
Author Topic: Unable to remove virus on WinXP. Logs included. Thanks everyone!  (Read 4380 times)


Bitwise

    Topic Starter


    Greenhorn

    Hi everyone,

    I just found out about this forum. I believe I have a computer virus infecting my C drive (WinXP SP2). I thought that initial indications pointed to the Sasser worm, such as lsass.exe overrun and resulting shutdown. Using tools from Microsoft and Symantec did not find the worm and did not stop the infection. The next symptom was that the computer would not reboot, hanging in a Windows boot screen with the message “Configuring Network Connections”.
    I was able to use an older HDD also with WinXP-SP2 as the primary drive to boot from, thus having my infected drive map to the F drive as the slave physical drive. Attempts at fixing this infection are run from the current C drive with the network unplugged. This is the state I am in now. The current C drive, the uninfected one (I still hope), already had AVG version 7.5 installed, which recognized the infected files on the F drive as soon as I used Windows Explorer to examine that drive. AVG identified a file in f:\documents and settings\owner folder named owner.exe as the culprit but could not remove it or heal it. I tried A squared (free) but could not find this file. I could not use Explorer to open the f:\documents and settings\owner folder directly, always getting an access denied message. I was able to rename the owner folder to owner1 and then was able to explore inside, but AVG still could not remove the file. I tried using various unremovable file removal tools to no avail. Then, while I was watching AVG, a registry entry was made and another file appeared in the owner1 folder called file.exe. AVG claimed this was also an infected file, but failed to remove it. Below are all the logs you request on the Computer Hope webpage. Please look into this and I will follow along. You folks provide a great learning experience, thanks for your time and patience.

    Also, using a DOS window I find another file that probably has a name too long for windows to find that is located in the same infected folder f:\documents and settings\owner. I'll try to attach a screen shot.

    Does anyone know what virus(es) I have?

    The computer is a used Dell Dimension 2350, but the HDD is new with a fresh install of WinXP-SP2 Home Edition.


    Service Tag 51RZN21
    Express Service Code 10991390329
    Processor Intel(R) Pentium(R) 4 CPU 2.00GHz
    Processor Speed 1.95 GHz
    Memory (RAM) 2048 MB
    Operating System Microsoft Windows XP Home Edition
    Operating System Version 5.1.2600

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
    « Reply #1 on: April 25, 2009, 12:49:42 PM »
    Download DDS by sUBs and save it to your desktop. Alternate DDS download link

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copy and pasting it into the reply.


    Bitwise

      Topic Starter


      Greenhorn

      Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
      « Reply #2 on: April 30, 2009, 01:24:26 AM »

      DDS (Ver_09-03-16.01) - NTFSx86 
      Run by ADMINISTRATOR 1 at 23:39:51.03 on Wed 04/29/2009
      Internet Explorer: 7.0.5700.6
      Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2046.1554 [GMT -7:00]

      AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

      ============== Running Processes ===============

      C:\WINDOWS\system32\svchost -k DcomLaunch
      svchost.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      svchost.exe
      svchost.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      svchost.exe
      C:\Program Files\a-squared Free\a2service.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      C:\PROGRA~1\AVG\AVG8\avgtray.exe
      C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Java\jre6\bin\jusched.exe
      C:\Program Files\DellSupport\DSAgnt.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\mnmsrvc.exe
      C:\WINDOWS\System32\svchost.exe -k imgsvc
      C:\WINDOWS\system32\rundll32.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\PROGRA~1\AVG\AVG8\avgnsx.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\cidaemon.exe
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\AVG\AVG8\aAvgApi.exe
      C:\Program Files\AVG\AVG8\avgui.exe
      C:\Documents and Settings\ADMINISTRATOR 1\Local Settings\Temporary Internet Files\Content.IE5\OLMDUVM5\dds[1].pif

      ============== Pseudo HJT Report ===============

      uStart Page = hxxp://www.yahoo.com
      uWindow Title = Windows Internet Explorer provided by Yahoo!
      mDefault_Page_URL = hxxp://www.yahoo.com
      mSearch Bar =
      uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
      uInternet Settings,ProxyOverride = hxxp://localhost;
      uSearchAssistant =
      uCustomizeSearch =
      BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
      BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
      BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
      BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
      BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
      TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
      EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
      EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /0
      uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
      mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
      mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
      mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
      mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
      mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
      mRunOnce: [!CleanupNetMeetingDispDriver] "c:\windows\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
      IE: Crawler Search - tbr:iemenu
      IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
      DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
      DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
      DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
      DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
      DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
      DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - hxxp://loandocs.swiftsend.com/component/sview-6.2.2/svinstall_a_stat_ics.cab
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1240601962_1107a2eb8e0c670d828419dbe3cfc756&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
      DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
      DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
      DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
      Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
      Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
      Notify: avgrsstarter - avgrsstx.dll
      Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
      Notify: igfxcui - igfxsrvc.dll
      STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

      ============= SERVICES / DRIVERS ===============

      R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-24 64160]
      R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-22 130936]
      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-23 325640]
      R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-9-7 27656]
      R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-23 108552]
      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
      R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-4-24 425080]
      R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-23 298264]
      R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
      S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
      S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-22 348752]
      S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-22 1095560]

      =============== Created Last 30 ================

      2009-04-29 22:51   <DIR>   --d-----   C:\XTGOLD
      2009-04-24 21:50   <DIR>   --d-----   c:\temp\jobs
      2009-04-24 21:50   <DIR>   --d-----   c:\temp\passwords
      2009-04-24 21:48   <DIR>   --d-----   c:\temp\CRedit card payments
      2009-04-24 16:29   <DIR>   --d-----   c:\program files\a-squared Free
      2009-04-24 13:47   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
      2009-04-24 13:47   <DIR>   --d-----   c:\program files\SUPERAntiSpyware
      2009-04-24 13:47   <DIR>   --d-----   c:\docume~1\admini~2\applic~1\SUPERAntiSpyware.com
      2009-04-24 13:46   <DIR>   --d-----   c:\program files\common files\Wise Installation Wizard
      2009-04-24 12:55   <DIR>   --d-----   c:\program files\Trend Micro
      2009-04-24 12:41   410,984   a-------   c:\windows\system32\deploytk.dll
      2009-04-24 12:41   73,728   a-------   c:\windows\system32\javacpl.cpl
      2009-04-24 12:03   <DIR>   --d-----   c:\program files\CCleaner
      2009-04-24 10:56   <DIR>   --d-----   c:\program files\PurgeIE
      2009-04-24 10:14   64,160   a-------   c:\windows\system32\drivers\Lbd.sys
      2009-04-24 10:08   <DIR>   -cd-h---   c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
      2009-04-24 10:08   <DIR>   --d-----   c:\program files\Lavasoft
      2009-04-23 20:45   10,520   a-------   c:\windows\system32\avgrsstx.dll
      2009-04-23 20:45   108,552   a-------   c:\windows\system32\drivers\avgtdix.sys
      2009-04-23 20:44   325,640   a-------   c:\windows\system32\drivers\avgldx86.sys
      2009-04-23 20:44   <DIR>   --d-----   c:\windows\system32\drivers\Avg
      2009-04-23 20:44   <DIR>   --d-----   c:\docume~1\admini~2\applic~1\AVGTOOLBAR
      2009-04-23 20:44   <DIR>   --d-----   c:\program files\AVG
      2009-04-23 20:44   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\avg8
      2009-04-22 23:42   159,600   a-------   c:\windows\system32\drivers\pctgntdi.sys
      2009-04-22 23:42   130,936   a-------   c:\windows\system32\drivers\PCTCore.sys
      2009-04-22 23:42   73,840   a-------   c:\windows\system32\drivers\PCTAppEvent.sys
      2009-04-22 23:42   64,392   a-------   c:\windows\system32\drivers\pctplsg.sys
      2009-04-22 23:42   <DIR>   --d-----   c:\program files\common files\PC Tools
      2009-04-22 23:42   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\PC Tools
      2009-04-22 23:42   <DIR>   --d-----   c:\docume~1\admini~2\applic~1\PC Tools
      2009-04-22 23:24   <DIR>   --d-----   c:\docume~1\admini~2\applic~1\EMCO
      2009-04-22 23:18   <DIR>   --d-----   c:\program files\FileASSASSIN
      2009-04-22 23:15   <DIR>   --d-----   c:\docume~1\admini~2\applic~1\Malwarebytes
      2009-04-22 23:15   15,504   a-------   c:\windows\system32\drivers\mbam.sys
      2009-04-22 23:15   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-04-22 23:15   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
      2009-04-22 23:15   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
      2009-04-22 23:07   <DIR>   --d-----   c:\windows\system32\CatRoot_bak
      2009-04-22 22:42   <DIR>   --d-----   C:\!KillBox
      2009-04-22 22:09   <DIR>   --d-----   c:\program files\Spyware Doctor
      2009-04-22 22:09   84   a-------   c:\windows\encore_launcher.ini
      2009-04-21 21:43   60,416   --------   c:\windows\system32\dllcache\colbact.dll
      2009-04-21 21:43   399,360   --------   c:\windows\system32\dllcache\rpcss.dll
      2009-04-21 21:43   473,088   --------   c:\windows\system32\dllcache\fastprox.dll
      2009-04-21 21:43   227,840   --------   c:\windows\system32\dllcache\wmiprvse.exe
      2009-04-21 21:43   110,592   --------   c:\windows\system32\dllcache\services.exe
      2009-04-21 21:43   453,120   --------   c:\windows\system32\dllcache\wmiprvsd.dll
      2009-04-21 21:43   616,960   --------   c:\windows\system32\dllcache\advapi32.dll
      2009-04-21 21:43   714,752   --------   c:\windows\system32\dllcache\ntdll.dll

      ==================== Find3M  ====================

      2009-03-21 07:18   986,112   --------   c:\windows\system32\dllcache\kernel32.dll
      2009-03-06 07:44   283,648   a-------   c:\windows\system32\pdh.dll
      2009-03-06 07:44   283,648   a-------   c:\windows\system32\dllcache\pdh.dll
      2009-02-09 03:20   723,456   a-------   c:\windows\system32\lsasrv.dll
      2009-02-09 03:20   399,360   a-------   c:\windows\system32\rpcss.dll
      2009-02-09 03:20   723,456   --------   c:\windows\system32\dllcache\lsasrv.dll
      2009-02-09 03:20   714,752   a-------   c:\windows\system32\ntdll.dll
      2009-02-09 03:20   616,960   a-------   c:\windows\system32\advapi32.dll
      2009-02-09 03:19   1,846,272   a-------   c:\windows\system32\win32k.sys
      2009-02-09 03:19   1,846,272   --------   c:\windows\system32\dllcache\win32k.sys
      2009-02-06 10:24   2,180,480   a-------   c:\windows\system32\ntoskrnl.exe
      2009-02-06 10:24   2,180,480   a-------   c:\windows\system32\dllcache\ntoskrnl.exe
      2009-02-06 10:22   2,136,064   --------   c:\windows\system32\dllcache\ntkrnlmp.exe
      2009-02-06 10:14   110,592   a-------   c:\windows\system32\services.exe
      2009-02-06 09:54   35,328   a-------   c:\windows\system32\sc.exe
      2009-02-06 09:54   35,328   a-------   c:\windows\system32\dllcache\sc.exe
      2009-02-06 09:49   2,057,728   a-------   c:\windows\system32\ntkrnlpa.exe
      2009-02-06 09:49   2,057,728   a-------   c:\windows\system32\dllcache\ntkrnlpa.exe
      2009-02-06 09:49   2,015,744   --------   c:\windows\system32\dllcache\ntkrpamp.exe
      2009-02-04 23:56   90,112   a-------   c:\windows\DUMP9598.tmp
      2009-02-04 23:52   90,112   a-------   c:\windows\DUMP84df.tmp
      2009-02-03 21:30   90,112   a-------   c:\windows\DUMP3884.tmp
      2009-02-03 21:29   90,112   a-------   c:\windows\DUMP35e4.tmp
      2009-02-03 21:26   90,112   a-------   c:\windows\DUMP3623.tmp
      2009-02-03 13:08   55,808   a-------   c:\windows\system32\secur32.dll
      2009-02-03 13:08   55,808   --------   c:\windows\system32\dllcache\secur32.dll
      2003-04-14 05:24   207,758   ac------   c:\program files\INSTALL.LOG

      ============= FINISH: 23:40:36.67 ===============



      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT

      DDS (Ver_09-03-16.01)

      Microsoft Windows XP Home Edition
      Boot Device: \Device\HarddiskVolume2
      Install Date: 4/29/2003 12:01:16 PM
      System Uptime: 4/29/2009 10:47:48 PM (1 hours ago)

      Motherboard: Dell Computer Corporation |  | 07W080
      Processor:               Intel(R) Pentium(R) 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

      ==== Disk Partitions =========================

      A: is Removable
      C: is FIXED (NTFS) - 56 GiB total, 45.609 GiB free.
      D: is CDROM ()
      E: is CDROM ()
      F: is FIXED (NTFS) - 128 GiB total, 116.541 GiB free.

      ==== Disabled Device Manager Items =============

      ==== System Restore Points ===================

      RP1404: 4/21/2009 9:26:10 PM - System Checkpoint
      RP1405: 4/22/2009 9:49:31 PM - Software Distribution Service 3.0
      RP1406: 4/22/2009 11:50:41 PM - Software Distribution Service 3.0
      RP1407: 4/23/2009 8:44:24 PM - Installed AVG Free 8.5
      RP1408: 4/24/2009 9:48:39 AM - Avg8 Update
      RP1409: 4/24/2009 12:41:05 PM - Installed Java(TM) 6 Update 13
      RP1410: 4/24/2009 1:47:38 PM - Installed SUPERAntiSpyware Free Edition
      RP1411: 4/29/2009 9:04:57 AM - System Checkpoint

      ==== Installed Programs ======================

      a-squared Free 4.0
      Ad-Aware
      Adobe Reader 8.1.0
      AVG 8.5
      BACS
      Banctec Service Agreement
      Broadcom Advanced Control Suite
      CCleaner (remove only)
      CleanUp!
      Conexant SmartHSFi V92 56K DF PCI Modem
      DelinvFile - 3.03
      Dell Picture Studio - Dell Image Expert
      DellSupport
      Digital Line Detect
      EMCO UnLock IT
      ePrint Setup
      FileASSASSIN
      FundingSuite CalyxPoint Interface
      GoToAssist 8.0.0.480
      Help and Support Customization
      HijackThis 2.0.2
      Hotfix for Windows XP (KB914440)
      Hotfix for Windows XP (KB915865)
      Hotfix for Windows XP (KB952287)
      Intel(R) Extreme Graphics Driver
      Java(TM) 6 Update 13
      Malwarebytes' Anti-Malware
      Microsoft .NET Framework (English)
      Microsoft .NET Framework (English) v1.0.3705
      Microsoft .NET Framework 1.0 Hotfix (KB928367)
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1 Hotfix (KB928366)
      Microsoft Data Access Components KB870669
      Microsoft Internationalized Domain Names Mitigation APIs
      Microsoft National Language Support Downlevel APIs
      Microsoft Office 2000 Small Business
      Microsoft Office Small Business Edition 2003
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Works 7.0
      Microsoft WSE 2.0 SP3 Runtime
      Modem Helper
      MSXML 4.0 SP2 (KB927978)
      MSXML 4.0 SP2 (KB936181)
      MSXML 4.0 SP2 (KB954430)
      POINT
      QuickTime
      RealPlayer Basic
      Security Update for Step By Step Interactive Training (KB898458)
      Security Update for Step By Step Interactive Training (KB923723)
      Security Update for Windows Media Player (KB911564)
      Security Update for Windows Media Player (KB952069)
      Security Update for Windows Media Player 10 (KB917734)
      Security Update for Windows Media Player 10 (KB936782)
      Security Update for Windows Media Player 6.4 (KB925398)
      Security Update for Windows Media Player 9 (KB911565)
      Security Update for Windows Media Player 9 (KB917734)
      Security Update for Windows XP (KB883939)
      Security Update for Windows XP (KB890046)
      Security Update for Windows XP (KB893756)
      Security Update for Windows XP (KB896358)
      Security Update for Windows XP (KB896422)
      Security Update for Windows XP (KB896423)
      Security Update for Windows XP (KB896424)
      Security Update for Windows XP (KB896428)
      Security Update for Windows XP (KB896688)
      Security Update for Windows XP (KB899587)
      Security Update for Windows XP (KB899588)
      Security Update for Windows XP (KB899591)
      Security Update for Windows XP (KB900725)
      Security Update for Windows XP (KB901017)
      Security Update for Windows XP (KB901190)
      Security Update for Windows XP (KB901214)
      Security Update for Windows XP (KB902400)
      Security Update for Windows XP (KB903235)
      Security Update for Windows XP (KB904706)
      Security Update for Windows XP (KB905414)
      Security Update for Windows XP (KB905749)
      Security Update for Windows XP (KB905915)
      Security Update for Windows XP (KB908519)
      Security Update for Windows XP (KB908531)
      Security Update for Windows XP (KB911280)
      Security Update for Windows XP (KB911562)
      Security Update for Windows XP (KB911567)
      Security Update for Windows XP (KB911927)
      Security Update for Windows XP (KB912812)
      Security Update for Windows XP (KB912919)
      Security Update for Windows XP (KB913446)
      Security Update for Windows XP (KB913580)
      Security Update for Windows XP (KB914388)
      Security Update for Windows XP (KB914389)
      Security Update for Windows XP (KB916281)
      Security Update for Windows XP (KB917159)
      Security Update for Windows XP (KB917344)
      Security Update for Windows XP (KB917422)
      Security Update for Windows XP (KB917953)
      Security Update for Windows XP (KB918118)
      Security Update for Windows XP (KB918439)
      Security Update for Windows XP (KB918899)
      Security Update for Windows XP (KB919007)
      Security Update for Windows XP (KB920213)
      Security Update for Windows XP (KB920214)
      Security Update for Windows XP (KB920670)
      Security Update for Windows XP (KB920683)
      Security Update for Windows XP (KB920685)
      Security Update for Windows XP (KB921398)
      Security Update for Windows XP (KB921503)
      Security Update for Windows XP (KB921883)
      Security Update for Windows XP (KB922616)
      Security Update for Windows XP (KB922819)
      Security Update for Windows XP (KB923191)
      Security Update for Windows XP (KB923414)
      Security Update for Windows XP (KB923561)
      Security Update for Windows XP (KB923689)
      Security Update for Windows XP (KB923694)
      Security Update for Windows XP (KB923980)
      Security Update for Windows XP (KB924191)
      Security Update for Windows XP (KB924270)
      Security Update for Windows XP (KB924496)
      Security Update for Windows XP (KB924667)
      Security Update for Windows XP (KB925486)
      Security Update for Windows XP (KB925902)
      Security Update for Windows XP (KB926255)
      Security Update for Windows XP (KB926436)
      Security Update for Windows XP (KB927779)
      Security Update for Windows XP (KB927802)
      Security Update for Windows XP (KB928255)
      Security Update for Windows XP (KB928843)
      Security Update for Windows XP (KB929123)
      Security Update for Windows XP (KB930178)
      Security Update for Windows XP (KB931261)
      Security Update for Windows XP (KB931784)
      Security Update for Windows XP (KB932168)
      Security Update for Windows XP (KB933729)
      Security Update for Windows XP (KB935839)
      Security Update for Windows XP (KB935840)
      Security Update for Windows XP (KB936021)
      Security Update for Windows XP (KB938464-v2)
      Security Update for Windows XP (KB938829)
      Security Update for Windows XP (KB941202)
      Security Update for Windows XP (KB941568)
      Security Update for Windows XP (KB941569)
      Security Update for Windows XP (KB941644)
      Security Update for Windows XP (KB943460)
      Security Update for Windows XP (KB943485)
      Security Update for Windows XP (KB944653)
      Security Update for Windows XP (KB950760)
      Security Update for Windows XP (KB950762)
      Security Update for Windows XP (KB950974)
      Security Update for Windows XP (KB951066)
      Security Update for Windows XP (KB951376-v2)
      Security Update for Windows XP (KB951748)
      Security Update for Windows XP (KB952004)
      Security Update for Windows XP (KB952954)
      Security Update for Windows XP (KB954600)
      Security Update for Windows XP (KB955069)
      Security Update for Windows XP (KB956572)
      Security Update for Windows XP (KB956802)
      Security Update for Windows XP (KB956803)
      Security Update for Windows XP (KB957097)
      Security Update for Windows XP (KB958644)
      Security Update for Windows XP (KB958687)
      Security Update for Windows XP (KB958690)
      Security Update for Windows XP (KB959426)
      Security Update for Windows XP (KB960225)
      Security Update for Windows XP (KB960715)
      Security Update for Windows XP (KB960803)
      Security Update for Windows XP (KB961373)
      Setup
      Spyware Doctor 6.0
      SUPERAntiSpyware Free Edition
      Update for Windows XP (KB894391)
      Update for Windows XP (KB896727)
      Update for Windows XP (KB898461)
      Update for Windows XP (KB900485)
      Update for Windows XP (KB904942)
      Update for Windows XP (KB910437)
      Update for Windows XP (KB916595)
      Update for Windows XP (KB920872)
      Update for Windows XP (KB922582)
      Update for Windows XP (KB927891)
      Update for Windows XP (KB930916)
      Update for Windows XP (KB931836)
      Update for Windows XP (KB933360)
      Update for Windows XP (KB936357)
      Update for Windows XP (KB938828)
      Update for Windows XP (KB942763)
      Update for Windows XP (KB955839)
      Update for Windows XP (KB967715)
      Viewpoint Media Player
      Visual C++ 2008 x86 Runtime - (v9.0.30729)
      Visual C++ 2008 x86 Runtime - v9.0.30729.01
      WebFldrs XP
      Windows Genuine Advantage Notifications (KB905474)
      Windows Installer 3.1 (KB893803)
      Windows Internet Explorer 7
      Windows Media Format Runtime
      Windows Media Player 10
      Windows XP Hotfix - KB834707
      Windows XP Hotfix - KB867282
      Windows XP Hotfix - KB873333
      Windows XP Hotfix - KB873339
      Windows XP Hotfix - KB885250
      Windows XP Hotfix - KB885835
      Windows XP Hotfix - KB885836
      Windows XP Hotfix - KB886185
      Windows XP Hotfix - KB887472
      Windows XP Hotfix - KB887742
      Windows XP Hotfix - KB888113
      Windows XP Hotfix - KB888302
      Windows XP Hotfix - KB890047
      Windows XP Hotfix - KB890175
      Windows XP Hotfix - KB890859
      Windows XP Hotfix - KB890923
      Windows XP Hotfix - KB891781
      Windows XP Hotfix - KB893066
      Windows XP Hotfix - KB893086
      Windows XP Service Pack 2

      ==== Event Viewer Messages From Past Week ========

      4/23/2009 7:08:37 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
      4/23/2009 7:08:37 PM, error: Service Control Manager [7000]  - The PC Tools Security Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
      4/22/2009 9:56:59 PM, error: atapi [9]  - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
      4/22/2009 9:56:31 PM, error: PlugPlayManager [12]  - The device 'SAMSUNG CD-ROM SC-148C' (IDE\CdRomSAMSUNG_CD-ROM_SC-148C__________________B105____\5&1202a50f&0&0.0.0) disappeared from the system without first being prepared for removal.
      4/22/2009 9:56:31 PM, error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort1.
      4/22/2009 11:06:56 PM, error: DCOM [10000]  - Unable to start a DCOM Server: {54ECA872-DB2A-4C6B-BBB2-F3777C6786CC}. The error: "%2" Happened while starting this command: C:\PROGRA~1\Crawler\CToolbar.exe -Embedding
      4/22/2009 10:02:15 PM, error: Print [23]  - Printer Auto Send with eFax Messenger Plus on LIFEBOOK failed to initialize because a suitable Send with eFax Messenger Plus driver could not be found.

      ==== End Of File ===========================

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
      « Reply #3 on: April 30, 2009, 05:57:00 AM »
      Quote
      a-squared Free 4.0
      Ad-Aware
      Spyware Doctor 6.0

      Please uninstall all 3 of those. They are all running and it will just cause you problems. AVG 8.5 has spyware protection and is much better than all of those.

      ----------

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      DO NOT run it yet!

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      DDS::
      mSearch Bar =
      uSearchAssistant =
      uCustomizeSearch =
      TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
      EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      uRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeper.exe" /0
      IE: Crawler Search - tbr:iemenu
      Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll

      Folder::
      c:\progra~1\crawler
      c:\program files\webroot

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      Bitwise

        Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
        « Reply #4 on: May 05, 2009, 11:01:12 PM »
        OK, done.

        Combofix log:

        ComboFix 09-05-05.03 - ADMINISTRATOR 1 05/05/2009 21:41.1 - NTFSx86
        Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2046.1645 [GMT -7:00]
        Running from: c:\documents and settings\ADMINISTRATOR 1\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\ADMINISTRATOR 1\Desktop\cfscript.txt
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\progra~1\crawler
        c:\progra~1\crawler\adrkeys.dat
        c:\progra~1\crawler\autose.dat
        c:\progra~1\crawler\Cache\COMMON\DIRLIST_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\DIRLIST_MENU.dat
        c:\progra~1\crawler\Cache\COMMON\ECARDS_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\ECARDS_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\ECARDS_MENU.dat
        c:\progra~1\crawler\Cache\COMMON\EMAIL_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FFILL_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FFILL_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-0_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-0_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-1_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-1_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-2_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-2_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-3_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-3_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-4_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\FIND-4_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\GAMES_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\GAMES_MENU.dat
        c:\progra~1\crawler\Cache\COMMON\HIGHLIGHT_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\POPBLOCKER_MENU.dat
        c:\progra~1\crawler\Cache\COMMON\SHOP_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\SKINS_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\SKINS_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\SKINS_MENU.dat
        c:\progra~1\crawler\Cache\COMMON\SPELL_BMP.dat
        c:\progra~1\crawler\Cache\COMMON\SPELL_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\TRAVEL_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\WAYBACK_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\WP_CHBMP.dat
        c:\progra~1\crawler\Cache\COMMON\YP_CHBMP.dat
        c:\progra~1\crawler\confirm.dat
        c:\progra~1\crawler\ctbcomm.dll
        c:\progra~1\crawler\ctbr.dll
        c:\progra~1\crawler\CTConf.dat
        c:\progra~1\crawler\CTipsDef.dll
        c:\progra~1\crawler\CUpdate.exe
        c:\progra~1\crawler\Cursors\284DB5093AA7C030E068CBC8BE6DFB6B\appstarting.ani
        c:\progra~1\crawler\Cursors\284DB5093AA7C030E068CBC8BE6DFB6B\arrow.ani
        c:\progra~1\crawler\Cursors\284DB5093AA7C030E068CBC8BE6DFB6B\cursor.xml
        c:\progra~1\crawler\Cursors\284DB5093AA7C030E068CBC8BE6DFB6B\wait.ani
        c:\progra~1\crawler\Cursors\8AA5B71D0994F160EA0C269A7B7AE9DA\appstarting.ani
        c:\progra~1\crawler\Cursors\8AA5B71D0994F160EA0C269A7B7AE9DA\arrow.ani
        c:\progra~1\crawler\Cursors\8AA5B71D0994F160EA0C269A7B7AE9DA\cursor.xml
        c:\progra~1\crawler\Cursors\8AA5B71D0994F160EA0C269A7B7AE9DA\wait.ani
        c:\progra~1\crawler\Cursors\cursors.xml
        c:\progra~1\crawler\ecards.dat
        c:\progra~1\crawler\ffill.dat
        c:\progra~1\crawler\games.dat
        c:\program files\INSTALL.LOG
        c:\windows\system32\drivers\fad.sys

        .
        (((((((((((((((((((((((((   Files Created from 2009-04-06 to 2009-05-06  )))))))))))))))))))))))))))))))
        .

        2009-04-30 05:51 . 2009-04-30 05:52   --------   d-----w   C:\XTGOLD
        2009-04-29 18:36 . 2009-04-29 18:37   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Application Data\U3
        2009-04-25 04:51 . 2009-04-25 04:57   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Local Settings\Application Data\Adobe
        2009-04-25 04:50 . 2009-04-25 05:05   --------   d-----w   c:\temp\jobs
        2009-04-25 04:50 . 2009-04-30 09:37   --------   d-----w   c:\temp\passwords
        2009-04-25 04:48 . 2009-04-25 05:05   --------   d-----w   c:\temp\CRedit card payments
        2009-04-24 23:29 . 2009-05-06 04:06   --------   d-----w   c:\program files\a-squared Free
        2009-04-24 20:47 . 2009-04-24 20:47   --------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2009-04-24 20:47 . 2009-04-24 20:47   --------   d-----w   c:\program files\SUPERAntiSpyware
        2009-04-24 20:47 . 2009-04-24 20:47   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Application Data\SUPERAntiSpyware.com
        2009-04-24 20:46 . 2009-04-24 20:46   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
        2009-04-24 19:55 . 2009-04-24 19:55   --------   d-----w   c:\program files\Trend Micro
        2009-04-24 19:41 . 2009-04-24 19:41   --------   d-----w   c:\windows\Sun
        2009-04-24 19:41 . 2009-04-24 19:41   410984   ----a-w   c:\windows\system32\deploytk.dll
        2009-04-24 19:41 . 2009-04-24 19:41   --------   d-----w   c:\program files\Java
        2009-04-24 19:03 . 2009-04-24 20:24   --------   d-----w   c:\program files\CCleaner
        2009-04-24 17:56 . 2009-04-30 08:40   --------   d-----w   c:\program files\PurgeIE
        2009-04-24 17:14 . 2009-05-06 04:08   --------   dc----w   c:\windows\system32\DRVSTORE
        2009-04-24 17:08 . 2009-05-06 04:09   --------   d-----w   c:\program files\Lavasoft
        2009-04-24 17:08 . 2009-05-06 04:09   --------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
        2009-04-24 03:45 . 2009-05-06 04:02   11952   ----a-w   c:\windows\system32\avgrsstx.dll
        2009-04-24 03:45 . 2009-05-06 04:02   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
        2009-04-24 03:44 . 2009-05-06 04:02   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
        2009-04-24 03:44 . 2009-05-06 04:03   --------   d-----w   c:\windows\system32\drivers\Avg
        2009-04-24 03:44 . 2009-04-24 16:36   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Application Data\AVGTOOLBAR
        2009-04-24 03:44 . 2009-04-24 03:44   --------   d-----w   c:\program files\AVG
        2009-04-24 03:44 . 2009-04-30 08:47   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
        2009-04-23 06:42 . 2009-05-06 04:07   --------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
        2009-04-23 06:24 . 2009-04-23 06:24   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Application Data\EMCO
        2009-04-23 06:18 . 2009-04-23 06:18   --------   d-----w   c:\program files\FileASSASSIN
        2009-04-23 06:15 . 2009-04-23 06:15   --------   d-----w   c:\documents and settings\ADMINISTRATOR 1\Application Data\Malwarebytes
        2009-04-23 06:15 . 2009-04-06 22:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
        2009-04-23 06:15 . 2009-04-06 22:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-04-23 06:15 . 2009-04-23 06:15   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
        2009-04-23 06:15 . 2009-04-24 22:19   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
        2009-04-23 06:07 . 2009-04-24 05:11   --------   d-----w   c:\windows\system32\CatRoot_bak
        2009-04-23 05:42 . 2009-04-23 05:42   --------   d-----w   C:\!KillBox
        2009-04-22 04:43 . 2005-07-26 04:39   60416   ------w   c:\windows\system32\dllcache\colbact.dll
        2009-04-22 04:43 . 2009-02-09 10:20   399360   ------w   c:\windows\system32\dllcache\rpcss.dll
        2009-04-22 04:43 . 2009-02-06 17:14   110592   ------w   c:\windows\system32\dllcache\services.exe
        2009-04-22 04:43 . 2009-02-09 10:20   473088   ------w   c:\windows\system32\dllcache\fastprox.dll
        2009-04-22 04:43 . 2009-02-06 16:39   227840   ------w   c:\windows\system32\dllcache\wmiprvse.exe
        2009-04-22 04:43 . 2009-02-09 10:20   453120   ------w   c:\windows\system32\dllcache\wmiprvsd.dll
        2009-04-22 04:43 . 2009-02-09 10:20   616960   ------w   c:\windows\system32\dllcache\advapi32.dll
        2009-04-22 04:43 . 2009-02-09 10:20   714752   ------w   c:\windows\system32\dllcache\ntdll.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-03-06 14:44 . 2002-08-29 10:00   283648   ----a-w   c:\windows\system32\pdh.dll
        2009-02-09 10:20 . 2004-04-27 17:19   399360   ----a-w   c:\windows\system32\rpcss.dll
        2009-02-09 10:20 . 2002-08-29 10:00   723456   ----a-w   c:\windows\system32\lsasrv.dll
        2009-02-09 10:20 . 2002-08-29 10:00   714752   ----a-w   c:\windows\system32\ntdll.dll
        2009-02-09 10:20 . 2002-08-29 10:00   616960   ----a-w   c:\windows\system32\advapi32.dll
        2009-02-09 10:19 . 2002-08-29 10:00   1846272   ----a-w   c:\windows\system32\win32k.sys
        2009-02-06 17:24 . 1980-01-01 05:00   2180480   ----a-w   c:\windows\system32\ntoskrnl.exe
        2009-02-06 17:14 . 2002-08-29 10:00   110592   ----a-w   c:\windows\system32\services.exe
        2009-02-06 16:54 . 2002-08-29 10:00   35328   ----a-w   c:\windows\system32\sc.exe
        2009-02-06 16:49 . 1980-01-01 05:00   2057728   ----a-w   c:\windows\system32\ntkrnlpa.exe
        2009-02-05 06:56 . 2003-04-14 12:01   90112   ----a-w   c:\windows\DUMP9598.tmp
        2009-02-05 06:52 . 2003-04-14 12:01   90112   ----a-w   c:\windows\DUMP84df.tmp
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]
        "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-4-14 24576]
        Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2008-12-22 19:05   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
        2007-06-04 16:44   10792   ----a-w   c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-05-06 04:02   11952   ----a-w   c:\windows\SYSTEM32\avgrsstx.dll

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/23/2009 8:44 PM 325896]
        R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/23/2009 8:45 PM 108552]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
        R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 8:44 PM 298776]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
        \Shell\AutoRun\command - F:\LaunchU3.exe -a
        .
        Contents of the 'Scheduled Tasks' folder
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.yahoo.com
        mSearch Bar =
        uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
        uInternet Settings,ProxyOverride = hxxp://localhost;
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-05-05 21:45
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(624)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

        - - - - - - - > 'explorer.exe'(4028)
        c:\windows\system32\ieframe.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        c:\windows\SYSTEM32\mnmsrvc.exe
        c:\windows\SYSTEM32\rundll32.exe
        c:\windows\SYSTEM32\wdfmgr.exe
        c:\program files\AVG\AVG8\avgrsx.exe
        c:\progra~1\AVG\AVG8\avgnsx.exe
        c:\windows\SYSTEM32\wscntfy.exe
        .
        **************************************************************************
        .
        Completion time: 2009-05-06 21:48 - machine was rebooted
        ComboFix-quarantined-files.txt  2009-05-06 04:48

        Pre-Run: 49,302,016,000 bytes free
        Post-Run: 49,421,197,312 bytes free

        215   --- E O F ---   2009-04-23 06:51
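        Reading a ComboFix log like the one above comes down to spotting autostart entries that point somewhere unusual, which is the same check a malware-removal volunteer does by eye. The script below is an added example for this thread; it is not ComboFix code and not something either poster ran. It parses ComboFix-style "Reg Loading Points" lines (the sample is copied verbatim from the log above, plus one constructed entry in the style of the owner.exe autostart the original poster described, labelled as constructed) and reports Run-key entries that launch from a user profile or temp directory, entries outside the usual program directories, and any mountpoints2 AutoRun command such as the LaunchU3.exe one registered for drive F above. The trusted-directory allow-list and the scoring rules are this example's own assumptions, and a reported entry is a lead to investigate, not a verdict.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' output.

Added example for this thread; it is not ComboFix code and not something the
original posters ran. The sample lines below are copied from the log posted
above, plus one constructed entry labelled as such.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# --- constructed sample input ------------------------------------------
# Lines taken verbatim from the ComboFix log in the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

# Constructed entry (NOT from the posted log) in the style of the owner.exe
# autostart the original poster described seeing AVG flag.
SAMPLE_SUSPECT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"owner"="c:\documents and settings\owner\owner.exe" [2009-04-22 12288]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$"
)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

# Assumption: these are the directories a legitimately installed autostart is
# expected to live in on an XP box; anything else deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Directories malware commonly drops into because any user can write there.
PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\temp\\")


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Walk the registry dump and return the entries worth a second look."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which hive/key we are in
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            drive = key.rsplit("\\", 1)[-1]
            findings.append(Finding(key, "AutoRun", m.group("cmd"),
                                    f"AutoRun command registered for drive {drive}:"))
            continue
        m = VALUE_RE.match(line)
        if not m or not key.lower().endswith("\\run"):
            continue                      # only Run keys are scored here
        path = m.group("path").lower()
        if path.startswith(PROFILE_PREFIXES):
            reason = "autostart launched from a user profile or temp directory"
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "autostart outside the usual program directories"
        else:
            continue                      # nothing unusual about this one
        findings.append(Finding(key, m.group("name"), m.group("path"), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(SAMPLE_SUSPECT):
        print(f"[{f.reason}] {f.name}: {f.target}")
```

        Run against the posted log the only hit is the drive-F AutoRun command; the constructed owner.exe entry is reported because it starts from under Documents and Settings, which is exactly the location the original poster saw AVG complain about. A well-known vendor path can still be abused, so treat a clean pass as "nothing obvious", not as proof the box is clean.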

        evilfantasy
        Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
        « Reply #5 on: May 05, 2009, 11:11:09 PM »
        How is the computer running now?

        The screenshot from above indicates that AVG was hitting on SUPERAntiSpyware so it could be a false positive. Have you updated AVG and are you using the new version 8?

        Bitwise

          Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
          « Reply #6 on: May 07, 2009, 01:16:29 AM »
          Thanks for looking into this evilfantasy.
          Running AVG 8.5 free.
          The infected drive still hangs with the standard blue screen with no text or graphics soon after I log in as admin level with my windows password.
          Exploring from the other WinXP drive still has same symptoms and cannot access the Documents and Settings folder and child folders. Can see files using xtreegold when xtree is run from the infected drive but cannot access, remove, rename, etc. Moving these files with xtree is possible so I moved some within the infected drive to a temp directory and the files remain inaccessible.
          The mystery long name file in the Owner1 folder remains as well and is protected.
          I did an inadvertently dumb thing: while exploring from the other winXP drive I noticed a file named scrap.obj in my temp directory where I xtree moved some suspect files and attempted a windows delete, but forgot to <shift> del so it attempted to put the file into the recycle bin. The file disappeared from the original location but nothing showed up in the recycle bin. I quickly shut down and physically removed the infected drive.
          It's getting close to fdisk time.


          [attachment deleted by admin]

          evilfantasy
          Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
          « Reply #7 on: May 07, 2009, 10:26:25 AM »
          Honestly I don't think the issue is malware related. It sounds like the drive has issues.

          Bitwise

            Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
            « Reply #8 on: May 19, 2009, 11:25:31 PM »
            Evilfantasy, still think it wasn't malicious?

            Well I tried repairing my winxp install from my XP disk but could not use my windows password to begin the process (hmmm...)
            Next I selected a fresh install but stopped short of that during the process by attempting a repair that is allowed as a selection during the fresh install. That got me in. Upon reboot I got the error:

            RUNDLL Error loading
            c:\windows\phocamewo.dat
            the specified module could not be found

            I do not recognize this dat file.
            WinXP finished the boot without further error. I explored the "owner1" folder and only found the one suspect file with the long filename. I zipped this file and can e-mail it if you want to look at it, it's only 1 kb uncompressed. I suspect it's harmless by itself.
            The other files that I could not delete before the winXP repair are gone. The folder and its sub-folders are now accessible and intact except for the files I successfully got out using xtree - they were indeed moved by xtree when xtree ran from within the infected drive in a temp folder.

            So far the drive is operating normally. We'll see after some time on it though. If it was not the drive hardware but a winXP problem, the repair fixed it, but why was the long filename file unable to be accessed/deleted/moved before the repair but now it is available for scrutiny? I suspect some code was protecting it, that code was removed by the winXP repair. The AVG scan I did during the "infection" indicated I was already rootkitted.

            Your thoughts?
            Anyone's thoughts?

            Thanks again for all the help.

            Robert.



            evilfantasy
            Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
            « Reply #9 on: May 19, 2009, 11:39:06 PM »
            Quote
            I suspect some code was protecting it, that code was removed by the winXP repair.

            Actually what I think is you are messing around in your Hidden Files and Folders finding things that don't "look right" but actually are OK.

            Windows is constantly creating, overwriting and deleting files with very odd names. The fact that they are .dat files tells me they are most likely not malicious but instead a protected Windows file. Meaning they are not easy to delete because doing so will make Windows do something it isn't supposed to like crash and bluescreen.

            Hidden Files and Folders are hidden for a few reasons. One is to keep people from deleting them...


            Bitwise

              Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
              « Reply #10 on: May 20, 2009, 11:48:50 PM »
              Evilfantasy, thanks for your time on this. The dat file may indeed be a windows file but I’m stumped as to why it was not able to be moved, renamed or deleted before the windows repair. If I look at any hidden windows files now like history files or some hidden files in the windows sub-directory tree I suspect I can rename, move or delete any one of them. True, unstable operation or worse would most likely follow, but the files are hidden so the uninitiated do not damage them by mistake; they can be deleted.

              The only reason I was looking at the three files I was after was because AVG thought they were suspect. I do not claim to have your computer background but have you ever seen windows create .exe files named file.exe or owner.exe as part of its routine housekeeping? ...and in the C:\documents and settings\owner folder? (owner was the default log on) I had made a folder under owner for personal files instead of using the already available My Documents folder since MS Office likes to throw things into My Documents by default, so I tended to see the files in the owner folder a lot. The creation of the suspect files was news to me, but it’s not something I usually scrutinize as I navigate about. Still, if I saved an infected file it would have gone there somewhere under owner. The files I moved with xtree were personal files I considered sensitive.

              It all started with the windows error prompting an lsass.exe overrun. Then the hanging on re-boot with the boot blue-screen (not the fatal blue screen) with the words “Configuring Network Connections”. Since lsass.exe is all about network allocation I suppose it may have been a windows hiccup and AVG was fooled, but I’m not convinced. I did not alter or even open any hidden files. I’m aware that registry related files should only be viewed with regedit. How else might I have caused this with pilot error? ::)

              Thanks,

              Robert.

              Bitwise

                Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
                « Reply #11 on: May 21, 2009, 12:36:15 AM »
                I forgot, I did do one bad thing: deleting the scrap.obj file from the temp dir. I thought it was dumb at the time. By then I thought all infection related files might exhibit the undeletable feature so it was my blatant attempt to check this out. I was writing off extracting the problem by then anyway. Good thing I didn't fdisk.

                evilfantasy
                Re: Unable to remove virus on WinXP. Logs included. Thanks everyone!
                « Reply #12 on: May 21, 2009, 03:09:33 PM »
                Malicious files 99% of the time have .exe .dll or .sys extensions.

                Leave the hidden files and folders alone and trust your antivirus to find bad files. You are deleting stuff that Windows needs to communicate with itself.
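                The thread keeps coming back to whether a given file (owner.exe, file.exe, the .dat that rundll32 complained about) is code or data, and the file name alone cannot settle that: rundll32 loads whatever module path it is handed as a DLL regardless of the extension, and a data file can be given an .exe name. The script below is an added example, not from the thread and not something the posters ran; it checks for the DOS "MZ" stub and the "PE\0\0" signature that every Windows executable, DLL and driver carries, and compares that with what the extension claims. The byte strings are constructed stand-ins labelled as such, not the poster's actual files, and the extension list is this example's own assumption.

```python
"""Tell executables apart from data by header, not by file name.

Added example for this thread, not something the posters ran. The byte
strings below are constructed stand-ins for files like owner.exe and
phocamewo.dat; they are not the poster's actual files.
"""
import os
import struct

# Assumption: extensions Windows will run or load as code without asking.
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has the DOS 'MZ' stub and e_lfanew points at the PE signature.

    Every Windows executable, DLL and driver shares this layout, whatever the
    file is called, which is what makes it a better test than the extension.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(filename)[1].lower()
    is_pe = looks_like_pe(data)
    if is_pe and ext in CODE_EXTENSIONS:
        return "pe-as-named"        # executable, and says so
    if is_pe:
        return "pe-disguised"       # executable hiding behind a data extension
    if ext in CODE_EXTENSIONS:
        return "not-pe"             # named like code but is not a PE image
    return "data"


def minimal_pe_image() -> bytes:
    """Build the smallest byte string that satisfies looks_like_pe(); constructed."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> right after stub
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples in the style of the files discussed in the thread.
SAMPLES = {
    "owner.exe": minimal_pe_image(),
    "phocamewo.dat": b"\x00" * 64,            # plain data, nothing to execute
    "settings.dat": minimal_pe_image(),       # a DLL renamed .dat: rundll32 still loads it
    "file.exe": b"just some text\r\n",         # .exe extension, no PE header
}


def classify_all(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15} {verdict}")
```

                A "pe-disguised" result is the case worth escalating: a PE image sitting under a .dat or .tmp name in a profile or Windows directory has no normal reason to exist, whereas a genuine Windows data file will fail the MZ check. The header test is cheap enough to run over an entire suspect folder from a clean boot, and unlike an antivirus signature it does not depend on the file being already known.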