Trojans keep on coming back


I have had a number of viruses detected on my computer in the last week, as indicated below, detected by Malwarebytes:

Trojan.Agent

Trojan.Vundo.H

Trojan.Hiloti

Worm.Autorun

A full scan using Malwarebytes has not found anything in the last few days, but AVG keeps finding a Trojan every other day. AVG found Trojan horse Downloader Generic9.BBZH today and when it did a


Hello WarZone! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Step 1:

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall two of them. Of the two, I would recommend keeping AVG, so please uninstall the following applications:

Norton Security Center

LiveUpdate 3.0 (Symantec Corporation)

Step 2:

Please go into the Control Panel, Add/Remove, and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

Thanks for your help. I have completed step 1, but I have a problem with one of the Java files as instructed:

When trying to delete Program Files\Java, I get the following error message:

Cannot delete Jqs.exe Access is denied.

Should I continue with ComboFix?

Thanks


Did you uninstall Java from Control Panel before attempting to delete the folder?

Thanks, I have now deleted the folder and gone to step 3. Please see attachments as requested and the ComboFix log below.

ComboFix 10-03-11.04 - Comet 12/03/2010 9:58.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.421 [GMT 0:00]

Running from: c:\documents and settings\Comet\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\EventSystem.log

c:\windows\system32\prsgrc.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))

.

2010-03-12 09:34 . 2010-03-12 09:34 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-12 09:34 . 2010-03-12 09:34 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-12 09:34 . 2010-03-12 09:34 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-12 09:32 . 2010-02-18 23:09 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-03-12 09:32 . 2010-02-18 23:09 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-03-12 09:32 . 2010-02-18 23:09 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-03-12 09:32 . 2010-02-18 23:09 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-10 19:32 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 19:18 . 2010-03-11 07:11 -------- d-----w- c:\documents and settings\Comet\Application Data\OnlineArmor

2010-03-10 19:18 . 2010-03-10 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2010-03-10 19:18 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-03-10 19:18 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-03-10 19:18 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-03-10 19:18 . 2010-03-10 19:18 -------- d-----w- c:\program files\Tall Emu

2010-03-10 12:40 . 2010-03-10 12:40 503808 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcp71.dll

2010-03-10 12:40 . 2010-03-10 12:40 499712 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\jmc.dll

2010-03-10 12:40 . 2010-03-10 12:40 348160 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcr71.dll

2010-03-10 12:40 . 2010-03-10 12:40 61440 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-sse.dll

2010-03-10 12:40 . 2010-03-10 12:40 12800 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-d3d.dll

2010-03-10 08:47 . 2010-03-10 08:47 -------- d-sh--w- c:\documents and settings\Comet\IECompatCache

2010-03-03 22:45 . 2010-03-10 20:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-03 22:45 . 2010-03-10 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-03 12:52 . 2010-03-03 12:52 52224 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-03 12:51 . 2010-03-08 17:52 117760 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-03 12:50 . 2010-03-03 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com

2010-03-03 11:19 . 2010-03-03 11:19 -------- d-----w- c:\documents and settings\Comet\DoctorWeb

2010-03-01 08:49 . 2010-03-09 20:04 120 ----a-w- c:\windows\Aqeyujek.dat

2010-03-01 08:49 . 2010-03-09 07:05 0 ----a-w- c:\windows\Fcazogev.bin

2010-03-01 08:49 . 2010-03-01 08:49 -------- d-----w- c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}

2010-02-28 15:54 . 2010-02-28 15:54 -------- d-sh--w- c:\documents and settings\Comet\PrivacIE

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\Comet\IETldCache

2010-02-28 15:46 . 2010-02-28 15:46 -------- d-----w- c:\windows\ie8updates

2010-02-28 15:41 . 2010-02-28 15:42 -------- dc-h--w- c:\windows\ie8

2010-02-28 15:36 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-28 15:36 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-28 15:36 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-28 14:21 . 2010-02-28 14:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\Comet\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-02-28 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-28 14:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 23:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-23 23:12 . 2010-02-23 23:12 -------- d-----w- C:\DKACACIA

2010-02-18 23:17 . 2010-02-18 23:09 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-02-18 23:17 . 2010-02-18 23:10 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-02-18 23:11 . 2010-02-18 23:11 -------- d-----w- C:\$AVG

2010-02-18 23:10 . 2010-03-12 09:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-18 23:09 . 2010-02-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-02-16 10:22 . 2010-03-04 10:57 -------- d-----w- c:\documents and settings\Comet\Application Data\VTC Preferences Folder

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-12 09:34 . 2008-05-26 12:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-12 09:33 . 2008-05-26 12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 23:33 . 2008-09-24 19:59 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-11 06:59 . 2007-05-07 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 22:21 . 2007-07-10 20:06 -------- d-----w- c:\program files\kunle ex

2010-03-05 07:27 . 2009-06-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-03-03 14:02 . 2007-10-28 13:48 -------- d-----w- c:\program files\DigidooNotecard

2010-03-03 13:53 . 2009-04-17 19:54 -------- d-----w- c:\program files\Free PowerPoint-PPT to Image Jpg-Jpeg Bmp Tiff Png Converter

2010-03-03 12:45 . 2006-10-02 18:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-25 15:02 . 2008-11-15 17:46 -------- d-----w- c:\documents and settings\Comet\Application Data\U3

2010-02-18 23:10 . 2008-05-26 12:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-18 23:09 . 2008-05-26 12:13 -------- d-----w- c:\program files\AVG

2010-01-30 11:07 . 2010-01-30 11:07 -------- d-----w- c:\program files\Sweet Home 3D

2010-01-30 11:07 . 2010-01-30 11:06 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10 . 2010-01-28 13:10 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-27 17:29 . 2006-10-14 00:28 -------- d-----w- c:\program files\Acoustica MP3 CD Burner

2010-01-21 10:46 . 2010-01-21 10:46 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 23:02 . 2007-09-23 19:28 -------- d-----w- c:\documents and settings\Comet\Application Data\Notepad++

2010-01-20 19:24 . 2007-09-23 19:28 -------- d-----w- c:\program files\Notepad++

2010-01-20 19:22 . 2010-01-20 19:22 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2010-01-17 00:07 . 2005-08-04 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-14 11:12 . 2009-10-03 00:35 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-17 17:14 . 2009-02-05 23:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-06 22:09 . 2009-12-06 22:08 595499 ----a-w- c:\program files\Autoruns.zip

2007-07-07 15:07 . 2007-07-07 15:07 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28 . 2007-07-05 21:28 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

2007-04-16 16:09 . 2007-04-16 16:09 22886 ----a-w- c:\program files\uninstal.log

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-02-21 45056]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-02-18 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2005-03-29 13:45 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-12-03 12:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"NBService"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/05/2008 12:14 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/02/2010 23:10 242696]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/03/2010 19:18 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/03/2010 19:18 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/03/2010 19:18 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/02/2010 23:09 285392]

R2 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/03/2010 19:18 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [25/09/2007 19:56 10951]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/03/2010 19:18 3291336]

S2 TDService;TDService;c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe --> c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [04/12/2006 11:37 68164]

.

Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Yahoo! Search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary

IE: Yahoo! &Maps

IE: Yahoo! &SMS

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

HKCU-Run-eyeBeam SIP Client - (no file)

HKLM-Run-Ayiqomeposuc - c:\windows\ejisucam.dll

MSConfigStartUp-eyeBeam SIP Client - c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe

AddRemove-TestDirector - c:\progra~1\COMMON~1\MERCUR~1\UNINST~1\Uninstal.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-12 10:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL51"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

Completion time: 2010-03-12 10:17:11

ComboFix-quarantined-files.txt 2010-03-12 10:16

Pre-Run: 40,659,484,672 bytes free

Post-Run: 41,750,315,008 bytes free

- - End Of File - - 373DDF181B677A79E65B2038B24F93D8


2010-03-03 22:45 . 2010-03-10 20:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-03 22:45 . 2010-03-10 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-03 12:52 . 2010-03-03 12:52 52224 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-03 12:51 . 2010-03-08 17:52 117760 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-03 12:50 . 2010-03-03 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com

2010-03-03 11:19 . 2010-03-03 11:19 -------- d-----w- c:\documents and settings\Comet\DoctorWeb

2010-03-01 08:49 . 2010-03-09 20:04 120 ----a-w- c:\windows\Aqeyujek.dat

2010-03-01 08:49 . 2010-03-09 07:05 0 ----a-w- c:\windows\Fcazogev.bin

2010-03-01 08:49 . 2010-03-01 08:49 -------- d-----w- c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}

2010-02-28 15:54 . 2010-02-28 15:54 -------- d-sh--w- c:\documents and settings\Comet\PrivacIE

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\Comet\IETldCache

2010-02-28 15:46 . 2010-02-28 15:46 -------- d-----w- c:\windows\ie8updates

2010-02-28 15:41 . 2010-02-28 15:42 -------- dc-h--w- c:\windows\ie8

2010-02-28 15:36 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-28 15:36 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-28 15:36 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-28 14:21 . 2010-02-28 14:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\Comet\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-02-28 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-28 14:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 23:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-23 23:12 . 2010-02-23 23:12 -------- d-----w- C:\DKACACIA

2010-02-18 23:17 . 2010-02-18 23:09 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-02-18 23:17 . 2010-02-18 23:10 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-02-18 23:11 . 2010-02-18 23:11 -------- d-----w- C:\$AVG

2010-02-18 23:10 . 2010-03-12 09:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-18 23:09 . 2010-02-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-02-16 10:22 . 2010-03-04 10:57 -------- d-----w- c:\documents and settings\Comet\Application Data\VTC Preferences Folder

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-12 09:34 . 2008-05-26 12:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-12 09:33 . 2008-05-26 12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 23:33 . 2008-09-24 19:59 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-11 06:59 . 2007-05-07 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 22:21 . 2007-07-10 20:06 -------- d-----w- c:\program files\kunle ex

2010-03-05 07:27 . 2009-06-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-03-03 14:02 . 2007-10-28 13:48 -------- d-----w- c:\program files\DigidooNotecard

2010-03-03 13:53 . 2009-04-17 19:54 -------- d-----w- c:\program files\Free PowerPoint-PPT to Image Jpg-Jpeg Bmp Tiff Png Converter

2010-03-03 12:45 . 2006-10-02 18:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-25 15:02 . 2008-11-15 17:46 -------- d-----w- c:\documents and settings\Comet\Application Data\U3

2010-02-18 23:10 . 2008-05-26 12:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-18 23:09 . 2008-05-26 12:13 -------- d-----w- c:\program files\AVG

2010-01-30 11:07 . 2010-01-30 11:07 -------- d-----w- c:\program files\Sweet Home 3D

2010-01-30 11:07 . 2010-01-30 11:06 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10 . 2010-01-28 13:10 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-27 17:29 . 2006-10-14 00:28 -------- d-----w- c:\program files\Acoustica MP3 CD Burner

2010-01-21 10:46 . 2010-01-21 10:46 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 23:02 . 2007-09-23 19:28 -------- d-----w- c:\documents and settings\Comet\Application Data\Notepad++

2010-01-20 19:24 . 2007-09-23 19:28 -------- d-----w- c:\program files\Notepad++

2010-01-20 19:22 . 2010-01-20 19:22 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2010-01-17 00:07 . 2005-08-04 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-14 11:12 . 2009-10-03 00:35 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-17 17:14 . 2009-02-05 23:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-06 22:09 . 2009-12-06 22:08 595499 ----a-w- c:\program files\Autoruns.zip

2007-07-07 15:07 . 2007-07-07 15:07 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28 . 2007-07-05 21:28 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

2007-04-16 16:09 . 2007-04-16 16:09 22886 ----a-w- c:\program files\uninstal.log

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-02-21 45056]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-02-18 23:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2005-03-29 13:45 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-12-03 12:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"NBService"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/05/2008 12:14 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/02/2010 23:10 242696]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/03/2010 19:18 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/03/2010 19:18 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/03/2010 19:18 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/02/2010 23:09 285392]

R2 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/03/2010 19:18 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [25/09/2007 19:56 10951]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/03/2010 19:18 3291336]

S2 TDService;TDService;c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe --> c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [04/12/2006 11:37 68164]

.

Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Yahoo! Search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary

IE: Yahoo! &Maps

IE: Yahoo! &SMS

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

HKCU-Run-eyeBeam SIP Client - (no file)

HKLM-Run-Ayiqomeposuc - c:\windows\ejisucam.dll

MSConfigStartUp-eyeBeam SIP Client - c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe

AddRemove-TestDirector - c:\progra~1\COMMON~1\MERCUR~1\UNINST~1\Uninstal.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-12 10:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL51"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

Completion time: 2010-03-12 10:17:11

ComboFix-quarantined-files.txt 2010-03-12 10:16

Pre-Run: 40,659,484,672 bytes free

Post-Run: 41,750,315,008 bytes free

- - End Of File - - 373DDF181B677A79E65B2038B24F93D8

I'm attaching the requested files again - not sure if this was processed earlier


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=42907

KillAll::

Collect::
c:\windows\Aqeyujek.dat
c:\windows\Fcazogev.bin
c:\windows\ejisucam.dll

DDS::
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

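The Collect:: list above is the result of a triage pass over the ComboFix log: the two loose files directly in c:\windows that appeared in the same minute (Aqeyujek.dat and Fcazogev.bin), plus the target of the orphaned HKLM Run value (ejisucam.dll). The following Python script is an added example of that reasoning written as code; it is not part of ComboFix, HijackThis or the thread. It assumes the entry layout exactly as it prints in the log above (two timestamps, size or dashes, an eight-character attribute string, then the path), and the sample lines are copied from that log, with one orphan entry and one other Windows-root file included as noise.

```python
"""Triage helper for a ComboFix log: parse file entries and the
'ORPHANS REMOVED' autostart list, then score files that sit directly under
the Windows directory. Added example; not part of ComboFix or the thread."""
import re
from collections import defaultdict

# One file entry as printed by ComboFix (layout taken from the log above):
#   <timestamp 1> . <timestamp 2> <size or 8 dashes> <attrs> <path>
# Timestamp 1 is the one that falls inside the section's date window, so the
# batch heuristic below groups on it.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Orphan autostart lines: "<hive>-Run-<value name> - <target or (no file)>"
ORPHAN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)-Run-(?P<name>.+?) - (?P<target>.+)$")

WINDOWS_ROOT = "c:\\windows\\"

# Constructed sample: lines copied from the log above, plus one orphan line
# and one unrelated Windows-root file (bthservsdp.dat) as noise.
SAMPLE_LOG = r"""
2010-03-12 09:34 . 2010-03-12 09:34 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-10 19:18 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-03-01 08:49 . 2010-03-09 20:04 120 ----a-w- c:\windows\Aqeyujek.dat
2010-03-01 08:49 . 2010-03-09 07:05 0 ----a-w- c:\windows\Fcazogev.bin
2010-02-28 15:46 . 2010-02-28 15:46 -------- d-----w- c:\windows\ie8updates
2010-03-11 23:33 . 2008-09-24 19:59 12 ----a-w- c:\windows\bthservsdp.dat
HKCU-Run-eyeBeam SIP Client - (no file)
HKLM-Run-Ayiqomeposuc - c:\windows\ejisucam.dll
""".strip().splitlines()


def parse_entries(lines):
    """Return one dict per line matching the file-entry layout; skip the rest."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts1": m["ts1"],
            "ts2": m["ts2"],
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"].strip(),
        })
    return entries


def parse_orphans(lines):
    """Map lower-cased target path -> Run value name for orphan entries with a file."""
    out = {}
    for line in lines:
        m = ORPHAN_RE.match(line.strip())
        if m and m["target"] != "(no file)":
            out[m["target"].strip().lower()] = m["name"]
    return out


def in_windows_root(path):
    """True for a path directly in c:\\windows, i.e. no further subdirectory."""
    p = path.lower()
    return p.startswith(WINDOWS_ROOT) and "\\" not in p[len(WINDOWS_ROOT):]


def score_entries(entries, orphans):
    """Return {path: [reasons]} for Windows-root files with at least two reasons."""
    by_minute = defaultdict(list)                 # root files grouped by timestamp 1
    for e in entries:
        if not e["is_dir"] and in_windows_root(e["path"]):
            by_minute[e["ts1"]].append(e["path"])

    findings = {}
    for e in entries:
        if e["is_dir"] or not in_windows_root(e["path"]):
            continue
        reasons = ["loose file in Windows root"]
        batch = by_minute[e["ts1"]]
        if len(batch) > 1:                        # several root files in one minute
            reasons.append(f"appeared at {e['ts1']} with {len(batch) - 1} other root file(s)")
        key = e["path"].lower()
        if key in orphans:                        # an autostart value pointed at it
            reasons.append(f"target of Run value {orphans[key]!r}")
        if len(reasons) >= 2:
            findings[e["path"]] = reasons

    # Autostart targets never listed as created files still deserve a look.
    listed = {p.lower() for p in findings}
    for target, name in orphans.items():
        if in_windows_root(target) and target not in listed:
            findings[target] = ["loose file in Windows root", f"target of Run value {name!r}"]
    return findings


def triage(lines):
    """Convenience wrapper: parse both sections and score in one call."""
    return score_entries(parse_entries(lines), parse_orphans(lines))


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the sample, the three paths reported are exactly the three the Collect:: block names, while bthservsdp.dat, a lone Windows-root file with no autostart reference, stays below the threshold. The heuristics are deliberately narrow (location, co-occurrence in time, autostart cross-reference); they order the log for a human reviewer rather than decide anything on their own.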

Thank you for your feedback.

ComboFix Log:

ComboFix 10-03-11.04 - Comet 12/03/2010 21:50:59.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.488 [GMT 0:00]

Running from: C:\Documents and Settings\Comet\Desktop\Combo-Fix.exe

Command switches used :: C:\Documents and Settings\Comet\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

file zipped: c:\windows\Aqeyujek.dat

file zipped: c:\windows\Fcazogev.bin

.

---------------------------------------------

Please see attachment for HijackThis


Please post a full ComboFix log.

That was the only log I found. ComboFix did a reboot, then a message appeared indicating not to run any applications, and then another message indicating it was preparing a log. A few seconds later ComboFix suddenly disappeared. This could be due to Online Armor now kicking in.

What do you suggest I do now?


Please go to your main hard drive ( C:\ ), open ComboFix.txt and copy/paste its content.

That's what I did before. I have double checked and the content is the same:

ComboFix 10-03-11.04 - Comet 12/03/2010 21:50:59.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.488 [GMT 0:00]

Running from: C:\Documents and Settings\Comet\Desktop\Combo-Fix.exe

Command switches used :: C:\Documents and Settings\Comet\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

file zipped: c:\windows\Aqeyujek.dat

file zipped: c:\windows\Fcazogev.bin

.


Please delete your copy of ComboFix and follow the instructions:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


New ComboFix Log:

ComboFix 10-03-12.04 - Comet 13/03/2010 16:37:33.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.477 [GMT 0:00]

Running from: c:\documents and settings\Comet\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\prsgrc.dll

.

---- Previous Run -------

.

c:\windows\Aqeyujek.dat

c:\windows\Fcazogev.bin

c:\windows\system32\prsgrc.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))

.

2010-03-12 09:57 . 2010-03-12 10:17 -------- d-----w- C:\Combo-Fix

2010-03-12 09:34 . 2010-03-12 09:34 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-12 09:34 . 2010-03-12 09:34 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-12 09:34 . 2010-03-12 09:34 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-12 09:34 . 2010-03-12 09:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-12 09:32 . 2010-02-18 23:09 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-03-12 09:32 . 2010-02-18 23:09 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-03-12 09:32 . 2010-02-18 23:09 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-03-12 09:32 . 2010-02-18 23:09 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-10 19:32 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 19:18 . 2010-03-11 07:11 -------- d-----w- c:\documents and settings\Comet\Application Data\OnlineArmor

2010-03-10 19:18 . 2010-03-10 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2010-03-10 19:18 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-03-10 19:18 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-03-10 19:18 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-03-10 19:18 . 2010-03-10 19:18 -------- d-----w- c:\program files\Tall Emu

2010-03-10 12:40 . 2010-03-10 12:40 503808 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcp71.dll

2010-03-10 12:40 . 2010-03-10 12:40 499712 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\jmc.dll

2010-03-10 12:40 . 2010-03-10 12:40 348160 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcr71.dll

2010-03-10 12:40 . 2010-03-10 12:40 61440 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-sse.dll

2010-03-10 12:40 . 2010-03-10 12:40 12800 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-d3d.dll

2010-03-10 08:47 . 2010-03-10 08:47 -------- d-sh--w- c:\documents and settings\Comet\IECompatCache

2010-03-03 22:45 . 2010-03-10 20:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-03 22:45 . 2010-03-10 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-03 12:52 . 2010-03-03 12:52 52224 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-03 12:51 . 2010-03-08 17:52 117760 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-03 12:50 . 2010-03-03 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com

2010-03-03 11:19 . 2010-03-03 11:19 -------- d-----w- c:\documents and settings\Comet\DoctorWeb

2010-03-01 08:49 . 2010-03-01 08:49 -------- d-----w- c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}

2010-02-28 15:54 . 2010-02-28 15:54 -------- d-sh--w- c:\documents and settings\Comet\PrivacIE

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\Comet\IETldCache

2010-02-28 15:46 . 2010-02-28 15:46 -------- d-----w- c:\windows\ie8updates

2010-02-28 15:41 . 2010-02-28 15:42 -------- dc-h--w- c:\windows\ie8

2010-02-28 15:36 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-28 15:36 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-28 15:36 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-28 14:21 . 2010-02-28 14:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\Comet\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-02-28 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-28 14:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 23:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-23 23:12 . 2010-02-23 23:12 -------- d-----w- C:\DKACACIA

2010-02-18 23:17 . 2010-02-18 23:09 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-02-18 23:17 . 2010-02-18 23:10 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-02-18 23:11 . 2010-02-18 23:11 -------- d-----w- C:\$AVG

2010-02-18 23:10 . 2010-03-12 09:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-18 23:09 . 2010-02-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-02-16 10:22 . 2010-03-04 10:57 -------- d-----w- c:\documents and settings\Comet\Application Data\VTC Preferences Folder

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-13 00:45 . 2008-09-24 19:59 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-12 18:45 . 2009-06-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-03-12 09:34 . 2008-05-26 12:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-12 09:33 . 2008-05-26 12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 06:59 . 2007-05-07 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 22:21 . 2007-07-10 20:06 -------- d-----w- c:\program files\kunle ex

2010-03-03 14:02 . 2007-10-28 13:48 -------- d-----w- c:\program files\DigidooNotecard

2010-03-03 13:53 . 2009-04-17 19:54 -------- d-----w- c:\program files\Free PowerPoint-PPT to Image Jpg-Jpeg Bmp Tiff Png Converter

2010-03-03 12:45 . 2006-10-02 18:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-25 15:02 . 2008-11-15 17:46 -------- d-----w- c:\documents and settings\Comet\Application Data\U3

2010-02-18 23:09 . 2008-05-26 12:13 -------- d-----w- c:\program files\AVG

2010-01-30 11:07 . 2010-01-30 11:07 -------- d-----w- c:\program files\Sweet Home 3D

2010-01-30 11:07 . 2010-01-30 11:06 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10 . 2010-01-28 13:10 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-27 17:29 . 2006-10-14 00:28 -------- d-----w- c:\program files\Acoustica MP3 CD Burner

2010-01-21 10:46 . 2010-01-21 10:46 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 23:02 . 2007-09-23 19:28 -------- d-----w- c:\documents and settings\Comet\Application Data\Notepad++

2010-01-20 19:24 . 2007-09-23 19:28 -------- d-----w- c:\program files\Notepad++

2010-01-20 19:22 . 2010-01-20 19:22 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2010-01-17 00:07 . 2005-08-04 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-14 11:12 . 2009-10-03 00:35 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-17 17:14 . 2009-02-05 23:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-06 22:09 . 2009-12-06 22:08 595499 ----a-w- c:\program files\Autoruns.zip

2007-07-07 15:07 . 2007-07-07 15:07 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28 . 2007-07-05 21:28 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

2007-04-16 16:09 . 2007-04-16 16:09 22886 ----a-w- c:\program files\uninstal.log

.

((((((((((((((((((((((((((((( SnapShot@2010-03-12_10.13.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-13 16:30 . 2010-03-13 16:30 16384 c:\windows\temp\Perflib_Perfdata_44c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-02-21 45056]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-12 09:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2005-03-29 13:45 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-12-03 12:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"NBService"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/05/2008 12:14 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/02/2010 23:10 242696]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/03/2010 19:18 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/03/2010 19:18 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/03/2010 19:18 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/03/2010 09:34 308064]

R2 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/03/2010 19:18 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [25/09/2007 19:56 10951]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/03/2010 19:18 3291336]

S2 TDService;TDService;c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe --> c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [04/12/2006 11:37 68164]

.

Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Yahoo! Search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary

IE: Yahoo! &Maps

IE: Yahoo! &SMS

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-13 16:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL51"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

Completion time: 2010-03-13 16:51:13

ComboFix-quarantined-files.txt 2010-03-13 16:50

ComboFix2.txt 2010-03-12 10:17

Pre-Run: 41,099,571,200 bytes free

Post-Run: 41,091,215,360 bytes free

- - End Of File - - 6B9BCA83503E1C284FAAC94AF3E9F4FF

Also, please see the new HijackThis log attached. Thanks


Step 1:

Please open HijackThis and select Do a system scan only.

Check the following entries:

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 2:

Open Notepad and copy and paste the text in the code box below into it:

Collect::
c:\windows\system32\prsgrc.dll

COMMENT::
c:\windows\system32\prsgrc.dll <-- FP

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

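As an added illustration of what Step 1 above is doing (example code written for this page; it is not part of the thread, of HijackThis or of ComboFix): the three entries the helper asks the user to fix are all marked "(file missing)", meaning the registry still registers a BHO or protocol handler whose DLL is no longer on disk. Such a registration can load nothing, so it is dead weight, usually left behind by an uninstall or an earlier clean-up, and a safe candidate for "Fix checked". The parser below recognises the O2/O18 line shape quoted in the post and separates those orphans from entries whose file is still present. The sample log reuses the three lines from Step 1 plus two entries constructed from the AVG toolbar and SUPERAntiSpyware paths in the ComboFix log; the display name "AVG Security Toolbar" is an assumption, not taken from a real log.

```python
"""Flag orphaned HijackThis O2/O18 entries.

Example code added for this page; not part of the thread, of HijackThis
or of ComboFix. An entry HijackThis marks "(file missing)" points at a DLL
that no longer exists, so nothing can be loaded from it and removing the
registration only drops a stale pointer.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shape assumed here (taken from the entries quoted in Step 1):
#   O2 - BHO: <name> - {<CLSID>} - <path> [(file missing)]
#   O18 - Protocol: <name> - {<CLSID>} - <dll> [(file missing)]
_HJT_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>BHO|Protocol): "
    r"(?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class HjtEntry:
    section: str        # "O2" (browser helper object) or "O18" (protocol handler)
    kind: str           # "BHO" or "Protocol"
    name: str           # display name HijackThis resolved for the CLSID
    clsid: str          # normalised to upper case so entries compare reliably
    target: str         # DLL path (or bare file name) the registration points at
    file_missing: bool  # True when HijackThis could not find the target on disk


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one O2/O18 line; return None for any other HijackThis section."""
    m = _HJT_RE.match(line.strip())
    if m is None:
        return None
    return HjtEntry(
        section=m["section"],
        kind=m["kind"],
        name=m["name"],
        clsid=m["clsid"].upper(),
        target=m["target"],
        file_missing=m["missing"] is not None,
    )


def orphaned_entries(lines: Iterable[str]) -> List[HjtEntry]:
    """Return the O2/O18 entries whose target file is missing, in log order."""
    found: List[HjtEntry] = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is not None and entry.file_missing:
            found.append(entry)
    return found


# Sample log: the three lines quoted in Step 1 of the post above, plus two
# constructed entries. The AVG line uses the toolbar CLSID and path from the
# ComboFix log but an assumed display name; the O4 line is built from the
# SUPERAntiSpyware Run entry in that log and is here to show that other
# sections are ignored rather than misparsed.
SAMPLE_LOG = [
    r"O2 - BHO: AVG Security Toolbar - {A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll",
    r"O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)",
    r"O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)",
    r"O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)",
    r"O4 - HKCU\..\Run: [SUPERAntiSpyware] c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.section} {e.kind:8} {e.clsid} -> {e.target}  [file missing]")
```

Run stand-alone it lists the same three entries the helper selected, and leaves the AVG toolbar BHO alone because its DLL is present. The "file missing" check is deliberately the only trigger: a BHO whose DLL does exist is not evidence of anything by itself, and deciding about those entries needs the file's publisher, path and date, which the ComboFix log sections above supply.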

ComboFix Log:

ComboFix 10-03-12.04 - Comet 13/03/2010 22:15:47.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.458 [GMT 0:00]

Running from: c:\documents and settings\Comet\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Comet\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))

.

2010-03-12 09:57 . 2010-03-12 10:17 -------- d-----w- C:\Combo-Fix

2010-03-12 09:34 . 2010-03-12 09:34 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-12 09:34 . 2010-03-12 09:34 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-12 09:34 . 2010-03-12 09:34 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-12 09:34 . 2010-03-12 09:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-12 09:32 . 2010-02-18 23:09 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-03-12 09:32 . 2010-02-18 23:09 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-03-12 09:32 . 2010-02-18 23:09 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-03-12 09:32 . 2010-02-18 23:09 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-03-10 19:32 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 19:18 . 2010-03-11 07:11 -------- d-----w- c:\documents and settings\Comet\Application Data\OnlineArmor

2010-03-10 19:18 . 2010-03-10 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2010-03-10 19:18 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-03-10 19:18 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-03-10 19:18 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-03-10 19:18 . 2010-03-10 19:18 -------- d-----w- c:\program files\Tall Emu

2010-03-10 12:40 . 2010-03-10 12:40 503808 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcp71.dll

2010-03-10 12:40 . 2010-03-10 12:40 499712 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\jmc.dll

2010-03-10 12:40 . 2010-03-10 12:40 348160 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3d70af72-n\msvcr71.dll

2010-03-10 12:40 . 2010-03-10 12:40 61440 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-sse.dll

2010-03-10 12:40 . 2010-03-10 12:40 12800 ----a-w- c:\documents and settings\Comet\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6ad6540b-n\decora-d3d.dll

2010-03-10 08:47 . 2010-03-10 08:47 -------- d-sh--w- c:\documents and settings\Comet\IECompatCache

2010-03-03 22:45 . 2010-03-10 20:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-03 22:45 . 2010-03-10 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-03 12:52 . 2010-03-03 12:52 52224 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-03 12:51 . 2010-03-08 17:52 117760 ----a-w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-03 12:50 . 2010-03-03 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-03 12:47 . 2010-03-03 12:47 -------- d-----w- c:\documents and settings\Comet\Application Data\SUPERAntiSpyware.com

2010-03-03 11:19 . 2010-03-03 11:19 -------- d-----w- c:\documents and settings\Comet\DoctorWeb

2010-03-01 08:49 . 2010-03-01 08:49 -------- d-----w- c:\documents and settings\Comet\Local Settings\Application Data\{3E1E4A70-E00D-45D5-A3EE-9F67764F6FF1}

2010-02-28 15:54 . 2010-02-28 15:54 -------- d-sh--w- c:\documents and settings\Comet\PrivacIE

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-02-28 15:51 . 2010-02-28 15:51 -------- d-sh--w- c:\documents and settings\Comet\IETldCache

2010-02-28 15:46 . 2010-02-28 15:46 -------- d-----w- c:\windows\ie8updates

2010-02-28 15:41 . 2010-02-28 15:42 -------- dc-h--w- c:\windows\ie8

2010-02-28 15:36 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll

2010-02-28 15:36 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-02-28 15:36 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-28 14:21 . 2010-02-28 14:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\Comet\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-28 14:20 . 2010-02-28 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-28 14:20 . 2010-02-28 14:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-28 14:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 23:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-23 23:12 . 2010-02-23 23:12 -------- d-----w- C:\DKACACIA

2010-02-18 23:17 . 2010-02-18 23:09 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-02-18 23:17 . 2010-02-18 23:10 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-02-18 23:11 . 2010-02-18 23:11 -------- d-----w- C:\$AVG

2010-02-18 23:10 . 2010-03-12 09:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-18 23:09 . 2010-02-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-02-16 10:22 . 2010-03-04 10:57 -------- d-----w- c:\documents and settings\Comet\Application Data\VTC Preferences Folder

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-13 18:32 . 2008-09-24 19:59 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-12 18:45 . 2009-06-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-03-12 09:34 . 2008-05-26 12:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-12 09:33 . 2008-05-26 12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 06:59 . 2007-05-07 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 22:21 . 2007-07-10 20:06 -------- d-----w- c:\program files\kunle ex

2010-03-03 14:02 . 2007-10-28 13:48 -------- d-----w- c:\program files\DigidooNotecard

2010-03-03 13:53 . 2009-04-17 19:54 -------- d-----w- c:\program files\Free PowerPoint-PPT to Image Jpg-Jpeg Bmp Tiff Png Converter

2010-03-03 12:45 . 2006-10-02 18:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-25 15:02 . 2008-11-15 17:46 -------- d-----w- c:\documents and settings\Comet\Application Data\U3

2010-02-18 23:09 . 2008-05-26 12:13 -------- d-----w- c:\program files\AVG

2010-01-30 11:07 . 2010-01-30 11:07 -------- d-----w- c:\program files\Sweet Home 3D

2010-01-30 11:07 . 2010-01-30 11:06 29456637 ----a-w- c:\program files\SweetHome3D-2.2-windows.exe

2010-01-28 13:10 . 2010-01-28 13:10 693800 ----a-w- c:\program files\WindowsXP-Windows2000-Script56-KB917344-x86-enu.exe

2010-01-27 17:29 . 2006-10-14 00:28 -------- d-----w- c:\program files\Acoustica MP3 CD Burner

2010-01-21 10:46 . 2010-01-21 10:46 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-01-20 23:02 . 2007-09-23 19:28 -------- d-----w- c:\documents and settings\Comet\Application Data\Notepad++

2010-01-20 19:24 . 2007-09-23 19:28 -------- d-----w- c:\program files\Notepad++

2010-01-20 19:22 . 2010-01-20 19:22 3546726 ----a-w- c:\program files\npp.5.6.4.Installer.exe

2010-01-17 00:07 . 2005-08-04 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-14 11:12 . 2009-10-03 00:35 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-17 17:14 . 2009-02-05 23:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-06 22:09 . 2009-12-06 22:08 595499 ----a-w- c:\program files\Autoruns.zip

2007-07-07 15:07 . 2007-07-07 15:07 265376 ----a-w- c:\program files\chaosshredder.exe

2007-07-05 21:28 . 2007-07-05 21:28 21640064 ----a-w- c:\program files\Nokia_PC_Suite_6_84_10_3_eng_web.exe

2007-04-16 16:09 . 2007-04-16 16:09 22886 ----a-w- c:\program files\uninstal.log

.

((((((((((((((((((((((((((((( SnapShot@2010-03-12_10.13.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-13 18:34 . 2010-03-13 18:34 16384 c:\windows\temp\Perflib_Perfdata_468.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2006-02-21 45056]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-12 09:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk

backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2005-03-29 13:45 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]

2004-12-03 12:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2006-02-06 17:52 462935 ----a-w- c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"NBService"=3 (0x3)

"SQLSERVERAGENT"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/05/2008 12:14 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/02/2010 23:10 242696]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/03/2010 19:18 223312]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/03/2010 19:18 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/03/2010 19:18 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 10:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 10:15 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/03/2010 09:34 308064]

R2 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld" --defaults-file="c:\program files\MySQL\MySQL Server 5.1\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.1\bin\mysqld [?]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/03/2010 19:18 1282248]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [25/09/2007 19:56 10951]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 10:15 12872]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/03/2010 19:18 3291336]

S2 TDService;TDService;c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe --> c:\progra~1\COMMON~1\MERCUR~1\TDAPIS~1\TDService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 FLASHREADER;%FLASHREADER.SvcDesc%;c:\windows\system32\drivers\CAUSB.SYS [04/12/2006 11:37 68164]

.

Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/ig?hl=en

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: &Yahoo! Search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Yahoo! &Dictionary

IE: Yahoo! &Maps

IE: Yahoo! &SMS

Trusted Zone: premierinn.com\bookings

Trusted Zone: yahoo.com

Trusted Zone: yahoo.com\login

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://mylaptop:8080/qcbin/Spider90.ocx

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-13 22:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL51"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2892)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-03-13 22:28:00

ComboFix-quarantined-files.txt 2010-03-13 22:27

ComboFix2.txt 2010-03-13 16:51

ComboFix3.txt 2010-03-12 10:17

Pre-Run: 41,090,879,488 bytes free

Post-Run: 41,061,462,016 bytes free

- - End Of File - - C74FCAA0B1DDA42241056E5F31EC2166

Please see attachment for HijackThis. Thanks


  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks, as requested:

Malwarebytes' Anti-Malware 1.44

Database version: 3864

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

13/03/2010 22:58:12

mbam-log-2010-03-13 (22-58-12).txt

Scan type: Quick Scan

Objects scanned: 133140

Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

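The MBAM report above is the artefact the helper asks for after each round. As an added example, not something posted in this thread or shipped by Malwarebytes, here is a small Python parser for that log layout. It pulls out the header fields, the per-category "Infected" counts and any detection lines, and checks three things a helper reading such a log would check: whether every count is zero, whether the summary counts agree with the detail lines, and whether any removal action is deferred to the next reboot (the reason the instructions say a restart prompt may appear). The infected sample, its registry key and its file paths are constructed for illustration; the threat names are the ones reported earlier in the thread, and the "Quarantined and deleted successfully" / "Delete on reboot" action wording is assumed to be what MBAM writes.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.44 log posted above.
# The detection lines, key and paths are hypothetical; the posted log
# itself reported no malicious items.
INFECTED_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3864
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/03/2010 22:58:12
mbam-log-2010-03-13 (22-58-12).txt

Scan type: Quick Scan
Objects scanned: 133140
Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Hypothetical (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\example\hypothetical1.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\example\hypothetical2.dll (Trojan.Hiloti) -> Delete on reboot.
"""

# Trimmed copy of the clean log posted in the thread (all counts zero).
CLEAN_LOG = """Malwarebytes' Anti-Malware 1.44
Database version: 3864
Scan type: Quick Scan
Objects scanned: 133140

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")      # summary line with a number
SECTION_RE = re.compile(r"^(.+ Infected):$")          # heading of a detail section
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")  # object (threat) -> action


def parse_mbam_log(text):
    """Split an MBAM log into header fields, summary counts and detection items."""
    header, counts, items = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"category": section, "object": m.group(1),
                          "threat": m.group(2), "action": m.group(3)})
            continue
        if section is None and ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return {"header": header, "counts": counts, "items": items}


def is_clean(report):
    """True when every summary count is zero and no detail line was found."""
    return all(n == 0 for n in report["counts"].values()) and not report["items"]


def needs_reboot(report):
    """True when any removal action is deferred until the next restart."""
    return any("reboot" in it["action"].lower() for it in report["items"])


def counts_match_details(report):
    """Cross-check the summary counts against the per-category detail lines."""
    detail = Counter(it["category"] for it in report["items"])
    return all(detail.get(cat, 0) == n for cat, n in report["counts"].items())
```

Run `parse_mbam_log` on a pasted log and the three predicates give the verdicts directly; a mismatch from `counts_match_details` usually means the paste was truncated, which is worth knowing before acting on a report someone else posted.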

Yes, you need it. Some final steps:

Step 1:

Please manually delete JavaRa and DDS.

Step 2:

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 3:

Some preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :(
