
Author Topic: Help needed with infection......please!  (Read 13614 times)


wildbjk

    Topic Starter


    Greenhorn

    Help needed with infection......please!
    « on: May 19, 2009, 09:10:36 AM »
    My computer is really messed up and I would really appreciate some help.......

    I have a Dell Optiplex 320 desktop running Windows XP SP2.  Pentium 3.4 GHz, 992 MB of RAM.  I have run AVG 8.5 and it's warning of multiple threats.

    Rootkits:

    File

    C:\WINDOWS\system32\drivers\ovfsthxlydyqcwl.sys
    c:\WINDOWS\system32\lowsec
    c:\WINDOWS\system32\lowsec\local.ds
    c:\WINDOWS\system32\lowsec\user.ds                                         
    c:\WINDOWS\system32\ovfsthxaudlykhl.dll                                   
    c:\WINDOWS\system32\ovfsthxndxvfcad.dat                                 
    c:\WINDOWS\system32\ovfsthxpqfddong.dll                                   
    c:\WINDOWS\system32\ovfsthxsruyxpye.dll                                   
    c:\WINDOWS\system32\ovfsthxvqlsxgkc.dat                                 
    c:\WINDOWS\system32\sdra64.exe         

    AVG also said Multiple Threat Detection:

    "212.117.174.14/lmn_setup.exe";"Trojan horse BackDoor.Generic11.OMJ";""


    Process Name:  C:\Windows\system32\scvhost.exe
    Process ID: 1276

    File:
    212.117.188.102/~i571/winglsetup.exe
    212.117.188.102/~i571/imppcsetup.exe

    Trojan horse SHeur2.ADDA
    Trojan horse SHeur2.ADCY

    Below are logs for SuperAntispyware, Malwarebytes' Anti-malware and HijackThis:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/18/2009 at 03:25 PM

    Application Version : 4.26.1002

    Core Rules Database Version : 3899
    Trace Rules Database Version: 1845

    Scan type       : Complete Scan
    Total Scan Time : 00:25:55

    Memory items scanned      : 404
    Memory threats detected   : 1
    Registry items scanned    : 4849
    Registry threats detected : 7
    File items scanned        : 45954
    File threats detected     : 2

    Trojan.Unclassified/C00-WL/G
       C:\WINDOWS\SYSTEM32\__C0037996.DAT
       C:\WINDOWS\SYSTEM32\__C0037996.DAT

    Trojan.Unclassified/C00-WL/B
       Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0037996

    Adware.Tracking Cookie
       C:\Documents and Settings\Jim\Cookies\[email protected][1].txt

    Trojan.Unclassified/C00-WL
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996#Asynchronous
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996#DllName
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996#Impersonate
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996#Startup
       HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0037996#Logon

    mbam-log:

    Malwarebytes' Anti-Malware 1.36
    Database version: 2148
    Windows 5.1.2600 Service Pack 2

    5/18/2009 3:58:03 PM
    mbam-log-2009-05-18 (15-58-03).txt

    Scan type: Quick Scan
    Objects scanned: 80505
    Time elapsed: 1 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    hijackThis-log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:30:12 PM, on 5/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070428
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070428
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [A00FE3777.exe] C:\WINDOWS\TEMP\_A00FE3777.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [A00FE3777.exe] C:\WINDOWS\TEMP\_A00FE3777.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: zufwfxgo - nsxiyak.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5942 bytes

    Thanks for any suggestions, I really need help!
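
The HijackThis log above contains several entries that a log triage script can pick out mechanically: Run values under the SYSTEM and Default user hives that launch an executable from C:\WINDOWS\TEMP, a SYSTEM startup shortcut whose target HijackThis prints as "?", a Winlogon Notify DLL reported as "(file missing)", and the scvhost.exe process that AVG flagged, which is a one-letter transposition of svchost.exe. The Python script below is an added example written for this thread, not a tool from the forum or from AVG, Malwarebytes, SUPERAntiSpyware or HijackThis; its rules are this example's own heuristics, and its sample input is copied from the posted log with the scvhost.exe path added as a running-process line. It reads a log and reports leads; it removes nothing.

```python
"""Triage HijackThis-style log lines for the persistence tricks seen in this thread.

Added example for this thread; not a tool from the forum or from AVG, Malwarebytes,
SUPERAntiSpyware or HijackThis. The rules are this example's own heuristics and a
flagged line is a lead for a human, not a removal instruction.
"""
import re

# Windows images that malware commonly imitates with a one-letter change.
LEGIT_SYSTEM_IMAGES = (
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe",
)

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>.+?) Startup: (?P<lnk>.+?) = (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")

# Constructed sample: lines copied from the HijackThis log posted above, plus the
# scvhost.exe process path that AVG reported, written as a running-process line.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Windows\system32\scvhost.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [A00FE3777.exe] C:\WINDOWS\TEMP\_A00FE3777.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00FE3777.exe] C:\WINDOWS\TEMP\_A00FE3777.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: zufwfxgo - nsxiyak.dll (file missing)
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, plus a swap
    of two adjacent characters, so 'scvhost' is one edit from 'svchost'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(image: str):
    """Return the legitimate image name that `image` imitates, or None."""
    for legit in LEGIT_SYSTEM_IMAGES:
        if image.lower() != legit and osa_distance(image, legit) == 1:
            return legit
    return None


def triage(log_text: str) -> list:
    """Apply the rules line by line; returns (reason, line) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # Run values under HKUS\S-1-5-18 or HKUS\.DEFAULT execute as SYSTEM or at
            # the logon screen, before any user signs in; a TEMP path there is not normal.
            in_system_hive = m.group("hive").upper().startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT"))
            if in_system_hive and "\\TEMP\\" in m.group("cmd").upper():
                findings.append(("Run value in SYSTEM/.DEFAULT hive launching from TEMP", line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            # HijackThis prints '?' when it cannot resolve what a startup shortcut points at.
            if USER_SUFFIX_RE.sub("", m.group("target")).strip() == "?":
                findings.append(("Startup shortcut with an unresolvable target", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at boot; a bare or missing
            # file name usually means the loader entry was planted, not installed.
            dll = m.group("dll")
            if "(file missing)" in dll or "\\" not in dll:
                findings.append(("Winlogon Notify DLL missing or given without a path", line))
            continue
        if PROCESS_RE.match(line):
            image = line.rsplit("\\", 1)[-1]
            legit = lookalike_of(image)
            if legit:
                findings.append((f"process '{image}' is a one-edit lookalike of {legit}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run it with no arguments to triage the built-in sample, or feed it a saved HijackThis log through triage(open(path).read()). A hit is a reason to look at the entry, not a verdict: the lookalike rule in particular only compares base names, so it says nothing about a correctly spelled svchost.exe running from the wrong directory, and the TEMP rule will miss a loader that copies itself somewhere less obvious.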



    wildbjk

      Topic Starter


      Greenhorn

      Re: Help needed with infection......please!
      « Reply #1 on: May 19, 2009, 10:09:23 PM »
      Thank you Harry.

      I'm sorry to ask a dumb question but I thought I already did post the logs to the Computer Viruses and Spyware forum.  Do you mean attach the logs as notepad files rather than copy/paste them into the post?  Please advise.

      Karnac



        Specialist

        Thanked: 211
        Re: Help needed with infection......please!
        « Reply #2 on: May 20, 2009, 12:02:34 AM »
        Wildbjk, you did fine......evilfantasy will be along to help you out in turn........


        Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

        wildbjk

          Topic Starter


          Greenhorn

          Re: Help needed with infection......please!
          « Reply #3 on: May 20, 2009, 03:29:40 PM »
          Great, thank you very much.  I am ready and I'm happy to wait my turn.

          I appreciate it. 

          Wildbjk

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          Re: Help needed with infection......please!
          « Reply #4 on: May 20, 2009, 03:58:36 PM »
          Hello Wildbjk.

          Download DDS by sUBs and save it to your desktop. Alternate DDS download link

          Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

          * XP users Double click on dds to run it.
          * If your antivirus or firewall tries to block DDS then please allow it to run.
          * When finished DDS will open two (2) logs.

          1) DDS.txt
          2) Attach.txt

          * Save both logs to your desktop.
          * Please copy and paste the entire contents of both logs in your next reply.

          Note: DDS will instruct you to post the Attach.txt log as an attachment.
          Please just post it as you would any other log by copy and pasting it into the reply.



          romalias

          • Guest
          Re: Help needed with infection......please!
          « Reply #5 on: May 21, 2009, 06:27:28 AM »
          Sounds like you have the same worm I just disinfected my computer of... it's an ugly mother, but if you have your XP CD handy I can help you remove it easily enough, assuming it's the same one...

          Firstly, run a scan with Prevx; it's free to "Scan". If you come up with a bunch of files starting with ov in the list then I can be of assistance. BTW, this malware doesn't appear to affect Firefox, so if you can find a way to get it downloaded it will help a lot through this process.

          OK, so assuming you ran the Prevx scan and found your malware, I'm sure you don't want to spend $15 just to fix it, but if you did it's probably easier 0.o.

          Insert your Windows XP CD, reboot the computer and boot from the disc.

          Once it finishes loading, hit "R" for the Recovery Console.

          Select your O.S. and go to the C:\windows\system32\ directory using the "cd system32" command.

          Type in "dir ov*.*" to find all files beginning with ov, then type in "delete <filename here>" for each entry.

          Type "cd drivers", then again type "dir ov*.*" and delete the last file found here.

          This should fix your problem. Type "Exit" to exit the Recovery Console and reboot back to Windows. Once in Windows, delete all of your temp directories to ensure you won't be reinfected.

          Karnac



            Specialist

            Thanked: 211
            Re: Help needed with infection......please!
            « Reply #6 on: May 21, 2009, 06:36:42 AM »
            Romalias,

            "Others, who are not malware specialists, posting advice without approval are subject to have their posts removed immediately as the wrong advice is too risky"



            wildbjk

              Topic Starter


              Greenhorn

              Re: Help needed with infection......please!
              « Reply #7 on: May 21, 2009, 06:43:19 AM »
              Thank you Karnac for the clarification.  I appreciate romalias offering to help but I will follow Evilfantasy's instructions ...........

              Karnac



                Specialist

                Thanked: 211
                Re: Help needed with infection......please!
                « Reply #8 on: May 21, 2009, 06:50:25 AM »
                No problem Wildbjk, and romalias, no offense intended....it's just all infections are not equal, and what works for one problem may not work for another, causing more problems than necessary. Hang in wildbjk......
                « Last Edit: May 21, 2009, 07:07:32 AM by Karnac »



                wildbjk

                  Topic Starter


                  Greenhorn

                  Re: Help needed with infection......please!
                  « Reply #9 on: May 21, 2009, 06:58:51 AM »
                  Evilfantasy,

                  I downloaded DDS and ran it.  Below are the logs you requested..............

                  Attach.txt:

                  UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                  IF REQUESTED, ZIP IT UP & ATTACH IT

                  DDS (Ver_09-05-14.01)

                  Microsoft Windows XP Professional
                  Boot Device: \Device\HarddiskVolume2
                  Install Date: 5/4/2007 1:26:14 PM
                  System Uptime: 5/21/2009 3:52:20 AM (5 hours ago)

                  Motherboard: Dell Inc.           |  | 0MH651
                  Processor:               Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3400/800mhz
                  Processor:               Intel(R) Pentium(R) D CPU 3.40GHz | Microprocessor | 3400/800mhz

                  ==== Disk Partitions =========================

                  C: is FIXED (NTFS) - 149 GiB total, 137.972 GiB free.
                  D: is CDROM ()

                  ==== Disabled Device Manager Items =============

                  ==== System Restore Points ===================

                  RP1: 4/28/2009 10:54:03 AM - Software Distribution Service 3.0
                  RP2: 4/28/2009 3:22:13 PM - Installed AVG 8.5
                  RP3: 4/28/2009 3:25:18 PM - Software Distribution Service 3.0
                  RP4: 4/28/2009 3:27:41 PM - Installed AVG 8.5
                  RP5: 4/29/2009 3:00:14 AM - Software Distribution Service 3.0
                  RP6: 4/29/2009 9:30:29 AM - Avg8 Update
                  RP7: 4/30/2009 10:03:28 AM - System Checkpoint
                  RP8: 4/30/2009 2:24:33 PM - Installed SUPERAntiSpyware Free Edition
                  RP9: 5/12/2009 9:52:04 AM - Installed Windows XP WgaNotify.
                  RP10: 5/13/2009 3:00:15 AM - Software Distribution Service 3.0
                  RP11: 5/13/2009 9:31:17 AM - Avg8 Update
                  RP12: 5/13/2009 9:32:06 AM - Avg8 Update
                  RP13: 5/17/2009 3:09:24 PM - System Checkpoint
                  RP14: 5/17/2009 6:09:17 PM - Software Distribution Service 3.0
                  RP15: 5/18/2009 12:20:04 PM - Avg8 Update
                  RP16: 5/18/2009 12:20:45 PM - Avg8 Update

                  ==== Installed Programs ======================

                  Acrobat.com
                  Adobe AIR
                  Adobe Flash Player ActiveX
                  Adobe Reader 9
                  ATI Catalyst Control Center
                  ATI Display Driver
                  AVG 8.5
                  Bloomberg DDE Server
                  Bloomberg Excel Tools
                  Bloomberg PFM Upload Tool for Microsoft Excel
                  Bloomberg Report Viewer (CR)
                  Bloomberg SFD Data Dictionary
                  Bloomberg, V.02.07.09
                  Bloomberg, V.08.07.07
                  Broadcom Management Programs
                  Brother HL-5250DN
                  Caere Scan Manager 5.1
                  CCleaner (remove only)
                  DIGOpt
                  Fidelity Active Trader Pro®
                  Google Chrome
                  Google Toolbar for Internet Explorer
                  High Definition Audio Driver Package - KB835221
                  HijackThis 2.0.2
                  Hotfix for Windows XP (KB896256)
                  Hotfix for Windows XP (KB908673)
                  Hotfix for Windows XP (KB909095)
                  Hotfix for Windows XP (KB914440)
                  Hotfix for Windows XP (KB915865)
                  Hotfix for Windows XP (KB923232)
                  Hotfix for Windows XP (KB952287)
                  Java(TM) 6 Update 13
                  Java(TM) 6 Update 7
                  Malwarebytes' Anti-Malware
                  Microsoft .NET Framework 1.1
                  Microsoft .NET Framework 1.1 Hotfix (KB928366)
                  Microsoft Internationalized Domain Names Mitigation APIs
                  Microsoft National Language Support Downlevel APIs
                  Microsoft Office XP Professional with FrontPage
                  Microsoft Visual C++ 2005 Redistributable
                  MSN
                  OmniPage Pro 9.0
                  OpenOffice.org Installer 1.0
                  PowerDVD 5.7
                  Roxio DLA
                  Roxio Express Labeler
                  Roxio RecordNow Audio
                  Roxio RecordNow Copy
                  Roxio RecordNow Data
                  Security Update for Step By Step Interactive Training (KB923723)
                  Security Update for Windows Internet Explorer 7 (KB938127-v2)
                  Security Update for Windows Internet Explorer 7 (KB938127)
                  Security Update for Windows Internet Explorer 7 (KB956390)
                  Security Update for Windows Internet Explorer 7 (KB958215)
                  Security Update for Windows Internet Explorer 7 (KB961260)
                  Security Update for Windows Internet Explorer 7 (KB963027)
                  Security Update for Windows Media Player (KB911564)
                  Security Update for Windows Media Player (KB952069)
                  Security Update for Windows Media Player 6.4 (KB925398)
                  Security Update for Windows Media Player 9 (KB917734)
                  Security Update for Windows Media Player 9 (KB936782)
                  Security Update for Windows XP (KB893756)
                  Security Update for Windows XP (KB896358)
                  Security Update for Windows XP (KB896423)
                  Security Update for Windows XP (KB896424)
                  Security Update for Windows XP (KB896428)
                  Security Update for Windows XP (KB899587)
                  Security Update for Windows XP (KB899588)
                  Security Update for Windows XP (KB899591)
                  Security Update for Windows XP (KB900725)
                  Security Update for Windows XP (KB901017)
                  Security Update for Windows XP (KB901214)
                  Security Update for Windows XP (KB902400)
                  Security Update for Windows XP (KB904706)
                  Security Update for Windows XP (KB905414)
                  Security Update for Windows XP (KB905749)
                  Security Update for Windows XP (KB908519)
                  Security Update for Windows XP (KB908531)
                  Security Update for Windows XP (KB911562)
                  Security Update for Windows XP (KB911927)
                  Security Update for Windows XP (KB912919)
                  Security Update for Windows XP (KB913580)
                  Security Update for Windows XP (KB914388)
                  Security Update for Windows XP (KB914389)
                  Security Update for Windows XP (KB917344)
                  Security Update for Windows XP (KB917422)
                  Security Update for Windows XP (KB917953)
                  Security Update for Windows XP (KB918118)
                  Security Update for Windows XP (KB918439)
                  Security Update for Windows XP (KB919007)
                  Security Update for Windows XP (KB920213)
                  Security Update for Windows XP (KB920670)
                  Security Update for Windows XP (KB920683)
                  Security Update for Windows XP (KB920685)
                  Security Update for Windows XP (KB921503)
                  Security Update for Windows XP (KB922819)
                  Security Update for Windows XP (KB923191)
                  Security Update for Windows XP (KB923414)
                  Security Update for Windows XP (KB923561)
                  Security Update for Windows XP (KB923689)
                  Security Update for Windows XP (KB923694)
                  Security Update for Windows XP (KB923789)
                  Security Update for Windows XP (KB923980)
                  Security Update for Windows XP (KB924191)
                  Security Update for Windows XP (KB924270)
                  Security Update for Windows XP (KB924496)
                  Security Update for Windows XP (KB924667)
                  Security Update for Windows XP (KB925902)
                  Security Update for Windows XP (KB926255)
                  Security Update for Windows XP (KB926436)
                  Security Update for Windows XP (KB927779)
                  Security Update for Windows XP (KB927802)
                  Security Update for Windows XP (KB928090)
                  Security Update for Windows XP (KB928255)
                  Security Update for Windows XP (KB928843)
                  Security Update for Windows XP (KB929123)
                  Security Update for Windows XP (KB929969)
                  Security Update for Windows XP (KB930178)
                  Security Update for Windows XP (KB931261)
                  Security Update for Windows XP (KB931768)
                  Security Update for Windows XP (KB931784)
                  Security Update for Windows XP (KB932168)
                  Security Update for Windows XP (KB933566)
                  Security Update for Windows XP (KB933729)
                  Security Update for Windows XP (KB935839)
                  Security Update for Windows XP (KB935840)
                  Security Update for Windows XP (KB936021)
                  Security Update for Windows XP (KB937143)
                  Security Update for Windows XP (KB937894)
                  Security Update for Windows XP (KB938127)
                  Security Update for Windows XP (KB938464)
                  Security Update for Windows XP (KB938829)
                  Security Update for Windows XP (KB939653)
                  Security Update for Windows XP (KB941202)
                  Security Update for Windows XP (KB941568)
                  Security Update for Windows XP (KB941569)
                  Security Update for Windows XP (KB941644)
                  Security Update for Windows XP (KB941693)
                  Security Update for Windows XP (KB942615)
                  Security Update for Windows XP (KB943055)
                  Security Update for Windows XP (KB943460)
                  Security Update for Windows XP (KB943485)
                  Security Update for Windows XP (KB944338)
                  Security Update for Windows XP (KB944533)
                  Security Update for Windows XP (KB944653)
                  Security Update for Windows XP (KB945553)
                  Security Update for Windows XP (KB946026)
                  Security Update for Windows XP (KB946648)
                  Security Update for Windows XP (KB947864)
                  Security Update for Windows XP (KB948590)
                  Security Update for Windows XP (KB948881)
                  Security Update for Windows XP (KB950749)
                  Security Update for Windows XP (KB950759)
                  Security Update for Windows XP (KB950760)
                  Security Update for Windows XP (KB950762)
                  Security Update for Windows XP (KB950974)
                  Security Update for Windows XP (KB951066)
                  Security Update for Windows XP (KB951376-v2)
                  Security Update for Windows XP (KB951376)
                  Security Update for Windows XP (KB951698)
                  Security Update for Windows XP (KB951748)
                  Security Update for Windows XP (KB952004)
                  Security Update for Windows XP (KB952954)
                  Security Update for Windows XP (KB953838)
                  Security Update for Windows XP (KB953839)
                  Security Update for Windows XP (KB954211)
                  Security Update for Windows XP (KB954600)
                  Security Update for Windows XP (KB955069)
                  Security Update for Windows XP (KB956390)
                  Security Update for Windows XP (KB956391)
                  Security Update for Windows XP (KB956572)
                  Security Update for Windows XP (KB956802)
                  Security Update for Windows XP (KB956803)
                  Security Update for Windows XP (KB956841)
                  Security Update for Windows XP (KB957095)
                  Security Update for Windows XP (KB957097)
                  Security Update for Windows XP (KB958215)
                  Security Update for Windows XP (KB958644)
                  Security Update for Windows XP (KB958687)
                  Security Update for Windows XP (KB958690)
                  Security Update for Windows XP (KB959426)
                  Security Update for Windows XP (KB960225)
                  Security Update for Windows XP (KB960714)
                  Security Update for Windows XP (KB960715)
                  Security Update for Windows XP (KB960803)
                  Security Update for Windows XP (KB961373)
                  SUPERAntiSpyware Free Edition
                  Update for Windows XP (KB894391)
                  Update for Windows XP (KB898461)
                  Update for Windows XP (KB900485)
                  Update for Windows XP (KB904942)
                  Update for Windows XP (KB910437)
                  Update for Windows XP (KB911280)
                  Update for Windows XP (KB912945)
                  Update for Windows XP (KB916595)
                  Update for Windows XP (KB920872)
                  Update for Windows XP (KB922582)
                  Update for Windows XP (KB927891)
                  Update for Windows XP (KB930916)
                  Update for Windows XP (KB931836)
                  Update for Windows XP (KB933360)
                  Update for Windows XP (KB936357)
                  Update for Windows XP (KB938828)
                  Update for Windows XP (KB942763)
                  Update for Windows XP (KB942840)
                  Update for Windows XP (KB946627)
                  Update for Windows XP (KB951072-v2)
                  Update for Windows XP (KB955839)
                  Update for Windows XP (KB967715)
                  WebFldrs XP
                  Windows Defender
                  Windows Genuine Advantage Notifications (KB905474)
                  Windows Installer 3.1 (KB893803)
                  Windows Internet Explorer 7
                  Windows Live Messenger
                  Windows Live OneCare safety scanner
                  Windows XP Hotfix - KB873339
                  Windows XP Hotfix - KB885250
                  Windows XP Hotfix - KB885835
                  Windows XP Hotfix - KB885836
                  Windows XP Hotfix - KB885884
                  Windows XP Hotfix - KB886185
                  Windows XP Hotfix - KB887472
                  Windows XP Hotfix - KB888302
                  Windows XP Hotfix - KB889673
                  Windows XP Hotfix - KB890859
                  Windows XP Hotfix - KB891781

                  ==== Event Viewer Messages From Past Week ========

                  5/18/2009 4:00:20 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.
                  5/17/2009 1:04:40 PM, error: Service Control Manager [7023]  - The Microcode Update Monitor service terminated with the following error:  The specified module could not be found.
                  5/17/2009 1:04:38 PM, error: ati2mtag [44044]  - I2c return failed
                  5/16/2009 4:29:55 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

                  ==== End Of File ===========================

                  and the DDS.txt:

                  DDS (Ver_09-05-14.01) - NTFSx86 
                  Run by Jim at  8:47:58.65 on Thu 05/21/2009
                  Internet Explorer: 7.0.5730.13
                  Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.990.484 [GMT -4:00]

                  AV: AVG Internet Security *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  FW: AVG Firewall *enabled*   {8decf618-9569-4340-b34a-d78d28969b66}

                  ============== Running Processes ===============

                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost -k DcomLaunch
                  svchost.exe
                  C:\WINDOWS\System32\svchost.exe -k netsvcs
                  svchost.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Java\jre6\bin\jusched.exe
                  C:\Program Files\Analog Devices\Core\smax4pnp.exe
                  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
                  C:\WINDOWS\System32\DLA\DLACTRLW.EXE
                  C:\PROGRA~1\AVG\AVG8\avgtray.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  svchost.exe
                  C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                  C:\PROGRA~1\AVG\AVG8\avgfws8.exe
                  C:\Program Files\Java\jre6\bin\jqs.exe
                  C:\WINDOWS\system32\svchost.exe -k imgsvc
                  C:\PROGRA~1\AVG\AVG8\avgam.exe
                  C:\PROGRA~1\AVG\AVG8\avgrsx.exe
                  C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
                  C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  C:\PROGRA~1\AVG\AVG8\avgnsx.exe
                  C:\Documents and Settings\Jim\Desktop\dds.pif

                  ============== Pseudo HJT Report ===============

                  uStart Page = about:blank
                  uSearch Page = hxxp://www.google.com
                  uSearch Bar = hxxp://www.google.com/ie
                  uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070428
                  uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                  uSearchAssistant = hxxp://www.google.com/ie
                  uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                  mSearchAssistant = hxxp://www.google.com/ie
                  BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                  BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                  TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
                  TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
                  uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
                  uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
                  mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
                  mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
                  mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
                  mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
                  mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
                  mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
                  mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
                  dRun: [A00FE3777.exe] c:\windows\temp\_A00FE3777.exe
                  dRunOnce: [RunNarrator] Narrator.exe
                  StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
                  dPolicies-explorer: NoFolderOptions = 1 (0x1)
                  dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
                  dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
                  dPolicies-system: DisableRegistryTools = 1 (0x1)
                  dPolicies-system: DisableTaskMgr = 1 (0x1)
                  IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
                  IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
                  IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                  DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
                  DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
                  DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
                  DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
                  DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
                  DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
                  DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
                  Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
                  Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
                  Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
                  Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
                  Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
                  Notify: AtiExtEvent - Ati2evxx.dll
                  Notify: avgrsstarter - avgrsstx.dll
                  Notify: zufwfxgo - nsxiyak.dll
                  SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
                  SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

                  ============= SERVICES / DRIVERS ===============

                  R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-4-28 3456]
                  R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-28 12552]
                  R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-28 325896]
                  R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-4 27784]
                  R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 108552]
                  R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
                  R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
                  R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-28 298776]
                  R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-28 1366904]
                  R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-4-28 29208]
                  S1 nakguqrc;nakguqrc;c:\windows\system32\drivers\nakguqrc.sys [2009-4-27 28320]
                  S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
                  S2 zqlsvtcq;Microcode Update Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
                  S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-4-28 29208]
                  S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

                  =============== Created Last 30 ================

                  2009-05-18 12:33   37,376   a-------   c:\windows\system32\glsetup.exe
                  2009-05-13 03:01   118   a-------   c:\windows\system32\MRT.INI
                  2009-05-01 09:03   <DIR>   --d-----   c:\program files\Trend Micro
                  2009-05-01 08:47   410,984   a-------   c:\windows\system32\deploytk.dll
                  2009-04-30 15:10   <DIR>   --d-----   c:\docume~1\jim\applic~1\Malwarebytes
                  2009-04-30 15:10   15,504   a-------   c:\windows\system32\drivers\mbam.sys
                  2009-04-30 15:10   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
                  2009-04-30 15:10   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
                  2009-04-30 15:10   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
                  2009-04-30 14:24   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
                  2009-04-30 14:24   <DIR>   --d-----   c:\program files\SUPERAntiSpyware
                  2009-04-30 14:24   <DIR>   --d-----   c:\docume~1\jim\applic~1\SUPERAntiSpyware.com
                  2009-04-30 14:23   <DIR>   --d-----   c:\program files\common files\Wise Installation Wizard
                  2009-04-30 14:10   <DIR>   --d-----   c:\program files\CCleaner
                  2009-04-28 16:01   <DIR>   --d-h---   C:\$AVG8.VAULT$
                  2009-04-28 15:42   <DIR>   --d-----   c:\docume~1\jim\applic~1\AVG8
                  2009-04-28 15:28   11,952   a-------   c:\windows\system32\avgrsstx.dll
                  2009-04-28 15:28   325,896   a-------   c:\windows\system32\drivers\avgldx86.sys
                  2009-04-28 15:28   12,552   a-------   c:\windows\system32\drivers\avgrkx86.sys
                  2009-04-28 15:28   <DIR>   --d-----   c:\windows\system32\drivers\Avg
                  2009-04-28 15:28   <DIR>   --d-----   c:\docume~1\jim\applic~1\AVGTOOLBAR
                  2009-04-28 15:28   108,552   a-------   c:\windows\system32\drivers\avgtdix.sys
                  2009-04-28 15:27   50,968   a-------   c:\windows\system32\avgfwdx.dll
                  2009-04-28 15:27   29,208   a-------   c:\windows\system32\drivers\avgfwdx.sys
                  2009-04-28 15:27   <DIR>   --d-----   c:\program files\AVG
                  2009-04-28 15:27   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\avg8
                  2009-04-28 09:42   2   a-------   c:\windows\system32\uniq.tll
                  2009-04-27 17:28   28,320   a-------   c:\windows\system32\drivers\nakguqrc.sys
                  2009-04-27 17:28   <DIR>   --d-----   c:\program files\Windows Live Safety CenterRebootActions

                  ==================== Find3M  ====================

                  2009-03-21 10:18   986,112   --------   c:\windows\system32\dllcache\kernel32.dll
                  2009-03-10 22:18   934,792   --------   c:\windows\system32\dllcache\WgaTray.exe
                  2009-03-10 22:18   239,496   --------   c:\windows\system32\dllcache\wgaLogon.dll
                  2009-03-06 10:00   284,160   a-------   c:\windows\system32\pdh.dll
                  2009-03-06 10:00   284,160   --------   c:\windows\system32\dllcache\pdh.dll
                  2009-03-02 20:18   826,368   a-------   c:\windows\system32\wininet.dll
                  2009-03-02 20:18   826,368   --------   c:\windows\system32\dllcache\wininet.dll
                  2009-02-28 00:54   636,072   --------   c:\windows\system32\dllcache\iexplore.exe
                  2008-03-25 15:07   17,528   a-------   c:\docume~1\jim\applic~1\GDIPFONTCACHEV1.DAT
                  2007-11-02 13:16   373,186   a-------   c:\docume~1\jim\applic~1\barryblau.zip

                  ============= FINISH:  8:48:16.87 ===============

                  Thanks for your assistance....

                  Wildbjk



                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  Re: Help needed with infection......please!
                  « Reply #10 on: May 21, 2009, 12:58:20 PM »
                  Go to Add or Remove Programs and uninstall:

                  - Java(TM) 6 Update 7

                  ----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                  Link #1
                  Link #2

                  **Note:  It is important that it is saved directly to your Desktop

                  DO NOT run it yet!

                  Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                  Delete these files/folders, as follows:

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                  KillAll::

                  DDS::
                  uStart Page = about:blank
                  dRun: [A00FE3777.exe] c:\windows\temp\_A00FE3777.exe
                  IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                  Notify: zufwfxgo - nsxiyak.dll

                  Driver::
                  nakguqrc
                  zqlsvtcq

                  File::
                  c:\windows\system32\drivers\nakguqrc.sys

                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                  wildbjk

                    Topic Starter



                    Re: Help needed with infection......please!
                    « Reply #11 on: May 21, 2009, 02:34:44 PM »
                    Okay, I've downloaded and run ComboFix.  The log follows:

                    ComboFix.txt...........

                    ComboFix 09-05-20.A1 - Jim 05/21/2009 16:11.1 - NTFSx86
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.990.595 [GMT -4:00]
                    Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
                    Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
                    AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

                    FILE ::
                    c:\windows\system32\drivers\nakguqrc.sys
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\program files\messenger\msmsgs.exe
                    c:\windows\system32\autochk.dll
                    c:\windows\system32\config\systemprofile\protect.dll
                    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
                    c:\windows\system32\drivers\nakguqrc.sys
                    c:\windows\system32\drivers\ovfsthxlydyqcwl.sys
                    c:\windows\system32\glsetup.exe
                    c:\windows\system32\lmn_setup.exe
                    c:\windows\system32\ovfsthxaudlykhl.dll
                    c:\windows\system32\ovfsthxndxvfcad.dat
                    c:\windows\system32\ovfsthxpqfddong.dll
                    c:\windows\system32\ovfsthxsruyxpye.dll
                    c:\windows\system32\ovfsthxvqlsxgkc.dat
                    c:\windows\system32\service-466.exe
                    c:\windows\system32\sft.res
                    c:\windows\system32\uniq.tll

                    Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
                    Restored copy from - c:\i386\sfcfiles.dll


                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    -------\Service_ovfsthxajqkiham
                    -------\Legacy_SFC
                    -------\Legacy_ZQLSVTCQ
                    -------\Service_nakguqrc
                    -------\Service_sfc
                    -------\Service_zqlsvtcq


                    (((((((((((((((((((((((((   Files Created from 2009-04-21 to 2009-05-21  )))))))))))))))))))))))))))))))
                    .

                    2009-05-21 20:11 . 2009-05-21 20:11   29184   ----a-w   c:\windows\system32\jhxm32.dll
                    2009-05-21 19:26 . 2009-05-21 19:26   32768   ----a-w   c:\windows\system32\avast!Antivirus.exe
                    2009-05-01 13:03 . 2009-05-01 13:03   --------   d-----w   c:\program files\Trend Micro
                    2009-05-01 12:47 . 2009-05-01 12:47   410984   ----a-w   c:\windows\system32\deploytk.dll
                    2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\documents and settings\Jim\Application Data\Malwarebytes
                    2009-04-30 19:10 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
                    2009-04-30 19:10 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
                    2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
                    2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com
                    2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\program files\SUPERAntiSpyware
                    2009-04-30 18:23 . 2009-04-30 18:23   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
                    2009-04-30 18:10 . 2009-04-30 18:10   --------   d-----w   c:\program files\CCleaner
                    2009-04-28 20:01 . 2009-05-18 16:56   --------   d--h--w   C:\$AVG8.VAULT$
                    2009-04-28 19:42 . 2009-04-28 19:42   --------   d-----w   c:\documents and settings\Jim\Application Data\AVG8
                    2009-04-28 19:28 . 2009-04-28 19:28   11952   ----a-w   c:\windows\system32\avgrsstx.dll
                    2009-04-28 19:28 . 2009-04-28 19:28   12552   ----a-w   c:\windows\system32\drivers\avgrkx86.sys
                    2009-04-28 19:28 . 2009-04-28 19:28   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                    2009-04-28 19:28 . 2009-05-21 12:34   --------   d-----w   c:\windows\system32\drivers\Avg
                    2009-04-28 19:28 . 2009-04-28 19:57   --------   d-----w   c:\documents and settings\Jim\Application Data\AVGTOOLBAR
                    2009-04-28 19:28 . 2009-04-28 19:28   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                    2009-04-28 19:27 . 2009-04-28 19:27   29208   ----a-w   c:\windows\system32\drivers\avgfwdx.sys
                    2009-04-28 19:27 . 2009-04-28 19:27   50968   ----a-w   c:\windows\system32\avgfwdx.dll
                    2009-04-28 19:27 . 2009-04-28 19:27   --------   d-----w   c:\program files\AVG
                    2009-04-28 19:27 . 2009-05-12 13:49   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
                    2009-04-28 14:02 . 2009-04-28 14:02   --------   d-----w   c:\program files\Windows Defender
                    2009-04-27 21:28 . 2009-04-27 21:48   --------   d-----w   c:\program files\Windows Live Safety CenterRebootActions
                    2009-04-27 20:47 . 2009-04-27 20:49   --------   d-----w   c:\program files\Windows Live Safety Center

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-05-01 12:55 . 2007-04-28 05:41   --------   d-----w   c:\program files\Java
                    2009-03-06 14:00 . 2004-08-11 21:00   284160   ----a-w   c:\windows\system32\pdh.dll
                    2009-03-03 00:18 . 2004-08-11 21:00   826368   ----a-w   c:\windows\system32\wininet.dll
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
                    2009-05-21 20:11   29184   ----a-w   c:\windows\system32\jhxm32.dll

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
                    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
                    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
                    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
                    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1947928]
                    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                    "NoSetActiveDesktop"= 1 (0x1)
                    "NoActiveDesktopChanges"= 1 (0x1)

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2008-12-22 16:05   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                    2009-04-28 19:28   11952   ----a-w   c:\windows\system32\avgrsstx.dll

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

                    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [4/28/2007 1:26 AM 3456]
                    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/28/2009 3:28 PM 12552]
                    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2009 3:28 PM 325896]
                    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2009 3:28 PM 108552]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
                    R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
                    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 3:28 PM 298776]
                    R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/28/2009 3:28 PM 1366904]
                    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [4/28/2009 3:27 PM 29208]
                    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
                    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [4/28/2009 3:27 PM 29208]
                    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311905349-2035659520-1787606364-1005.job
                    - c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 17:54]
                    .
                    - - - - ORPHANS REMOVED - - - -

                    HKU-Default-Run-A00FE3777.exe - c:\windows\TEMP\_A00FE3777.exe
                    HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll


                    .
                    ------- Supplementary Scan -------
                    .
                    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
                    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
                    .

                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2009-05-21 16:14
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(912)
                    c:\program files\SUPERAntiSpyware\SASWINLO.dll
                    c:\windows\system32\Ati2evxx.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\windows\system32\ati2evxx.exe
                    c:\windows\system32\ati2evxx.exe
                    c:\windows\system32\avast!Antivirus.exe
                    c:\program files\Java\jre6\bin\jqs.exe
                    c:\program files\AVG\AVG8\avgtray.exe
                    c:\progra~1\AVG\AVG8\avgam.exe
                    c:\program files\AVG\AVG8\avgrsx.exe
                    c:\progra~1\AVG\AVG8\avgnsx.exe
                    c:\windows\system32\wscntfy.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2009-05-21 16:16 - machine was rebooted
                    ComboFix-quarantined-files.txt  2009-05-21 20:16

                    Pre-Run: 148,095,545,344 bytes free
                    Post-Run: 148,057,296,896 bytes free

                    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                    [boot loader]
                    timeout=2
                    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                    [operating systems]
                    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

                    188   --- E O F ---   2009-05-19 13:19


                    Thanks for your help.    Wildbjk
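What the helper picked out of the two logs above by eye follows a few repeatable patterns: a driver with a random eight-letter name and no descriptive display name (nakguqrc), a "Microcode Update Monitor" service (zqlsvtcq) hosted in svchost.exe -k netsvcs, a Winlogon Notify DLL nobody installed (nsxiyak.dll), an autorun out of c:\windows\temp, and the DisableTaskMgr / DisableRegistryTools policies that keep the user away from the tools. The ComboFix log then shows a second pattern worth recognising: jhxm32.dll (and the BHO that loads it) carries a creation time of 2009-05-21 20:11, and since the file list is in UTC (the run started 16:11 local at GMT -4), that is the minute the run began. Something still resident dropped a payload during the cleanup, which is why a second script was needed. The script below is an added example written for this page, not code from DDS, ComboFix or anyone in the thread; it applies those checks to lines in the DDS/ComboFix shape. The sample lines are constructed to mirror the posted logs, the Winlogon Notify allowlist is an assumption (the entries left alone in this thread), and the random-name test is a deliberately simple heuristic, so every hit is a lead to verify by hand, not a verdict.

```python
"""Triage of DDS / ComboFix style log lines.

Added example for this thread; not code from DDS, ComboFix or any post here.
Each rule mirrors a check the helper made by eye on the logs above.  Output is
a list of leads to verify by hand, not a verdict.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumption: Winlogon Notify entries already vetted (the ones left alone in this thread).
NOTIFY_ALLOW = {"!SASWinLogon", "AtiExtEvent", "avgrsstarter"}
# Policies that lock the user out of the tools needed to inspect the machine.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>\S+)")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s+\[[^\]]*\]\s+(?P<path>.+)$")
POLICY_RE = re.compile(r"^dPolicies-\w+:\s+(?P<key>\w+)\s+=\s+1\b")
# ComboFix "Files Created" line: "<created> . <modified> <size> <attrs> <path>", times in UTC.
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+\S+\s+\S+\s+(?P<path>.+)$")
TEMP_RE = re.compile(r"\\(windows\\temp|local settings\\temp)\\", re.IGNORECASE)

# Constructed sample in the shape of the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 108552]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-4-28 3456]
S1 nakguqrc;nakguqrc;c:\windows\system32\drivers\nakguqrc.sys [2009-4-27 28320]
S2 zqlsvtcq;Microcode Update Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
Notify: avgrsstarter - avgrsstx.dll
Notify: zufwfxgo - nsxiyak.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [A00FE3777.exe] c:\windows\temp\_A00FE3777.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
2009-05-21 20:11 . 2009-05-21 20:11   29184   ----a-w   c:\windows\system32\jhxm32.dll
2009-05-21 19:26 . 2009-05-21 19:26   32768   ----a-w   c:\windows\System32\avast!Antivirus.exe
2009-04-28 19:28 . 2009-04-28 19:28   11952   ----a-w   c:\windows\system32\avgrsstx.dll
"""
# ComboFix started 05/21/2009 16:11 local (GMT -4), i.e. 20:11 UTC.
RUN_START_UTC = datetime(2009, 5, 21, 20, 11)


def looks_random(name: str) -> bool:
    """Heuristic only: seven or more lowercase letters and nothing else
    (no digits, capitals or vendor prefix), the shape of nakguqrc/zqlsvtcq."""
    return re.fullmatch(r"[a-z]{7,}", name) is not None


def triage(log: str, run_start_utc: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for lines worth a second look."""
    hits: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            name, display, image = m["name"], m["display"], m["image"]
            img = image.lower()
            if looks_random(name) and display == name:
                hits.append(("random-looking service/driver name", line))
            if " -k " in img and "svchost.exe" not in img:
                hits.append(("non-svchost binary taking svchost arguments", line))
            elif "svchost.exe -k" in img:
                hits.append(("svchost-hosted service: verify its ServiceDll", line))
            if image.rstrip().endswith("[?]"):
                hits.append(("image file not found by ComboFix", line))
        elif m := NOTIFY_RE.match(line):
            if m["name"] not in NOTIFY_ALLOW:
                hits.append(("Winlogon Notify DLL outside allowlist", line))
        elif m := RUN_RE.match(line):
            if TEMP_RE.search(m["path"]):
                hits.append(("autorun from a temp directory", line))
        elif m := POLICY_RE.match(line):
            if m["key"] in LOCKDOWN_POLICIES:
                hits.append(("lockdown policy hides tools from the user", line))
        elif (m := CREATED_RE.match(line)) and run_start_utc is not None:
            if datetime.strptime(m["ts"], "%Y-%m-%d %H:%M") >= run_start_utc:
                hits.append(("file created at/after cleanup start: loader still active", line))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Run the rules over the constructed sample with the run start above."""
    return triage(SAMPLE_LOG, RUN_START_UTC)


if __name__ == "__main__":
    for reason, line in demo():
        print(f"{reason:55} {line}")
```

The AVG, ATI and SUPERAntiSpyware entries in the sample pass clean, while the fake avast!Antivirus service is caught twice: once because a binary in System32 is launched with svchost's "-k netsvcs" arguments without being svchost.exe, and once because ComboFix marks its image "[?]". The time-based rule only fires when a run start is supplied, and it compares against the log's own UTC timestamps, so convert the local start time shown in the ComboFix header before passing it in.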


                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    Re: Help needed with infection......please!
                    « Reply #12 on: May 21, 2009, 03:03:17 PM »
                    Delete these files/folders, as follows:

                    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                    It must be Notepad, not Wordpad.
                    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
                    KillAll::

                    Driver::
                    avast!Antivirus

                    File::
                    c:\windows\system32\jhxm32.dll
                    c:\windows\System32\avast!Antivirus.exe

                    Registry::
                    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]

                    3. Go to the Notepad window and click Edit > Paste
                    4. Then click File > Save
                    5. Name the file CFScript.txt - Save the file to your Desktop
                    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                    ComboFix will begin to execute, just follow the prompts.
                    After reboot (in case it asks to reboot), it will produce a log for you.
                    Post that log (Combofix.txt) in your next reply.

                    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

                    wildbjk

                      Re: Help needed with infection......please!
                      « Reply #13 on: May 22, 2009, 11:32:39 AM »
                      I have run ComboFix again as instructed.

                      Here is the log:

                      ComboFix 09-05-21.08 - Jim 05/22/2009 12:00.2 - NTFSx86
                      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.990.532 [GMT -4:00]
                      Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
                      Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
                      AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                      FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

                      FILE ::
                      c:\windows\System32\avast!Antivirus.exe
                      c:\windows\system32\jhxm32.dll
                      .

                      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      c:\windows\System32\avast!Antivirus.exe
                      c:\windows\system32\jhxm32.dll
                      c:\windows\system32\sft.res

                      .
                      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      -------\Legacy_AVAST!ANTIVIRUS
                      -------\Service_avast!Antivirus


                      (((((((((((((((((((((((((   Files Created from 2009-04-22 to 2009-05-22  )))))))))))))))))))))))))))))))
                      .

                      2009-05-18 16:20 . 2009-04-28 19:28   312088   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
                      2009-05-18 16:20 . 2009-04-28 19:28   1437464   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
                      2009-05-13 13:32 . 2009-05-13 13:31   2051864   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   3399960   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
                      2009-05-13 13:32 . 2009-04-28 19:28   2302232   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   3288344   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
                      2009-05-13 13:32 . 2009-04-28 19:28   354584   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   2291992   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfwui.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   424472   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   177432   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   1262880   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
                      2009-05-13 13:32 . 2009-04-28 19:28   486168   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
                      2009-05-13 13:31 . 2009-04-28 19:28   755992   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
                      2009-05-13 13:31 . 2009-04-28 19:28   1083672   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
                      2009-05-12 15:47 . 2008-06-12 10:09   33088   ----a-w   c:\documents and settings\Jim\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                      2009-05-05 14:09 . 2009-04-28 19:28   563456   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\dtuser.exe
                      2009-05-05 14:09 . 2009-04-28 19:28   2227968   ----a-w   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtoolbar.dll
                      2009-05-01 13:03 . 2009-05-01 13:03   --------   d-----w   c:\program files\Trend Micro
                      2009-05-01 12:47 . 2009-05-01 12:47   410984   ----a-w   c:\windows\system32\deploytk.dll
                      2009-05-01 12:46 . 2009-05-01 12:46   152576   ----a-w   c:\documents and settings\Jim\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
                      2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\documents and settings\Jim\Application Data\Malwarebytes
                      2009-04-30 19:10 . 2009-04-06 19:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
                      2009-04-30 19:10 . 2009-04-06 19:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
                      2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
                      2009-04-30 19:10 . 2009-04-30 19:10   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
                      2009-04-30 18:25 . 2009-05-18 19:41   117760   ----a-w   c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                      2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                      2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\program files\SUPERAntiSpyware
                      2009-04-30 18:24 . 2009-04-30 18:24   --------   d-----w   c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com
                      2009-04-30 18:23 . 2009-04-30 18:23   --------   d-----w   c:\program files\Common Files\Wise Installation Wizard
                      2009-04-30 18:10 . 2009-04-30 18:10   --------   d-----w   c:\program files\CCleaner
                      2009-04-28 20:01 . 2009-05-18 16:56   --------   d--h--w   C:\$AVG8.VAULT$
                      2009-04-28 19:42 . 2009-04-28 19:42   --------   d-----w   c:\documents and settings\Jim\Application Data\AVG8
                      2009-04-28 19:28 . 2009-04-28 19:28   11952   ----a-w   c:\windows\system32\avgrsstx.dll
                      2009-04-28 19:28 . 2009-04-28 19:28   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
                      2009-04-28 19:28 . 2009-04-28 19:28   12552   ----a-w   c:\windows\system32\drivers\avgrkx86.sys
                      2009-04-28 19:28 . 2009-05-22 15:47   --------   d-----w   c:\windows\system32\drivers\Avg
                      2009-04-28 19:28 . 2009-04-28 19:57   --------   d-----w   c:\documents and settings\Jim\Application Data\AVGTOOLBAR
                      2009-04-28 19:28 . 2009-04-28 19:28   108552   ----a-w   c:\windows\system32\drivers\avgtdix.sys
                      2009-04-28 19:27 . 2009-05-12 13:49   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
                      2009-04-28 19:27 . 2009-04-28 19:27   50968   ----a-w   c:\windows\system32\avgfwdx.dll
                      2009-04-28 19:27 . 2009-04-28 19:27   29208   ----a-w   c:\windows\system32\drivers\avgfwdx.sys
                      2009-04-28 19:27 . 2009-04-28 19:27   --------   d-----w   c:\program files\AVG
                      2009-04-28 14:06 . 2007-03-09 15:25   2321288   ----a-w   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
                      2009-04-28 14:06 . 2009-04-13 21:39   4656976   ----a-w   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1CCBABAD-28AB-4A89-B7E5-BA46B52BD9AE}\mpengine.dll
                      2009-04-28 14:02 . 2009-04-28 14:02   --------   d-----w   c:\program files\Windows Defender
                      2009-04-27 21:28 . 2009-04-27 21:48   --------   d-----w   c:\program files\Windows Live Safety CenterRebootActions
                      2009-04-27 20:47 . 2009-04-27 20:49   --------   d-----w   c:\program files\Windows Live Safety Center

                      .
                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2009-05-01 12:55 . 2007-04-28 05:41   --------   d-----w   c:\program files\Java
                      2009-04-28 19:28 . 2007-05-04 17:40   27784   ----a-w   c:\windows\system32\drivers\avgmfx86.sys
                      2009-03-06 14:00 . 2004-08-11 21:00   284160   ----a-w   c:\windows\system32\pdh.dll
                      2009-03-03 00:18 . 2004-08-11 21:00   826368   ----a-w   c:\windows\system32\wininet.dll
                      .

                      (((((((((((((((((((((((((((((   SnapShot@2009-05-21_20.14.58   )))))))))))))))))))))))))))))))))))))))))
                      .
                      + 2009-05-22 16:03 . 2009-05-22 16:03   16384              c:\windows\temp\Perflib_Perfdata_114.dat
                      .
                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
                      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
                      "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
                      "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
                      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
                      "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1947928]
                      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
                      "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

                      c:\documents and settings\All Users\Start Menu\Programs\Startup\
                      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

                      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                      "NoSetActiveDesktop"= 1 (0x1)
                      "NoActiveDesktopChanges"= 1 (0x1)

                      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                      2008-12-22 16:05   356352   ----a-w   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                      2009-04-28 19:28   11952   ----a-w   c:\windows\system32\avgrsstx.dll

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                      "EnableFirewall"= 0 (0x0)

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=
                      "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                      "c:\\Program Files\\MSN Messenger\\livecall.exe"=
                      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                      "c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
                      "c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
                      "c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
                      "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                      "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

                      R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [4/28/2007 1:26 AM 3456]
                      R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/28/2009 3:28 PM 12552]
                      R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2009 3:28 PM 325896]
                      R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2009 3:28 PM 108552]
                      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
                      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
                      R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 3:28 PM 298776]
                      R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/28/2009 3:28 PM 1366904]
                      R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [4/28/2009 3:27 PM 29208]
                      S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
                      S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [4/28/2009 3:27 PM 29208]
                      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
                      .
                      Contents of the 'Scheduled Tasks' folder

                      2009-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311905349-2035659520-1787606364-1005.job
                      - c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 17:54]
                      .
                      .
                      ------- Supplementary Scan -------
                      .
                      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
                      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
                      Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
                      .

                      **************************************************************************

                      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2009-05-22 12:03
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scanning hidden processes ... 

                      scanning hidden autostart entries ...

                      scanning hidden files ... 

                      scan completed successfully
                      hidden files: 0

                      **************************************************************************
                      .
                      --------------------- DLLs Loaded Under Running Processes ---------------------

                      - - - - - - - > 'winlogon.exe'(916)
                      c:\program files\SUPERAntiSpyware\SASWINLO.dll
                      c:\windows\system32\Ati2evxx.dll
                      .
                      ------------------------ Other Running Processes ------------------------
                      .
                      c:\windows\system32\ati2evxx.exe
                      c:\windows\system32\ati2evxx.exe
                      c:\program files\Java\jre6\bin\jqs.exe
                      c:\program files\AVG\AVG8\avgtray.exe
                      c:\progra~1\AVG\AVG8\avgam.exe
                      c:\program files\AVG\AVG8\avgrsx.exe
                      c:\progra~1\AVG\AVG8\avgnsx.exe
                      c:\windows\system32\wscntfy.exe
                      .
                      **************************************************************************
                      .
                      Completion time: 2009-05-22 12:04 - machine was rebooted
                      ComboFix-quarantined-files.txt  2009-05-22 16:04
                      ComboFix2.txt  2009-05-21 20:16

                      Pre-Run: 148,030,795,776 bytes free
                      Post-Run: 148,021,633,024 bytes free

                      181   --- E O F ---   2009-05-22 15:47


                      Let me know your thoughts on what to do next... thanks, Wildbjk
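Reply #12 gives the CFScript and Reply #13 the ComboFix log it produced; the verdict on whether the cleanup worked comes from reading that log against the script. The following is an added example, not part of the thread and not ComboFix's own code, that does that reading mechanically: it parses the CFScript directives (KillAll::, Driver::, File::, Registry::), splits the log on its "(((( Section ))))" banners, and reports which requested files and drivers actually show up under Other Deletions and Drivers/Services, what ComboFix removed on its own (sft.res here), and whether anything removed is still wired to start from a Run key or an R0..S3 service line. It also surfaces the header lines that report AVG on-access scanning and the AVG firewall disabled and the EnableFirewall=0 policy value, since those are what a reviewer checks once the removal itself is confirmed. The log text embedded below is abridged from the one posted above; the parser assumes that log format and line shapes.

```python
"""Cross-check a ComboFix log against the CFScript that produced it.
Added example for this thread, not forum or ComboFix code. The CFScript and the
log excerpt are copied/abridged from the posted thread; parsing assumes their format."""
import re

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                        # (((( Other Deletions ))))
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                       # "name"="c:\path\x.exe" [..]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")        # R2 name;display;image [..]
REMOVED_SVC_RE = re.compile(r"^-------\\(?:Legacy_|Service_)(.+)$")       # -------\Service_name

CFSCRIPT = r"""KillAll::

Driver::
avast!Antivirus

File::
c:\windows\system32\jhxm32.dll
c:\windows\System32\avast!Antivirus.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
"""

# Abridged from the Reply #13 log: header, the two deletion sections, and load points.
COMBOFIX_LOG = r"""ComboFix 09-05-21.08 - Jim 05/22/2009 12:00.2 - NTFSx86
Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FILE ::
c:\windows\System32\avast!Antivirus.exe
c:\windows\system32\jhxm32.dll
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\avast!Antivirus.exe
c:\windows\system32\jhxm32.dll
c:\windows\system32\sft.res
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1947928]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/28/2009 3:28 PM 12552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 3:28 PM 298776]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
"""


def parse_cfscript(text):
    """Return {directive: [entries]}; CFScript directives are lines ending in '::'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_log_sections(log_text):
    """Split a ComboFix log on its banner lines; text before the first banner is 'header'."""
    sections, current = {"header": []}, "header"
    for line in (l.rstrip() for l in log_text.splitlines()):
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != ".":          # '.' is ComboFix's spacer line
            sections[current].append(line)
    return sections


def summarize_log(log_text):
    """Deletions, removed services, surviving load points and protection state from one log."""
    s = split_log_sections(log_text)
    deleted = {p.lower() for p in s.get("Other Deletions", [])}
    removed = {m.group(1).lower() for m in map(REMOVED_SVC_RE.match, s.get("Drivers/Services", [])) if m}
    loadpoints, firewall_enabled = {}, None      # value/service name -> image path (lower-cased)
    for line in s.get("Reg Loading Points", []):
        m = RUN_VALUE_RE.match(line)
        if m:
            loadpoints[m.group(1)] = m.group(2).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            loadpoints[m.group(2)] = m.group(4).lower()
        elif line.startswith('"EnableFirewall"'):
            firewall_enabled = line.split("=", 1)[1].strip().startswith("1")
    disabled = [l for l in s["header"] if l[:3] in ("AV:", "FW:") and "disabled" in l]
    return {"deleted": deleted, "removed_services": removed, "loadpoints": loadpoints,
            "firewall_enabled": firewall_enabled, "protection_disabled": disabled}


def check_cleanup(cfscript_text, log_text):
    """Did ComboFix do what the script asked, and is anything it removed still set to start?"""
    script, log = parse_cfscript(cfscript_text), summarize_log(log_text)
    wanted_files = {p.lower() for p in script.get("File", [])}
    wanted_drivers = {d.lower() for d in script.get("Driver", [])}
    still_loading = [name for name, image in log["loadpoints"].items()
                     if image in log["deleted"] or name.lower() in log["removed_services"]]
    report = {
        "files_not_deleted": sorted(wanted_files - log["deleted"]),
        "drivers_not_removed": sorted(wanted_drivers - log["removed_services"]),
        "extra_deletions": sorted(log["deleted"] - wanted_files),   # ComboFix's own finds
        "still_loading": still_loading,
        "firewall_enabled": log["firewall_enabled"],
        "protection_disabled": log["protection_disabled"],
    }
    report["clean"] = not (report["files_not_deleted"] or report["drivers_not_removed"] or still_loading)
    return report


if __name__ == "__main__":
    for key, value in check_cleanup(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports both requested files and the avast!Antivirus service as gone, sft.res as an extra deletion, no surviving load point, and flags EnableFirewall=0 plus the two header lines showing AVG's on-access scanner and firewall disabled. A service line for the deleted file reappearing under Reg Loading Points would turn "clean" false, which is the case the check exists for.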

                      evilfantasy

                      Re: Help needed with infection......please!
                      « Reply #14 on: May 24, 2009, 11:11:47 AM »
                      Looks good. How is the computer running now?

                      • Click START then RUN
                      • Now type Combofix /u in the Run box
                      • Make sure there's a space between Combofix and /u
                      • Then hit Enter.
                      .
                      .
                      The above procedure will:
                      • Delete: ComboFix and its associated files and folders.
                      • Reset the clock settings.
                      • Hide file extensions, if required.
                      • Hide System/Hidden files, if required.
                      • Set a new, clean Restore Point.