
Author Topic: Stuck - Firewall will not allow updates to antivirus software.  (Read 9776 times)


Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Stuck - Firewall will not allow updates to antivirus software.
« on: January 16, 2009, 03:14:07 AM »
Hi all

I'm having a bit of a problem with my computer. It is an AMD 2500 running Windows XP SP2. It has been informing me that SP3 updates are available, but with the problems below I didn't want to upgrade.

The system was heavily infected by malware. When I got the computer it had Avast installed, but for some reason it would not allow the licence key to work. I installed Malwarebytes and ran it, and also SUPERAntiSpyware. The problem is that I cannot update the definitions on these programs. Every time I try it says "Update failed. Make sure you are connected to the internet and that your firewall is set to allow Malwarebytes Anti-Malware (or SUPERAntiSpyware) access to the internet".

I have checked the exceptions tab on the firewall and allowed the programs, and I have even tried it with the firewall off. I am using Windows firewall and am not running any other firewalls that I know of.

I have attached the log for Malwarebytes and a HijackThis log, and my last SUPERAntiSpyware log. Unfortunately I cannot find the first (or subsequent) SUPERAntiSpyware logs as I have done multiple scans and it overwrites the log (lesson learnt). Note that the first scan picked up and destroyed 70 bogeys. I have uninstalled all other anti-malware/spyware/virus programs except for the two mentioned. I even uninstalled Avast as it was useless with no licence key.

How can I get these programs to update, and Avast to accept the licence key? I have tried uninstalling and re-downloading and installing but no change. I haven't tried to download Avast again.

Any help will be greatly appreciated.

Thank you

Razor

PS I have tried to run my XP disk using the run command 'sfc /scannow' but unfortunately the disk belongs to XP on my other computer and I don't have the disk for this computer. It comes up with a window saying "The CD you provided is the wrong CD. Please insert the Windows Service pack 2 CD into your CD ROM drive." Not much of a workaround there as I don't have that disk  :P :-\

[attachment deleted by admin]
A lesson with power: "I moved the red psu switch from 240v to 110v then it went poof!"

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #1 on: January 16, 2009, 03:56:57 AM »
Hmm, this just keeps getting better. I just restarted my computer and when I go to My Computer and click on any of the hard drives C: and D: it says C:\resycled\boot.com is not a valid win32 application. When I delete it, it says cannot find resycled\boot.com. It won't let me into the drives unless I right-click and select Explore.

Any idea what's going on?

I have run CCleaner and used the registry cleaner on it, but everything was fine. I then tried to defrag the drives but Disk Defragmenter jammed so I shut it down and restarted.

tylerisdabest

  • Guest
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #2 on: January 16, 2009, 01:17:53 PM »
Can you download things?

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #3 on: January 16, 2009, 01:49:31 PM »
Yes I can. I can download and install but not update, or in Avast's case it won't accept the reg key. On a note of my last post, I did some research and found out that the resycled\boot.com file is a virus. I have to manually delete it from all drives. It even put itself onto my flash stick, from where I am running the antivirus programs!

I am currently running a scan with ClamWin antivirus and it has picked up a Trojan with the name swcupdate.exe so I am hoping that that is the one causing the problems.

Anyone find anything in the Hijackthis log?

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #4 on: January 16, 2009, 01:51:27 PM »
Everything in the MBAM log says No action taken. Run it again and let it fix what it finds. Then post the new log and a new HijackThis log after the MBAM cleaning is done.

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #5 on: January 16, 2009, 02:06:17 PM »
Oops, sorry evilfantasy, my bad. I saved the log, then deleted everything, which is probably why it says no action taken.

I will rescan with MBAM and post new logs after the computer has finished scanning with ClamWin. I will also post the report from ClamWin so you can see what is going on. Might be a while, the ClamWin scan seems thorough but slow.

Thanks  Razor

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #6 on: January 16, 2009, 02:16:51 PM »
Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt (will be maximized) and info.txt (will be minimized)
  • Please post the contents of both logs in the next reply.

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #7 on: January 16, 2009, 09:50:20 PM »
Ok... a few logs to go through here.

As a side note, I have managed to fix the 'Resycled\boot.com' problem.

Other things to note are:
 1) I deleted all files that the ClamWin report identified as Trojans or adware
 2) The MBAM and SUPERAntiSpyware scans picked nothing up, not surprising considering that I had scanned with them before and deleted everything they found. Note that these scans are still done with the definitions not updated.
 
I have SP3 available to install. Would you recommend doing that now, or waiting till the system is clean? The reason I ask is that a friend mentioned that the firewall problem might be a rootkit problem (I know nothing about rootkits) and he thought that installing SP3 might help. I said I'd ask you guys.

Thanks
Razor

[attachment deleted by admin]

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #8 on: January 16, 2009, 09:51:44 PM »
Hmm, the forum will only let me upload 4 files in a post.

Here are the ones you requested in your last post Evil.

[attachment deleted by admin]

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #9 on: January 17, 2009, 06:10:44 PM »
You are running an older version of HijackThis.

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Click on the Do a system scan and save a log file button.
  • HijackThis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #10 on: January 17, 2009, 06:57:08 PM »
HijackThis 2.0.2 coming up. Sorry about the old HijackThis, I didn't realise. I don't know why it has the Avast references in this log - I uninstalled Avast and removed the registry keys... at least I thought I did.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:38 p.m., on 18/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [dyvyqu] C:\WINDOWS\system32\kadoonilyr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ToNy\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194049459359
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 7973 bytes

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #11 on: January 17, 2009, 07:10:05 PM »
Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R3 - Default URLSearchHook is missing
- O4 - HKLM\..\RunServices: [dyvyqu] C:\WINDOWS\system32\kadoonilyr.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
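
As an added example (not from this thread, and not HijackThis's own logic), here is a small Python triage script for HijackThis v2 log lines. It parses the R/O entries and flags the kinds of items a helper asks to have fixed: the RunServices autostart and the missing URLSearchHook named in the reply above, plus the R1 ProxyServer entry from the posted log, since a WinINet proxy pointing at 127.0.0.1 routes IE and WinINet traffic through some local process and is worth identifying when definition updates keep failing. The sample lines are copied from the log posted earlier in this thread with one benign Run entry added for contrast; the severity rules are this example's own heuristics and the function names are assumed.

```python
"""Triage HijackThis v2 log lines for entries a malware-removal helper
typically wants reviewed. The rules are heuristics, not a verdict."""
import re
from typing import Dict, List, Optional, Tuple

# HijackThis entries look like "R1 - ..." or "O4 - ..."; the process list,
# headers and "End of file" trailer do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# WinINet proxy set to the loopback address, e.g. "ProxyServer = http=127.0.0.1:9090".
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>127\.0\.0\.1|localhost):(?P<port>\d+)", re.I
)

# Constructed sample: lines taken from the HijackThis log posted in this thread,
# plus the benign ctfmon.exe Run entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunServices: [dyvyqu] C:\WINDOWS\system32\kadoonilyr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {'section', 'body', 'raw'} records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}
            )
    return entries


def classify(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an entry worth reviewing, else None."""
    sec, body = entry["section"], entry["body"]
    if sec == "R1":
        m = PROXY_RE.search(body)
        if m:
            return (
                "high",
                f"WinINet proxy points at {m.group('host')}:{m.group('port')}; "
                "a local process sits between IE/WinINet and the network, so "
                "identify it before trusting update traffic",
            )
    if sec == "R3" and "URLSearchHook is missing" in body:
        return ("low", "default URLSearchHook removed; harmless to restore")
    if sec == "O4" and r"\RunServices:" in body:
        return (
            "high",
            "RunServices is a Windows 9x/Me autostart key; legitimate software "
            "on XP almost never writes to it",
        )
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run classify() over every parsed entry and collect the findings in log order."""
    findings = []
    for entry in parse_hjt(text):
        verdict = classify(entry)
        if verdict:
            findings.append(
                {"severity": verdict[0], "section": entry["section"],
                 "reason": verdict[1], "raw": entry["raw"]}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['raw']}\n       -> {f['reason']}")
```

Run against the sample, the script reports three entries: the loopback proxy and the RunServices autostart as high, the missing URLSearchHook as low, while the ctfmon.exe and Google Updater lines pass untouched. Adding a rule is a matter of extending classify(); keeping parse and rules separate makes it easy to feed in a whole pasted log rather than hand-picked lines.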

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #12 on: January 17, 2009, 07:56:18 PM »
OK, I have done that. ComboFix log below.

One thing to note that might be important is that after the restart my Mozilla icon on the desktop opened the IE browser, not Mozilla. The Mozilla icon on the start bar opens Mozilla OK. Just thought that might be important.

ComboFix 09-01-17.03 - ToNy 2009-01-18 15:42:35.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1023.720 [GMT 13:00]
Running from: c:\documents and settings\ToNy\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.0 [VPS 081219-0] *On-access scanning disabled* (Outdated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\autorun.inf
G:\resycled
g:\resycled\boot.com

.
(((((((((((((((((((((((((   Files Created from 2008-12-18 to 2009-01-18  )))))))))))))))))))))))))))))))
.

2009-01-17 17:38 . 2009-01-17 17:38   <DIR>   d--------   C:\rsit
2009-01-17 17:38 . 2009-01-18 14:54   <DIR>   d--------   c:\program files\trend micro
2009-01-16 21:36 . 2009-01-16 21:36   <DIR>   d--------   c:\program files\CCleaner
2009-01-16 20:12 . 2009-01-16 20:12   <DIR>   d--------   c:\program files\VS Revo Group
2009-01-16 19:52 . 2009-01-16 19:52   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2009-01-16 17:48 . 2009-01-16 23:10   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-01-16 17:48 . 2009-01-16 19:53   <DIR>   d--------   c:\documents and settings\ToNy\Application Data\SUPERAntiSpyware.com
2009-01-16 17:48 . 2009-01-16 17:48   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-15 21:56 . 2009-01-14 16:11   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 21:34 . 2009-01-14 16:11   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-01-15 21:29 . 2009-01-15 21:29   <DIR>   d--------   c:\documents and settings\ToNy\Application Data\Malwarebytes
2009-01-15 21:29 . 2009-01-15 21:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-15 21:28 . 2001-08-17 13:48   12,160   --a------   c:\windows\system32\drivers\mouhid.sys
2009-01-15 21:28 . 2001-08-17 13:48   12,160   --a--c---   c:\windows\system32\dllcache\mouhid.sys
2009-01-15 21:27 . 2001-08-17 14:02   9,600   --a------   c:\windows\system32\drivers\hidusb.sys
2009-01-15 21:27 . 2001-08-17 14:02   9,600   --a--c---   c:\windows\system32\dllcache\hidusb.sys
2009-01-05 18:04 . 2009-01-16 18:57   <DIR>   d--------   c:\program files\DNA
2009-01-05 18:04 . 2009-01-16 19:10   <DIR>   d--------   c:\documents and settings\ToNy\Application Data\DNA
2008-12-29 11:55 . 2008-12-30 12:14   582   --a------   c:\windows\wininit.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 02:32   ---------   d-----w   c:\documents and settings\ToNy\Application Data\OpenOffice.org2
2009-01-18 01:32   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2009-01-16 23:36   ---------   d-----w   c:\documents and settings\ToNy\Application Data\LimeWire
2009-01-16 07:18   ---------   d-----w   c:\program files\Spybot16- Search & Destroy
2009-01-16 07:18   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 04:51   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-01-14 01:44   34   ----a-w   c:\documents and settings\ToNy\jagex_runescape_preferences.dat
2009-01-10 23:24   ---------   d-----w   c:\program files\Google
2009-01-05 05:23   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-05 05:09   ---------   d-----w   c:\program files\PokerStars.NET
2009-01-05 05:08   ---------   d-----w   c:\program files\BOTS
2008-12-30 10:03   ---------   d-----w   c:\program files\SwiftKit
2008-12-30 10:02   ---------   d-----w   c:\program files\DJ Music Mixer
2008-12-29 20:02   ---------   d-----w   c:\program files\Lavasoft
2008-12-09 22:34   ---------   d-----w   c:\program files\Lexmark X1100 Series
2008-12-09 11:05   21,504   ---h--w   c:\windows\che07.exe
2008-11-28 03:48   176,640   ----a-r   c:\windows\system32\hyjere.exe
2008-10-23 13:01   283,648   ----a-w   c:\windows\system32\gdi32.dll
2004-10-01 02:00   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-05 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-02 68856]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\ToNy\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-05 18:05 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
--------- 2007-07-31 20:37 815104 c:\program files\Brownie\BrStsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-03 09:15 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aswUpdSv"=2 (0x2)
"avast! Antivirus"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\ToNy\\Application Data\\GarageGames\\IAPlayer\\products\\www_instantaction_com\\6000\\install\\cyclomite.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2008-10-26 15172]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-31 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-31 20560]
S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot16- Search & Destroy\TeaTimer.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - ?p=ZJfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\ToNy\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\ToNy\Application Data\Mozilla\Firefox\Profiles\t1vlugw8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1396957&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\documents and settings\ToNy\Application Data\Mozilla\Firefox\Profiles\t1vlugw8.default\extensions\[email protected]\plugins\npiaplayer.dll
FF - plugin: c:\program files\echospin\npesProxy.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 15:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-18 15:45:59
ComboFix-quarantined-files.txt  2009-01-18 02:45:43

Pre-Run: 45,028,093,952 bytes free
Post-Run: 45,021,675,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

167   --- E O F ---   2009-01-16 06:03:48

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #13 on: January 18, 2009, 01:14:43 PM »
You might need to delete the Firefox shortcut on the desktop and create a new one.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Razor

    Topic Starter


    Beginner

  • Experience: Experienced
  • OS: Windows XP
Re: Stuck - Firewall will not allow updates to antivirus software.
« Reply #14 on: January 18, 2009, 09:38:46 PM »
Kaspersky Scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Monday, January 19, 2009
 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Sunday, January 18, 2009 23:47:59
 Records in database: 1644089
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\
   G:\

Scan statistics:
   Files scanned: 67248
   Threat name: 4
   Infected objects: 6
   Suspicious objects: 0
   Duration of the scan: 01:47:02


File name / Threat name / Threats count
C:\Documents and Settings\ToNy\My Documents\My Music\Tenacious D - The road.mp3   Infected: Trojan-Downloader.WMA.GetCodec.c   1
C:\Documents and Settings\ToNy\My Documents\My Received Files\picture_858_jpg.zip   Infected: Trojan.Win32.Pakes.knt   1
C:\WINDOWS\che07.exe   Infected: Trojan.Win32.Agent.bgpb   1
C:\WINDOWS\system32\hyjere.exe   Infected: Trojan.Win32.Pakes.knt   1
D:\RECYCLED\NPROTECT\00000172.EXE   Infected: not-a-virus:AdWare.Win32.Gator.3202   1
D:\Back Up Old\My Documents\DivXPro502GAINBundle.exe   Infected: not-a-virus:AdWare.Win32.Gator.3202   1

The selected area was scanned.