04:56 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-12-09 18:19:13 4724 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2009-12-09 18:19:13 326276 ----a-w- c:\windows\system32\prfh0404.dat

2009-12-09 18:19:13 131228 ----a-w- c:\windows\system32\prfc0404.dat

2009-10-29 07:40:28 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:33:01 268288 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:39:15 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:39:15 148480 ----a-w- c:\windows\system32\rastls.dll

2009-09-12 23:51:30 16384 -csha-w- c:\windows\temp\cookies\index.dat

2009-09-12 23:51:30 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat

2009-09-12 23:51:30 32768 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:05:29.29 ==============="

I have also attached the zipped files of attach.txt and ark.txt to the post. I am using Windows XP Home Edition. The Windows is a Chinese Windows, which I hope does not make things even more complicated than they are!! Since my computer is using a Chinese version, the log file from MBAM may not be readable, but I will post it anyway, and here is also the log from Defogger_disable:

"defogger_disable by jpshortstuff (28.11.09.2)

Log created at 16:02 on 09/01/2010 (HP)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read swgsdq.sys

-=E.O.F=-"

"Malwarebytes' Anti-Malware 1.44

杅擂踱唳掛ㄩ 3526

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/1/2010 17:35:03

mbam-log-2010-01-09 (17-35-03).txt

禸鏡濬倰ㄩ辦厒禸鏡

掩禸鏡勤砓杅醴ㄩ 116530

奀潔徹ㄩ 13 minute(s), 8 second(s)

掩覜囀湔輛最杅醴ㄩ 0

掩覜囀湔耀輸杅醴ㄩ 0

掩覜蛁聊桶砐杅醴ㄩ 0

掩覜蛁聊桶硉杅醴ㄩ 0

掩覜蛁聊桶杅擂砐杅醴ㄩ 0

掩覜恅璃標杅醴ㄩ 0

掩覜恅璃杅醴ㄩ 0

掩覜囀湔輛最杅醴ㄩ

ㄗ羶衄潰聆善衄漲砐醴ㄘ

掩覜囀湔耀輸杅醴ㄩ

ㄗ羶衄潰聆善衄漲砐"

Thank you so much for your help, attention and time!!!

Attach.zip

ark.zip

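What the helpers read in the DDS.txt above, by eye, is a short list of indicators: a service with a random-looking name ("dqnbuzsiz") started through svchost.exe -k netsvcs, Internet Explorer proxied through the local machine (127.0.0.1:5555), a freshly created driver with a random name (swgsdq.sys) and zero-byte executables dropped into system32. The script below is an added example for this thread, not a Malwarebytes or DDS tool; it runs that first pass over constructed lines copied in the shape of the log. The rule names, the consonant-run "looks random" heuristic and the thresholds are this example's own assumptions and produce prompts to look closer, not verdicts.

```python
"""Triage helper for DDS-style logs (added example; constructed input)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired (names are this example's own)
    detail: str    # the name, path or address that triggered it
    line: str      # the original log line, for the reader's own check


# Constructed sample: lines in the shape of the DDS.txt quoted in the thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = local
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]
S2 dqnbuzsiz;Image Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-12 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
2010-01-03 18:00:31 0 ----a-w- c:\windows\system32\18467-virusperhaps.exe
2010-01-03 03:12:46 767488 ----a-w- c:\windows\system32\drivers\swgsdq.sys
2010-01-05 22:18:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# "ProxyServer = http=127.0.0.1:5555" -> host and port
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^\s:;]+):(\d+)", re.I)
# "S2 name;display name;image path [date size]" service/driver entries
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[", re.I)
# "YYYY-MM-DD HH:MM:SS size attributes path" entries from "Created Last 30"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption of this example): all-lowercase letters,
    six or more characters, and a run of four or more consonants. Vendor
    abbreviations can trip it, so a hit means 'verify', not 'malicious'."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", name)
    return max((len(run) for run in runs), default=0) >= 4


def triage(dds_text: str) -> List[Finding]:
    """Return the indicators found in the log text, in log order."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Browser traffic routed through a proxy on the local machine.
        m = PROXY_RE.search(line)
        if m and (m.group(1).startswith("127.") or m.group(1).lower() == "localhost"):
            findings.append(Finding("local-proxy", f"{m.group(1)}:{m.group(2)}", line))
            continue

        # 2. A svchost-hosted service whose short name looks machine-generated.
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(2), m.group(4).lower()
            if "svchost.exe" in image and "-k" in image and looks_random(name):
                findings.append(Finding("suspicious-svchost-service", name, line))
            continue

        # 3. Recently created files: zero-byte executables, or a new driver
        #    under system32\drivers with a random-looking name.
        m = CREATED_RE.match(line)
        if m:
            size, path = int(m.group(2)), m.group(3).lower()
            filename = path.rsplit("\\", 1)[-1]
            stem, _, ext = filename.rpartition(".")
            if ext in ("exe", "sys", "dll") and size == 0:
                findings.append(Finding("zero-byte-executable", filename, line))
            elif ext == "sys" and "\\drivers\\" in path and looks_random(stem):
                findings.append(Finding("random-named-driver", filename, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run against the sample it reports exactly the four items the thread goes on to deal with and stays quiet on the avast!, WD and mbam.sys entries. The randomness check is the weakest part by design: it is there to rank lines for a human, who then confirms the file on disk, its signer and its creation date, as the helper does here with the ComboFix Collect:: submission.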

Hello chonga

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Hi Kahdah,

Thanks for getting back to me so quickly.

It is quite worrying to hear that. I suppose the best way is to reformat my computer to be sure it is clean from all viruses!! However, I really hope it is the last resort, so I would like to try any methods that may get rid of the viruses on my computer. Please kindly advise what to do!! Thank you so much once again!!


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Hi,

I have run the ComboFix programme and you can find the C:\ComboFix.txt attached to this post!! Thanks!!

Combofix.zip


Please install the Recovery Console when prompted.

1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.malwarebytes.org/forums/index.php?showtopic=35938

Driver::
dqnbuzsiz
swgsdq

Collect::
c:\windows\system32\drivers\swgsdq.sys

NetSvc::
dqnbuzsiz

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If ComboFix fails to upload anything, please do the following:

Go to Start > My Computer > C:\

Then navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


Hi,

I have just followed your instructions and posted the submit.zip file to the link you provided, and I left the link to this topic when I sent the file. I have also attached the log here so you should be able to have a look. Thanks!!!

_4__Submit_2010_01_12_15.14.18.zip

ComboFix.zip


Update Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Hi,

Sorry for getting back to you late, but here is the log after the quick scan:

"Malwarebytes' Anti-Malware 1.44

杅擂踱唳掛ㄩ 3576

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

16/1/2010 16:30:09

mbam-log-2010-01-16 (16-30-09).txt

禸鏡濬倰ㄩ辦厒禸鏡

掩禸鏡勤砓杅醴ㄩ 114514

奀潔徹ㄩ 12 minute(s), 39 second(s)

掩覜囀湔輛最杅醴ㄩ 0

掩覜囀湔耀輸杅醴ㄩ 0

掩覜蛁聊桶砐杅醴ㄩ 0

掩覜蛁聊桶硉杅醴ㄩ 0

掩覜蛁聊桶杅擂砐杅醴ㄩ 0

掩覜恅璃標杅醴ㄩ 0

掩覜恅璃杅醴ㄩ 0

掩覜囀湔輛最杅醴ㄩ

ㄗ羶衄潰聆善衄漲砐醴ㄘ

掩覜囀湔耀輸杅醴ㄩ

ㄗ羶衄潰聆善衄漲砐 "

The strange thing is, this time there is no error message; I hope everything has been solved?

Thanks!!


Hi,

I have just decided to run the ESET online scan, and the scan has found some threats on my computer! So I'm posting the log here as well:

"

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=581f04a45ad34b4c97a315ba5cf29573

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-01-16 05:57:19

# local_time=2010-01-16 05:57:19 )

# country="Hong Kong S.A.R."

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=769 16775125 100 98 9514 199941781 76270 0

# compatibility_mode=1024 16777215 100 0 5701396 5701396 0 0

# compatibility_mode=3073 16777213 80 89 521849 522018 0 0

# compatibility_mode=8192 67108863 100 0 4158 4158 0 0

# scanned=46514

# found=5

# cleaned=5

# scan_time=4043

C:\Documents and Settings\HP\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7a1afb02 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\[4]-Submit_2010-01-12_15.14.18.zip a variant of Win32/Rootkit.Kryptik.AF trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\swgsdq.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_swgsdq_.sys.zip a variant of Win32/Rootkit.Kryptik.AF trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{9DB7EC0D-C0ED-4074-8485-F8AEDAE03746}\RP1\A0000041.sys a variant of Win32/Rootkit.Kryptik.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

"

Thanks!!


Looks good. Please run DDS once more and post only the dds.txt; no need to attach it.

Hi, it is great to hear it is going well. Here is my DDS log:

"

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP at 14:46:58.76 on 20/01/2010 Wed

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.950.852.1028.18.758.338 [GMT 0:00]

AV: avast! antivirus 4.8.1368 [VPS 100119-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Nakido\nakido.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\HP\桌面\dds.scr

C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.hk

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Windows Live 登入小幫手: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [ctfmon.exe] ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://myspeciallittlecorner.spaces.live.com//PhotoUpload/MsnPUpld.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp\applic~1\mozilla\firefox\profiles\p5x3fbnb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\mozilla firefox\components\CheckTudouVa.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-1-10 133064]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-1-10 25160]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-6 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-6 138680]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-1-10 723632]

R2 Nakido;Nakido;c:\program files\nakido\nakido.exe [2010-1-15 330240]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-6 254040]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-6 352920]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2010-01-16 16:41:09 0 d-----w- c:\program files\ESET

2010-01-16 04:05:31 0 d-----w- c:\program files\Nakido

2010-01-12 15:12:28 0 d-sha-r- C:\cmdcons

2010-01-10 17:09:56 130 ----a-w- c:\windows\cfplogvw.INI

2010-01-10 16:50:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo

2010-01-10 16:50:25 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2010-01-10 16:50:25 171552 ----a-w- c:\windows\system32\guard32.dll

2010-01-10 16:50:25 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys

2010-01-10 16:50:16 0 d-----w- c:\program files\COMODO

2010-01-10 16:21:08 98816 ----a-w- c:\windows\sed.exe

2010-01-10 16:21:08 77312 ----a-w- c:\windows\MBR.exe

2010-01-10 16:21:08 261632 ----a-w- c:\windows\PEV.exe

2010-01-10 16:21:08 161792 ----a-w- c:\windows\SWREG.exe

2010-01-09 16:01:25 0 ----a-w- c:\documents and settings\hp\defogger_reenable

2010-01-07 03:47:41 96512 ----a-w- c:\windows\system32\drivers\OLD19.tmp

2010-01-07 03:47:40 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-01-07 02:55:57 96512 ----a-w- c:\windows\system32\drivers\SET9F.tmp

2010-01-06 15:45:06 0 d-----w- c:\docume~1\hp\applic~1\AVG8

2010-01-05 22:18:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-05 22:18:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 22:18:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-04 17:32:50 0 d--h--w- c:\windows\PIF

2010-01-04 17:21:02 0 d-----w- c:\docume~1\hp\applic~1\Malwarebytes

2010-01-04 16:41:36 0 d-----w- C:\dialafix

2010-01-04 16:34:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-01-04 16:34:06 0 d-----w- c:\program files\SUPERAntiSpyware

2010-01-04 16:34:06 0 d-----w- c:\docume~1\hp\applic~1\SUPERAntiSpyware.com

2010-01-04 16:05:40 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-01-04 16:04:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-29 19:04:56 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-12-09 18:19:13 4724 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2009-12-09 18:19:13 326276 ----a-w- c:\windows\system32\prfh0404.dat

2009-12-09 18:19:13 131228 ----a-w- c:\windows\system32\prfc0404.dat

2009-10-29 07:40:28 916480 ------w- c:\windows\system32\wininet.dll

============= FINISH: 14:47:57.20 ===============

"

Thanks a ton!!


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

======Next======

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to help prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, emule, Utorrent, etc...
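As an added example (not part of the original thread or of the DDS tool), here is a small Python parser that reads the DPF: lines of a DDS log like the one posted above, pulls the JRE version out of each jinstall URL and reports every version below a chosen minimum; the default minimum (1, 6, 0, 18) corresponds to the "Java SE Runtime Environment (JRE) 6 Update 18" the reply points at, and the sample log text is constructed from the entries shown in this thread.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Constructed sample: a few lines in the shape of the DDS log posted above.
# Two DPF entries (a version-specific CLSID and the FFFF "family" CLSID)
# point at the same jinstall .cab, and one DPF entry is Flash, not Java.
SAMPLE_DDS = r"""
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]
"""

# "DPF: {CLSID} - URL" as DDS prints it (DDS writes hxxp:// to defang links).
DPF_RE = re.compile(r"^DPF:\s+\{([0-9A-Fa-f-]{36})\}\s+-\s+(\S+)", re.M)
# jinstall-1_6_0_07-windows-i586.cab -> (1, 6, 0, 7)
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")


def parse_dpf(log: str) -> List[Tuple[str, str]]:
    """Return (CLSID, URL) pairs for every DPF: line; other lines are ignored."""
    return DPF_RE.findall(log)


def jre_versions(log: str) -> Dict[str, Version]:
    """Map each Java-related DPF CLSID to the JRE version its installer URL names."""
    found: Dict[str, Version] = {}
    for clsid, url in parse_dpf(log):
        m = JINSTALL_RE.search(url)
        if m:  # non-Java DPF entries (e.g. Flash) carry no jinstall URL
            found[clsid.upper()] = tuple(int(x) for x in m.groups())  # type: ignore[assignment]
    return found


def outdated_jre(log: str, minimum: Version = (1, 6, 0, 18)) -> List[Version]:
    """Distinct JRE versions referenced by the log that are older than `minimum`."""
    # A set removes duplicates when several CLSIDs point at the same installer.
    return sorted({v for v in jre_versions(log).values() if v < minimum})


if __name__ == "__main__":
    for ver in outdated_jre(SAMPLE_DDS):
        print("outdated JRE referenced by DPF entry: " + ".".join(map(str, ver[:3])) + "_%02d" % ver[3])
```

Run against a full DDS.txt, the same functions flag the stale 1.6.0_07 and 1.6.0_17 entries that the reply's Java section is about; an empty result means no DPF entry references a JRE older than the minimum you pass in.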
